CVE-2018-14009
Published 2018-07-12

CVE-2018-14009: Codiad through 2.8.4 allows Remote Code Execution, a different vulnerability than CVE-2017-11366 and CVE-2017-15689.
Priority P272 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 38.44% (98.4th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codiad | codiad | <= 2.8.4 | — |
| codiad | codiad | 0 – 2.8.4 | — |
Detection & IOCs (extracted from sources)
- Detect base64-encoded PowerShell payloads passed via the search_file_type parameter, specifically the -enc flag combined with -ep bypass -NoLogo -NonInteractive -NoProfile.
- Alert on POST requests to /components/user/controller.php?action=authenticate followed shortly by requests to the filemanager search endpoint; this sequence indicates authenticated exploitation.
- On Linux targets, look for nc (netcat) piped to /bin/bash in HTTP POST body parameters, specifically the pattern newline-encoded nc <ip> <port>|/bin/bash injected into search_file_type.
- Detect outbound TCP connections from the web server process (e.g., php-fpm, apache) to arbitrary IPs/ports, consistent with a reverse shell established via TCPClient or nc.
- Flag Content-Type: application/x-www-form-urlencoded requests to the Codiad filemanager search endpoint where search_file_type contains %0A, ||, or %22|| sequences.
- The exploit targets Codiad <= 2.8.4 and requires valid credentials (authenticated RCE). The injection point differs between Windows and Linux targets, and also between old vs. new versions of escapeshellarg on Windows; two separate payloads are tried automatically.
- This CVE is distinct from CVE-2017-11366 and CVE-2017-15689, which are prior Codiad RCE vulnerabilities. Detection rules should not conflate these.
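As an added illustration of the detection guidance above (this is not code from the original page or from the Codiad project), the following Python scans constructed request records for the search_file_type indicators and for the authenticate-then-search sequence from one client; the filemanager search endpoint path /components/filemanager/controller.php?action=search and the 60-second window are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample request records: (timestamp, client, method, path, body).
# Only the second and fourth records should raise alerts.
REQUESTS = [
    (100, "10.0.0.5", "POST", "/components/user/controller.php?action=authenticate",
     "username=dev&password=x"),
    (103, "10.0.0.5", "POST", "/components/filemanager/controller.php?action=search",
     "search_string=foo&search_file_type=php%0Aid&path=/"),
    (200, "10.0.0.9", "POST", "/components/filemanager/controller.php?action=search",
     "search_string=main&search_file_type=php&path=/"),
    (300, "10.0.0.7", "POST", "/components/filemanager/controller.php?action=search",
     "search_string=x&search_file_type=%22||powershell+-ep+bypass+-NoProfile+-enc+QQ%3D%3D&path=/"),
]

AUTH_PATH = "/components/user/controller.php"  # assumed Codiad login controller path
INJECTION_MARKERS = ("\n", "||", '"||')         # decoded forms of %0A, ||, %22||
PS_FLAGS = ("-ep bypass", "-nologo", "-noninteractive", "-noprofile")


def suspicious_search_value(body):
    """Return the reasons a search_file_type value looks injected, or [] if clean."""
    reasons = []
    for value in parse_qs(body, keep_blank_values=True).get("search_file_type", []):
        if any(marker in value for marker in INJECTION_MARKERS):
            reasons.append("shell metacharacters in search_file_type")
        low = value.lower()
        if "-enc" in low and any(flag in low for flag in PS_FLAGS):
            reasons.append("encoded PowerShell flags in search_file_type")
    return reasons


def find_alerts(requests, window=60):
    """Scan records in time order and return (timestamp, client, reason) tuples."""
    last_auth, alerts = {}, []
    for ts, client, method, path, body in sorted(requests):
        parts = urlsplit(path)
        action = parse_qs(parts.query).get("action", [""])[0]
        if method == "POST" and parts.path == AUTH_PATH and action == "authenticate":
            last_auth[client] = ts  # remember the login so a following search can be correlated
            continue
        if "/filemanager/" not in parts.path or action != "search":
            continue
        reasons = suspicious_search_value(body)
        if reasons and ts - last_auth.get(client, float("-inf")) <= window:
            reasons.append("follows authenticate from same client within %ds" % window)
        alerts.extend((ts, client, reason) for reason in reasons)
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(REQUESTS):
        print(alert)
```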
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
OSV: CVE-2018-14009 [CRITICAL] Codiad remote code execution vulnerability (osv · 2022-05-13 · CVSS 9.8)
GHSA: CVE-2018-14009 [CRITICAL] CWE-20 Codiad remote code execution vulnerability (ghsa · 2022-05-13 · CVSS 9.8)
No detection rules found.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/161944/Codiad-2.8.4-Remote-Code-Execution.html
- https://github.com/Codiad/Codiad/issues/1078
- https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit