CVE-2020-8644
Published 2020-02-05. PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.
Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 86.69% (99.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| playsms | playsms | < 1.4.3 | 1.4.3 |
Detection & IOCs (extracted from sources)
- Detect SSTI payload pattern in the username POST parameter: look for double-curly-brace template syntax (e.g., `{{...}}`) submitted to /index.php?app=main&inc=core_auth&route=login&op=login
- A 302 redirect to index.php?app=main&inc=core_auth&route=login on a GET to index.php is used by exploit modules as a fingerprint that the target is a vulnerable PlaySMS instance
- Monitor for backtick command-execution syntax inside TPL template double-curly-brace expressions in HTTP POST body username fields, e.g., {{`...`}}
- The nuclei template checks for the reversed string '4468-0202-EVC' in the response body as a proof-of-execution indicator for CVE-2020-8644
- The exploit requires a valid CSRF token extracted from the login page before submitting the malicious username; detection rules must account for this two-step request pattern
- The payload is base64-encoded to bypass HTML tag and semicolon filters applied by the application; detection must decode or match encoded variants
- The vulnerability exists in the TPL template engine's _compile() method via double-processing; the malicious value is stored first and executed on a second render, meaning the payload execution is deferred to a subsequent GET request
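The indicators above (login route, `{{...}}` template syntax, backtick syntax inside the expression, and base64-wrapped variants) applied to parsed HTTP requests, as an added Python example that is not from the page's sources or from PlaySMS. The request dictionary layout (`method`, `url`, `body`, `src`) and the sample traffic are constructed for the example, and the base64 handling assumes the encoded blob sits inside the double-curly expression.

```python
"""Flag CVE-2020-8644-style SSTI attempts in PlaySMS login POSTs (added example).
Request layout and sample traffic are constructed; the route and the
{{...}} / backtick / base64 indicators come from the detection notes."""
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Login action from the detection notes (PlaySMS routes via query parameters).
LOGIN_ROUTE = {"app": "main", "inc": "core_auth", "route": "login", "op": "login"}

TEMPLATE_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)  # TPL double-curly expression
BACKTICK_RE = re.compile(r"`[^`]+`")                   # backtick command syntax
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")        # candidate base64 blob


def is_login_post(method: str, url: str) -> bool:
    """True when the request is a POST to the PlaySMS login action."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return False
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return all(query.get(k) == v for k, v in LOGIN_ROUTE.items())


def try_b64(blob: str):
    """Decode a candidate base64 blob, or return None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify_username(username: str) -> list:
    """Return sorted indicator names found in an already URL-decoded username."""
    hits = set()
    expressions = TEMPLATE_RE.findall(username)
    if not expressions:
        return []
    hits.add("tpl_template_syntax")
    inner = " ".join(expressions)
    if BACKTICK_RE.search(inner):
        hits.add("tpl_backtick_exec")
    # Encoded variants: decode any base64 blob inside the expression and re-check it.
    for match in B64_RE.finditer(inner):
        decoded = try_b64(match.group(0))
        if decoded is None:
            continue
        hits.add("base64_in_template")
        if BACKTICK_RE.search(decoded) or TEMPLATE_RE.search(decoded):
            hits.add("encoded_exec_syntax")
    return sorted(hits)


def scan_requests(requests: list) -> list:
    """Run the indicators over parsed requests; one finding per matching request."""
    findings = []
    for req in requests:
        if not is_login_post(req["method"], req["url"]):
            continue
        form = parse_qs(req["body"])  # URL-decodes %7B%7B, '+', etc.
        username = form.get("username", [""])[0]
        indicators = classify_username(username)
        if indicators:
            findings.append({"src": req["src"], "indicators": indicators})
    return findings


LOGIN_URL = "/index.php?app=main&inc=core_auth&route=login&op=login"
# Constructed encoded probe: a harmless backtick expression wrapped in base64.
ENCODED = base64.b64encode(b"{{`echo probe`}}").decode()

# Constructed sample traffic: a normal login, a clear-text probe, a
# base64-wrapped probe, and a GET to index.php (no form body, skipped).
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "url": LOGIN_URL,
     "body": "username=alice&password=s3cret"},
    {"src": "198.51.100.7", "method": "POST", "url": LOGIN_URL,
     "body": "username=%7B%7B%60echo+probe%60%7D%7D&password=x"},
    {"src": "198.51.100.9", "method": "POST", "url": LOGIN_URL,
     "body": "username=" + quote("{{" + ENCODED + "}}", safe="") + "&password=x"},
    {"src": "10.0.0.8", "method": "GET", "url": "/index.php", "body": ""},
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

This only covers the injection step. Because the stored value is rendered on a later request (last note above), a sensor should correlate a hit here with the subsequent GET from the same source, and the 302-to-login fingerprint in the second note is a separate, lower-confidence reconnaissance signal rather than something this block checks.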
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
CISA
PlaySMS Server-Side Template Injection Vulnerability
cisa · 2021-11-03 · CVSS 9.8 · CRITICAL · CWE-94
Affected: PlaySMS PlaySMS
PlaySMS contains a server-side template injection vulnerability that allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-8644
Remediation Due Date: 2022-05-03
GHSA
GHSA-q834-vxjw-r888: PlaySMS before 1
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-20
PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.
VulnCheck
PlaySMS Server-Side Template Injection Vulnerability
vulncheck · 2020 · CVSS 9.8 · CRITICAL · CWE-94
PlaySMS contains a server-side template injection vulnerability that allows for remote code execution.
Affected: PlaySMS PlaySMS
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/7f9ab9f4fabb
Remediation Due: 2022-05-03
No detection rules found.
Exploit-DB
PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)
exploitdb · 2020-04-16
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'PlaySMS index.php Unauthenticated Template Injection Code Execution',
'Description' => %q{
This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution
in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom
PHP template system called 'TPL' which is used in the PlaySMS template engine at
`src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a
malicious payload is submitted. This maliciou
```
Exploit-DB
PlaySMS 1.4.3 - Template Injection / Remote Code Execution
exploitdb · 2020-03-11
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'PlaySMS 1.4.3 Pre Auth Template Injection Remote Code
Execution',
'Description' => %q{
This module exploits a Preauth Server-Side Template Injection
leads remote code execution vulnerability in PlaySMS Before Version 1.4.3.
This issue is caused by Double processes a server-side template
by Custom PHP Template system called 'TPL'.
which is used in PlaySMS template engine location
src/Playsms/Tpl.php:_compile(). When Attacker supply username with a
malicious payload
and submit. This malicious payload first process by TPL and
save the value in the current template afte
```
Metasploit
PlaySMS index.php Unauthenticated Template Injection Code Execution
metasploit
This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom PHP template system called 'TPL' which is used in the PlaySMS template engine at `src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a second time, results in code execution. The TPL(https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection. This module was tested against PlaySMS 1.4 on HackTheBox's Forlic Mac
Nuclei
playSMS <1.4.3 - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
PlaySMS before version 1.4.3 is susceptible to remote code execution because it double processes a server-side template.
Template:
```yaml
id: CVE-2020-8644
info:
  name: playSMS <1.4.3 - Remote Code Execution
  author: dbrwsky
  severity: critical
  description: PlaySMS before version 1.4.3 is susceptible to remote code execution because it double processes a server-side template.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade playSMS to version 1.4.4 or later to mitigate this vulnerability.
  reference:
    - https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/
    - https://playsms.org/2020/02/05/playsm
```
References
- http://packetstormsecurity.com/files/157106/PlaySMS-index.php-Unauthenticated-Template-Injection-Code-Execution.html
- https://forum.playsms.org/t/playsms-1-4-3-has-been-released/2704
- https://playsms.org/2020/02/05/playsms-1-4-3-has-been-released/
- https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8644
Timeline
- 2020-02-05: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild