CVE-2022-24734
Published: 2022-03-09
Priority: P2 (68) · Severity: high · CVSS 3.1: 7.2
CVSS vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 77.68% (99.5th percentile)
MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB's Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string (`$options_code`; `mybb_settings.optionscode` database column) that identifies the setting type and its options, separated by a new line character (`\n`). In MyBB 1.2.0, support for setting type `php` was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mybb | mybb | — | — |
| mybb | mybb | >= 1.2.0 < 1.8.30 | 1.8.30 |
Detection & IOCs (extracted from sources)
- Detect POST requests to the MyBB Admin CP settings add endpoint containing a 'type' field value of '\tphp' (tab-prefixed 'php'), which bypasses type validation to inject executable PHP code.
- Monitor for HTTP POST requests to '/admin/index.php?module=config-settings&action=add' followed shortly by a GET to '/admin/index.php?module=config-settings&action=change' from the same session; this two-request pattern is the exploit's inject-then-trigger sequence.
- Alert on the presence of PHP system() call syntax (e.g., '" . system(') in the 'extra' or 'optionscode' fields of MyBB settings POST bodies, indicating code injection into the options code string.
- Look for the HTML element 'row_setting_<random_string>' appearing in the Change Settings page response, which is used by the exploit to retrieve command output from the injected PHP setting.
- The exploit requires an authenticated Admin CP session with 'Can manage settings?' permission; correlate Admin CP login events with subsequent settings add/change actions as a behavioral detection signal.
- After exploitation, the Metasploit module cleans up by deleting the injected setting; monitor for rapid add-then-delete cycles on MyBB settings as a post-exploitation indicator.
- Exploitation requires an authenticated Admin CP account; this is not an unauthenticated vulnerability. Detection should focus on privileged admin sessions, not anonymous traffic.
- There are no known workarounds for this vulnerability; patching to 1.8.30 is the only remediation.
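The indicators above can be turned into log-side detection logic. The following is an added example written for this page (it is not code from MyBB, Exploit-DB, or the Metasploit module): a small Python detector run over a constructed, simplified request log. It assumes a line format of `timestamp sess=<id> METHOD URL [body=<urlencoded form>]` and assumes the settings delete request uses `action=delete`; both are assumptions made here, not a documented MyBB format. It normalizes the `type` field (and the first line of `optionscode`, which per the description carries the setting type) before comparison so the tab-prefixed variant is not missed, checks for the `system(` marker in the `extra`/`optionscode` fields, correlates add, change and delete requests per session within a time window, and rates an add-then-change sequence high only when the added setting is of type `php`.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample log (not real traffic). Session a1 shows the inject-then-trigger
# sequence followed by cleanup; session b2 is a benign admin adding a text setting.
SAMPLE_LOG = [
    "2022-05-08T10:00:01Z sess=a1 POST /admin/index.php?module=config-settings&action=add "
    "body=name=x&type=%09php&extra=%22+.+system%28%27hostname%27%29+.+%22",
    "2022-05-08T10:00:03Z sess=a1 GET /admin/index.php?module=config-settings&action=change",
    # 'action=delete' is an assumption about the cleanup request, not from the advisory.
    "2022-05-08T10:00:05Z sess=a1 POST /admin/index.php?module=config-settings&action=delete body=sid=42",
    "2022-05-08T11:00:00Z sess=b2 POST /admin/index.php?module=config-settings&action=add "
    "body=name=y&type=text&extra=",
    "2022-05-08T11:00:09Z sess=b2 GET /admin/index.php?module=config-settings&action=change",
]

# Assumed log line shape: "<ISO timestamp> sess=<id> <METHOD> <URL> [body=<urlencoded form>]".
LINE_RE = re.compile(r"^(\S+) sess=(\S+) (GET|POST) (\S+)(?: body=(.*))?$")


def parse_line(line):
    """Split one log line into timestamp, session, method, module/action and form fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sess, method, url, body = m.groups()
    query = parse_qs(urlparse(url).query)
    form = parse_qs(body or "", keep_blank_values=True)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "session": sess,
        "method": method,
        "module": query.get("module", [""])[0],
        "action": query.get("action", [""])[0],
        "form": {k: v[0] for k, v in form.items()},
    }


def setting_type(form):
    """Setting type as submitted: the 'type' field, else the first line of the
    options code (type and options are newline-separated). Whitespace is stripped
    so the tab-prefixed variant ('\\tphp') compares equal to 'php'."""
    raw = form.get("type") or form.get("optionscode", "").split("\n", 1)[0]
    return raw.strip().lower()


def has_code_marker(form):
    """True when the PHP system() call syntax appears in the injectable fields."""
    return any("system(" in form.get(field, "") for field in ("extra", "optionscode"))


def analyze(lines, window_seconds=60):
    """Return (session, finding, severity) tuples for config-settings activity."""
    events = [e for e in map(parse_line, lines) if e and e["module"] == "config-settings"]
    by_session = {}
    for e in events:
        by_session.setdefault(e["session"], []).append(e)

    findings = []
    for sess, evs in by_session.items():
        for add in (e for e in evs if e["method"] == "POST" and e["action"] == "add"):
            php = setting_type(add["form"]) == "php"
            if php:
                findings.append((sess, "php-setting-type", "high"))
            if has_code_marker(add["form"]):
                findings.append((sess, "code-in-options", "high"))
            # Requests from the same session shortly after the add.
            later = [e for e in evs
                     if 0 <= (e["ts"] - add["ts"]).total_seconds() <= window_seconds]
            if any(e["method"] == "GET" and e["action"] == "change" for e in later):
                # Viewing Change Settings after an add is normal admin work unless the
                # added setting is of type php, which is the trigger step.
                findings.append((sess, "add-then-change", "high" if php else "low"))
            if any(e["method"] == "POST" and e["action"] == "delete" for e in later):
                findings.append((sess, "add-then-delete", "medium"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Because the type check strips whitespace before comparing, a rule keyed on the literal string `\tphp` is not needed; any whitespace-padded variant of the type collapses to the same value. The add-then-change correlation is deliberately rated low on its own, since legitimate administrators produce that sequence routinely, and is promoted only when paired with the `php` type indicator.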
CVSS provenance
- NVD, CVSS v3.1: 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No advisories linked to this vulnerability.
No detection rules found.
Exploit-DB
MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
exploitdb · 2022-05-11 · CVSS 7.2 · CVE-2022-24734 [HIGH]
---
```python
# Exploit Title: MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-05-08
# Exploit Author: Altelus
# Vendor Homepage: https://mybb.com/
# Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1829
# Version: MyBB 1.8.29
# Tested on: Linux
# CVE : CVE-2022-24734
# An RCE can be obtained on MyBB's Admin CP in Configuration -> Add New Setting.
# The user must have rights to add or update settings. This is tested on MyBB 1.8.29.
# The vulnerability may have existed as early as 1.4.0 since this
# 'php' checking is introduced in 1.4.0 (https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f)
import requests
import argparse
import random
import string
from base64 import b64de
```
Metasploit
MyBB Admin Control Code Injection RCE
metasploit
This exploit module leverages an improper input validation vulnerability in MyBB prior to `1.8.30` to execute arbitrary code in the context of the user running the application. MyBB Admin Control setting page calls PHP `eval` function with an unsanitized user input. The exploit adds a new setting, injecting the payload in the vulnerable field, and triggers its execution with a second request. Finally, it takes care of cleaning up and removes the setting. Note that authentication is required for this exploit to work and the account must have rights to add or update settings (typically, myBB administrator role).
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/167082/MyBB-1.8.29-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167333/MyBB-Admin-Control-Remote-Code-Execution.html
- https://github.com/mybb/mybb/commit/92012b9831b330714b9f9b4646a98784113489c1
- https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f
- https://mybb.com/versions/1.8.30/
- https://www.zerodayinitiative.com/advisories/ZDI-22-503/