CVE-2023-46865
📋 TL;DR
This vulnerability allows authenticated superadmin users in Crater invoice software to execute arbitrary PHP code by embedding malicious code within PNG image files uploaded as company logos. It affects Crater installations through version 6.0.6. The attack requires superadmin privileges but leads to full server compromise.
💻 Affected Systems
- Crater Invoice
📦 What is this software?
Crater by Craterapp
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with attacker gaining full control over the web server, accessing sensitive data, and potentially pivoting to other systems.
Likely Case
Superadmin account compromise leading to data theft, invoice manipulation, and installation of backdoors.
If Mitigated
Limited impact if proper access controls restrict superadmin accounts and file upload validation is enforced.
🎯 Exploit Status
Exploit requires authenticated superadmin access. Public proof-of-concept code is available showing how to embed PHP code in PNG IDAT chunks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.7 and later
Vendor Advisory: https://github.com/crater-invoice/crater/pull/1271
Restart Required: No
Instructions:
1. Update Crater to version 6.0.7 or later.
2. Apply the patch from GitHub pull request #1271 if updating is not possible.
3. Verify the fix by checking that uploaded images are properly validated.
🔧 Temporary Workarounds
Restrict superadmin access
Limit superadmin account usage and implement strict access controls for administrative functions.
Disable logo upload functionality
Temporarily disable the company logo upload feature until patched.
🧯 If You Can't Patch
- Implement strict file upload validation to reject PNG files containing PHP code in IDAT chunks.
- Monitor and audit all superadmin account activities and file uploads to the /api/v1/company/upload-logo endpoint.
🔍 How to Verify
Check if Vulnerable:
Check if Crater version is 6.0.6 or earlier and verify if the /api/v1/company/upload-logo endpoint exists without proper file validation.
Check Version:
Check composer.json or the application configuration for the version number, or run: php artisan --version (if using Laravel's artisan)
Verify Fix Applied:
Verify Crater version is 6.0.7 or later and test that PNG files with embedded PHP code in IDAT chunks are rejected.
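The two checks above ("reject PNG files containing PHP code in IDAT chunks" and "test that PNG files with embedded PHP code in IDAT chunks are rejected") can be exercised with a small server-side validator. The following Python script is an added example and is not code from Crater or from pull request #1271: it walks the PNG chunk structure, verifies each chunk CRC, flags bytes appended after IEND, and scans both the raw file and the inflated IDAT stream for PHP open tags (the compressed form normally hides a tag from a plain byte grep, which is why the stream is inflated before scanning). The `build_png` helper, the `check_logo` function and the two sample logos are constructed for this example; the tag list and thresholds are assumptions to adjust for your deployment.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# PHP open tags that a PHP handler would act on if the file were ever executed (assumed list)
PHP_TAGS = (b"<?php", b"<?=")


def parse_chunks(data: bytes) -> tuple[list[tuple[bytes, bytes]], int]:
    """Return ([(type, payload), ...], bytes_after_IEND); raise ValueError on a malformed file."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        # CRC covers the type code and the payload, not the length field
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC on chunk %r" % ctype)
        chunks.append((ctype, payload))
        pos = end + 4
        if ctype == b"IEND":
            break
    if not chunks or chunks[-1][0] != b"IEND":
        raise ValueError("missing IEND")
    return chunks, len(data) - pos


def find_php_tags(blob: bytes) -> list[bytes]:
    return [tag for tag in PHP_TAGS if tag in blob]


def check_logo(data: bytes) -> list[str]:
    """Return the reasons to reject an uploaded logo; an empty list means it passed."""
    reasons = []
    try:
        chunks, trailing = parse_chunks(data)
    except ValueError as exc:
        return [f"malformed PNG: {exc}"]
    if chunks[0][0] != b"IHDR":
        reasons.append("first chunk is not IHDR")
    if trailing:
        reasons.append(f"{trailing} bytes after IEND")
    if find_php_tags(data):
        reasons.append("PHP open tag in raw file bytes")
    idat = b"".join(payload for ctype, payload in chunks if ctype == b"IDAT")
    try:
        pixels = zlib.decompress(idat)
    except zlib.error:
        reasons.append("IDAT stream does not decompress")
    else:
        if find_php_tags(pixels):
            reasons.append("PHP open tag in decompressed IDAT data")
    return reasons


# --- constructed fixtures for testing the validator (not real uploads) ---
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(rows: bytes, width: int, height: int) -> bytes:
    """Minimal 8-bit grayscale PNG; `rows` already carries one filter byte per scanline."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


CLEAN_LOGO = build_png(b"\x00" + bytes(range(16)), 16, 1)          # one row of 16 gray pixels
TAINTED_LOGO = build_png(b"\x00" + b"<?php echo 1;?>", 15, 1)       # pixel bytes spell a PHP tag

if __name__ == "__main__":
    for name, logo in (("clean", CLEAN_LOGO), ("tainted", TAINTED_LOGO)):
        print(name, check_logo(logo) or "accepted")
```

This is a heuristic filter, not a substitute for the 6.0.7 fix: a validator that only greps for tags can be bypassed by encodings it does not anticipate, so pair it with the upgrade and with re-encoding uploaded images through a trusted image library before they are stored.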
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /api/v1/company/upload-logo
- Superadmin account performing unexpected logo uploads
- PHP execution errors from uploaded files
Network Indicators:
- POST requests to /api/v1/company/upload-logo with PNG files
- Unusual outbound connections from web server after logo uploads
SIEM Query:
source="web_logs" AND (url="/api/v1/company/upload-logo" OR file_upload="*.png") AND user_role="superadmin"
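The SIEM query above only selects upload requests; what makes one of them worth an analyst's time is context such as a burst of uploads from a single account or an upload that succeeded for a role that should not have the permission. The following Python script is an added example, not part of the original advisory or of Crater: it applies those two rules to constructed JSON-per-line web log records. The field names (`ts`, `user`, `role`, `method`, `path`, `status`), the 10-minute window and the threshold of two uploads are assumptions to map onto your own log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

UPLOAD_PATH = "/api/v1/company/upload-logo"
BURST_WINDOW = timedelta(minutes=10)   # assumed window
BURST_THRESHOLD = 2                    # more uploads than this per window is unusual (assumed)

# Constructed sample log lines (hypothetical schema, not real traffic)
SAMPLE_LOG = "\n".join([
    '{"ts": "2023-11-20T09:00:00", "user": "alice", "role": "superadmin", "method": "POST", "path": "/api/v1/company/upload-logo", "status": 200}',
    '{"ts": "2023-11-20T09:00:05", "user": "alice", "role": "superadmin", "method": "GET", "path": "/api/v1/company", "status": 200}',
    '{"ts": "2023-11-20T21:14:00", "user": "svc-admin", "role": "superadmin", "method": "POST", "path": "/api/v1/company/upload-logo", "status": 200}',
    '{"ts": "2023-11-20T21:14:30", "user": "svc-admin", "role": "superadmin", "method": "POST", "path": "/api/v1/company/upload-logo", "status": 200}',
    '{"ts": "2023-11-20T21:15:10", "user": "svc-admin", "role": "superadmin", "method": "POST", "path": "/api/v1/company/upload-logo", "status": 200}',
    '{"ts": "2023-11-20T21:16:00", "user": "bob", "role": "admin", "method": "POST", "path": "/api/v1/company/upload-logo", "status": 403}',
])


def logo_uploads(log_text: str) -> list[dict]:
    """Equivalent of the SIEM selection: every POST to the logo upload endpoint."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["method"] == "POST" and rec["path"] == UPLOAD_PATH:
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events


def privilege_alerts(events: list[dict]) -> list[dict]:
    """A successful upload by a non-superadmin contradicts the documented access model."""
    return [{"rule": "upload-by-non-superadmin", "user": e["user"], "role": e["role"]}
            for e in events if e["role"] != "superadmin" and 200 <= e["status"] < 300]


def burst_alerts(events: list[dict]) -> list[dict]:
    """Flag any account exceeding BURST_THRESHOLD uploads inside one BURST_WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, stamps in by_user.items():
        stamps.sort()
        # sliding window: for each upload, count uploads that follow within the window
        best = max(sum(1 for t in stamps[i:] if t - start <= BURST_WINDOW)
                   for i, start in enumerate(stamps))
        if best > BURST_THRESHOLD:
            alerts.append({"rule": "upload-burst", "user": user, "count": best})
    return alerts


def detect(log_text: str) -> list[dict]:
    events = logo_uploads(log_text)
    return privilege_alerts(events) + burst_alerts(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it against the sample yields one alert for `svc-admin` (three uploads in under two minutes) and none for `alice` (a single upload) or `bob` (his request was refused). Feed it the `/api/v1/company/upload-logo` hits exported from your SIEM query to get the same triage over real traffic.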
🔗 References
- https://github.com/asylumdx/Crater-CVE-2023-46865-RCE
- https://github.com/crater-invoice/crater/issues/1267
- https://github.com/crater-invoice/crater/pull/1271
- https://notes.netbytesec.com/2023/11/post-auth-rce-in-crater-invoice.html