CVE-2024-35373
📋 TL;DR
Mocodo Online versions 4.2.6 and below contain a remote code execution vulnerability in the rewrite.php file. Attackers can execute arbitrary code on affected servers, potentially compromising the entire system. This affects all deployments running vulnerable versions of Mocodo Online.
💻 Affected Systems
- Mocodo Online (vendor: Mocodo), versions 4.2.6 and below
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Attackers gain shell access to the web server, allowing them to read/write files, access databases, and potentially compromise other services on the same host.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place, though the web application would still be compromised.
🎯 Exploit Status
The vulnerability is publicly documented with proof-of-concept details available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any version later than 4.2.6
Vendor Advisory: https://github.com/laowantong/mocodo
Restart Required: No
Instructions:
1. Update Mocodo Online to the latest version.
2. Replace the vulnerable rewrite.php file with the patched version.
3. Verify the fix by checking the file modification date and version number.
🔧 Temporary Workarounds
Disable rewrite.php access
Block access to the vulnerable rewrite.php file via the web server configuration:
# Apache: Add to .htaccess (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead of the Order/Deny lines)
<Files "rewrite.php">
Order allow,deny
Deny from all
</Files>
# Nginx: Add to server block
location ~ /rewrite\.php$ {
deny all;
return 403;
}
Remove vulnerable file
Delete or rename the rewrite.php file if it is not required for functionality (choose one of the two commands):
# Either delete it outright
rm /path/to/mocodo/web/rewrite.php
# Or rename it so the web server no longer serves it
mv /path/to/mocodo/web/rewrite.php /path/to/mocodo/web/rewrite.php.disabled
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the Mocodo web interface
- Deploy a web application firewall (WAF) with rules to block RCE attempts and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check if rewrite.php exists in the web directory and if the Mocodo version is 4.2.6 or below
Check Version:
Check the Mocodo configuration files or admin interface for version information
Verify Fix Applied:
Verify the rewrite.php file has been updated or removed, and confirm the Mocodo version is above 4.2.6
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /web/rewrite.php
- Commands like system(), exec(), shell_exec() in web logs
- Unexpected process execution from web server user
Network Indicators:
- HTTP requests to rewrite.php with suspicious parameters
- Outbound connections from web server to unexpected destinations
SIEM Query:
source="web_logs" AND (url="/web/rewrite.php" OR url CONTAINS "rewrite.php") AND (method="POST" OR parameters CONTAINS "cmd" OR parameters CONTAINS "system")
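A small log-scanning script that applies the indicators above (POST to rewrite.php, a cmd parameter, PHP call names such as system() in the query) to access-log lines, as an added example that is not part of this advisory; the combined log format, the indicator names and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlparse, parse_qs

# Assumed Apache/Nginx "combined" format prefix; the request line is "METHOD PATH PROTO".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Parameter name and PHP call names the advisory lists as indicators.
SUSPICIOUS_PARAMS = {"cmd"}
SUSPICIOUS_TOKENS = ("system(", "exec(", "shell_exec(")

def classify(line):
    """Return the list of indicator names matched by one access-log line (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parsed = urlparse(m.group("target"))
    if not parsed.path.endswith("rewrite.php"):
        return []
    hits = []
    if m.group("method") == "POST":
        hits.append("post-to-rewrite.php")
    query = parse_qs(parsed.query, keep_blank_values=True)
    if SUSPICIOUS_PARAMS & {k.lower() for k in query}:
        hits.append("cmd-parameter")
    # URL-decode so percent-encoded parentheses still match the call names.
    decoded = unquote_plus(parsed.query).lower()
    if any(tok in decoded for tok in SUSPICIOUS_TOKENS):
        hits.append("php-call-in-query")
    return hits

def scan(lines):
    """Yield (line_number, client_ip, indicators) for each line matching at least one indicator."""
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            yield n, LOG_RE.match(line).group("ip"), hits

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /web/rewrite.php?x=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2024:12:00:02 +0000] "POST /web/rewrite.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Jun/2024:12:00:03 +0000] "GET /web/rewrite.php?cmd=id HTTP/1.1" 200 64',
    '198.51.100.7 - - [10/Jun/2024:12:00:04 +0000] "GET /web/rewrite.php?q=system%28%29 HTTP/1.1" 500 0',
    '192.0.2.9 - - [10/Jun/2024:12:00:05 +0000] "GET /web/index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, ip, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {', '.join(hits)}")
```

Feed the script the real access log (one line per list element, or a file iterator) to get the same three flagged lines the SIEM query above would return.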
🔗 References
- https://chocapikk.com/posts/2024/mocodo-vulnerabilities/
- https://github.com/laowantong/mocodo/blob/11ca879060a68e06844058cd969c6379214cc2a8/web/rewrite.php#L45