CraftCMS vCard Plugin Deserialization Vulnerability Leading to Remote Code Execution
Vulnerability
A deserialization vulnerability leading to remote code execution has been identified in the vCard plugin for CraftCMS 3, specifically in plugin version 1.0.0. The vulnerability arises because the plugin's vCard download feature passes serialized data it receives from the request to the PHP unserializer without adequate validation, allowing an unauthenticated attacker to execute arbitrary PHP code by sending a crafted payload. Exploitation consists of generating a malicious serialized object that, when deserialized by the plugin, executes arbitrary code on the server.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server where CraftCMS is running.
Reproduction
To reproduce this vulnerability, upload the provided Python script 'exploit_vcard.py' to a server with the CraftCMS 3 vCard plugin 1.0.0 installed. The script runs under Python 3.6 or later. The vCard parameter must be replaced with a malicious payload that has been encrypted using the plugin's default salt. Once the payload is delivered, deserialization is triggered and a shell.php file is created in the web root; this file can then be accessed to execute commands on the server.
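The bug class described in the Vulnerability and Reproduction sections above, shown as an added illustration that is not the vCard plugin's own code: a download handler that unserializes request data, beside a hardened replacement that authenticates a JSON blob under a per-install secret and never instantiates objects from client input. The function names, the field list and the secret are assumptions.

```php
<?php
// VULNERABLE PATTERN: request data handed straight to unserialize(). Any autoloadable
// class with a magic method (__wakeup, __destruct, __toString, ...) becomes a gadget,
// which is what turns attacker-controlled serialized data into code execution.
function vulnerableDecode(string $raw)
{
    return unserialize($raw);
}

// HARDENED PATTERN: the client never chooses the format or the classes.
//  1. Authenticate the blob with an HMAC under a per-install secret read from config,
//     not a default salt shipped with the plugin, compared in constant time.
//  2. Decode as JSON, which yields only scalars and arrays, never objects.
//  3. Keep only the fields the vCard actually needs.
function hardenedDecode(string $raw, string $secret): ?array
{
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payloadB64, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payloadB64, $secret), $mac)) {
        return null;                                   // forged or tampered token
    }
    $json = base64_decode($payloadB64, true);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data)) {
        return null;
    }
    $clean = [];
    foreach (['fn', 'email', 'tel', 'org'] as $key) {   // assumed vCard field whitelist
        if (isset($data[$key]) && is_string($data[$key])) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

// Issuing side: the server builds the token, so its content cannot be altered in transit.
function issueToken(array $fields, string $secret): string
{
    $payloadB64 = base64_encode(json_encode($fields, JSON_THROW_ON_ERROR));
    return $payloadB64 . '.' . hash_hmac('sha256', $payloadB64, $secret);
}

// Constructed demo with a constructed secret; a real deployment reads it from config.
$secret = 'constructed-per-install-secret';
$token  = issueToken(['fn' => 'Ada Lovelace', 'email' => 'ada@example.org'], $secret);
var_dump(hardenedDecode($token, $secret));       // array with fn and email
var_dump(hardenedDecode($token . 'x', $secret));  // NULL: MAC mismatch
```

If a legacy code path must keep calling unserialize(), passing `['allowed_classes' => false]` as its second argument removes the object-instantiation step the gadget chains depend on, but replacing the format as above is the more robust fix.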
