request #10118 Remote code execution through object unserialization of a user's recent elements

Artifact

Infos

Artifact ID#10118

Submitted byThomas Gerbet (tgerbet)

Last Modified On2017-04-28 23:20

Submitted on2017-04-03 15:37

Rank10398

Details

Summary *

Remote code execution through object unserialization of a user's recent elements

Original Submission

A remote code execution can be achieved by any user by setting a well crafted user's preference.

Impact

An attacker could use this vulnerability to execute code on the server as the codendiadm user.
CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Exploitation

The method User::getRecentsElements() is using unserialize() on data that can be arbitrarily manipulated by a user through the REST API leading to an object injection.

You can find attached a proof of concept to demonstrate the vulnerability.

References

The CVE ID CVE-2017-7411 has been attributed to this vulnerability.

https://cwe.mitre.org/data/definitions/502.html
https://www.owasp.org/index.php/PHP_Object_Injection

Credit

Thank you to Egidio Romano from Karma(In)Security to report and coordinate with us the disclosure of this vulnerability.

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toEmpty

StatusClosed

Close date2017-04-19

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #10042	Tuleap	Releases	9.7	Delivered	2017-04-27 15:37	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

Attachments

By Thomas Gerbet (tgerbet)

(2 kB)

poc.php

References

Cross references

Referencing request #10118

Artifact Tracker v5

request #10149 Modifying an artifact without doing any changes throws a fatal error

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/82/8082/5' of ssh://gerrit.tuleap.net:29418/tuleap into stable c430320f57

Nicolas Terray (nterray) , 2017-04-05 11:28

request #10118: Remote code execution through object unserialization of a user's recent elements f140d26eb5

Thomas Gerbet (tgerbet) , 2017-04-05 10:37

Remove the cookies used by PHPWiki 689f824820

Thomas Gerbet (tgerbet) , 2017-04-05 21:51

Remove the usage of unserialize() for the user's feedbacks 9f7e4072b6

Thomas Gerbet (tgerbet) , 2017-04-05 15:04

Do not try anymore to open the non existing dump config file of PHPWiki adf5e6a24f

Thomas Gerbet (tgerbet) , 2017-04-06 10:20

Remove unused cache code in PHPWiki 37e1fcef1e

Thomas Gerbet (tgerbet) , 2017-04-11 16:17

Show items referenced by request #10118

Referenced by request #10118

Artifact Tracker v5

rel #10042 9.7

Other

Follow-ups

Thomas Gerbet (tgerbet)

2017-04-28 23:20

Public disclosure.

Yannis ROSSETTO (rossettoy)

2017-04-19 10:47

PHPWiki part integrated into 9.6.99.90

Status changed from Under implementation to Closed
Connected artifacts
- Added Fixed in: rel #10042
Close date set to 2017-04-19

Thomas Gerbet (tgerbet)

2017-04-12 11:31

Updating the PoC, having a usable POP chain is not necessary to demonstrate the vulnerability.

Attachments poc.php removed; poc.php added

Thomas Gerbet (tgerbet)

2017-04-07 16:32

Last contribution to try to clean up PHPWiki: gerrit #8121

Manuel Vacelet (vaceletm)

2017-04-07 15:41

gerrit #8105 integrated in Tuleap 9.6.99.46

Nicolas Terray (nterray)

2017-04-06 16:19

gerrit #8092 integrated into Tuleap 9.6.99.34

Nicolas Terray (nterray)

2017-04-06 09:48

gerrit #8100 integrated into Tuleap 9.6.99.28

Thomas Gerbet (tgerbet)

2017-04-05 17:39

The clean up of PHPWiki begins in this contribution: gerrit #8100.

Thomas Gerbet (tgerbet)

2017-04-05 15:07

A contribution is under review to remove the usage of unserialize() in the feedback's response: gerrit #8092.

Nicolas Terray (nterray)

2017-04-05 11:31

gerrit #8082 integrated into Tuleap 9.6.99.22

Thomas Gerbet (tgerbet)

2017-04-04 15:51

In order to fix the issue and to ensure we do not have a similar issue elsewhere, I intend to go through the whole Tuleap codebase to remove all the unserialize() usage or at the bare minimum be fairly certain we do not unserialize data that can be arbitrarily manipulated.

A first look show usages in:
* User::getMostRecents() (which is the origin of the reported vulnerablity)
* Feedback's responses
* SimplePie library
* PHPWiki

A fix for the initial vulnerability is available here: gerrit #8082.

Thomas Gerbet (tgerbet)

2017-04-04 15:36

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Thomas Gerbet (tgerbet)

2017-04-04 15:34

Attachments ~~poc.php~~ added

Thomas Gerbet (tgerbet)

2017-04-04 15:33

Add credits, CVE ID and the proof of concept code provided by the reporter.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes
Status changed from Verified to Under implementation