request #10118 - Remote code execution through object unserialization of a user's recent elements

#10118
Thomas Gerbet (tgerbet)
2017-04-28 23:20
2017-04-03 15:37
9213

Details
    Remote code execution through object unserialization of a user's recent elements

Remote code execution can be achieved by any user by setting a well-crafted user preference.

    Impact

    An attacker could use this vulnerability to execute code on the server as the codendiadm user.
    CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

The method User::getRecentsElements() uses unserialize() on data that can be arbitrarily manipulated by a user through the REST API, leading to an object injection.

    You can find attached a proof of concept to demonstrate the vulnerability.
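As an added illustration (not Tuleap's code and not the attached proof of concept), the vulnerable pattern of reading a user preference with unserialize() is shown beside two hardened readers; the function names, the preference layout and the PHP 7 allowed_classes option are assumptions, and the JSON variant is the direction the follow-ups describe (removing unserialize() on user-controlled data).

```php
<?php
// Added illustration, not Tuleap's code; names are hypothetical. A preference
// holds a serialized value: the vulnerable reader unserializes it, the two
// hardened readers never instantiate objects from it.

// Constructed preference value, as a client could submit it through a
// preferences endpoint. Only a plain list of recent elements is legitimate.
$legitimatePref = serialize([['type' => 'artifact', 'id' => 42]]);

// Vulnerable: every object embedded in the string is instantiated and its
// magic methods (__wakeup, __destruct, __toString, ...) run, so whoever
// writes the preference chooses which classes get instantiated.
function getRecentElementsUnsafe(string $pref): array
{
    $data = unserialize($pref);              // object injection sink
    return is_array($data) ? $data : [];
}

// Keep only entries of the expected shape: string type, integer id.
function filterRecentElements($data): array
{
    $clean = [];
    foreach (is_array($data) ? $data : [] as $entry) {
        if (is_array($entry) && isset($entry['type'], $entry['id'])
            && is_string($entry['type']) && is_int($entry['id'])) {
            $clean[] = ['type' => $entry['type'], 'id' => $entry['id']];
        }
    }
    return $clean;
}

// Hardened (PHP >= 7.0): forbid object instantiation during unserialize().
// Embedded objects become __PHP_Incomplete_Class and fail the shape check.
function getRecentElementsNoClasses(string $pref): array
{
    return filterRecentElements(@unserialize($pref, ['allowed_classes' => false]));
}

// Hardened, and what the follow-ups work toward: no PHP serialization of
// user-controlled data at all. JSON decoded with assoc=true can only yield
// scalars and arrays, never objects.
function storeRecentElements(array $elements): string
{
    return json_encode(filterRecentElements($elements));
}
function getRecentElementsJson(string $pref): array
{
    return filterRecentElements(json_decode($pref, true));
}

var_dump(getRecentElementsNoClasses($legitimatePref));
```

The shape filter matters in both hardened variants: an unserialize() call with allowed_classes disabled still returns whatever structure the client sent, so the reader has to validate it before use.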

    References

    The CVE ID CVE-2017-7411 has been attributed to this vulnerability.

    https://cwe.mitre.org/data/definitions/502.html
    https://www.owasp.org/index.php/PHP_Object_Injection

    Credit

Thank you to Egidio Romano from Karma(In)Security for reporting this vulnerability and coordinating its disclosure with us.

Status: Closed
Close date: 2017-04-19

    Follow-ups

• Public disclosure.
• PHPWiki part integrated into 9.6.99.90

  • Status changed from Under implementation to Closed
  • Connected artifacts
  • Close date set to 2017-04-19
• Updating the PoC, having a usable POP chain is not necessary to demonstrate the vulnerability.

  • Attachments poc.php removed; poc.php added
• Last contribution to try to clean up PHPWiki: gerrit #8121
• gerrit #8105 integrated in Tuleap 9.6.99.46
• gerrit #8092 integrated into Tuleap 9.6.99.34
• gerrit #8100 integrated into Tuleap 9.6.99.28
• The clean up of PHPWiki begins in this contribution: gerrit #8100.
• A contribution is under review to remove the usage of unserialize() in the feedback's response: gerrit #8092.
• gerrit #8082 integrated into Tuleap 9.6.99.22
• In order to fix the issue and to ensure we do not have a similar issue elsewhere, I intend to go through the whole Tuleap codebase to remove all the unserialize() usage or at the bare minimum be fairly certain we do not unserialize data that can be arbitrarily manipulated.

  A first look shows usages in:
  * User::getMostRecents() (which is the origin of the reported vulnerability)
  * Feedback's responses
  * SimplePie library
  * PHPWiki

  A fix for the initial vulnerability is available here: gerrit #8082.
• Original Submission
• Attachments poc.php added
• Add credits, CVE ID and the proof of concept code provided by the reporter.

  • Original Submission
  • Status changed from Verified to Under implementation