      request #10118 Remote code execution through object unserialization of a user's recent elements
    Infos
    #10118
    Thomas Gerbet (tgerbet)
    2017-04-28 23:20
    2017-04-03 15:37
    10128
    Details
    Remote code execution through object unserialization of a user's recent elements

    Remote code execution can be achieved by any authenticated user by storing a well-crafted user preference.

    Impact

    An attacker could use this vulnerability to execute code on the server as the codendiadm user.
    CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    The method User::getRecentsElements() calls unserialize() on data that a user can arbitrarily manipulate through the REST API, leading to PHP object injection: the serialized string chooses which classes get instantiated, and any magic method (__wakeup, __destruct, __toString, ...) of a loadable class runs with attacker-controlled properties.

    You can find attached a proof of concept to demonstrate the vulnerability.
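    The following is an added illustration of the sink described above, not Tuleap's code and not the attached proof of concept: a "recent elements" preference read back with unserialize(), beside two hardened readers. The CacheFile gadget class, the preference layout (a list of type/id pairs) and the payload are constructed for this example, and PHP 7.4 or later is assumed for typed properties.

```php
<?php
// Added illustration, not Tuleap's code. The gadget, the preference layout and
// the payload are constructed; the real sink is User::getRecentsElements().
declare(strict_types=1);

// Constructed gadget: any class the autoloader can find whose magic method has
// a side effect can be instantiated by unserialize() and fired, no other code
// path needed. Here __destruct writes a file.
final class CacheFile
{
    public string $path = '';
    public string $content = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Vulnerable reader: $stored is whatever the user wrote via the REST API.
function getRecentElementsVulnerable(string $stored): array
{
    $recents = unserialize($stored); // attacker picks the class names
    return is_array($recents) ? $recents : [];
}

// Hardened reader 1 (PHP >= 7.0): refuse to instantiate any class, then keep
// only the expected scalar shape. Objects decode to __PHP_Incomplete_Class,
// which has no magic methods and is dropped by normaliseRecents().
function getRecentElementsHardened(string $stored): array
{
    $recents = @unserialize($stored, ['allowed_classes' => false]);
    return normaliseRecents(is_array($recents) ? $recents : []);
}

// Hardened reader 2: store user-controlled structures as JSON, a format that
// cannot instantiate objects at all.
function getRecentElementsJson(string $stored): array
{
    $recents = json_decode($stored, true, 4);
    return normaliseRecents(is_array($recents) ? $recents : []);
}

// Whitelist the structure: a list of ['type' => string, 'id' => int].
function normaliseRecents(array $recents): array
{
    $clean = [];
    foreach ($recents as $entry) {
        if (is_array($entry)
            && isset($entry['type'], $entry['id'])
            && is_string($entry['type']) && is_int($entry['id'])) {
            $clean[] = ['type' => $entry['type'], 'id' => $entry['id']];
        }
    }
    return $clean;
}

// --- Demo ---------------------------------------------------------------
$legit = serialize([['type' => 'tracker', 'id' => 42], ['type' => 'wiki', 'id' => 7]]);

// Constructed payload: a CacheFile whose destructor drops a marker file.
// "CacheFile" is 9 bytes, "path" 4, "content" 7, "fired!" 6.
$marker  = sys_get_temp_dir() . '/unserialize-gadget-fired';
$payload = sprintf(
    'O:9:"CacheFile":2:{s:4:"path";s:%d:"%s";s:7:"content";s:6:"fired!";}',
    strlen($marker), $marker
);

@unlink($marker);
var_dump(getRecentElementsVulnerable($legit)); // two entries, as intended
getRecentElementsVulnerable($payload);         // returns [], but __destruct ran
echo file_exists($marker) ? "vulnerable: gadget fired\n" : "no side effect\n";

@unlink($marker);
getRecentElementsHardened($payload);           // incomplete class, no destructor
getRecentElementsJson(json_encode([['type' => 'tracker', 'id' => 42]]));
echo file_exists($marker) ? "gadget fired\n" : "hardened: no side effect\n";
@unlink($marker);
```

    Note that `allowed_classes => false` only stops instantiation; unserialize() still parses arbitrarily nested arrays from the input, so the shape check afterwards is not optional. Moving the preference to JSON removes the native format from the user-controlled path entirely, which is the direction the follow-ups below take for the other unserialize() call sites.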

    References

    The CVE ID CVE-2017-7411 has been assigned to this vulnerability.

    https://cwe.mitre.org/data/definitions/502.html
    https://www.owasp.org/index.php/PHP_Object_Injection

    Credit

    Thank you to Egidio Romano from Karma(In)Security for reporting this vulnerability and coordinating its disclosure with us.

    Status: Closed
    Close date: 2017-04-19

    Follow-ups

    • Thomas Gerbet (tgerbet), 2017-04-28 23:20
      Public disclosure.
    • PHPWiki part integrated into 9.6.99.90

      • Status changed from Under implementation to Closed
      • Connected artifacts
      • Close date set to 2017-04-19
    • Thomas Gerbet (tgerbet), 2017-04-12 11:31
      Updating the PoC, having a usable POP chain is not necessary to demonstrate the vulnerability.

      • Attachments poc.php removed; poc.php added
    • Thomas Gerbet (tgerbet), 2017-04-07 16:32
      Last contribution to try to clean up PHPWiki: gerrit #8121
    • gerrit #8105 integrated in Tuleap 9.6.99.46
    • gerrit #8092 integrated into Tuleap 9.6.99.34
    • gerrit #8100 integrated into Tuleap 9.6.99.28
    • Thomas Gerbet (tgerbet), 2017-04-05 17:39
      The clean up of PHPWiki begins in this contribution: gerrit #8100.
    • Thomas Gerbet (tgerbet), 2017-04-05 15:07
      A contribution is under review to remove the usage of unserialize() in the feedback's response: gerrit #8092.
    • gerrit #8082 integrated into Tuleap 9.6.99.22
    • Thomas Gerbet (tgerbet), 2017-04-04 15:51
      In order to fix the issue and to ensure we do not have a similar issue elsewhere, I intend to go through the whole Tuleap codebase to remove all the unserialize() usage or, at the bare minimum, be fairly certain we do not unserialize data that can be arbitrarily manipulated.

      A first look shows usages in:
      * User::getMostRecents() (which is the origin of the reported vulnerability)
      * Feedback's responses
      * SimplePie library
      * PHPWiki

      A fix for the initial vulnerability is available here: gerrit #8082.
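    As an added example of the audit described in the comment above (this is not Tuleap's code and not any of the gerrit contributions referenced in this thread), the script below enumerates unserialize() call sites with PHP's tokenizer rather than grep, so method calls, declarations and comments do not create noise, and flags the calls that pass no allowed_classes option. The sample source at the bottom is constructed for the demo; point the script at a checkout to scan a real tree.

```php
<?php
// Added audit helper, not Tuleap's code. Lists unserialize() calls in a PHP
// tree and flags those without an allowed_classes option. Sample is constructed.
declare(strict_types=1);

// One entry per call: file, line, argument text, restricted or not.
function findUnserializeCalls(string $code, string $file = '<string>'): array
{
    $tokens   = token_get_all($code);
    $count    = count($tokens);
    $findings = [];

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue;
        }
        // PHP 8 tokenizes "\unserialize" as a single T_NAME_FULLY_QUALIFIED.
        $isName = $tok[0] === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $tok[0] === T_NAME_FULLY_QUALIFIED);
        if (!$isName || strcasecmp(ltrim($tok[1], '\\'), 'unserialize') !== 0) {
            continue;
        }
        // Skip $obj->unserialize(), Foo::unserialize() and "function unserialize(".
        $prev = previousSignificant($tokens, $i);
        if (is_array($prev)
            && in_array($prev[0], [T_OBJECT_OPERATOR, T_PAAMAYIM_NEKUDOTAYIM, T_FUNCTION], true)) {
            continue;
        }
        // It is a call only if "(" follows.
        $j = nextSignificantIndex($tokens, $i);
        if ($j === null || $tokens[$j] !== '(') {
            continue;
        }
        // Collect the argument list up to the matching ")".
        $depth = 0;
        $args  = '';
        for ($k = $j; $k < $count; $k++) {
            $text = is_array($tokens[$k]) ? $tokens[$k][1] : $tokens[$k];
            if ($text === '(') {
                $depth++;
            } elseif ($text === ')' && --$depth === 0) {
                break;
            }
            $args .= $text;
        }
        $args = trim(substr($args, 1)); // drop the opening "("
        $findings[] = [
            'file'       => $file,
            'line'       => $tok[2],
            'args'       => $args,
            'restricted' => stripos($args, 'allowed_classes') !== false,
        ];
    }
    return $findings;
}

function previousSignificant(array $tokens, int $i)
{
    for ($k = $i - 1; $k >= 0; $k--) {
        if (!is_array($tokens[$k])
            || !in_array($tokens[$k][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $tokens[$k];
        }
    }
    return null;
}

function nextSignificantIndex(array $tokens, int $i): ?int
{
    for ($k = $i + 1, $n = count($tokens); $k < $n; $k++) {
        if (!is_array($tokens[$k]) || $tokens[$k][0] !== T_WHITESPACE) {
            return $k;
        }
    }
    return null;
}

// Walk every .php file under $root. Usage: php find_unserialize.php /path/to/checkout
function scanTree(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if ($f->isFile() && strtolower($f->getExtension()) === 'php') {
            $code     = (string) file_get_contents($f->getPathname());
            $findings = array_merge($findings, findUnserializeCalls($code, $f->getPathname()));
        }
    }
    return $findings;
}

// --- Demo on constructed source -----------------------------------------
$sample = <<<'PHP'
<?php
$prefs = unserialize($row['preference_value']);             // unrestricted: flagged
$safe  = \unserialize($blob, ['allowed_classes' => false]); // restricted
$this->unserialize($x);                                     // method call, ignored
// unserialize($in_a_comment) is ignored too
PHP;

$results = isset($argv[1]) ? scanTree($argv[1]) : findUnserializeCalls($sample, 'sample.php');
foreach ($results as $r) {
    printf("%s:%d %s unserialize(%s)\n", $r['file'], $r['line'],
        $r['restricted'] ? 'ok  ' : 'FLAG', $r['args']);
}
```

    A flagged call is not automatically a vulnerability: the second half of the audit is tracing whether the argument can be written by a user (a stored preference, a cookie, a REST body, a cached feed), which is exactly the distinction the comment draws between removing unserialize() and being certain its input is not attacker-controlled.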
    • Thomas Gerbet (tgerbet), 2017-04-04 15:36
      • Original Submission edited (formatting only)
    • Thomas Gerbet (tgerbet), 2017-04-04 15:34
      • Attachments poc.php added
    • Thomas Gerbet (tgerbet), 2017-04-04 15:33
      Add credits, CVE ID and the proof of concept code provided by the reporter.

      • Original Submission edited (formatting only)
      • Status changed from Verified to Under implementation