      request #10118 Remote code execution through object unserialization of a user's recent elements
    Infos
    #10118
    Thomas Gerbet (tgerbet)
    2017-04-28 23:20
    2017-04-03 15:37
    10398
    Details

    A remote code execution can be achieved by any user by setting a well-crafted user preference.

    Impact

    An attacker could use this vulnerability to execute code on the server as the codendiadm user.
    CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    The method User::getRecentsElements() is using unserialize() on data that can be arbitrarily manipulated by a user through the REST API leading to an object injection.

    You can find attached a proof of concept to demonstrate the vulnerability.

    References

    The CVE ID CVE-2017-7411 has been attributed to this vulnerability.

    https://cwe.mitre.org/data/definitions/502.html
    https://www.owasp.org/index.php/PHP_Object_Injection

    Credit

    Thank you to Egidio Romano from Karma(In)Security for reporting this vulnerability and coordinating its disclosure with us.
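
The pattern described under "Exploitation", next to a hardened form, as an added example that is not part of the original report and is not Tuleap's code or its fix. The function names, the JSON storage format and the shape of an entry (integer `id`, short lowercase `type`) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Pattern from the report (hypothetical stand-in, not Tuleap's code): a
// preference string the user can set goes straight into unserialize(), so
// the stored string decides which classes get instantiated.
function loadRecentElementsUnsafe(string $preference): array
{
    $value = unserialize($preference);
    return is_array($value) ? $value : [];
}

// Hardened form: the preference is stored as JSON, which can only produce
// scalars and arrays, and each entry is checked against the expected shape.
// The entry shape used here is an assumption, not Tuleap's data model.
function loadRecentElementsSafe(string $preference, int $max = 10): array
{
    $decoded = json_decode($preference, true, 4);
    if (!is_array($decoded)) {
        return []; // not valid JSON (for example a legacy serialized value)
    }
    $elements = [];
    foreach ($decoded as $entry) {
        if (!is_array($entry) || !isset($entry['id'], $entry['type'])) {
            continue;
        }
        if (!is_int($entry['id']) || $entry['id'] < 1) {
            continue;
        }
        if (!is_string($entry['type']) || preg_match('/^[a-z_]{1,32}\z/', $entry['type']) !== 1) {
            continue;
        }
        $elements[] = ['id' => $entry['id'], 'type' => $entry['type']];
        if (count($elements) >= $max) {
            break;
        }
    }
    return $elements;
}

// Constructed sample preference values.
$samples = [
    'valid json'              => '[{"id":42,"type":"artifact"},{"id":7,"type":"wiki_page"}]',
    'legacy serialized array' => serialize([['id' => 42, 'type' => 'artifact']]),
    'serialized object'       => serialize(new stdClass()),
];
foreach ($samples as $label => $preference) {
    printf("%s => %d element(s) accepted\n", $label, count(loadRecentElementsSafe($preference)));
}
```

Where values in the old serialized format must still be read during a migration, `unserialize()` accepts `['allowed_classes' => false]` as its second argument since PHP 7.0, which prevents it from instantiating any class.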

    Closed
    2017-04-19
    Follow-ups

    PHPWiki part integrated into 9.6.99.90

    • Status changed from Under implementation to Closed
    • Connected artifacts
    • Close date set to 2017-04-19
    Thomas Gerbet (tgerbet) 2017-04-12 11:31
    Updating the PoC, having a usable POP chain is not necessary to demonstrate the vulnerability.

    • Attachments poc.php removed; poc.php added
    Thomas Gerbet (tgerbet) 2017-04-04 15:51
    In order to fix the issue and to ensure we do not have a similar issue elsewhere, I intend to go through the whole Tuleap codebase to remove all the unserialize() usage or at the bare minimum be fairly certain we do not unserialize data that can be arbitrarily manipulated.

    A first look shows usages in:
    * User::getMostRecents() (which is the origin of the reported vulnerability)
    * Feedback's responses
    * SimplePie library
    * PHPWiki

    A fix for the initial vulnerability is available here: gerrit #8082.
    Thomas Gerbet (tgerbet) 2017-04-04 15:36
    • Original Submission
    Thomas Gerbet (tgerbet) 2017-04-04 15:33
    Add credits, CVE ID and the proof of concept code provided by the reporter.

    • Original Submission
    • Status changed from Verified to Under implementation