FirstBlood-#622 — Insecure Deserialization leading to RCE [COLLAB]- mrrootsec
This issue was discovered on FirstBlood v2
On 2021-10-26, newrouge Level 3 reported:
Hey we have found that vaccine proof-upload feature is vulnerable to to Insecure Deserialization attack.
Description:
-
vaccine upload feature accepts JPEG, PNG and GIF files as proof. We discovered it validates files actually by file type bytes not by just file extension or file type. So any attempt to bypass that was in vain.
-
After Uploading a legit PNG file and observing the request flow. we noticed endpoint
GET /api/checkproof.php?proof=/app/firstblood/upload/fef6e65d70b42a64c4d04bdd2d5fc65c1ec20a74.jpg
-
This endpoint verifies if a file exist on server or not and return true false basis of that. Which indicated towards file_exists() in php, and later composer leak showed that it's using monolog v2.1.1. Which is vulnerable to deserialiaztion attack.
-
Using the phar:// wrapper will trigger unserialize() in any file operation, such as file(), file_exist(), file_get_contents(), fopen(), rename(), unlink() and include().
-
phar files are php archive files and extension independent as they are polyglots which means they are a valid file type for .jpg and .phar file also.
file_exists('phar:///var/www/phpBB3/files/evil.phar'); &file_exists('phar:///var/www/phpBB3/files/evil.jpg');
will work similarly in deserialization process.
-
So now we used PHPGGC php generic gadget tool to create payload for unserialization.
Github Link: https://github.com/ambionics/phpggc
Steps to reproduce
- We will need a valid jpg image. (say test.jpg)
-
Now we will use phpggc on this test.jpg image to create a phar file which will also be a valid jpg file.
./phpggc -pj test.jpg -o test.phar monolog/rce1 system "ls -la"
- ./phpgcc : executing binary
- -pj : Creates a polyglot JPEG/PHAR file from given image
- -o: payload file name
- monolog/rc1: according to leak it''s using monolog v2.1.1 which is vulnerable to this exploit.
- system ls -la: specifying the command to run on the server.
-
Now go to https://1b42ba552850-newrouge.a.firstbloodhackers.com/vaccination-manager/pub/upload-vaccination-proof.php and enter your email and upload your test.phar file, while burp running in background.
-
In burp now send the ?proof= request to repeater.
-
Now append phar:// befor the file path.
Impact:
As an attacker using this vulnerability Remote Code Execution is possible.
References :
- https://github.com/ambionics/phpggc
- https://vickieli.dev/insecure%20deserialization/php-phar/
- https://www.youtube.com/watch?v=fHZKSCMWqF4
- https://blog.sonarsource.com/new-php-exploitation-technique?redirect=rips
- https://www.youtube.com/watch?v=OrEar0TiS90&t=1s
Thanks & regards
mrrootsec, newrouge
P1 CRITICAL
Endpoint: /vaccination-manager/pub/upload-vaccination-proof.php
Parameter: N/A
Payload: N/A
FirstBlood ID: 34
Vulnerability Type: Deserialization
This endpoint calls filesize() on the path provided in the 'proof' param with no filtering or sanitisation. By adding the phar:// stream handler to the path, an attacker can force a previously uploaded file to be sent through deserialisation. Coupled with the fact that a gadget-chain vulnerable version of monolog is being used, this allows for RCE.