FirstBlood-#950 — [COLLAB] RCE using insecure deserialization
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, twsec Level 2 reported:
twsec and I collaborated and found a deserialization vulnerability which can be exploited to obtain RCE.
Insecure deserialization is when user-controllable data is deserialized by a website. This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the application code.
At first, we found the composer.json file. It mentions that it's using
This gives us a clue to use phpggc to create phar payload.
Using the Monolog/RCE1 gadget chain, we created a phar polyglot with the command uname -a and embedded it in a jpg:
php -c php.ini phpggc -pj /root/dog.jpg -o doggo.jpg Monolog/RCE1 system 'uname -a'
Here the php.ini file has phar.readonly=0 so that we can create a phar file.
This jpg file can be uploaded to in the
After uploading it, /api/checkproof.php checks for proof that the file exists. The filename is the SHA1 hash of the file content.
If we use the phar stream wrapper to fetch the file, it executes the polyglot in it and returns us the output of the
You can disable the phar stream wrapper by including stream_wrapper_unregister('phar'); in your code.
Have a nice day!
/api/checkproof.php
This bug makes use of the following vulnerabilities in a chain:
FirstBlood ID: 34
Vulnerability Type: Deserialization
This endpoint calls filesize() on the path provided in the 'proof' param with no filtering or sanitisation. By prefixing the path with the phar:// stream wrapper, an attacker can force a previously uploaded file to be parsed as a phar archive, which deserialises the archive's metadata. Coupled with the fact that a gadget-chain vulnerable version of monolog is being used, this allows for RCE.
FirstBlood ID: 36
Vulnerability Type: Information leak/disclosure
It is possible to use the composer.json to aid another vulnerability and to gain information on the library versions in use.
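To make the chain above concrete, here is an added example (not FirstBlood's own code) of a stand-in for the /api/checkproof.php pattern: the vulnerable form, where a phar:// prefix in the 'proof' parameter reaches filesize(), beside a hardened form that treats the parameter strictly as a SHA1 filename. The upload directory, the function names, and the assumption that stored files have no extension are illustrative; the stream_wrapper_unregister('phar') step is the mitigation the report itself suggests.

```php
<?php
// Added example, not FirstBlood's code. UPLOAD_DIR, the function names and the
// extension-less filename convention are assumptions for illustration.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads'; // assumed location of uploaded proofs

// VULNERABLE: file_exists() and filesize() accept any registered stream wrapper.
// A proof of "phar:///var/www/uploads/<sha1>" makes PHP parse the uploaded jpg
// polyglot as a phar archive and unserialize() its metadata, which is where a
// gadget chain such as Monolog/RCE1 fires.
function checkProofVulnerable(string $proof): array
{
    if (!file_exists($proof)) {            // already enough to trigger phar parsing
        return ['exists' => false];
    }
    return ['exists' => true, 'size' => filesize($proof)];
}

// HARDENED: the parameter is a file *name*, never a path or a URL.
function checkProofHardened(string $proof): array
{
    // 1. Stored filenames are the SHA1 of the content (per the report), so the
    //    only legitimate value is 40 hex characters. This rules out "phar://",
    //    "../" and every other scheme or traversal in one check.
    if (!preg_match('/\A[0-9a-f]{40}\z/', $proof)) {
        throw new InvalidArgumentException('proof must be a SHA1 hex digest');
    }

    // 2. Build the path ourselves and confirm it resolves inside UPLOAD_DIR.
    $path = realpath(UPLOAD_DIR . '/' . $proof);
    if ($path === false || strpos($path, UPLOAD_DIR . '/') !== 0) {
        return ['exists' => false];
    }

    // 3. Integrity check: the name must match the content's SHA1, so a planted
    //    or tampered file is rejected even if it sits in the right directory.
    if (sha1_file($path) !== $proof) {
        return ['exists' => false];
    }

    return ['exists' => true, 'size' => filesize($path)];
}

// Defence in depth for the whole application, as the report suggests: with the
// phar wrapper unregistered, any phar:// path fails before metadata is read.
// Run this once, early (e.g. in a bootstrap file), since calling it twice warns.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Endpoint usage: only the hardened check is wired to the request.
header('Content-Type: application/json');
try {
    echo json_encode(checkProofHardened($_GET['proof'] ?? ''));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```

Two caveats worth knowing when assessing a similar finding: first, it is not only filesize() that is dangerous, since file_exists(), is_file(), getimagesize() and most other filesystem functions open the stream and trigger the same phar metadata parsing; second, PHP 8.0 stopped unserialising phar metadata automatically on stream access (it is now only unserialised by Phar::getMetadata()), so the phar:// trigger described on this page applies to PHP 7.x and earlier, while the input validation above is worth keeping regardless.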