FirstBlood-#950[COLLAB] RCE using insecure deserialization
This issue was discovered on FirstBlood v2
On 2021-10-26, twsec Level 2 reported:

Hi Sean,

twsec and I collaborated and found a deserialization vulnerability which can be exploited to obtain RCE.

Insecure deserialization is when user-controllable data is deserialized by a website. This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the application code.

At first, we found the composer.json file. It mentions that it's using Monolog 2.1.1.

This gives us a clue to use phpggc to create phar payload.

Using the Monolog/RCE1, we created a phar polyglot with command uname -a and embedded it in a jpg.

    php -c php.ini phpggc -pj /root/dog.jpg -o doggo.jpg Monolog/RCE1 system 'uname -a'

Here the php.ini file has phar.readonly=0 so that we can create a phar file.

This jpg file can be uploaded in the upload-vaccination-proof.php.

After uploading it, the /api/checkproof.php checks for the proof of the existence of file. The filename is the SHA1 hash of the file content.

If we use phar stream wrapper to fetch the file, it executes the polyglot in it and returns us the output of the uname -a command.

    GET /api/checkproof.php?proof=phar:///app/firstblood/upload/c04b72fd8ef01cc119b9c653dccea23f674ad56a.jpg/xyz

Fix

You can disable the phar stream wrapper by including stream_wrapper_unregister('phar'); in your code.

Have a nice day!

P1 CRITICAL

Endpoint: /api/checkproof.php

This report contains multiple vulnerabilities:

  • Deserialization
  • Information leak/disclosure
FirstBlood ID: 34
Vulnerability Type: Deserialization

This endpoint calls filesize() on the path provided in the 'proof' parameter with no filtering or sanitisation. By prefixing the path with the phar:// stream wrapper, an attacker can force a previously uploaded file to be opened as a Phar archive, whose metadata is deserialised on affected PHP versions. Coupled with the fact that a gadget-chain vulnerable version of Monolog is being used, this allows for RCE.
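To make the fix concrete, the following is an added example (not FirstBlood's own code) of a checkproof-style handler in its weak form beside a hardened form. The function names, the upload directory, the accepted extensions and the JSON response shape are assumptions for illustration; the upload path is taken from the URL in the report.

```php
<?php
// Added example, not the FirstBlood application's code. Names, paths and the
// accepted extensions below are assumptions for illustration.

declare(strict_types=1);

// Assumed upload location, matching the path seen in the report's request.
const UPLOAD_DIR = '/app/firstblood/upload';

// Weak form: whatever arrives in ?proof= goes straight to filesize().
// A value beginning with phar:// makes PHP open the file as a Phar archive
// and, on affected PHP versions, unserialize its metadata before the size
// is ever returned. That is the deserialisation sink the report describes.
function checkProofWeak(string $proof): bool
{
    return @filesize($proof) > 0;
}

// Hardened form: the parameter is only ever treated as a bare filename
// inside UPLOAD_DIR, never as a path or a URL.
function checkProofHardened(string $proof): bool
{
    // 1. Upload names are SHA-1 hashes plus an extension; accept nothing else.
    //    This rejects "phar://", "../" and every other piece of path syntax.
    if (!preg_match('/^[a-f0-9]{40}\.(jpg|jpeg|png|pdf)$/i', $proof)) {
        return false;
    }

    // 2. Resolve the final path and confirm it is still inside UPLOAD_DIR.
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . $proof);
    if ($base === false || $real === false) {
        return false;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    // 3. Only a regular, non-empty file counts as proof.
    return is_file($real) && filesize($real) > 0;
}

// Defence in depth, and the fix the report recommends: if the application
// never needs to read Phar archives, remove the wrapper for the whole
// process so a missed path check elsewhere cannot reach Phar metadata.
if (in_array('phar', stream_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Assumed request handling for the endpoint.
$proof = (string) ($_GET['proof'] ?? '');
header('Content-Type: application/json');
echo json_encode(['valid' => checkProofHardened($proof)]);
```

Calling stream_wrapper_unregister('phar') alone stops this particular sink but leaves filesize() accepting arbitrary paths, so the allow-list on the filename and the realpath() containment check are what actually close the endpoint; the wrapper removal is the safety net behind them.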

FirstBlood ID: 36
Vulnerability Type: Information leak/disclosure

It is possible to use the composer.json file to aid another vulnerability and to gain information on the library versions in use.