One Article Review

Home - The article:
Source Code White
Identifier 351860
Publication date 2015-05-08 20:48:26 (seen: 2015-05-08 20:48:26)
Title CVE-2015-0935: PHP Object Injection in Bomgar Remote Support Portal
Text Serialization is often used to convert objects into a string representation for communication or to save them for later use. However, deserialization in PHP has certain side-effects, which can be exploited by an attacker who is able to provide the data to be deserialized. This post will give you an insight into the deserialization of untrusted data vulnerability in the Bomgar Remote Support Portal 14.3.1 (US CERT VU#978652, CVE-2015-0935), which is part of Bomgar's appliance-based remote support software. It covers details on the weakness of Deserialization of Untrusted Data (CWE-502) in PHP applications in general, as well as specific details on the vulnerability and its exploitation in the Bomgar Remote Support Portal 14.3.1. Note that this post is not about the various bugs in the implementation of the unserialize function itself (see for example Sec Bug #67492, Sec Bug #68594, Sec Bug #68710, and Sec Bug #68942), but about the exploitation on the application level.

Summary

Description from US CERT VU#978652: Bomgar Remote Support Portal version 14.3.1 and possibly earlier versions deserialize untrusted data without sufficiently verifying the validity of the resulting data. An unauthenticated attacker can inject arbitrary input to at least one vulnerable PHP file, and authenticated attackers can inject arbitrary input to multiple vulnerable PHP files. When malicious data is deserialized, arbitrary PHP code may be executed in the context of the PHP server process.

Vulnerability Details

The PHP function unserialize allows the creation of arbitrary object constructs of any class with arbitrary attributes of almost arbitrary types without any validation. During the deserialization, the lifetime of an object, and the interaction with the object, several methods, including so-called magic methods, may get called using these arbitrarily definable attributes. An attacker may be able to utilize the functionality provided within these called methods to his benefit.

For more information on deserialization in PHP, have a look at Serialization in the PHP Internals Book and Writing Exploits For Exotic Bug Classes: unserialize() by Stephen Coty of Alert Logic. In Bomgar Remote Support Portal 14.3.1, unserialize is called several times with user-provided data, among them one which can be called by an unauthenticated user.

Exploitation

The most challenging part of exploiting such a vulnerability is finding appropriate classes with effects beneficial for an attacker. Therefore, it solely depends on the available classes. If there are no classes with beneficial effects available, it is not exploitable. Fortunately, there is at least one in Bomgar Remote Support Portal 14.3.1! One way to exploit this vulnerability is by utilizing the Tracer class. It is used to write stack trace information to a log using a Logger instance, which wraps an instance of PEAR's Log class. By using a Log_file instance as an instance of Lo
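The mechanism described above (a magic method whose behaviour is steered by attacker-defined attributes) next to the check that neutralises it, as an added example that is not part of the original post or of Bomgar's code. The ConstructedTracer class and the serialized input are constructed stand-ins for the Tracer/Logger/Log_file chain the post describes; it assumes PHP 7.4 or later, where unserialize() accepts the allowed_classes option.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a gadget class: a destructor whose sink is chosen
// by an object attribute, which unserialize() lets the caller set freely.
final class ConstructedTracer
{
    public static array $effects = [];
    public string $logPath = '/var/log/app/trace.log';

    public function __destruct()
    {
        // A real gadget would open $logPath and write a trace; we only record it.
        self::$effects[] = "destructor ran with logPath={$this->logPath}";
    }
}

// Vulnerable pattern (CWE-502): untrusted bytes handed straight to unserialize().
function vulnerableLoad(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern: refuse objects entirely. With allowed_classes => false every
// O:/C: token becomes __PHP_Incomplete_Class, whose magic methods never run,
// and we reject the result outright rather than let it propagate.
function hardenedLoad(string $untrusted): mixed
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('object in serialized input rejected');
    }
    return $value;
}

// Constructed input: what serialize() yields for a ConstructedTracer whose
// logPath attribute has been set by the sender, not by the application.
$input = 'O:17:"ConstructedTracer":1:{s:7:"logPath";s:20:"/tmp/constructed.log";}';

$obj = vulnerableLoad($input);   // object is instantiated with the sender's attribute
unset($obj);                     // destructor fires here (or at script end)
var_dump(ConstructedTracer::$effects);

try {
    hardenedLoad($input);        // same input, no object is ever created
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The instanceof check only covers a top-level object; if the application must accept arrays, walk them for __PHP_Incomplete_Class entries too, or avoid the format altogether and exchange data as JSON via json_decode().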
Sent Yes
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.