Egroupware 1.8.005 PHP Object Insertion

2014.02.21

Credit: Ribeiro

Risk: High

Local: No

Remote: Yes

CVE: CVE-2014-2027

CWE: CWE-94

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

> Vulnerabilities in EGroupware 1.8.005
> Discovered by Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security
====================================================================
Vulnerability: PHP object insertion leading to all kinds of badness (arbitrary file deletion, possible code execution) (CVE-2014-2027)
File(line): egroupware/addressbook/csv_import.php(257,258)
File(line): egroupware/calendar/csv_import.php(277,278)
File(line): egroupware/projectmanager/csv_import.php(324,325)
File(line): egroupware/infolog/csv_import.php(336,337)
File(line): egroupware/preferences/inc/class.uiaclprefs.inc.php(108)
Code snippet:
egroupware/addressbook/csv_import.php(257,258):
case 'next':
$_POST['addr_fields'] = unserialize(stripslashes($_POST['addr_fields']));
$_POST['trans'] = unserialize(stripslashes($_POST['trans']));
egroupware/calendar/csv_import.php(277,278):
case 'next':
$_POST['cal_fields'] = unserialize(stripslashes($_POST['cal_fields']));
$_POST['trans'] = unserialize(stripslashes($_POST['trans']));
egroupware/projectmanager/csv_import.php(324,325):
egroupware/infolog/csv_import.php(336,337):
case 'next':
$_POST['info_fields'] = unserialize(stripslashes($_POST['info_fields']));
$_POST['trans'] = unserialize(stripslashes($_POST['trans']));
egroupware/preferences/inc/class.uiaclprefs.inc.php(108):
if ($_POST['save'] || $_POST['apply'])
{
$processed = $_POST['processed'];
$to_remove = unserialize(urldecode($processed));
Arbitrary file overwrite in __destruct:
egroupware/etemplate/inc/class.etemplate_request_files.inc.php
140 function __destruct()
141 {
142 if ($this->remove_if_not_modified && !$this->data_modified)
143 {
144 //error_log(__METHOD__."() destroying $this->id");
145 @unlink(self::$directory.'/'.$this->id);
146 }
147 elseif (!$this->destroyed && $this->data_modified &&
148 !file_put_contents($filename = self::$directory.'/'.$this->id,serialize($this->data)))
149 {
150 error_log("Error opening '$filename' to store the etemplate request data!");
151 }
152 }
Comment:
User input is passed directly into unserialize(), leading to object insertion, arbitrary file deletion and possible code execution.
There are lots of classes with exploitable magic methods, and the above is just an example.
References:
https://www.owasp.org/index.php/PHP_Object_Injection
http://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/
http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
http://vagosec.org/2013/12/wordpress-rce-exploit/

References:

https://www.owasp.org/index.php/PHP_Object_Injection

http://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/

http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf

http://vagosec.org/2013/12/wordpress-rce-exploit/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Egroupware 1.8.005 PHP Object Insertion

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.