Attacker Value: High (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2024-55556

Disclosure Date: January 07, 2025
MITRE ATT&CK tactics: Execution (validated), Initial Access (validated)

Description

A vulnerability in Crater Invoice allows an unauthenticated attacker who knows the application's APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie, triggering arbitrary deserialization of the encrypted session data. The exploitation vector relies on the attacker obtaining Laravel's secret APP_KEY, which lets them decrypt and manipulate the session cookie (laravel_session) that carries serialized data. By altering this data and re-encrypting it with the APP_KEY, the attacker can trigger arbitrary deserialization on the server, potentially leading to remote command execution (RCE). In short, the vulnerability is exploited by taking an exposed cookie and rewriting it with the secret key to gain malicious access to the server.
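The two prerequisites the description names, a leaked APP_KEY and serialized session data carried inside the laravel_session cookie, map directly onto a few deployment settings that a defender can audit. The script below is an added example written for this page; it is not code from the AttackerKB entry, from InvoiceShelf or from Laravel. It assumes Laravel's default AES-256-CBC cipher (a 32-byte key) and the standard `.env` variable names APP_KEY, APP_DEBUG and SESSION_DRIVER; both `.env` samples are constructed.

```python
"""Audit a Laravel .env for settings that widen the APP_KEY -> session deserialization path.

Added example for this page (not InvoiceShelf or Laravel code). Assumes the default
AES-256-CBC cipher, so APP_KEY must decode to exactly 32 bytes.
"""
import base64
from typing import Dict

AES_256_KEY_BYTES = 32  # assumption: config('app.cipher') left at its default


def parse_env(text: str) -> Dict[str, str]:
    """Minimal dotenv parser: KEY=VALUE lines, '#' comments, optional surrounding quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only; base64 keys end in '='
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def app_key_bytes(app_key: str) -> bytes:
    """Decode APP_KEY the way Laravel does: a 'base64:' prefix means base64, otherwise raw text."""
    if app_key.startswith("base64:"):
        try:
            return base64.b64decode(app_key[len("base64:"):], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return b""
    return app_key.encode()


def audit_laravel_env(text: str) -> Dict[str, str]:
    """Return {finding_code: explanation}; an empty dict means no finding."""
    env = parse_env(text)
    findings: Dict[str, str] = {}

    app_key = env.get("APP_KEY", "")
    if not app_key:
        findings["APP_KEY_MISSING"] = "APP_KEY is unset; generate one with `php artisan key:generate`"
    elif not app_key.startswith("base64:") or len(app_key_bytes(app_key)) != AES_256_KEY_BYTES:
        findings["APP_KEY_FORMAT"] = (
            "APP_KEY is not a base64-encoded 32-byte key; a short or guessable key weakens "
            "the encryption and MAC that protect laravel_session"
        )

    if env.get("APP_DEBUG", "false").lower() in ("true", "(true)", "1"):
        findings["APP_DEBUG_ON"] = (
            "APP_DEBUG=true: verbose error pages can disclose environment values, including APP_KEY"
        )

    if env.get("SESSION_DRIVER", "").lower() == "cookie":
        findings["SESSION_IN_COOKIE"] = (
            "SESSION_DRIVER=cookie stores the serialized session payload in the laravel_session cookie, "
            "so whoever holds APP_KEY chooses what the server unserializes; use a server-side driver"
        )
    return findings


# Constructed sample files (not taken from any real deployment).
WEAK_ENV = """
APP_NAME=Invoices
APP_DEBUG=true
APP_KEY=SomeRandomString
SESSION_DRIVER=cookie
"""

# All-zero key used only so the sample parses as a well-formed 32-byte key; never deploy a fixed key.
HARDENED_ENV = f"""
APP_NAME=Invoices
APP_DEBUG=false
APP_KEY=base64:{base64.b64encode(bytes(AES_256_KEY_BYTES)).decode()}
SESSION_DRIVER=database
"""

if __name__ == "__main__":
    for label, env_text in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(label, audit_laravel_env(env_text))
```

Run it against a copy of the application's `.env` (never commit the file itself). The key-length check mirrors what Laravel's encrypter enforces for AES-256-CBC; the other two findings address how the key leaks and where the deserialized payload lives, which are the two conditions the description above combines.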

Technical Analysis

This vulnerability has a similar attack surface to the one described in CVE-2024-55555, where Laravel-based applications can be exploited due to bad decryption implementations. In this case, an attacker in possession of the secret Laravel APP_KEY would therefore be able to retrieve the Laravel cookie, decrypt it and modify the serialized data in order to get arbitrary deserialization on the affected server, allowing them to achieve remote command execution. The attack sequence is very well described in this security advisory from Synacktiv.
InvoiceShelf is an example of a Laravel PHP-based application where this vulnerability can be abused. InvoiceShelf, which is a fork of Crater Invoice, is vulnerable in version 1.3.0 and lower.

As discussed in my other AttackerKB article, you can use the LaravelCryptoKiller mixin to exploit this type of vulnerability using Metasploit. I therefore created a Metasploit module targeting vulnerable InvoiceShelf applications to automate and demonstrate this attack.
You can find the module in this PR submission: InvoiceShelf unauthenticated PHP deserialization vulnerability.

References

CVE-2024-55556
Laravel HackTricks
InvoiceShelf security disclosure from Synacktiv
Metasploit InvoiceShelf unauthenticated PHP deserialization vulnerability
InvoiceShelf Github

Credits

Rémi Matasse and Mickaël Benassouli from Synacktiv

CVSS V3 Severity and Metrics
Base Score: None
Impact Score: Unknown
Exploitability Score: Unknown
Vector: Unknown
Attack Vector (AV): Unknown
Attack Complexity (AC): Unknown
Privileges Required (PR): Unknown
User Interaction (UI): Unknown
Scope (S): Unknown
Confidentiality (C): Unknown
Integrity (I): Unknown
Availability (A): Unknown
