Moderate
Pimcore Deserialization Vulnerability
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Moderate
(1 user assessed)
Moderate
(1 user assessed)Unknown
Unknown
Unknown
Pimcore Deserialization Vulnerability
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
In Pimcore versions prior to 5.7.1, a deserialization vulnerability exists in the handler function for the bulk-commit POST request.
Add Assessment
Ratings
-
Attacker ValueMedium
-
ExploitabilityMedium
Technical Analysis
Details
There exists a PHP deserialization vulnerability in Pimcore versions prior to 5.7.1 that allows the ability to gain remote code execution post authentication.
The Metasploit module documentation for exploit/multi/http/pimcore_unserialize_rce mentions that the PHP deserialization vulnerability exists in the ClassController.php file in the function that takes care of the bulk-commit method. The bulkCommitAction() function has a comment mentioning that it handles the bulk-commit route, so it’s safe to say that analysis should start there.
In bulkCommitAction(), the serialized PHP object gets assigned to the data variable, and its layout type is checked in an if statement.
The block of code is quite large, but the important detail happens in the first few lines of the elseif block:
elseif ($type == 'customlayout') { $layoutData = unserialize($data['name']); $className = $layoutData['className']; $layoutName = $layoutData['name']; ... }
The serialized payload is passed to the unserialize() function unsanitized, which will call the object’s magic method, __destruct() in this case. The object used in Metasploit’s module is an object of the ApcuAdapter class, which inherits its magic method from AbstractAdapter.
__destruct() method:
public function __destruct() { if ($this->deferred) { $this->commit(); } }
The deferred variable contains the PHP code, so the commit() function is called.
In commit(), there are two lines of interest:
$byLifetime = $this->mergeByLifetime; $byLifetime = $byLifetime($this->deferred, $this->namespace, $expiredIds);
The object’s mergeByLifetime variable, which is set to proc_open in the serialized object, gets assigned to $byLifetime. In the next line, $byLifetime is executed with the object’s instance variables passed as the arguments. As noted previously, the deferred variable contains the PHP code to execute. Viewing the serialized object in the pimcore_unserialize_rce Metasploit module shows us that the namespace variable is an empty array, and $expiredIds is a variable that will hold an array of file pointers. So summing this up, proc_open() will execute code embedded in a PHP serialized object, potentially giving unauthorized individuals shell access.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportGeneral Information
References
Miscellaneous
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
