Attacker Value: High (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2024-55555

Disclosure Date: January 07, 2025
MITRE ATT&CK tactics: Execution (validated), Initial Access (validated)

Description

Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product’s repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function.
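The following is an added illustration, not code from Invoice Ninja or from the Synacktiv advisory. It shows the pattern the description refers to (a pre-authenticated route handing a URL segment to Laravel's `decrypt()`, which unserializes the plaintext by default) next to a hardened handler that decrypts as a string and parses the payload with `json_decode`, so no object is ever instantiated from the ciphertext. The route names, the assumption that the payload carries a redirect target, and the path allowlist are constructed for the example; the real handler's purpose is not described above.

```php
<?php
// Added example (not Invoice Ninja's code). Requires the Laravel framework.
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Route;

// Vulnerable pattern: decrypt() has $unserialize = true by default, so anyone
// holding APP_KEY can forge a valid ciphertext whose plaintext is an arbitrary
// serialized PHP object, reaching unserialize() without authentication.
Route::get('/route-vulnerable/{hash}', function (string $hash) {
    $data = decrypt($hash);                  // plaintext is passed to unserialize()
    return redirect($data['url'] ?? '/');    // assumed purpose of the payload
});

// Hardened pattern: decryptString() never calls unserialize(); the plaintext is
// then parsed as JSON into plain arrays and validated before use.
Route::get('/route/{hash}', function (string $hash) {
    try {
        $plain = Crypt::decryptString($hash);   // MAC check + decrypt, no unserialize
    } catch (DecryptException $e) {
        abort(404);                             // forged or corrupted ciphertext
    }

    $data = json_decode($plain, true);          // assoc arrays only, never objects
    if (!is_array($data) || !isset($data['url']) || !is_string($data['url'])) {
        abort(404);
    }

    // Constructed rule for the example: only same-host paths are accepted.
    if (!preg_match('#^/[A-Za-z0-9/_\-]*$#', $data['url'])) {
        abort(404);
    }

    return redirect($data['url']);
});
```

The hardened handler removes the deserialization sink, but it still relies on APP_KEY being secret: a deployment that kept a default key from a shipped `.env` file lets anyone forge ciphertexts that pass the MAC check, so rotating such a key is part of the fix, not an optional extra.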

Technical Analysis

Laravel PHP applications can be exploited due to bad implementations of decryption mechanisms. Synacktiv published this advisory, where you can pull off arbitrary unserialization via decrypt in the application Invoice Ninja. I am not gonna dwell on the actual attack scenario because this is described pretty well in the Synacktiv advisory.

More interesting is the use of the Laravel Crypto Killer tool that was designed by the Synacktiv team to support this type of attack.
Having this toolkit available in Metasploit, where it can be leveraged in the different exploits that are subject to these bad implementations of decryption mechanisms in Laravel PHP applications, would be a welcome addition.

Therefore, I created the LaravelCryptoKiller mixin in combination with the Invoice Ninja exploit that automates these attacks.
You can find them both in this PR submission: Invoice Ninja unauthenticated RCE [CVE-2024-55555] + Laravel Crypto Killer mixin #19897.

References

CVE-2024-55555
Laravel HackTricks
Invoice Ninja security disclosure from Synacktiv
Invoice Ninja unauthenticated RCE [CVE-2024-55555] + Laravel Crypto Killer mixin #19897

Credits

Rémi Matasse and Mickaël Benassouli from Synacktiv

CVSS V3 Severity and Metrics

Base Score: None
Impact Score: Unknown
Exploitability Score: Unknown
Vector: Unknown
Attack Vector (AV): Unknown
Attack Complexity (AC): Unknown
Privileges Required (PR): Unknown
User Interaction (UI): Unknown
Scope (S): Unknown
Confidentiality (C): Unknown
Integrity (I): Unknown
Availability (A): Unknown
