High
Laravel Framework Unserialize Token RCE (CVE-2018-15133)
Laravel Framework Unserialize Token RCE (CVE-2018-15133)
Description
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
Add Assessment
Technical Analysis
CVE-2018-15133 is a vulnerability in the Laravel Framework versions 5.5.40 and 5.6.x up to 5.6.29. It allows remote code execution as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. An attacker must know the application key to exploit this vulnerability, which would normally be unlikely but could occur if they had previously gained privileged access or successfully accomplished a prior attack
Technical Analysis
The exploit depends on having a valid APP_KEY for the application. If the target Laravel Framework is vulnerable to CVE-2017-16894, then it would be possible to obtain the APP_KEY as an unauthenticated user. Also, if the environment has APP_DEBUG enabled, then it may be possible to retrieve the APP_KEY from error messages generated by Laravel Framework.
From Google searches, there appears to be several hosts that leak their APP_KEY.
This PR would have made APP_DEBUG no longer the default, but the developers appear to have immediately closed it for some reason: https://github.com/laravel/laravel/pull/5331
CVSS V3 Severity and Metrics
General Information
Vendors
- laravel
Products
- laravel
Metasploit Modules
Exploited in the Wild
References
