Attacker Value

High

Laravel Framework Unserialize Token RCE (CVE-2018-15133)

Attacker Value

High

(2 users assessed)

Exploitability

Moderate

(2 users assessed)

User Interaction

Laravel Framework Unserialize Token RCE (CVE-2018-15133)

Disclosure Date: August 09, 2018 •

CVE-2018-15133 CVSS v3 Base Score: 8.1

Exploited in the Wild

Reported by inokii and 1 more...
View Source Details

Description

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

Add Assessment

cbeek-r7 (156)

January 17, 2024 10:10am UTC (6 months ago)

Ratings

Attacker Value

Medium

Exploitability

Very Low

CISA KEV Listed Unauthenticated

Technical Analysis

CVE-2018-15133 is a vulnerability in the Laravel Framework versions 5.5.40 and 5.6.x up to 5.6.29. It allows remote code execution as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. An attacker must know the application key to exploit this vulnerability, which would normally be unlikely but could occur if they had previously gained privileged access or successfully accomplished a prior attack

jrobles-r7 (40)

July 12, 2019 5:33pm UTC (5 years ago)•Edited 4 years ago

Ratings

Attacker Value

High

Exploitability

Very High

Technical Analysis

The exploit depends on having a valid APP_KEY for the application. If the target Laravel Framework is vulnerable to CVE-2017-16894, then it would be possible to obtain the APP_KEY as an unauthenticated user. Also, if the environment has APP_DEBUG enabled, then it may be possible to retrieve the APP_KEY from error messages generated by Laravel Framework.
From Google searches, there appears to be several hosts that leak their APP_KEY.

See More &1 replySee Less

busterb (321) June 29, 2020 12:38pm UTC (4 years ago)

This PR would have made APP_DEBUG no longer the default, but the developers appear to have immediately closed it for some reason: https://github.com/laravel/laravel/pull/5331

HT to https://twitter.com/hanno/status/1277580935328915457

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.1 High

Impact Score:

5.9

Exploitability Score:

2.2

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

High

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

laravel

Products

laravel

Metasploit Modules

exploit/unix/http/laravel_token_unserialize_exec (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/laravel_token_unserialize_exec.rb)

Exploited in the Wild

Reported by:

inokii indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/01/16/cisa-adds-one-known-exploited-vulnerability-catalog)

Reported: January 17, 2024 5:53am UTC (6 months ago)

cbeek-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/sites/default/files/2024-01/aa24-016a-known-indicators-of-compromise-associated-with-adroxgh0st-malware_0.pdf)

Reported: January 22, 2024 10:34am UTC (6 months ago)

References

Canonical

CVE-2018-15133 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15133)

Rapid7

High