RSS Feed
更好更安全的互联网

From Deserialization to Type Confusion Vulnerability —— A Real Use in Ecshop Lastest

2020-11-02

Author: LoRexxar'@Knownsec 404 Team
Date: March 31,2020.
Chinese Version: https://paper.seebug.org/1267

This article was originally completed on March 31, 2020. Because it involves 0day utilization, it was reported to the vendor on March 31, 2020, and released after the 90-day vulnerability disclosure period.


A few days ago, I accidentally saw a vulnerability report submitted on Hackerone. In this vulnerability, the vulnerability discoverer proposed a very interesting use. The author makes use of a type confusion vulnerability of GMP and cooperates with the corresponding utilization chain to construct a code execution of mybb. Here we take a look at this vulnerability.

https://hackerone.com/reports/198734

Some details of the following article, thanks to the vulnerability discoverer @taoguangchen for his help.

GMP type confusion vulnerability

-https://bugs.php.net/bug.php?id=70513

Vulnerability conditions

  • php 5.6.x
  • Deserialization entry point
  • The trigger point that can trigger __wakeup (below php < 5.6.11, you can use the built-in class)

Vulnerability details

gmp.c

zend_object_handlers.c

From the snippet in gmp.c, we can roughly understand the original words of vulnerability discoverer taoguangchen.

Magic methods such as __wakeup can cause ZVAL to be modified in memory. Therefore, an attacker can convert **object to an integer or bool type ZVAL, then we can access any object stored in the object storage through Z_OBJ_P, which means that any object can be overwritten through zend_hash_copy attributes, which may cause a lot of problems, and can also cause security problems in certain scenarios.

Perhaps it is impossible to understand the above words only with code snippets, but we can take a look at the actual test.

First let's look at a test code

In the code, I show the environment in many different situations.

Let's see what the result is?

I successfully modified the first declared object.

But what happens if I change the deserialized class to b?

Obviously, it will not affect other class variables

If we add a __Wakeup function to class b, then it will produce the same effect.

But if we set the variable in the wakeup magic method to 2

The results returned can be seen, we successfully modified the second declared object.

But if we change ryat to 4, then the page will return 500 directly, because we modified the unallocated object space.

After completing the previous experiments, we can simplify the conditions for exploiting the vulnerability.

If we have a controllable deserialization entry, the target backend PHP has a GMP plugin installed (this plugin is not installed by default in the original PHP, but some packaging environments will bring it), If we find a controllable __wakeup magic method, we can modify the object properties declared before deserialization and cooperate with the scene to produce actual security problems.

If the target php version is in 5.6 <= 5.6.11, we can directly use the built-in magic method to trigger this vulnerability.

Real world case

After discussing the GMP type confusion vulnerability, we must discuss how this vulnerability is used in real scenarios.

Taoguang Chen, the discoverer of the vulnerability, submitted a related exploit in mybb.

https://hackerone.com/reports/198734

Here we do not continue to discuss this vulnerability, but discuss the use in ecshop from scratch.

Vulnerable Environment

  • ecshop 4.0.7
  • php 5.6.9

Deserialization Vulnerability

First we need to find an entry point for deserialization. Here we can search for unserializeglobally. Looking at each of them, we can find two controllable deserialization entries.

One of them is search.php line 45

This is an entrance to the front desk, but unfortunately, the initialization file is introduced after deserialization, which also makes us unable to find a target that can override the properties of class variables, and there is no way to use it further.

Another one is admin/order.php line 229

This function of the form page in the background meets our requirements. Not only can it be controlled, but also urlencode can be used to bypass ecshop's filtering of global variables.

In this way, we have found a controllable and suitable deserialization entry point.

Find the appropriate class attribute utilization chain

Before looking for a utilization chain, we can use

To determine the class that has been declared when deserializing.

In my local environment, I found 13 classes in addition to the PHP built-in classes

You can also see from the code that multiple library files are imported in the file header

Here we mainly focus on init.php, because most common classes of ecshop are declared in this file.

When looking at the class variables one by one, we can keenly see a special variable. Due to the special background structure of ecshop, most of the page content is compiled from templates, and this template class happens to be in init.php. statement

Back in order.php, we are looking for methods related to $smarty, it is not difficult to find, mainly concentrated in two methods

Here we mainly focus on the display method.

A rough look at the logic of the display method:

The more important code will be defined in the function make_compiled

When the process reaches this point, we need to find out what our goal is first?

Re-examining the code of cls_template.php, we can find that there are only a few functions involved in the code execution.

get_para is only called in select, but there is no place to trigger the select.

Then pop_vars

We can control the $this->_temp_key variable just in conjunction with GMP, so as long as we can call this method anywhere in the above process, we can construct a code execution with variable coverage.

Looking back at the code flow just now, we found such code from the compiled PHP file

order_info.htm.php

After traversing the form, pop_vars will be triggered.

In this way, as long as we control the _temp_key attribute that overrides the cls_templatevariable, we can complete a getshell

Final use effect

Timeline

  • 2020.03.31 Find the vulnerability.
  • 2020.03.31 Report the vulnerability to the manufacturer, CVE, CNVD, etc.
  • 2020.07.08 Announce details after 90-day vulnerability disclosure period.

Paper

本文由 Seebug Paper 发布,如需转载请注明来源。本文地址:https://paper.seebug.org/1268/

作者:江 | Categories:漏洞分析 | Tags:

发表评论