CVE-2014-8791
Published: 2014-12-02
Priority: P3 · 50 · medium · CVSS 2.0: 6
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 14.77% (96.3th percentile)
project/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via the data parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| enalean | tuleap | — | — |
Detection & IOCs (extracted from sources)
bytes:
O:6:"Jabbex":2:{S:15:"\00Jabbex\00handler";O:12:"EventHandler":1:{S:27:"\00EventHandler\00authenticated";b:1;}
- Monitor POST requests to /project/register.php containing a 'data' parameter with PHP serialized object strings (beginning with 'O:' notation), particularly referencing class names 'Jabbex' or 'EventHandler'.
- Detect HTTP requests to /project/register.php that include a custom 'payload' header containing Base64-encoded content, which is the exploit's mechanism for delivering PHP code to be eval()'d.
- Alert on POST requests to /account/login.php followed immediately by POST requests to /project/register.php from the same session/IP, as this is the exploit's two-step login-then-inject pattern.
- The exploit chain abuses the Jabbex destructor → Jabber call_user_func_array() → Transition_PostAction_FieldFactory fetchPostActions() → eval() call chain; look for eval() execution traces originating from register.php in PHP error/audit logs.
- This vulnerability is only exploitable when 'sys_create_project_in_one_step' is disabled; confirm this configuration state when triaging alerts on affected Tuleap <= 7.6-4 instances.
- The vulnerability requires the attacker to be authenticated; unauthenticated exploitation is not possible. Detection rules should account for valid session cookies being present on the malicious POST to /project/register.php.
- The vulnerability is only triggerable when the 'sys_create_project_in_one_step' configuration option is disabled. Instances with this option enabled are not affected and should not generate true-positive alerts.
- The Metasploit module targets Tuleap <= 7.6-4 over SSL (port 443 by default). Network-layer detections should account for TLS-encrypted traffic; payload inspection requires SSL inspection to be effective.
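The first two checks in the list above, written as an added example (not code from the advisory, the Metasploit module or Tuleap): it flags POSTs to /project/register.php whose 'data' parameter carries PHP serialized-object tokens, or that carry a Base64 'payload' header. It assumes decrypted requests are available, per the TLS note; the function names, finding labels and sample bodies are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# "O:" (object) or "C:" (custom-serialized object) token in PHP serialize() output.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"([A-Za-z_\\][\w\\]*)":\d+:')
WATCHED_CLASSES = {"Jabbex", "EventHandler"}  # class names quoted on this page
TARGET_PATH = "/project/register.php"


def looks_base64(value, min_len=16):
    """True if value is a plausible Base64 blob (strict alphabet, valid padding)."""
    if len(value) < min_len:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def inspect_request(method, path, headers, body):
    """Return findings for one decrypted, form-encoded HTTP request."""
    findings = []
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return findings
    for value in parse_qs(body, keep_blank_values=True).get("data", []):
        classes = set(PHP_OBJECT.findall(value))
        if classes:
            findings.append(("serialized-object-in-data", sorted(classes)))
        watched = WATCHED_CLASSES & classes
        if watched:
            findings.append(("watched-class", sorted(watched)))
    payload = {k.lower(): v for k, v in headers.items()}.get("payload")
    if payload is not None and looks_base64(payload.strip()):
        findings.append(("base64-payload-header", len(payload)))
    return findings


# Constructed samples (not captured traffic): a plain serialized array, a nested
# object using the class names from this page, and an inert Base64 header value.
BENIGN_BODY = urlencode({"data": 'a:1:{s:4:"name";s:4:"demo";}'})
SUSPECT_BODY = urlencode({"data": 'O:6:"Jabbex":1:{s:1:"h";O:12:"EventHandler":0:{}}'})
SAMPLE_HEADER = base64.b64encode(b"constructed sample bytes").decode()

if __name__ == "__main__":
    for hdrs, body in (({}, BENIGN_BODY), ({"Payload": SAMPLE_HEADER}, SUSPECT_BODY)):
        print(inspect_request("POST", TARGET_PATH, hdrs, body))
```

A hit on 'serialized-object-in-data' alone is worth triaging, since any object token in this parameter is unexpected input to unserialize(); confirm the 'sys_create_project_in_one_step' state and the instance version before escalating.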
No detection rules found.
Exploit-DB
Tuleap - PHP Unserialize Code Execution (Metasploit)
exploitdb·2014-12-15
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Tuleap PHP Unserialize Code Execution',
'Description' => %q{
This module exploits a PHP object injection vulnerability in Tuelap MSF_LICENSE,
'Author' => 'EgiX',
'References' =>
[
['CVE', '2014-8791'],
['OSVDB', '115128'],
['URL', 'http://karmainsecurity.com/KIS-2014-13'],
['URL', 'https://tuleap.net/plugins/tracker/?aid=7601']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Generic (PHP Payload)', {}]],
'DisclosureDate' => 'Nov 27 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, "The base path to the web appli
Metasploit
Tuleap PHP Unserialize Code Execution
This module exploits a PHP object injection vulnerability in Tuleap <= 7.6-4 which could be abused to allow authenticated users to execute arbitrary code with the permissions of the web server. The dangerous unserialize() call exists in the 'src/www/project/register.php' file. The exploit abuses the destructor method from the Jabbex class in order to reach a call_user_func_array() call in the Jabber class and call the fetchPostActions() method from the Transition_PostAction_FieldFactory class to execute PHP code through an eval() call. In order to work, the target must have the 'sys_create_project_in_one_step' option disabled.
No writeups or analysis indexed.
http://karmainsecurity.com/KIS-2014-13
http://packetstormsecurity.com/files/129309/Tuleap-7.6-4-PHP-Object-Injection.html
http://seclists.org/fulldisclosure/2014/Nov/101
http://www.securityfocus.com/archive/1/534105/100/0/threaded
http://www.securityfocus.com/bid/71335