CVE-2017-7411
Published 2017-10-30
CVSS 3.0: 8.8 (High)
Public exploit available
EPSS: 66.63% (99.2th percentile)
An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users through the REST API interface, and this can be exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks (including but not limited to Remote Code Execution).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| enalean | tuleap | <= 9.6 | — |
Detection & IOCs (extracted from sources)
- Monitor REST API PATCH requests to /api/users/{id}/preferences containing a serialized PHP object payload (beginning with 'a:1:{i:0;a:1:{') in the 'recent_elements' preference key value.
- Detect POST requests to /api/tokens followed shortly by a PATCH to /api/users/{id}/preferences from the same source IP — this two-step sequence is the exploit's authentication and payload-staging flow.
- Alert on POST requests to /plugins/tracker/ containing a base64-encoded body parameter with a random alphabetic name — this is the exploit trigger step that causes eval() execution via the POP chain.
- The exploit abuses the Mustache class __toString() method chaining into Transition_PostActionSubFactory::fetchPostActions() to reach eval(). Inspect PHP stack traces or error logs for these class/method names during exploitation.
- The vulnerability is triggered when a user visits a tracker artifact page (GET/POST to /plugins/tracker/?aid=) after the malicious 'recent_elements' preference has been set, causing unserialize() to process attacker-controlled data.
- The exploit requires valid authenticated credentials; it is not an unauthenticated attack. Detection rules should account for the authenticated REST API session flow.
- The Metasploit module defaults to RPORT 443 (HTTPS); network-level detection must inspect TLS-decrypted traffic to catch the attack.
- Affected versions are Tuleap 9.6 and prior; the module targets 'Tuleap <= 9.6'.
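The three detection points above (the serialized 'recent_elements' PATCH, the token-then-PATCH sequence from one source, and the later tracker artifact view that fires unserialize()) can be correlated from request logs. The following is an added defender-side example, not code from the page or from Tuleap; it assumes a constructed one-JSON-object-per-line log format from a reverse proxy that records request bodies, and an assumed five-minute pairing window between /api/tokens and the preferences PATCH.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample requests (not real Tuleap logs); the assumed format is one
# JSON object per line from a reverse proxy that records request bodies.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2017-10-23T10:00:01", "src": "203.0.113.5", "method": "POST",
     "path": "/api/tokens", "body": '{"username":"alice","password":"[redacted]"}'},
    {"ts": "2017-10-23T10:00:04", "src": "203.0.113.5", "method": "PATCH",
     "path": "/api/users/102/preferences",
     "body": '{"key":"recent_elements","value":"a:1:{i:0;a:1:{[constructed-placeholder]}}"}'},
    {"ts": "2017-10-23T10:00:09", "src": "203.0.113.5", "method": "GET",
     "path": "/plugins/tracker/?aid=10118", "body": ""},
    {"ts": "2017-10-23T10:05:00", "src": "198.51.100.7", "method": "PATCH",
     "path": "/api/users/7/preferences", "body": '{"key":"theme","value":"dark"}'},
])

PREF_PATH = re.compile(r"^/api/users/\d+/preferences$")
SERIALIZED_PREFIX = "a:1:{i:0;a:1:{"   # payload prefix named in the IOC list above
TRACKER_PATH = re.compile(r"^/plugins/tracker/\?aid=")
STAGING_WINDOW = timedelta(minutes=5)   # assumed window pairing /api/tokens with the PATCH

def analyze(log_text):
    """Return (src, finding, path) tuples: staging PATCH, token->PATCH sequence, trigger."""
    findings = []
    last_token = {}     # src -> time of the most recent POST /api/tokens
    staged = {}         # src -> time a serialized recent_elements value was written
    for line in log_text.splitlines():
        r = json.loads(line)
        ts = datetime.fromisoformat(r["ts"])
        src, method, path, body = r["src"], r["method"], r["path"], r["body"]
        if method == "POST" and path == "/api/tokens":
            last_token[src] = ts
        elif method == "PATCH" and PREF_PATH.match(path):
            # Substring checks so the rule does not depend on the exact JSON layout.
            if "recent_elements" in body and SERIALIZED_PREFIX in body:
                staged[src] = ts
                findings.append((src, "serialized_recent_elements", path))
                if src in last_token and ts - last_token[src] <= STAGING_WINDOW:
                    findings.append((src, "token_then_preference_patch", path))
        elif method in ("GET", "POST") and TRACKER_PATH.match(path):
            # An artifact view after staging is where unserialize() consumes the value.
            if src in staged and ts >= staged[src]:
                findings.append((src, "tracker_trigger_after_staging", path))
    return findings
```

Because the module defaults to HTTPS, these checks only work on logs written after TLS termination; the benign theme PATCH from the second source produces no finding.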
CVSS provenance
- NVD v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
Exploit-DB
Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)
exploitdb · 2017-12-19
Module header excerpt (truncated as indexed):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Tuleap 9.6 Second-Order PHP Object Injection',
'Description' => %q{
This module exploits a Second-Order PHP Object Injection vulnerability in Tuleap 'EgiX',
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://karmainsecurity.com/KIS-2017-02'],
['URL', 'https://tuleap.net/plugins/tracker/?aid=10118'],
['CVE', '2017-7411']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['Tuleap 0,
'DisclosureDate' => 'Oct 23 2017'
))
register_options(
[
OptString.new('TARGETURI', [true, "The base path to the web application", "/"]),
OptSt
```
Metasploit
Tuleap 9.6 Second-Order PHP Object Injection
This module exploits a Second-Order PHP Object Injection vulnerability in Tuleap <= 9.6 which could be abused by authenticated users to execute arbitrary PHP code with the permissions of the webserver. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with data that can be arbitrarily manipulated by a user through the REST API interface. The exploit's POP chain abuses the __toString() method from the Mustache class to reach a call to eval() in the Transition_PostActionSubFactory::fetchPostActions() method.
No writeups or analysis indexed.
References
- http://karmainsecurity.com/KIS-2017-02
- http://packetstormsecurity.com/files/144716/Tuleap-9.6-Second-Order-PHP-Object-Injection.html
- http://seclists.org/fulldisclosure/2017/Oct/53
- http://www.openwall.com/lists/oss-security/2017/10/23/3
- https://tuleap.net/plugins/tracker/?aid=10118
- https://www.exploit-db.com/exploits/43374/