CVE-2024-55556
Published 2025-01-07
Priority P1 · 82 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 43.56% (98.6th percentile)
A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie, exploiting arbitrary deserialization through the encrypted session data. The exploitation vector of this vulnerability relies on an attacker obtaining Laravel's secret APP_KEY, which would allow them to decrypt and manipulate session cookies (laravel_session) containing serialized data. By altering this data and re-encrypting it with the APP_KEY, the attacker could trigger arbitrary deserialization on the server, potentially leading to remote command execution (RCE). The vulnerability is primarily exploited by accessing an exposed cookie and manipulating it using the secret key to gain malicious access to the server.
Detection & IOCs (extracted from sources)
- other: APP_KEY=base64:kgk/4DW1vEVy7aEvet5FPp5un6PIGe/so8H0mvoUtW0=
- path: /login
- other: Illuminate\Broadcasting\PendingBroadcast (PHP deserialization gadget chain)
- other: Illuminate\Database\DatabaseManager (PHP deserialization gadget chain)
- sigma: shodan-query: 'http.title:"InvoiceShelf"'
Detection guidance
- Exploit requires SESSION_DRIVER=cookie in the InvoiceShelf .env configuration; sessions are stored as AES-256-CBC encrypted cookies. Detect exploitation by monitoring for malformed or oversized laravel_session cookie values submitted to /login.
- The deserialization payload uses the gadget chain Illuminate\Broadcasting\PendingBroadcast -> Illuminate\Database\DatabaseManager with array_filter as the callable, triggering system() or equivalent. Alert on PHP error responses containing 'Illuminate/Database/DatabaseManager.php' in the response body (visible in debug mode).
- The exploit fetches /login to harvest the laravel_session and a random session cookie, then re-submits a crafted cookie to /login. Correlate unauthenticated GET /login requests that are immediately followed by another GET /login with a different, large Cookie header from the same source IP.
- The default hardcoded APP_KEY 'base64:kgk/4DW1vEVy7aEvet5FPp5un6PIGe/so8H0mvoUtW0=' is a known-bad value. Alert if this key is present in any .env file or environment variable on InvoiceShelf hosts.
- HTTP 500 responses from /login combined with a Cookie header containing a base64-encoded JSON blob (iv/value/mac/tag fields) are a strong indicator of active exploitation attempts.
Caveats
- The vulnerability is only exploitable when SESSION_DRIVER=cookie is set in the .env file. Default installations may not be vulnerable if this setting is absent.
- The vulnerability is partially mitigated in default installations because the APP_KEY is regenerated during setup, meaning the hardcoded default key may not be present in production.
- The gadget chain error string 'Illuminate/Database/DatabaseManager.php' in the HTTP response body is only observable when the application is running in Laravel debug mode.
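The detection guidance above can be turned into a small log-and-config check. The code below is an added example, not part of this page or of InvoiceShelf: it recognises the base64 JSON envelope (iv/value/mac) Laravel uses for encrypted cookies, flags the two /login patterns the page names (a 500 with an envelope-shaped cookie; a repeat GET /login from the same IP with a different, oversized cookie), and checks a .env text for the known-bad APP_KEY quoted on this page. The log line format, the 1024-byte size threshold and the sample cookies are constructed assumptions.

```python
import base64
import json
import re

# Known-bad default key quoted on this page; any host still using it is exposed.
KNOWN_BAD_APP_KEY = "base64:kgk/4DW1vEVy7aEvet5FPp5un6PIGe/so8H0mvoUtW0="
SIZE_THRESHOLD = 1024  # assumed: a genuine laravel_session envelope is far smaller

def is_laravel_encrypted_cookie(value):
    """True if value is base64 JSON carrying Laravel's iv/value/mac envelope."""
    try:
        blob = json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all derive from ValueError
        return False
    return isinstance(blob, dict) and {"iv", "value", "mac"} <= set(blob)

def env_has_known_bad_key(env_text):
    """True if the .env text sets APP_KEY to the hardcoded default above."""
    m = re.search(r"^APP_KEY=(\S+)", env_text, re.M)
    return bool(m) and m.group(1).strip("\"'") == KNOWN_BAD_APP_KEY

# Assumed log shape: <ip> "<method> <path>" <status> laravel_session=<cookie>
LOG_RE = re.compile(r'^(\S+) "(GET|POST) (\S+)" (\d{3}) laravel_session=(\S*)$')

def scan_log(lines):
    """Return (ip, reason) alerts for the two /login heuristics from the page."""
    alerts, last_cookie = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "/login":
            continue
        ip, method, _, status, cookie = m.groups()
        if status == "500" and is_laravel_encrypted_cookie(cookie):
            alerts.append((ip, "500 on /login with encrypted-cookie envelope"))
        prev = last_cookie.get(ip)
        if method == "GET" and prev is not None and cookie != prev \
                and len(cookie) > SIZE_THRESHOLD:
            alerts.append((ip, "repeat GET /login with different oversized cookie"))
        last_cookie[ip] = cookie
    return alerts

def sample_cookie(payload_len):
    # Constructed fixture with the envelope shape only; the value is not ciphertext.
    env = {"iv": "A" * 24, "value": "B" * payload_len, "mac": "c" * 64}
    return base64.b64encode(json.dumps(env).encode()).decode()

# Constructed log: one source fetches /login, then re-submits an oversized cookie.
SAMPLE_LOG = [
    '10.0.0.9 "GET /login" 200 laravel_session=' + sample_cookie(200),
    '10.0.0.9 "GET /login" 500 laravel_session=' + sample_cookie(4000),
]
```

Running `scan_log(SAMPLE_LOG)` yields both alerts for 10.0.0.9; a benign visitor whose cookie stays small and whose requests return 200 produces none.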
No detection rules found.
Metasploit
InvoiceShelf unauthenticated PHP Deserialization Vulnerability
InvoiceShelf is an open-source web & mobile app that helps you track expenses, payments, create professional invoices & estimates and is based on the PHP framework Laravel. InvoiceShelf has a Remote Code Execution vulnerability that allows remote unauthenticated attackers to conduct PHP deserialization attacks. This is possible when the `SESSION_DRIVER=cookie` option is set on the default InvoiceShelf .env file meaning that any session will be stored as a ciphered value inside a cookie. These sessions are made from a specially crafted JSON containing serialized data which is then ciphered using Laravel's encrypt() function. An attacker in possession of the `APP_KEY` would therefore be able to retrieve the cookie, uncipher it a
Nuclei
CVE-2024-55556 [CRITICAL] InvoiceShelf <= 1.3.0 - PHP Deserialization (CVSS 9.8)
InvoiceShelf version 1.3.0 and below contains an unauthenticated PHP deserialization vulnerability that can lead to remote code execution. An attacker with knowledge of the APP_KEY can achieve remote command execution on the server through Laravel's cookie deserialization. While the vulnerability is severe, it is partially mitigated in default installations as the APP_KEY is regenerated during setup.
Template:
id: CVE-2024-55556
info:
  name: InvoiceShelf <= 1.3.0 - PHP Deserialization
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    InvoiceShelf version 1.3.0 and below contains an unauthenticated PHP deserialization vulnerability that can lead to remote code execution. An attacker with knowledge of the APP_KEY can achi
No writeups or analysis indexed.