
So I came across this authentication bypass security notice, and the fix for it was simply changing all serialization to JSON encoding.

I am just wondering how this is really exploitable. I know that unserialize() can be used to perform object injection. But how can it be used to exploit this vulnerability and bypass authentication?

Anders
vincentleest

1 Answer


unserialize allows the creation of arbitrary object constructs of any class with arbitrary attributes. During deserialization, during the lifetime of an object, and when interacting with the object, several methods, including magic methods, may get called using these arbitrarily definable attributes. An attacker may be able to utilize the functionality provided within these called methods for his benefit.

In the end, the exploitability of such a vulnerability solely depends on the available classes and their functionalities. Have a look at the Observed Examples and References section of CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes for examples and further information.

And since the mentioned vulnerability in FreePBX is accessible without authentication (it actually happens during the authentication process), one may say that it bypasses authentication.

Gumbo
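To make the answer's point concrete, here is an added example (not FreePBX code, and not from the answer's author) with a hypothetical class `RemoteUser` and a constructed client-supplied string; it contrasts the vulnerable unserialize() call with the JSON-based fix the notice chose and with unserialize()'s `allowed_classes` option.

```php
<?php
// Added example. RemoteUser is a hypothetical stand-in for any application
// class that reacts to its own properties inside a magic method.
class RemoteUser {
    public $name;
    public $isAdmin = false;

    // Magic method: PHP calls this automatically when unserialize() rebuilds
    // the object, with whatever property values the serialized string carried.
    public function __wakeup() {
        echo "__wakeup ran for {$this->name}, isAdmin="
            . var_export($this->isAdmin, true) . "\n";
    }
}

// Constructed sample of an untrusted value (cookie, POST field, ...) that a
// vulnerable application would hand to unserialize(). The sender chose both the
// class name and the property values; no real login took place.
$untrusted = 'O:10:"RemoteUser":2:{s:4:"name";s:5:"guest";s:7:"isAdmin";b:1;}';

// Vulnerable pattern: the application class is instantiated from attacker-chosen
// data and its magic method executes with attacker-chosen properties.
function vulnerableDecode(string $input) {
    return unserialize($input);
}

// Hardened pattern 1 (the fix from the notice): JSON has no notion of
// application classes, so the decoder can only return arrays and scalars,
// and no magic method of any class is ever invoked.
function jsonDecode(string $input) {
    return json_decode($input, true);
}

// Hardened pattern 2 (PHP >= 7.0): keep the serialized format but refuse class
// instantiation. Any class in the input becomes __PHP_Incomplete_Class, so
// RemoteUser::__wakeup() never runs.
function restrictedDecode(string $input) {
    return unserialize($input, ['allowed_classes' => false]);
}

$obj = vulnerableDecode($untrusted);       // prints from __wakeup()
echo get_class($obj) . "\n";               // RemoteUser

$arr = jsonDecode('{"name":"guest","isAdmin":true}');
echo gettype($arr) . "\n";                 // array, not an object

$safe = restrictedDecode($untrusted);      // __wakeup() is not called
echo get_class($safe) . "\n";              // __PHP_Incomplete_Class
```

For detection, unserialize() calls fed from request data (cookies, form fields, query strings) are the pattern to grep for; PHP 7's `allowed_classes` is the smallest change when the serialized format cannot be replaced.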
  • I also read about POP Chain when I was researching this topic. But I can't find any reference/detailed explanations on it. Can you provide a link/pointer regarding POP Chain? – vincentleest Dec 03 '14 at 04:34
  • @vincentleest POP chain? Never heard of that. Maybe you meant ROP chain? But that has nothing to do with this kind of vulnerability. – Gumbo Dec 03 '14 at 07:45
  • It's Property Oriented Programming. [This site](https://www.dionach.com/blog/php-magic-method-mapping) mentions it, as does the OWASP PHP object injection page, last example. But that's all the references I can find. – vincentleest Dec 03 '14 at 15:16
  • @vincentleest Ok, someone coined this term following the ROP term for whatever reason. But it's not like ROP where you can actually choose which instructions are getting called. So I don't see why this is called Property Oriented Programming, as you can barely program with it. – Gumbo Dec 03 '14 at 15:36