Vulnerabilities > CVE-2018-15133 - Deserialization of Untrusted Data vulnerability in Laravel
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
| id | EDB-ID:47129 |
| last seen | 2019-07-16 |
| modified | 2019-07-16 |
| published | 2019-07-16 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/47129 |
| title | PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit) |
Metasploit
| description | This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29. Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php. Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY. Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix. In some cases the APP_KEY is leaked which allows for discovery and exploitation. |
| id | MSF:EXPLOIT/UNIX/HTTP/LARAVEL_TOKEN_UNSERIALIZE_EXEC |
| last seen | 2020-05-31 |
| modified | 2019-07-12 |
| published | 2019-07-07 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/http/laravel_token_unserialize_exec.rb |
| title | PHP Laravel Framework token Unserialize Remote Command Execution |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/153641/laravel_token_unserialize_exec.rb.txt |
| id | PACKETSTORM:153641 |
| last seen | 2019-07-15 |
| published | 2019-07-15 |
| reporter | aushack |
| source | https://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html |
| title | PHP Laravel Framework Token Unserialize Remote Command Execution |