POP chain crafted to demonstrate exploitability
Tracked as CVE-2022-39297 and with a CVSS score of 9.8, the object injection flaw has been patched along with high severity path traversal bug CVE-2022-39296 and CVE-2022-3928, another, high severity deserialization flaw.
Melis Platform, which is maintained by French vendor Melis Technology, is based on Laminas, a popular PHP framework formally known as Zend, and counts Keyrus, Paco Rabanne, and La Banque Postale among its users.
The vulnerabilities were discovered by researchers from Swiss security outfit Sonar.
“The main vulnerability we identified comes from the deserialization of user data, something that is known to be unsafe for quite some time now,” Sonar vulnerability researcher Thomas Chauchefoin told The Daily Swig.
“As modern applications are very loosely coupled, it was not immediately obvious, even to an educated eye, that attackers could reach this code. This is where automated code analysis can be very powerful,” they added.
Having established the potential for abuse of PHP’s unserialize() function with Sonar’s static analysis tool, the researchers tested exploitability by crafting a Property Oriented Programming (POP) chain.
“The fun thing about deserialization vulnerabilities in PHP is that not so many gadget chains are available when you adventure [move] yourself out of the usual targets; they are like small puzzle pieces you have to assemble to obtain code execution,” said Chauchefoin.
“We had to come up with a new chain for the framework Laminas. We added it to PHPGGC, a public database of the most common gadget chains, so other researchers don't have to do this work again!”
Targeting the cache layer
In a blog post, Chauchefoin and Sonar software engineer Karim El Ouerghemmi documented how they targeted Laminas’ cache layer.
“Cache systems are often good targets ‘because they are] designed in a way to be loosely coupled with the rest of the application (e.g. automatically trigger save at the end of the lifecycle of the request by using destructors) and support a broad range of storage backends, including filesystems,” they wrote. “It can also be assumed that gaining the ability to control what's stored in the cache can be abused later upon its retrieval, this data is always considered to be trusted.”
Sonar reported the vulnerabilities to Melis Technology back in June 2021 and patched updates were released on September 23, 2022.
The flaws affect versions spanning 2.2.0 and 5.0.0 inclusive, and were remediated in Melis 5.0.1.
Correction: This article was updated on October 26 to reflect the fact that Sonar discovered CVE-2022-3928 in Melis, not CVE-2022-3929, as originally and erroneously stated.