{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/unserialize/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Grav CMS","composer/getgrav/grav (\u003c 2.0.0-beta.2)"],"_cs_severities":["critical"],"_cs_tags":["rce","unserialize","command-injection","ssti"],"_cs_type":"threat","_cs_vendors":["Grav"],"content_html":"\u003cp\u003eMultiple remote code execution (RCE) vulnerabilities have been identified in Grav CMS, a flat-file content management system. They comprise unsafe \u003ccode\u003eunserialize()\u003c/code\u003e calls in the JobQueue, FileCache, and Session components, a command injection in the \u003ccode\u003egit clone\u003c/code\u003e invocation used to install plugins and themes, and a server-side template injection (SSTI) blocklist bypass; each allows an attacker to execute arbitrary code on the affected system. The vulnerabilities are present in Grav CMS versions prior to 2.0.0-beta.2 and were patched in commits c66dfeb5f and 38685ac25. Successful exploitation could lead to complete system compromise, data theft, and disruption of service. The unserialize issues are the most concerning: they require no administrative access and can be triggered by an attacker who holds any file write primitive on the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains the ability to write files to the Grav CMS server, either through an existing vulnerability (for example, an unrestricted file upload) or through a misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a serialized PHP payload whose classes and property values are chosen so that deserializing it leads to code execution.\u003c/li\u003e\n\u003cli\u003eFor JobQueue or FileCache exploitation, the attacker writes this serialized payload to the cache file location that the component later reads. For Session exploitation, the attacker places the crafted payload in a session variable.\u003c/li\u003e\n\u003cli\u003eThe Grav CMS application deserializes the data with \u003ccode\u003eunserialize()\u003c/code\u003e without restricting the classes that may be instantiated and without verifying that the data was produced by the application itself.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eunserialize()\u003c/code\u003e instantiates the attacker-chosen classes with attacker-controlled property values; code execution follows when application code or a PHP magic method such as \u003ccode\u003e__wakeup\u003c/code\u003e or \u003ccode\u003e__destruct\u003c/code\u003e acts on those values. In the JobQueue case the path is direct: \u003ccode\u003eJob::exec → call_user_func_array\u003c/code\u003e invokes an attacker-supplied callable with attacker-supplied arguments.\u003c/li\u003e\n\u003cli\u003eFor the git clone command injection, an administrator installs a malicious plugin or theme. The attacker has embedded shell commands in the \u003ccode\u003ebranch\u003c/code\u003e, \u003ccode\u003eurl\u003c/code\u003e, or \u003ccode\u003epath\u003c/code\u003e parameters of the plugin\u0026rsquo;s or theme\u0026rsquo;s configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eInstallCommand.php\u003c/code\u003e script builds a \u003ccode\u003egit clone\u003c/code\u003e command line that incorporates the attacker-controlled parameters without shell escaping.\u003c/li\u003e\n\u003cli\u003eThe injected commands run on the server with the privileges of the process performing the installation, granting the attacker arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to complete system compromise. An attacker could gain unauthorized access to sensitive data, modify website content, install backdoors, or use the compromised server as a launchpad for further attacks. The unserialize vulnerabilities are especially critical because they do not require administrative privileges: any attacker who can write to the cache directory can trigger them. The git clone injection, by contrast, depends on an administrator installing attacker-supplied content. The overall impact includes data theft, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Grav CMS to version 2.0.0-beta.2 or later, which contains the fixes for all vulnerabilities described in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Unsafe PHP Unserialize\u003c/code\u003e against web server logs to identify exploitation attempts; because the JobQueue and FileCache vectors are triggered by a prior file write rather than by a request, also alert on unexpected writes to the Grav cache directory.\u003c/li\u003e\n\u003cli\u003eReview and harden file upload and file management functionality so that no unauthenticated or low-privileged user can write files to locations the application later reads.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003egit\u003c/code\u003e commands executed by the web server user, using the Sigma rule \u003ccode\u003eDetect Git Clone Command Injection\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-grav-rce/","summary":"Multiple critical and high severity remote code execution vulnerabilities exist in Grav CMS due to unsafe unserialize functions, command injection in git clone, and an SSTI blocklist bypass, impacting versions prior to 2.0.0-beta.2.","title":"Grav CMS Multiple RCE Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2024-01-grav-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Unserialize","version":"https://jsonfeed.org/version/1.1"}
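The PHP below is an added illustration, not code from Grav or from this brief. It contrasts the two patterns the attack chain describes: an unsafe unserialize() of a cache file an attacker can write, beside a loader that authenticates the file with an HMAC and restricts allowed_classes; and a git clone built by string interpolation, beside one that escapes every argument and terminates option parsing. The class and function names (Job, loadJobUnsafe, storeJob, loadJobSafe, cloneUnsafe, cloneSafe), the CACHE_KEY constant, the one-line MAC-then-blob file layout and the sample payload are all assumptions made for the example; it targets PHP 8.

```php
<?php
// Added example (not Grav code). Names, file layout and key are assumptions.

// Minimal stand-in for a queued job: a callable plus arguments invoked when the
// job runs. Whoever controls the serialized form controls both fields, so
// exec() becomes arbitrary code execution.
final class Job
{
    public function __construct(public string $callable, public array $args) {}

    public function exec(): mixed
    {
        return call_user_func_array($this->callable, $this->args);
    }
}

// --- Vulnerable: trusts whatever is on disk ---------------------------------
function loadJobUnsafe(string $cacheFile)
{
    // Anyone with a file-write primitive at $cacheFile picks the class, the
    // callable and the arguments. No allowed_classes, no integrity check.
    return unserialize((string) file_get_contents($cacheFile));
}

// --- Hardened: authenticate the blob, then restrict what it may contain -----
const CACHE_KEY = 'replace-with-a-per-install-secret'; // assumption: generated at install

function storeJob(string $cacheFile, Job $job): void
{
    $blob = serialize($job);
    // HMAC over the serialized bytes; a forged or edited cache file will not verify.
    $mac  = hash_hmac('sha256', $blob, CACHE_KEY);
    file_put_contents($cacheFile, $mac . "\n" . $blob, LOCK_EX);
}

function loadJobSafe(string $cacheFile): Job
{
    $parts = explode("\n", (string) file_get_contents($cacheFile), 2);
    $mac   = $parts[0];
    $blob  = $parts[1] ?? '';
    if (!hash_equals(hash_hmac('sha256', $blob, CACHE_KEY), $mac)) {
        throw new RuntimeException("cache file failed integrity check: $cacheFile");
    }
    // Even with a valid MAC, only Job may be instantiated; any other class in
    // the payload becomes __PHP_Incomplete_Class and has no methods to run.
    $job = unserialize($blob, ['allowed_classes' => [Job::class]]);
    if (!$job instanceof Job) {
        throw new RuntimeException('unexpected payload type');
    }
    return $job;
}

// --- Command injection in plugin/theme install -------------------------------
// Vulnerable: attacker-controlled url/branch/path interpolated into a shell line.
function cloneUnsafe(string $url, string $branch, string $path): void
{
    shell_exec("git clone -b $branch $url $path");
}

// Hardened: the URL is allow-listed, every argument is shell-escaped,
// --branch=VALUE keeps a value starting with "-" from being read as an option,
// and "--" stops option parsing, so "x; id" or "-c foo=bar" is just a string.
function cloneSafe(string $url, string $branch, string $path): void
{
    if (!preg_match('#^https://[A-Za-z0-9.\-]+/[A-Za-z0-9._/\-]+$#', $url)) {
        throw new InvalidArgumentException('repository URL must be https:// without metacharacters');
    }
    $cmd = sprintf('git clone --branch=%s -- %s %s',
        escapeshellarg($branch), escapeshellarg($url), escapeshellarg($path));
    exec($cmd, $output, $rc);
    if ($rc !== 0) {
        throw new RuntimeException('git clone failed: ' . implode("\n", $output));
    }
}

// --- Demonstration with a constructed forged cache file (no network, no git) ---
$tmp = tempnam(sys_get_temp_dir(), 'job');
// Attacker-style payload: a Job that loadJobUnsafe() would let run `id`.
file_put_contents($tmp, serialize(new Job('system', ['id'])));
try {
    loadJobSafe($tmp);                       // rejected: no valid MAC
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
storeJob($tmp, new Job('strtoupper', ['grav']));  // legitimate, authenticated job
echo loadJobSafe($tmp)->exec(), "\n";
unlink($tmp);
```

Run it with `php example.php` on PHP 8. The demonstration writes a constructed forged cache file to a temporary path and shows that loadJobSafe() rejects it where loadJobUnsafe() would have executed it; the clone functions are defined but not invoked because they need git and network access. In a real queue the callable would additionally be checked against an allow-list before exec() is reached, so that the MAC is not the only control.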