In this post, we’re going deep on CVE-2022-3525, a serious security issue that affected LibreNMS, a popular network monitoring platform. This vulnerability centers on the dangerous deserialization of untrusted data, which attackers can leverage to take control of systems, steal data, or launch further attacks. If your LibreNMS version is below 22.10., you could be at risk.
We’ll break down what went wrong, show code snippets, demonstrate a possible exploit, and give you resources to keep your systems safe.
What is Deserialization of Untrusted Data?
At its core, deserialization converts data stored as a string (like JSON) back into objects for a program to use. But if an attacker can control that data, they can trick programs into running malicious code.
- Example: If a PHP app unserializes data provided by the user, an attacker can craft data that triggers dangerous objects or methods.
The Issue in LibreNMS
LibreNMS is written in PHP and offers many features for device monitoring. Before version 22.10., certain endpoints in its codebase did not properly validate user-supplied data before deserializing it. This left the platform vulnerable to attacks.
Vulnerable Function Example
Here’s a simplified, illustrative snippet to show what happened (not the exact code, but based on the analysis):
if (isset($_POST['data'])) {
$info = unserialize($_POST['data']);
// ...do something with $info
}
- The app blindly calls unserialize() on user input. If an attacker submits specially crafted data, they could execute code on the server.
Why is This Dangerous?
- Remote Code Execution: Unchecked deserialization can allow code execution, file inclusion, or data theft.
Reproducing the Exploit
Note: This is for educational purposes only. Do not exploit this issue on systems you do not own or have permission to test.
1. Crafting a Malicious Payload
Attackers often exploit PHP’s unserialize() by sending objects referencing dangerous classes via the magic methods like __wakeup or __destruct.
Example malicious payload
class EvilObject {
public $cmd;
function __wakeup() {
system($this->cmd);
}
}
// Generate serialized string:
$payload = serialize(new EvilObject(['cmd'=>'id']));
echo $payload;
// O:10:"EvilObject":1:{s:3:"cmd";s:2:"id";}
An attacker posts this payload to the vulnerable endpoint
POST /some/endpoint
Content-Type: application/x-www-form-urlencoded
data=O:10:"EvilObject":1:{s:3:"cmd";s:2:"id";}
NOTE: The real-world impact depends on which classes exist within the codebase; attackers often look for classes they can abuse.
2. Achieving Code Execution
If the vulnerable server receives this payload and unserializes it, it might execute the system($this->cmd) call, running OS commands and giving the attacker control over the server.
How LibreNMS Fixed the Issue
The fix for CVE-2022-3525 was shipped in LibreNMS 22.10.. The developers stopped using unserialize() on user data and likely replaced it with safer methods, such as json_decode().
Fixed code pattern
if (isset($_POST['data'])) {
$info = json_decode($_POST['data'], true);
// Now $info can be safely used
}
- json_decode() does not cause code execution since it does not instantiate classes like unserialize().
How to Protect Yourself
1. Upgrade Immediately: Update your LibreNMS to the latest version (download here).
2. Never Unserialize Untrusted Data: In any PHP code you control, do not call unserialize() on user input.
References and Further Reading
- CVE-2022-3525 at NVD
- LibreNMS security advisories
- About PHP Object Injection
- PHP Manual: unserialize() Warnings
- Official Fix Release Note
Summary
CVE-2022-3525 is a solid reminder that deserialization of untrusted data is dangerous, especially in open-source tools like LibreNMS. Exploiting this bug could mean remote code execution and full server compromise.
To stay safe: update your LibreNMS, check your custom PHP code, and always treat user input carefully.
If you found this helpful, consider sharing it with your sysadmin or security team!
Timeline
Published on: 11/20/2022 05:15:00 UTC
Last modified on: 11/21/2022 12:48:00 UTC