Identifying Vulnerability

Scenario: HTBank

White-box assessment of HTBank website. Key information:

• Cannot create accounts with @htbank.com email addresses (admin only)

• Source code provided

---

Exploration

1. Registration

Register test account: pentest@test.com:pentest

Note: Lack of password policy (pentest allowed as password) signifies security weakness.

2. Settings Page

Found /settings with:

• Update username, email, password, profile picture

• Import/Export Settings feature

3. Export Settings

Clicking "Export Settings" produces Base64 string:

echo -n TzoyNDoiQXBwXEhlbHBlcnNcVXNl...SNIP... | base64 -d

Output:

O:24:"App\Helpers\UserSettings":4:{s:30:"App\Helpers\UserSettingsName";s:7:"pentest";s:31:"App\Helpers\UserSettingsEmail";s:16:"pentest@test.com";s:34:"App\Helpers\UserSettingsPassword";s:60:"$2y$10$kPfp572LjEN1HDYrBOoWqezWZcee58HteiIStVvRu6ndWimUqBN7a";s:36:"App\Helpers\UserSettingsProfilePic";s:11:"default.jpg";}

This is a serialized PHP object!

---

Source Code Analysis

Laravel application. Find the function:

grep 'Exported user settings!' -nr .
# ./app/Http/Controllers/HTController.php:123

Vulnerable Code

public function handleSettingsIE(Request $request) {
    if (Auth::check()) {
        if (isset($request['export'])) {
            $user = Auth::user();
            $userSettings = new UserSettings($user->name, $user->email, $user->password, $user->profile_pic);
            $exportedSettings = base64_encode(serialize($userSettings));
            Session::flash('ie-message', 'Exported user settings!');
            Session::flash('ie-exported-settings', $exportedSettings);
        } 
        else if (isset($request['import']) && !empty($request['settings'])) {
            // VULNERABLE: No validation before unserialize!
            $userSettings = unserialize(base64_decode($request['settings']));
            $user = Auth::user();
            $user->name = $userSettings->getName();
            $user->email = $userSettings->getEmail();
            $user->password = $userSettings->getPassword();
            $user->profile_pic = $userSettings->getProfilePic();
            $user->save();
                
            Session::flash('ie-message', "Imported settings for '" . $userSettings->getName() . "'");
        }
        return back();
    }
    return redirect("/login")->withSuccess('You must be logged in to complete this action');
}

Vulnerability Analysis

1. Server accepts serialized UserSettings object

2. No filters or checks on the string before unserialize()

3. User details updated based on deserialized object values

---

Key Takeaways

Note: Import and export of settings or progress are very popular, especially in games. Always keep an eye out for these features as they may be vulnerable if not properly secured.

Finding unserialize()

grep -n "unserialize" htbank-clean/app/Http/Controllers/HTController.php
# 127: $userSettings = unserialize(base64_decode($request['settings']));

---

Attack Surface

The vulnerability allows:

1. Object Injection - Modify serialized user data

2. Potential privilege escalation via email manipulation

3. Possible RCE if magic methods exist