Kinsing & debug — Part II

Ant Gam
2 min read · Mar 31, 2021

As we saw in the previous story, the Kinsing crypto malware was famous for infecting Docker containers, but it has recently been detected in Laravel applications due to a vulnerability in applications running in debug mode.

Ignition is a beautiful and customizable error page for Laravel applications. This page is only displayed when the application is in debug mode (APP_DEBUG = true in the .env file).

The vulnerability is an RCE (CVE-2021-3129) affecting ignition <= 2.5.1, and it already has an exploit.

I will not explain in detail how the exploit works, but basically it is due to a lack of validation of the input to the file_get_contents function, which allows the attacker to execute stream wrappers. If you want to know more about how the exploit works, visit the following link. You can also run the example exploit from here (Python).

If you want to see how the exploit works step by step, you can use this Insomnia collection (it includes all the requests needed for the attack): https://pastebin.pl/view/c0b59f60.

This is a serious vulnerability, since it allows the attacker to remotely execute commands, such as downloading files, running scripts (Kinsing), etc.

Payload with the Linux `cat` command (cat ./env)

Conclusion

  1. Never release applications in debug mode to production!
  2. Always update your dependencies.
  3. Do not mark development dependencies as required; keep them in the development scope (require-dev, scope=test, etc.).
  4. Check whether your development tools, frameworks and libraries have known vulnerabilities (cvedetails.com, exploit-db.com).
  5. Always sanitize/validate your inputs.
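
Points 1 to 3 can be checked automatically before a deploy. The script below is an added example, not part of the original post: it reads the contents of a composer.lock and a .env file and reports debug mode, an Ignition version in the affected range, and Ignition installed as a production dependency. The Composer package name `facade/ignition` is an assumption (the post only says "ignition"), and the sample inputs are constructed.

```python
import json
import re

PACKAGE = "facade/ignition"  # assumed Composer package name for Ignition
LAST_AFFECTED = (2, 5, 1)    # the post states ignition <= 2.5.1 is affected


def parse_version(text):
    """Turn '2.5.1' or 'v2.5.1' into a tuple; None if not numeric (e.g. a dev branch)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def debug_enabled(env_text):
    """True when the first APP_DEBUG line in the .env text is set to true."""
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "APP_DEBUG":
            return value.strip().strip("\"'").lower() == "true"
    return False


def audit(composer_lock_text, env_text):
    """Return a list of findings for one application."""
    findings = ["APP_DEBUG is true"] if debug_enabled(env_text) else []
    lock = json.loads(composer_lock_text)
    for section in ("packages", "packages-dev"):  # production, then dev-only
        for pkg in lock.get(section, []):
            if pkg.get("name") != PACKAGE:
                continue
            version = parse_version(pkg.get("version", ""))
            if version is None:
                findings.append(f"{PACKAGE} version not recognized, check manually")
            elif version <= LAST_AFFECTED:
                findings.append(f"{PACKAGE} {pkg['version']} is in the affected range")
            if section == "packages":
                findings.append(f"{PACKAGE} is a production dependency")
    return findings


# Constructed sample inputs, not taken from a real project.
SAMPLE_LOCK = '{"packages": [{"name": "facade/ignition", "version": "2.5.1"}], "packages-dev": []}'
SAMPLE_ENV = "APP_NAME=Shop\nAPP_ENV=production\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, SAMPLE_ENV):
        print("FINDING:", finding)
```
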

That’s it, thanks for reading.
