Crater Invoice
cpe:2.3:a:craterapp:crater:*:*:*:*:*:*:*
- <= 6.0.6
A remote command execution vulnerability has been identified in Crater Invoice versions through 6.0.6. It allows an unauthenticated attacker to execute arbitrary commands on the server by manipulating the laravel_session cookie. Crater relies on Laravel's session management, in which session data is encrypted with the application's APP_KEY and stored client-side in the cookie; the server therefore trusts any cookie that decrypts and authenticates under that key. An attacker who knows the APP_KEY can decrypt the cookie, modify it to include a malicious payload, and re-encrypt it before sending it back to the server. Because the decrypted session payload is then unserialized, the attacker-controlled data reaches PHP deserialization, leading to remote command execution.
Exploitation of this vulnerability allows for unauthorized remote command execution on the server where Crater Invoice is running.
To reproduce this vulnerability, an attacker must first obtain the Laravel APP_KEY used in the application. Once the APP_KEY is acquired, the attacker can retrieve the laravel_session cookie from the application. This cookie contains serialized data that can be decrypted using the APP_KEY. After decrypting the cookie, the attacker can modify the serialized data to include a payload that, when re-encrypted and sent back to the server, is executed as a command. The exploitation can be automated with a tool called 'laravel-crypto-killer', available on GitHub.
Users are advised to regenerate the APP_KEY if they have used the default value from the .env.example file. Additionally, migrating to InvoiceShelf, a maintained fork of Crater Invoice, is recommended.
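A small audit helper, added here and not part of the advisory or the Crater project, that checks the condition the advice above describes: it reads APP_KEY from a deployment's .env and flags it when it is blank or identical to the key shipped in the repository's .env.example (assumed to sit beside .env in the install directory).

```sh
#!/bin/sh
# Added audit helper (not from the advisory or Crater): flags a Crater install
# whose APP_KEY is missing, blank, or equal to the APP_KEY in .env.example.

# Print the APP_KEY value from an env-style file ($1); empty if absent/blank.
# Surrounding single or double quotes are stripped; commented lines are ignored.
app_key_of() {
  sed -n 's/^[[:space:]]*APP_KEY[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null \
    | head -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# check_app_key ENV_FILE EXAMPLE_FILE
# Returns 0 if the deployed key looks unique, 1 if it is missing or blank,
# 2 if it is the same key as in .env.example (the default was never changed).
check_app_key() {
  key=$(app_key_of "$1")
  example=$(app_key_of "$2")
  [ -z "$key" ] && return 1
  [ -n "$example" ] && [ "$key" = "$example" ] && return 2
  return 0
}

# Usage: sh check_app_key.sh /path/to/crater   (exits non-zero on a bad key)
if [ $# -eq 1 ]; then
  rc=0; check_app_key "$1/.env" "$1/.env.example" || rc=$?
  case $rc in
    0) echo "APP_KEY looks unique" ;;
    1) echo "APP_KEY missing or blank: run 'php artisan key:generate'"; exit 1 ;;
    2) echo "APP_KEY equals the .env.example default: run 'php artisan key:generate'"; exit 1 ;;
  esac
fi
```

Rotating the key with Laravel's `php artisan key:generate` invalidates all existing sessions and anything else encrypted under the old key, so plan for users to log in again.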