FreeScout Deserialization Vulnerability Leading to Arbitrary Code Execution

Vulnerability

A deserialization vulnerability allowing arbitrary code execution has been identified in FreeScout versions prior to 1.8.178. The issue arises from insufficient validation of user-supplied data, which enables an attacker to inject serialized objects. When these objects are deserialized, it can lead to execution of arbitrary code on the application server, potentially allowing access to local files, modification of application data, and execution of commands with the application's privileges. In cases of over-privileged applications or exploited operating system vulnerabilities, this could result in full control over the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where FreeScout is hosted, in the context of the application process. This could lead to unauthorized access to files, modification of application data, and execution of commands with the application's privileges. In the case of an over-privileged application or exploitation of operating system vulnerabilities, an attacker could gain full control over the server.

Reproduction

To reproduce this vulnerability, an authenticated administrator can send a POST request to the '/mailbox/ajax' endpoint with a serialized object that, when deserialized, executes arbitrary code. After injecting the serialized object, the same option can be retrieved using the 'get' method, which will trigger the deserialization and execute the injected code.

Remediation

Users should update FreeScout to version 1.8.178 or later, where this vulnerability has been patched.
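The PHP example below is added here for illustration and is not FreeScout's code or its patch. It shows the general mechanism behind this class of bug, namely that `unserialize()` on user-controlled data instantiates whatever class the payload names and runs that class's magic methods before the caller can inspect the result, alongside two defensive handling strategies: `allowed_classes => false`, which downgrades any object in the payload to `__PHP_Incomplete_Class`, and storing plain data as JSON, which has no object semantics at all. The class `AuditedSetting`, the function names, and the serialized sample strings are constructed for this example and do not appear on the page.

```php
<?php
// Added example, not FreeScout code. Demonstrates why deserializing
// user-controlled input is dangerous and how to handle stored options safely.
// AuditedSetting, the function names and the sample payloads are constructed.

declare(strict_types=1);

// Harmless stand-in for any application class with a magic method.
// In a real code base such a method might touch files or run queries.
final class AuditedSetting
{
    public string $name = '';

    public function __wakeup(): void
    {
        // Runs as soon as unserialize() rebuilds the object, before the
        // caller has had any chance to validate what it received.
        echo "[!] __wakeup() ran for '{$this->name}'\n";
    }
}

// Constructed "stored option" as it might arrive from user-controlled storage.
$untrusted = 'O:14:"AuditedSetting":1:{s:4:"name";s:7:"example";}';

// 1. Unsafe: any loadable class is instantiated and its magic methods fire.
function loadOptionUnsafe(string $raw): mixed
{
    return unserialize($raw);   // never do this with user-controlled data
}

// Recursively check whether a decoded value contains any object, including
// __PHP_Incomplete_Class placeholders nested inside arrays.
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// 2. Hardened: refuse to instantiate any class, then reject object payloads.
//    No application-class __wakeup()/__destruct() can run on this path.
function loadOptionHardened(string $raw): mixed
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new UnexpectedValueException('object payload rejected');
    }
    return $value;
}

// 3. Preferred for new code: store plain data as JSON, which cannot name classes.
function loadOptionJson(string $raw): mixed
{
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

echo "--- unsafe ---\n";
var_dump(loadOptionUnsafe($untrusted) instanceof AuditedSetting); // true, after __wakeup() output

echo "--- hardened ---\n";
try {
    loadOptionHardened($untrusted);
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
var_dump(loadOptionHardened('a:1:{s:5:"theme";s:4:"dark";}')); // plain array is accepted

echo "--- json ---\n";
var_dump(loadOptionJson('{"theme":"dark"}'));
```

The detection angle follows from the same mechanism: any code path that passes request-derived or database-stored strings to `unserialize()` without `allowed_classes` is worth flagging in review, and a sudden appearance of `O:` prefixed values in option or settings tables is a useful indicator of attempted abuse.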

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          2.2
impact          8.1
exploitability  6.3
remediation     7.7
relevance       0.0
threat          6.5
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.