FreeScout Remote Code Execution Vulnerability via Deserialization in the Conversation Ajax Endpoint

Vulnerability

A critical deserialization vulnerability allowing remote code execution has been identified in FreeScout versions through 1.8.185. The flaw is in the '/conversation/ajax' endpoint and is exploitable by an authenticated user who also knows the application's APP_KEY. The endpoint passes the 'attachments_all' and 'attachments' POST parameters to 'Helper::decrypt()', which decrypts each value and then unserializes the resulting plaintext without restricting which classes may be instantiated or validating that the result is the value the endpoint expects. Because the encrypted payload is authenticated with APP_KEY, only a holder of that key can forge a value that passes decryption; once it does, the unrestricted unserialize lets the attacker instantiate arbitrary objects with attacker-chosen properties, and a suitable gadget chain turns that into complete compromise of the web application.

Impact

Exploitation of this vulnerability leads to remote code execution on the server hosting FreeScout, with the privileges of the PHP process serving the application.

Reproduction

To reproduce this vulnerability, an authenticated user sends a POST request to the '/conversation/ajax' endpoint whose 'attachments_all' and 'attachments' parameters carry values encrypted under the target's APP_KEY, but whose plaintext is a serialized PHP object rather than the value the application expects. 'Helper::decrypt()' accepts the value because the MAC check and decryption succeed, then unserializes it, instantiating the attacker's objects with attacker-controlled properties before any validation runs. Combined with a suitable deserialization gadget chain, this yields remote code execution.
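The following stand-alone PHP 8 script is an added illustration of the defect class described above; it is not FreeScout or Laravel code, and it is not a gadget chain. It re-implements the Laravel encrypted-payload layout (base64-encoded JSON with iv, value, mac and tag fields; AES-256-CBC; HMAC-SHA256 over the base64 iv and ciphertext) with plain openssl calls so it runs without the framework. The demo key, the DemoGadget class and the two decoder functions are constructed for the example, and the assumption that each attachment parameter decrypts to a scalar attachment id is the author's, not something the page states.

```php
<?php
declare(strict_types=1);

// Added demonstration, not FreeScout or Laravel code. Re-implements the Laravel
// payload layout with openssl so the file runs stand-alone on PHP 8.
// DEMO_APP_KEY, DemoGadget, decryptAttachmentIdVulnerable() and
// decryptAttachmentIdHardened() are constructed for this example.

const DEMO_APP_KEY = 'base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='; // 32 zero bytes (demo only)

function keyBytes(string $appKey): string
{
    return base64_decode(substr($appKey, strlen('base64:')), true);
}

// Produce a payload in the same shape Laravel's encrypt() emits.
function laravelStyleEncrypt(string $plaintext, string $key): string
{
    $iv = random_bytes(16);
    $value = openssl_encrypt($plaintext, 'aes-256-cbc', $key, 0, $iv); // base64 ciphertext
    $ivB64 = base64_encode($iv);
    $mac = hash_hmac('sha256', $ivB64 . $value, $key);                  // MAC keyed with APP_KEY
    return base64_encode(json_encode(['iv' => $ivB64, 'value' => $value, 'mac' => $mac, 'tag' => '']));
}

// Verify the MAC and decrypt; returns the raw plaintext, which is still serialized.
function laravelStyleDecryptRaw(string $payload, string $key): string
{
    $data = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($data) || !isset($data['iv'], $data['value'], $data['mac'])) {
        throw new RuntimeException('The payload is invalid.');
    }
    if (!hash_equals(hash_hmac('sha256', $data['iv'] . $data['value'], $key), $data['mac'])) {
        throw new RuntimeException('The MAC is invalid.');
    }
    $plain = openssl_decrypt($data['value'], 'aes-256-cbc', $key, 0, base64_decode($data['iv'], true));
    if ($plain === false) {
        throw new RuntimeException('Could not decrypt the data.');
    }
    return $plain;
}

// Vulnerable pattern: the plaintext goes straight into an unrestricted unserialize(),
// so any autoloadable class can be instantiated with attacker-chosen properties.
function decryptAttachmentIdVulnerable(string $payload, string $key): mixed
{
    return unserialize(laravelStyleDecryptRaw($payload, $key));
}

// Hardened pattern (illustrative, not the upstream patch): forbid object
// instantiation and insist on the scalar the endpoint actually expects.
function decryptAttachmentIdHardened(string $payload, string $key): int
{
    $value = unserialize(laravelStyleDecryptRaw($payload, $key), ['allowed_classes' => false]);
    if (!is_int($value) || $value <= 0) {
        throw new InvalidArgumentException('Expected an attachment id.');
    }
    return $value;
}

// Stand-in for a gadget class: a magic method that runs when the object is rebuilt.
class DemoGadget
{
    public string $note = 'default';

    public function __wakeup(): void
    {
        echo "DemoGadget::__wakeup() ran with note='{$this->note}'\n";
    }
}

$key = keyBytes(DEMO_APP_KEY);

// What the application would issue for attachment id 17: a serialized integer.
$legit = laravelStyleEncrypt(serialize(17), $key);
var_dump(decryptAttachmentIdVulnerable($legit, $key)); // int(17)

// What an attacker holding APP_KEY submits in attachments_all[]: a serialized object.
$gadget = new DemoGadget();
$gadget->note = 'chosen by the attacker';
$forged = laravelStyleEncrypt(serialize($gadget), $key);

$obj = decryptAttachmentIdVulnerable($forged, $key); // __wakeup() fires before any validation
var_dump($obj instanceof DemoGadget);                 // bool(true)

// The same forged value against the hardened decoder: no __wakeup(), call rejected.
try {
    decryptAttachmentIdHardened($forged, $key);
} catch (InvalidArgumentException $e) {
    echo 'hardened path rejected the payload: ' . $e->getMessage() . "\n";
}
```

The point the script makes is that the MAC is not the control that fails here: it keys off APP_KEY, so a key holder produces a perfectly valid envelope. The control that is missing sits after decryption, where the plaintext must be treated as untrusted input and never handed to an unrestricted unserialize(); with allowed_classes set to false the serialized object degrades to __PHP_Incomplete_Class, no magic method runs, and the type check rejects it.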

Remediation

Users should upgrade to FreeScout version 1.8.186 or later, where this vulnerability has been patched. Because exploitation requires APP_KEY, an installation whose key may have been exposed (for example through a leaked .env file or backup) should also rotate APP_KEY, since knowledge of the key alone lets an attacker forge any value the application decrypts.

Added: Jul 26, 2025, 4:47 AM
Updated: Jul 26, 2025, 4:47 AM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 0.3
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.