Zumba Json Serializer Unrestricted PHP Object Deserialization Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability exists in Zumba Json Serializer versions prior to 3.2.3, allowing for unrestricted deserialization of PHP objects from JSON. The issue arises because the deserializer instantiates any class specified in the '@type' field without restrictions. This behavior can be exploited by an attacker to instantiate arbitrary classes within the application, particularly if those classes have dangerous magic methods like '__wakeup()' or '__destruct()'. Such exploitation could lead to PHP Object Injection and potentially remote code execution, depending on the application's context and available gadget chains. The vulnerability is similar to PHP's native 'unserialize()' function when used without the 'allowed_classes' restriction.
Impact
Exploitation of this vulnerability allows arbitrary PHP classes to be instantiated via the '@type' field during JSON deserialization. This could lead to PHP Object Injection, with the possibility of remote code execution, data exfiltration, file manipulation, or a denial-of-service condition, depending on the application's context and the classes involved.
Reproduction
To reproduce this vulnerability, first ensure you have a vulnerable version of the Zumba Json Serializer library (prior to 3.2.3). Then, create a JSON payload that includes an '@type' field specifying a class that exists in the application's autoloader and has a magic method like '__wakeup()' or '__destruct()' that could be exploited. Pass this payload into the 'JsonSerializer::unserialize()' method. If the class is instantiated and its magic method is triggered, the vulnerability has been successfully exploited.
Remediation
Upgrade to Zumba Json Serializer version 3.2.3 or later. After upgrading, configure the serializer to restrict which classes can be instantiated during deserialization by using the 'setAllowedClasses()' method. If an immediate upgrade isn't possible, avoid deserializing untrusted JSON with 'JsonSerializer::unserialize()', validate and sanitize all JSON input before deserialization, and disable '@type'-based object instantiation in application logic where possible.
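The following is an added example, not code from the Zumba library or the advisory, showing the two remediation layers together: an application-side pre-check that rejects any '@type' name outside an allowlist before the JSON reaches the library, plus the library-level 'setAllowedClasses()' restriction. It assumes zumba/json-serializer 3.2.3 or later installed via Composer, that 'setAllowedClasses()' accepts an array of class names (verify against your installed version), and that the 'App\Dto\*' class names and '$_POST['payload']' source are placeholders for your own.

```php
<?php
// Added example (not the Zumba library's own code). Assumes zumba/json-serializer >= 3.2.3
// and that setAllowedClasses() takes an array of class names; check your installed signature.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Zumba\JsonSerializer\JsonSerializer;

// Walk the decoded JSON and collect every '@type' value. The vulnerable behaviour turns
// each of these names into `new $name` inside unserialize(), so nested objects count too.
function collectTypes(mixed $node, array &$types): void
{
    if (!is_array($node)) {
        return;
    }
    if (isset($node['@type']) && is_string($node['@type'])) {
        $types[] = $node['@type'];
    }
    foreach ($node as $child) {
        collectTypes($child, $types);
    }
}

// Return the '@type' names in $json that are not in $allowed (empty array = safe to pass on).
function disallowedTypes(string $json, array $allowed): array
{
    $decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $types = [];
    collectTypes($decoded, $types);
    // PHP class names are case-insensitive and may carry a leading backslash; normalise both.
    $allowedLower = array_map('strtolower', $allowed);
    return array_values(array_unique(array_filter(
        $types, fn($t) => !in_array(strtolower(ltrim($t, '\\')), $allowedLower, true)
    )));
}

// Only the data-transfer classes the application actually expects to receive (placeholders).
$allowed = ['App\\Dto\\Order', 'App\\Dto\\LineItem'];

$serializer = new JsonSerializer();
$serializer->setAllowedClasses($allowed); // library-level restriction added in 3.2.3

$untrusted = $_POST['payload'] ?? '{}';     // placeholder for wherever untrusted JSON arrives
$rejected = disallowedTypes($untrusted, $allowed);
if ($rejected !== []) {
    error_log('Rejected JSON with unexpected @type: ' . implode(', ', $rejected));
    http_response_code(400);
    exit;
}
$object = $serializer->unserialize($untrusted); // both layers agree before any class is created
```

The pre-check is what keeps a pre-3.2.3 install safe until it can be upgraded, and the 'error_log' line gives a detection signal for attempts to smuggle unexpected class names.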
