OpenSTAManager Remote Code Execution Vulnerability via Insecure Deserialization in OAuth2

Vulnerability

A remote code execution vulnerability has been identified in OpenSTAManager versions prior to 2.10.2. The issue lies in oauth2.php, an unauthenticated endpoint that accepts a state parameter, uses it to look up the matching row in the zz_oauth2 table, and passes that row's stored access_token to unserialize() without restricting the allowed classes. Because the endpoint requires no authentication and the state value is attacker-controlled, an attacker who can plant a malicious serialized object in the access_token field (see Reproduction) can have it deserialized by the application, instantiating an arbitrary class whose magic methods then run attacker-controlled code on the server as the www-data user.

Impact

Successful exploitation gives a remote attacker code execution on the server as the www-data user (the web server account) without authenticating to the application.

Reproduction

To reproduce, first use an SQL injection in the 'Aggiornamenti' (Updates) module to write a serialized PHP object into the access_token field of the 'zz_oauth2' table, together with a known state value. Then send a GET request to 'oauth2.php' with that state value: the endpoint loads the row, unserializes the planted payload, and the injected command runs on the server.
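The following is an added example, not OpenSTAManager's own code and not its 2.10.2 patch. It models the chain described under Vulnerability and Reproduction in PHP 8: a constructed zz_oauth2 row whose access_token holds a serialized object (standing in for the payload planted via the SQL injection, which is not shown), a handler that looks the row up by state and unserializes it the way pre-2.10.2 versions are described to do, and a hardened handler beside it. The Gadget class, the fetchOauth2RowByState() helper, the column name access_token and the handler names are assumptions for illustration; the real gadget chain is not named on this page.

```php
<?php
declare(strict_types=1);

// Added example, not OpenSTAManager code. Models the advisory's chain:
// a zz_oauth2 row whose access_token column holds attacker-written serialized
// data (planted via SQL injection; here simply constructed inline) and an
// unauthenticated handler that looks the row up by ?state= and unserializes it.
// Class, column and function names are assumptions for illustration.

// Hypothetical gadget class standing in for whatever autoloadable class in the
// real codebase has a dangerous magic method. Kept harmless: it echoes the
// command instead of passing it to system()/exec().
final class Gadget
{
    public string $cmd = '';

    public function __destruct()
    {
        echo "[gadget] __destruct would execute: {$this->cmd}\n";
    }
}

// Constructed stand-in for the planted row: the serialized form of Gadget{cmd: "id"}.
const PLANTED_PAYLOAD = 'O:6:"Gadget":1:{s:3:"cmd";s:2:"id";}';

// Constructed stand-in for SELECT * FROM zz_oauth2 WHERE state = ?.
function fetchOauth2RowByState(string $state): ?array
{
    $rows = [
        'attacker-state' => ['state' => 'attacker-state', 'access_token' => PLANTED_PAYLOAD],
        'legit-state'    => ['state' => 'legit-state',    'access_token' => 's:12:"opaque-token";'],
    ];
    return $rows[$state] ?? null;
}

// Vulnerable pattern (pre-2.10.2 behaviour as described in the advisory):
// unrestricted unserialize() on a value the attacker controls.
function vulnerableCallback(string $state): mixed
{
    $row = fetchOauth2RowByState($state);
    if ($row === null) {
        return null;
    }
    // Any autoloadable class may be instantiated with attacker-chosen properties;
    // its __wakeup()/__destruct() then run with those properties, which is the RCE.
    return unserialize($row['access_token']);
}

// Hardened pattern: stored data must never choose the class.
function hardenedCallback(string $state): ?string
{
    $row = fetchOauth2RowByState($state);
    if ($row === null) {
        return null;
    }
    // allowed_classes => false: any object in the payload becomes
    // __PHP_Incomplete_Class and no magic method is invoked.
    $token = unserialize($row['access_token'], ['allowed_classes' => false]);
    if (!is_string($token)) {
        // A token is an opaque string; anything else is logged and rejected.
        error_log("oauth2: rejecting non-string access_token for state {$state}");
        return null;
    }
    return $token;
}

// Demonstration.
$bad = vulnerableCallback('attacker-state');   // Gadget is instantiated from the stored payload
var_dump($bad instanceof Gadget);              // bool(true)
unset($bad);                                   // prints "[gadget] __destruct would execute: id"

$safe = hardenedCallback('attacker-state');    // rejected; no object is created, nothing runs
var_dump($safe);                               // NULL
var_dump(hardenedCallback('legit-state'));     // string(12) "opaque-token"
```

Two caveats on the hardened form. Passing a whitelist in allowed_classes is weaker than false, because the whitelisted class is still instantiated with attacker-chosen properties and its magic methods still run; if the token genuinely needs structure, store it as JSON and json_decode() it instead. Independently of the deserialization sink, an OAuth2 state value is meant to be bound to the session that started the flow, so a callback that accepts any state and uses it as a database key is a second weakness worth closing. When checking an unpatched instance for this attack, access_token values in zz_oauth2 that begin with a PHP object marker such as O: rather than an opaque token string are a direct indicator that a payload has been planted.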

Remediation

Users are advised to update to OpenSTAManager version 2.10.2 or later, where this vulnerability has been patched.

Added: Apr 2, 2026, 2:41 PM
Updated: Apr 2, 2026, 2:41 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.5
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.