Locutus Prototype Injection Vulnerability in Unserialize Function Allows Property Injection and Method Override

Vulnerability

A prototype injection vulnerability has been identified in the Locutus library, specifically in the 'unserialize()' function within 'locutus/php/var/unserialize'. This vulnerability exists in versions prior to 3.0.25. The issue arises because the 'unserialize()' function assigns deserialized keys to plain objects using bracket notation, without filtering the '__proto__' key. When a PHP serialized payload includes '__proto__' as a key, it triggers JavaScript's '__proto__' setter, allowing an attacker to inject properties into the deserialized object. This injection can be exploited to override built-in methods, such as 'hasOwnProperty', leading to a denial-of-service condition. The vulnerability is distinct from a similar issue in the 'parse_str' function, as 'unserialize' lacked any mitigation.

Impact

Exploitation of this vulnerability allows property injection via the '__proto__' key, which can be used to manipulate the deserialized object's prototype. Injected properties then surface in 'for...in' loops and are copied onward as real own properties, and they can disrupt built-in methods by shadowing them with non-function values, causing errors when those methods are called on the object.

Reproduction

The vulnerability can be reproduced by using the 'unserialize' function to deserialize a PHP serialized string that includes '__proto__' as a key. This can be done by crafting a payload that uses the '__proto__' key to inject properties into the deserialized object. After deserialization, the injected properties can be accessed, demonstrating the successful exploitation of the vulnerability. Additionally, deserializing an object of type 'stdClass' with the same '__proto__' injection payload also triggers the vulnerability, further confirming its presence.

Remediation

Users can upgrade to Locutus version 3.0.25 or later, where this vulnerability has been patched. The fix involves modifying the 'unserialize()' function to treat '__proto__', 'constructor', and 'prototype' as dangerous keys, ensuring they are assigned as plain own properties without invoking the prototype setter. This change prevents the injection of properties that could be used to manipulate the object's prototype or override built-in methods.
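The two assignment patterns the advisory contrasts, shown side by side as an added example (this is not Locutus code; the helper names and the constructed 'injected' value are hypothetical). The unsafe form assigns a deserialized key with bracket notation; the fixed form defines the dangerous key as a plain own property so the prototype chain is never touched, and 'inspect' is the check a reviewer would run on the result.

```javascript
// Keys the 3.0.25 fix treats as dangerous.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Pre-fix pattern (hypothetical helper): bracket notation invokes the
// __proto__ setter, so the value becomes the object's prototype.
function assignUnsafe(target, key, value) {
  target[key] = value;
  return target;
}

// Fixed pattern (hypothetical helper): a dangerous key becomes an ordinary
// enumerable own data property; other keys are assigned as before.
function assignSafe(target, key, value) {
  if (DANGEROUS_KEYS.has(key)) {
    Object.defineProperty(target, key, {
      value,
      writable: true,
      enumerable: true,
      configurable: true,
    });
  } else {
    target[key] = value;
  }
  return target;
}

// Constructed value standing in for what a decoder would produce for a
// nested entry under a '__proto__' key: it shadows hasOwnProperty with a
// non-function, the failure mode the advisory describes.
const injected = { hasOwnProperty: 'not a function', polluted: true };

function buildUnsafe() {
  return assignUnsafe({}, '__proto__', injected);
}

function buildSafe() {
  return assignSafe({}, '__proto__', injected);
}

// Defender's check: is hasOwnProperty still callable, is the prototype still
// Object.prototype, and did the key land as an own property?
function inspect(obj) {
  return {
    hasOwnPropertyIsFunction: typeof obj.hasOwnProperty === 'function',
    protoIsObjectPrototype: Object.getPrototypeOf(obj) === Object.prototype,
    ownKeys: Object.keys(obj),
    pollutedVisible: obj.polluted === true,
  };
}
```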

Added: Mar 27, 2026, 11:23 PM
Updated: Mar 27, 2026, 11:23 PM

Vulnerability Rating

Custom Algorithm
  spread:         5.4
  impact:         1.3
  exploitability: 5.8
  remediation:    7.7
  relevance:      4.8
  threat:         6.4
  urgency:        2.9
  incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.