Group-Office Insecure Deserialization Vulnerability in AbstractSettingsCollection Model Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability caused by insecure deserialization has been identified in Group-Office, an enterprise CRM and groupware tool. This issue affects versions prior to 6.8.156, 25.0.90, and 26.0.11. The flaw lies in the AbstractSettingsCollection model, whose _loadData() method passes stored setting data straight to unserialize() without validating it or restricting the classes that may be instantiated. Because a setting string is writable by ordinary users, an authenticated attacker can store a serialized FileCookieJar object in it; when the setting is loaded, the object is reconstructed and its destructor writes attacker-controlled content to an attacker-chosen path (the behaviour that makes FileCookieJar a well-known PHP deserialization gadget), turning the flaw into an arbitrary file write and, from there, remote code execution on the server.

Impact

Exploitation of this vulnerability allows any authenticated user to execute arbitrary code on the server with the privileges of the web application process, potentially leading to a complete compromise of the server's confidentiality, integrity, and availability.

Reproduction

To reproduce this vulnerability, an authenticated user stores a serialized FileCookieJar object in a setting string via the legacy HTTP controller endpoint 'index.php?r=core/saveSetting'. When the setting is read back, the vulnerable '_loadData()' method in the AbstractSettingsCollection model deserializes the stored string, reconstructing the object and triggering the arbitrary file write that leads to remote code execution.
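The following PHP script is an added example that is not Group-Office code and does not use the real FileCookieJar class. It illustrates the mechanism described in the Vulnerability and Reproduction sections above with a stand-in gadget class (DemoCookieJar, invented for this demo) whose destructor writes object state to a file, exactly the behaviour that makes FileCookieJar dangerous. The function names loadDataVulnerable() and loadDataHardened() are also assumptions; the page does not show _loadData()'s actual code or the project's actual fix. The hardened form uses unserialize() with allowed_classes set to false and rejects any object, which is the standard mitigation when a settings blob must remain in PHP serialized form.

```php
<?php
// Added example (not Group-Office code): why unserialize() on user-writable
// settings is exploitable, and one hardened form of the loader.
declare(strict_types=1);

// Stand-in gadget class, invented for this demo. It mimics what makes the
// real FileCookieJar exploitable: the destructor writes to a path taken
// from object state, so merely unserializing it causes a file write.
final class DemoCookieJar
{
    public string $filename = '';
    public array $cookies = [];

    public function __destruct()
    {
        // Runs as soon as the object is released; no method call is needed.
        if ($this->filename !== '') {
            file_put_contents($this->filename, json_encode($this->cookies));
        }
    }
}

// Vulnerable pattern (hypothetical name): the stored string is trusted wholesale,
// so any class in the payload is instantiated and its magic methods run.
function loadDataVulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened pattern (hypothetical name): no class is ever instantiated, and the
// result must be the plain array a settings collection expects.
function loadDataHardened(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('settings payload must be an array');
    }
    // With allowed_classes=false any object becomes __PHP_Incomplete_Class and no
    // constructor, __wakeup or __destruct logic runs; reject it outright anyway.
    array_walk_recursive($data, function ($v): void {
        if (is_object($v)) {
            throw new UnexpectedValueException('objects are not allowed in settings');
        }
    });
    return $data;
}

// Build the payload the way an attacker would: a gadget whose filename points
// where the write should land, embedded in an otherwise ordinary settings array.
$target = sys_get_temp_dir() . '/deser-demo-' . getmypid() . '.txt';
$gadget = new DemoCookieJar();
$gadget->filename = $target;
$gadget->cookies = ['marker' => 'written-by-destructor'];
$payload = serialize(['theme' => 'dark', 'jar' => $gadget]);
$gadget->filename = ''; // neutralise the local copy so only the unserialized one writes
unset($gadget);

// 1. Vulnerable load: the gadget is rebuilt, then released immediately -> file write.
loadDataVulnerable($payload);
printf("vulnerable loader: file written? %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

// 2. Hardened load: the gadget never becomes a DemoCookieJar and the loader rejects it.
try {
    loadDataHardened($payload);
    echo "hardened loader: accepted (unexpected)\n";
} catch (UnexpectedValueException $e) {
    printf("hardened loader: rejected (%s); file written? %s\n",
        $e->getMessage(), file_exists($target) ? 'yes' : 'no');
}

// 3. Benign settings pass through the hardened loader unchanged.
var_dump(loadDataHardened(serialize(['theme' => 'dark', 'pageSize' => 25])));
```

Run it with a PHP 8 CLI; the first line reports that the destructor write happened under the vulnerable loader, the second that the hardened loader rejected the same payload without any write. If the settings format can be changed, storing JSON and reading it with json_decode() removes the deserialization surface entirely rather than fencing it.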

Remediation

Users should upgrade to Group-Office version 6.8.156, 25.0.90, or 26.0.12, depending on the release line in use, to address this vulnerability.

Added: Apr 2, 2026, 9:20 PM
Updated: Apr 2, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 3.3
exploitability: 6.3
remediation: 7.7
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.