Laravel Framework Unserialize Token RCE (CVE-2018-15133)

ID AKB:B9816CF3-AC8B-49A8-B1B9-895BB26A15D7
Type attackerkb
Reporter AttackerKB
Modified 2020-02-13T00:00:00


In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

Recent assessments:

jrobles-r7 at July 12, 2019 5:33pm UTC reported:

The exploit depends on having a valid APP_KEY for the application. If the target Laravel Framework is vulnerable to CVE-2017-16894, then it would be possible to obtain the APP_KEY as an unauthenticated user. Also, if the environment has APP_DEBUG enabled, then it may be possible to retrieve the APP_KEY from error messages generated by Laravel Framework.
From Google searches, there appear to be several hosts that leak their APP_KEY.

Assessed Attacker Value: 4
Assessed Attacker Value: 5
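A defender-side audit for the two conditions this record names (a laravel/framework version in the affected ranges, and APP_DEBUG enabled so that error pages may disclose APP_KEY), added here as an example and not part of the AttackerKB record or of Laravel itself; it reads composer.lock and .env text, and the sample inputs below are constructed.

```python
import json
import re

# Affected per the CVE text: everything through 5.5.40, and 5.6.0 through 5.6.29.
AFFECTED_RANGES = [((0, 0, 0), (5, 5, 40)), ((5, 6, 0), (5, 6, 29))]

def parse_version(text):
    """Turn 'v5.6.29' / '5.5.40' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def framework_version(lock_text):
    """Read the pinned laravel/framework version out of composer.lock (None if absent)."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "laravel/framework":
            return pkg.get("version")
    return None

def debug_enabled(env_text):
    """True if .env sets APP_DEBUG to a value Laravel's env() treats as true."""
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "APP_DEBUG":
            return value.strip().strip("'\"").lower() in ("true", "(true)", "1")
    return False

def audit(lock_text, env_text):
    """Report the two conditions a defender should check for this CVE."""
    version = framework_version(lock_text)
    return {
        "version": version,
        "vulnerable_version": version is not None and is_affected(version),
        # APP_DEBUG=true is the APP_KEY-in-error-page leak path noted in the assessment
        "app_debug_may_leak_key": debug_enabled(env_text),
    }

# Constructed sample inputs (not from any real deployment); APP_KEY is a placeholder.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v5.6.29"},
    {"name": "phpunit/phpunit", "version": "7.2.0"}]})
SAMPLE_ENV = "APP_ENV=production\nAPP_DEBUG=true\nAPP_KEY=base64:PLACEHOLDER\n"
```

Run `audit(SAMPLE_LOCK, SAMPLE_ENV)` to see both findings raised for the sample; point it at a real composer.lock and .env to check a deployment.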