OS Command Injection In Laravel Framework (CVE-2020-19316)

on

 NetbyteSEC Security Advisory - Laravel Framework OS Command Injection


=======================================================================
Title: Laravel Framework OS Command Injection
Advisory ID: <NBS-2021-0004>
Discovery Date: 2019-05-19
Author: Ramadhan Amizudin
=======================================================================

Product Description
------------------------
Laravel is a web application framework with expressive, elegant syntax. We’ve already
laid the foundation — freeing you to create without sweating the small things.
https://laravel.com/

Vulnerable Version
-----------------------
< 5.8.17

Vulnerability Description
------------------------------
1) OS Command Injection found in Filesystem Symlink API (CVE-2020-19316)
When passing crafted user input into the Storage::link() will trigger the vulnerability. Exploiting
this issue may allow attacker to execute OS Command with running application privilege.
This vulnerability affect Laravel installation on the Windows operating system only.

Proof of Concept
---------------------
For version 5.7.16
File: src/Illuminate/Filesystem/Filesystem.php
Line: 257
public function link($target, $link)
{
    if (! windows_os()) { // [1]
        return symlink($target, $link);
    }

    $mode = $this->isDirectory($target) ? 'J' : 'H'; 

    exec("mklink /{$mode} \"{$link}\" \"{$target}\""); // [2]
}
OS checking done at [1], if the current OS is not windows the execution will continue.
Finally the variable reach [2] code path, which take variable into exec function without any escape.
Because the Filesystem API is mapped into Storage facade, we can demonstrate the vulnerability
by using this vulnerable code in the controller

Storage::link($request->input('target_folder'), $request->input('link_name'));

Mitigation
-------------
The vulnerability is patched on version 5.8.17 and above. Please update your laravel to the latest version.

Timeline
-----------
2019-05-10 | Contact Laravel Security Contact (Taylor Otwell) via taylor[at]laravel.com
2019-05-14 | Laravel Version 5.8.17 released
2019-05-14 | Applied for CVE
2021-12-13 | CVE-2020-19316 Assigned
2021-12-16 | Advisory Published