
CVE-2020-19316 - OS Command Injection In Laravel Framework

Original Advisory: https://notes.netbytesec.com/2021/12/os-command-injection-in-laravel.html

Product Description

Laravel is a web application framework with expressive, elegant syntax. We’ve already laid the foundation — freeing you to create without sweating the small things.
https://laravel.com/

Vulnerable Version

< 5.8.17

Vulnerability Description

1) OS Command Injection found in Filesystem Symlink API (CVE-2020-19316)

Passing crafted user input into Storage::link() triggers the vulnerability. Exploiting this issue may allow an attacker to execute OS commands with the privileges of the running application. This vulnerability affects Laravel installations on the Windows operating system only.

Proof of Concept

File: src/Illuminate/Filesystem/Filesystem.php
Line: 257

public function link($target, $link)
{
    if (! windows_os()) { // [1] non-Windows: plain symlink(), no shell involved
        return symlink($target, $link);
    }

    // Windows: directory junction (/J) for directories, hard link (/H) otherwise
    $mode = $this->isDirectory($target) ? 'J' : 'H';

    exec("mklink /{$mode} \"{$link}\" \"{$target}\""); // [2] unescaped interpolation into the shell command
}

The OS check is done at [1]: on non-Windows systems the function returns early through PHP's symlink(), so the vulnerable path is only reached on Windows. On Windows, execution continues to [2], where $link and $target are interpolated into the mklink command string and passed to exec() without any escaping; the only quoting is the literal double quotes, which a value containing a double quote can close. Because the Filesystem API is mapped onto the Storage facade, the vulnerability can be demonstrated with this code in a controller:

Storage::link($request->input('target_folder'), $request->input('link_name'));
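The following is an added example, not code from the advisory or from Laravel itself. It reproduces the string construction at [2] to show what command line reaches exec() when the link name is attacker-controlled, and places two hardenings beside it: argument escaping with escapeshellarg() (assumed here to mirror the approach of the 5.8.17 fix; it is not the project's patch text), and a hypothetical safeLinkName() helper for application code that refuses to pass raw request input to Storage::link() at all. The sample input is constructed; nothing in the block calls exec().

```php
<?php
// Added example (not from the advisory or from Laravel): how the unescaped
// interpolation in Filesystem::link() builds the mklink command line, and two
// hardenings. No command is executed here; only the strings are built.

declare(strict_types=1);

// Mirrors the vulnerable construction in Filesystem::link() before 5.8.17.
function buildMklinkVulnerable(string $target, string $link, bool $isDir): string
{
    $mode = $isDir ? 'J' : 'H';
    return "mklink /{$mode} \"{$link}\" \"{$target}\"";
}

// Hardened construction: each argument passes through escapeshellarg().
// Assumption: this mirrors the approach of the 5.8.17 fix, not its exact text.
// escapeshellarg() is platform-specific: on Windows it replaces " and % with
// spaces and wraps the value in double quotes; on POSIX it single-quotes.
function buildMklinkHardened(string $target, string $link, bool $isDir): string
{
    $mode = $isDir ? 'J' : 'H';
    return "mklink /{$mode} " . escapeshellarg($link) . ' ' . escapeshellarg($target);
}

// Defence in depth for application code (hypothetical helper): never hand raw
// request input to Storage::link(). Accept only a short allow-listed name and
// confine the result to a fixed base directory chosen by the application.
function safeLinkName(string $base, string $userName): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $userName)) {
        throw new InvalidArgumentException('link name contains disallowed characters');
    }
    return rtrim($base, '\\/') . DIRECTORY_SEPARATOR . $userName;
}

// Constructed sample input: a link name that closes the quoted argument and
// appends a second command using the cmd.exe "&" separator.
$crafted = 'pub" & echo injected & "';
$target  = 'C:\\app\\storage\\app\\public';

// Vulnerable: the double quote in $crafted terminates the first argument and
// "& echo injected &" becomes a separate command for cmd.exe.
echo buildMklinkVulnerable($target, $crafted, true), PHP_EOL;

// Hardened: the whole value stays inside one escaped argument.
echo buildMklinkHardened($target, $crafted, true), PHP_EOL;

// Allow-list validation rejects the crafted name and accepts a plain one.
try {
    safeLinkName('C:\\app\\public', $crafted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo safeLinkName('C:\\app\\public', 'storage'), PHP_EOL;
```

Run it with the PHP CLI on any platform to compare the two command strings; the hardened output differs between Windows and POSIX because escapeshellarg() is platform-specific, which is one reason the allow-list approach is the safer choice for application code: upgrading to 5.8.17 fixes the framework call, but a controller that takes the link name from the request still hands attacker input to a shell-backed API.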

Mitigation

The vulnerability is patched in version 5.8.17 and above. Please update your Laravel installation to the latest version.

Timeline

2019-05-10 | Contacted Laravel security contact (Taylor Otwell) via taylor[at]laravel.com
2019-05-14 | Laravel version 5.8.17 released
2019-05-14 | Applied for CVE
2021-12-13 | CVE-2020-19316 assigned
2021-12-16 | Advisory published