CVE-2024-55556 Scanner
CVE-2024-55556 Scanner - Deserialization of Untrusted Data vulnerability in InvoiceShelf
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 22 days 17 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
InvoiceShelf is a PHP-based open-source invoicing platform used by freelancers, small businesses, and developers who need to manage invoices and customer records. It is often deployed on self-hosted servers running Laravel as the backend framework. The application is designed to simplify client billing, recurring invoices, and payment tracking. It is popular in small-scale environments due to its simplicity and open accessibility. The software is usually run by users familiar with Laravel or basic PHP hosting environments. Deployments are frequently found in unmanaged VPS environments or cloud-based setups where Laravel configurations may remain default.
The vulnerability addressed in this scanner is an unauthenticated PHP deserialization issue in InvoiceShelf version 1.3.0 and below. This issue arises from Laravel’s cookie-based session management when used with a known APP_KEY. If an attacker has access to the APP_KEY (e.g., it remains default), they can craft a malicious session cookie to trigger deserialization logic. This leads to arbitrary object instantiation, which may result in remote code execution. The vulnerability is severe as it requires no authentication and can be triggered remotely. Laravel’s default behaviors partially mitigate the risk, but insecure deployments are still highly vulnerable. The root cause lies in unsafe handling of encrypted session values.
Technically, the vulnerability involves crafting a malicious session payload that triggers the deserialization of objects in Laravel's session storage. This is achieved by exploiting Laravel’s `Illuminate\Broadcasting\PendingBroadcast` and `Illuminate\Database\DatabaseManager` objects. Attackers can generate a fake encrypted session cookie if the APP_KEY is known or predictable. Once the server processes the tampered cookie, Laravel’s session middleware decodes and deserializes it, executing attacker-controlled code. The matcher looks for error traces like `Illuminate/Database/DatabaseManager.php` in the body and a 500 response to confirm the vulnerability’s effect. The `APP_KEY` plays a critical role in encryption/decryption of cookies, making its secrecy vital.
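Two defender-side checks that follow from the mechanism above, written as an added example that is not code from the scanner, from InvoiceShelf or from Laravel: re-doing the HMAC check Laravel's Encrypter applies to a cookie envelope before anything is decrypted or unserialized, and auditing an APP_KEY for placeholder or wrong-length values. The keys, the envelope and the placeholder list are constructed sample values, and the envelope builder skips the AES step and treats the ciphertext as opaque bytes.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample keys in the "base64:" form key:generate emits (not real keys).
SAMPLE_KEY = "base64:" + base64.b64encode(b"\x11" * 32).decode()
OTHER_KEY = "base64:" + base64.b64encode(b"\x22" * 32).decode()
PLACEHOLDER_KEYS = {"", "SomeRandomString", "base64:"}  # assumed "never set" values

def decode_app_key(app_key: str) -> bytes:
    """Turn the .env APP_KEY into raw key bytes the way Laravel does."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):])
    return app_key.encode()

def audit_app_key(app_key: str) -> list:
    """Return findings for a weak or unusable APP_KEY (empty list means OK)."""
    app_key = app_key.strip()
    if app_key in PLACEHOLDER_KEYS:
        return ["APP_KEY is empty or a placeholder; generate a fresh one"]
    findings = []
    if not app_key.startswith("base64:"):
        findings.append("APP_KEY is a bare string; use a base64: key")
    if len(decode_app_key(app_key)) not in (16, 32):
        findings.append("APP_KEY does not decode to 16 or 32 bytes (AES-128/256-CBC)")
    return findings

def cookie_mac_valid(app_key: str, cookie_value: str) -> bool:
    """Repeat the integrity check the Encrypter runs on a cookie before it is
    decrypted and, later, unserialized by the session handler."""
    try:
        env = json.loads(base64.b64decode(cookie_value))
        iv, value, mac = env["iv"], env["value"], env["mac"]
    except (ValueError, KeyError, TypeError):
        return False
    expected = hmac.new(decode_app_key(app_key), (iv + value).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def seal_envelope(app_key: str, ciphertext: bytes, iv: bytes) -> str:
    """Wrap opaque ciphertext in the {"iv","value","mac"} envelope Laravel
    emits; the MAC covers the two base64 strings and nothing else."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    mac = hmac.new(decode_app_key(app_key), (iv_b64 + value_b64).encode(),
                   hashlib.sha256).hexdigest()
    env = {"iv": iv_b64, "value": value_b64, "mac": mac}
    return base64.b64encode(json.dumps(env).encode()).decode()
```

The point the two checks make together: the envelope's only protection is the MAC, and the MAC is only as secret as APP_KEY, so a default or leaked key leaves nothing between an inbound cookie and the session deserializer.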
If successfully exploited, this vulnerability may result in full remote code execution on the server. This would allow attackers to upload malware, steal sensitive data, tamper with billing or client information, or pivot into internal networks. Due to its unauthenticated nature, the attack can be launched without user interaction. The attacker may gain persistent access by installing backdoors or altering application logic. Additionally, this could lead to full takeover of other co-hosted applications or virtual hosts. In production systems, such an exploit can result in total data breach or financial fraud.