A Bomgar-specific Vulnerability Report has been issued May 5, 2015, by CERT under CVE-2015-0935.
Bomgar Remote Support version 14.3.1 and possibly earlier versions deserialize untrusted data without sufficient validation. An unauthenticated attacker can inject arbitrary input to at least one vulnerable PHP file, and authenticated attackers can inject arbitrary input to multiple vulnerable PHP files. When malicious data is deserialized, arbitrary PHP code may be executed in the context of the PHP server process.
This is the same vulnerability which was reported against PHP under CVE-2014-3515.
A security vulnerability has been found in the Bomgar Remote Support Portal version 14.3.1 and earlier versions, which is the part of Bomgar’s appliance-based remote support software, deserialize untrusted data without verifying the validity of the resulting data.
“One way to exploit this vulnerability is by utilizing the Tracer class. It is used to write stack trace information to a log using a Logger instance, which wraps an instance of PEAR’s Log class. By using a Log_file instance as an instance of Log, it is possible to write the arbitrary data to the arbitrary file.” The researcher wrote in his blog post.