Vulnerability in Bomgar Remote Support Portal – PHP Object Injection

Security 4 Apr, 2015


CERT issued a Bomgar-specific Vulnerability Report on May 5, 2015, under CVE-2015-0935.

Bomgar Remote Support version 14.3.1 and possibly earlier versions deserialize untrusted data without sufficient validation. An unauthenticated attacker can inject arbitrary input to at least one vulnerable PHP file, and authenticated attackers can inject arbitrary input to multiple vulnerable PHP files. When malicious data is deserialized, arbitrary PHP code may be executed in the context of the PHP server process.

This is the same vulnerability which was reported against PHP under CVE-2014-3515.


A security vulnerability has been found in the Bomgar Remote Support Portal, which is part of Bomgar’s appliance-based remote support software. Version 14.3.1 and earlier versions deserialize untrusted data without verifying the validity of the resulting data.


The vulnerability can be exploited by both authenticated and unauthenticated attackers.
An unauthenticated attacker can inject arbitrary input at one point in a vulnerable PHP file, while an authenticated attacker can inject at multiple points. To exploit this vulnerability, the attacker has to find appropriate classes with beneficial effects; if there are no classes with beneficial effects, it is not exploitable.

“One way to exploit this vulnerability is by utilizing the Tracer class. It is used to write stack trace information to a log using a Logger instance, which wraps an instance of PEAR’s Log class. By using a Log_file instance as an instance of Log, it is possible to write the arbitrary data to the arbitrary file,” the researcher wrote in his blog post.
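
The dependence on a class with a side effect, and the way to remove it, shown as an added example that is not Bomgar's or the researcher's code. `TraceSink`, `decodeWeak`, `decodeStrict` and `assertPlainData` are hypothetical names, the input string is constructed, and the `allowed_classes` option requires PHP 7.0 or later.

```php
<?php
// Hypothetical stand-in for a class whose destructor has a side effect (the
// role the quoted write-up gives Tracer). It records to memory, not a file.
class TraceSink
{
    public static $writes = [];
    public $target = 'app.log';
    public $line = '';
    public function __destruct() { self::$writes[] = [$this->target, $this->line]; }
}

// Weak: any loaded class named in the input is instantiated, and its
// destructor later runs with property values chosen by the sender.
function decodeWeak(string $raw) { return unserialize($raw); }

// Reject objects anywhere in the decoded structure.
function assertPlainData($value): void
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        throw new InvalidArgumentException('objects are not accepted');
    }
    foreach (is_array($value) ? $value : [] as $item) {
        assertPlainData($item);
    }
}

// Hardened: allowed_classes => false instantiates no application class;
// objects in the input become inert __PHP_Incomplete_Class values.
function decodeStrict(string $raw): array
{
    $value = unserialize($raw, ['allowed_classes' => false]);
    assertPlainData($value);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    return $value;
}

// Constructed sample input: both property values come from the sender.
$input = 'O:9:"TraceSink":2:{s:6:"target";s:9:"other.txt";s:4:"line";s:4:"data";}';
$obj = decodeWeak($input);
unset($obj); // last reference dropped, so the destructor runs
try {
    decodeStrict($input);
} catch (InvalidArgumentException $e) {
    echo 'strict decode rejected input: ', $e->getMessage(), "\n";
}
echo 'destructor side effects recorded: ', count(TraceSink::$writes), "\n";
```

Where the data only ever needs to be arrays and scalars, a format that cannot express objects, such as JSON via `json_decode`, removes the class-instantiation path entirely.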

