GHSA-534C-HCR7-67JG

Vulnerability from github – Published: 2024-09-17 18:36 – Updated: 2024-11-14 17:45
VLAI
Summary
Kimai has an XXE Leading to Local File Read
Details

Summary

Kimai uses PHPSpreadsheet for importing and exporting invoices. Recently, a CVE was identified in PHPSpreadsheet, which could lead to an XXE vulnerability.

Details

Exploitation requires an Administrator account, allowing the upload of an XLSX template containing the payload. The vulnerability is triggered by the following code snippet:

// https://github.com/kimai/kimai/blob/b1903ba18359be16dd32ea9c40377c486498f082/src/Invoice/Renderer/AbstractSpreadsheetRenderer.php#L41
public function render(InvoiceDocument $document, InvoiceModel $model): Response
{
    $spreadsheet = IOFactory::load($document->getFilename());
    $worksheet = $spreadsheet->getActiveSheet();
    $entries = $model->getCalculator()->getEntries();
    $sheetReplacer = $model->toArray();
    $invoiceItemCount = \count($entries);
    if ($invoiceItemCount > 1) {
        $this->addTemplateRows($worksheet, $invoiceItemCount);
    }
}

The IOFactory::load function utilizes simplexml_load_string, which has previously been demonstrated to be vulnerable to XXE attacks.

While this is not directly an XXE in Kimai, it does however impact the latest stable version.

PoC

By uploading a malicious XLSX template, the payload will be triggered every time an invoice is generated.

<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "php://filter/......." > %xxe;]>.....

For a better a visibility, I will upload both a: - Malicious template sample for testing - An exported invoice, showing the contents of target file during the export.

Impact

Local File Read / RCE in edge cases where phar:// can be utilized with gadget chains .

export.xlsx sample_template.xlsx

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.20.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-17T18:36:50Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nKimai uses [PHPSpreadsheet](https://github.com/PHPOffice/PhpSpreadsheet) for importing and exporting invoices. Recently, a [CVE](https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7) was identified in PHPSpreadsheet, which could lead to an XXE vulnerability.\n\n\n### Details\n\nExploitation requires an Administrator account, allowing the upload of an `XLSX` template containing the payload. The vulnerability is triggered by the following code snippet:\n\n```php\n// https://github.com/kimai/kimai/blob/b1903ba18359be16dd32ea9c40377c486498f082/src/Invoice/Renderer/AbstractSpreadsheetRenderer.php#L41\npublic function render(InvoiceDocument $document, InvoiceModel $model): Response\n{\n    $spreadsheet = IOFactory::load($document-\u003egetFilename());\n    $worksheet = $spreadsheet-\u003egetActiveSheet();\n    $entries = $model-\u003egetCalculator()-\u003egetEntries();\n    $sheetReplacer = $model-\u003etoArray();\n    $invoiceItemCount = \\count($entries);\n    if ($invoiceItemCount \u003e 1) {\n        $this-\u003eaddTemplateRows($worksheet, $invoiceItemCount);\n    }\n}\n```\n\nThe `IOFactory::load` function utilizes `simplexml_load_string`, which has previously been demonstrated to be vulnerable to XXE attacks.\n\nWhile this is not directly an XXE in Kimai, it does however impact the latest stable version.\n\n \n### PoC\n\nBy uploading a malicious `XLSX` template, the payload will be triggered every time an invoice is generated.\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\u0027UTF-7\u0027 standalone=\"yes\"?\u003e\n+ADw-!DOCTYPE foo [ \u003c!ENTITY % xxe SYSTEM \"php://filter/.......\" \u003e %xxe;]\u003e.....\n```\n\nFor a better a visibility, I will upload both a:\n- Malicious template sample for testing \n- An exported invoice, showing the contents of target file during the export. \n\n### Impact\nLocal File Read / RCE in edge cases where `phar://` can be utilized with [gadget chains](https://github.com/ambionics/phpggc) . \n\n\n[export.xlsx](https://github.com/user-attachments/files/16803913/export.xlsx)\n[sample_template.xlsx](https://github.com/user-attachments/files/16803916/sample_template.xlsx)\n",
  "id": "GHSA-534c-hcr7-67jg",
  "modified": "2024-11-14T17:45:16Z",
  "published": "2024-09-17T18:36:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-534c-hcr7-67jg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/commit/3204dcb03e1003dba90178667a4667ce3edb87b5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kimai has an XXE Leading to Local File Read"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…