DomPDF is an HTML to PDF converter for PHP. In the past, a vulnerability was found in it that allowed for code execution in PHP: a CSS font could be loaded remotely with any file extension, leading to code execution if a user could then reach the cached file.
From the previous research, the author noted that the fix was to force cached font files to have a .ttf extension. That patch does not address the fact that a font file can contain arbitrary content, nor the underlying arbitrary file upload issue. The author therefore decided to look for a way around the original patch.
In another previous vulnerability (CVE-2021-3838), the author noted that a phar:// URI could be placed in any HTML element that references a file. To fix this vulnerability, an allowlist of URI protocols was added to DomPDF.
Reviewing previous vulnerabilities in an application can be extremely beneficial. First, vulnerabilities tend to come in pairs. Second, only 75% of patches are sufficient, according to Natalie from Project Zero. This can yield free vulnerabilities and teaches people where to look.
The fix for the phar deserialization vulnerability was not sufficient. Even when the protocol is not in the allowlist, the code flow does NOT return, so the file content is still fetched.
The actual file-fetching code (getFileContent) still handles phar:// and file:// URIs. Because the allowlist check falls through, a phar:// URI can still be used to trigger the deserialization vulnerability and gain code execution.
In the previous exploit, the isRemoteEnabled option had to be enabled in order to trigger the vulnerability. However, by having DomPDF cache a data:// URI referenced from the CSS file, the payload is stored as a local file. A second request can then reference that cached file path as a phar:// URI. This removes the need for the special flag to be enabled.
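To make the fail-open check concrete, here is an added Python model of the pattern described above. It is not DomPDF's code: the allowlist, the resolver names, and the fake fetcher are constructed for illustration. The first resolver records that a scheme is not allowed but falls through to the fetch, so phar:// and data:// wrappers are still opened; the second rejects before any stream wrapper is touched, and also shows the remote-fetch flag gating only http(s), not local wrappers.

```python
"""Fail-open vs fail-closed URI scheme allowlist (constructed example, not DomPDF code)."""
from urllib.parse import urlsplit

# Hypothetical allowlist of protocols a PDF renderer is willing to read from.
ALLOWED_SCHEMES = {"http", "https", "file"}


class SchemeNotAllowed(Exception):
    """Raised by the hardened resolver for any scheme outside the allowlist."""


def scheme_of(uri: str) -> str:
    """Return the lowercase scheme; a bare path counts as a local file."""
    # PHP stream wrappers such as phar:// and data:// show up as the scheme part.
    return urlsplit(uri).scheme.lower() or "file"


def resolve_fail_open(uri, remote_enabled, fetch, log):
    """Vulnerable pattern: the disallowed branch logs an error but does not return."""
    scheme = scheme_of(uri)
    if scheme not in ALLOWED_SCHEMES:
        log.append(f"scheme not allowed: {scheme}")
        # BUG: execution continues, so fetch() still opens the wrapper below.
    if scheme in ("http", "https") and not remote_enabled:
        log.append("remote fetch disabled")
        return None
    return fetch(uri)


def resolve_fail_closed(uri, remote_enabled, fetch, log):
    """Hardened pattern: reject before any stream wrapper can be opened."""
    scheme = scheme_of(uri)
    if scheme not in ALLOWED_SCHEMES:
        log.append(f"scheme not allowed: {scheme}")
        raise SchemeNotAllowed(scheme)
    if scheme in ("http", "https") and not remote_enabled:
        log.append("remote fetch disabled")
        return None
    return fetch(uri)


def make_fake_fetch(opened):
    """Stand-in for the real file reader; records which wrappers were opened."""
    def fetch(uri):
        opened.append(scheme_of(uri))
        return b"<contents of " + uri.encode() + b">"
    return fetch


def run(resolver, uri, remote_enabled=False):
    """Run a resolver on one URI and report (schemes opened, log lines)."""
    opened, log = [], []
    try:
        resolver(uri, remote_enabled, make_fake_fetch(opened), log)
    except SchemeNotAllowed:
        pass
    return opened, log


if __name__ == "__main__":
    # Constructed sample URIs: a cached-file path wrapped in phar://, an inline data:// URI,
    # and an ordinary remote font.
    for uri in ("phar:///var/cache/fonts/sample.ttf",
                "data://text/plain;base64,QUFBQQ==",
                "https://fonts.example/sample.ttf"):
        print(uri, "fail-open:", run(resolve_fail_open, uri),
              "fail-closed:", run(resolve_fail_closed, uri))
```

The log lines are identical in both versions, which is why a fail-open check is easy to miss in review: the error is recorded, but nothing stops the subsequent read. The only observable difference is whether the wrapper was actually opened.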
A TIFF/phar polyglot (a valid image that is also a phar archive with serialized PHP metadata) had to be created for this. Luckily, PHP is very lenient with parsing. Since arbitrary PHP code can then be executed, this is remote code execution.
Overall, a great blog post on real-world vulnerability hunting. It was cool to see the improvement on the previous DomPDF exploits as well.