TYPO3 Extension ke DomPDF – Remote Code Execution

• Exploit Database
• 115 阅读

• 作者： RedTeam Pentesting
  日期： 2014-12-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35443/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139

  Advisory: Remote Code Execution in TYPO3 Extension ke_dompdf   During a penetration test RedTeam Pentesting discovered a remote code execution vulnerability in the TYPO3 extension ke_dompdf, which allows attackers to execute arbitrary PHP commands in the context of the webserver.     Details =======   Product: ke_dompdf TYPO3 extension Affected Versions: 0.0.3<= Fixed Versions: 0.0.5 Vulnerability Type: Remote Code Execution Security Risk: high Vendor URL: http://typo3.org/extensions/repository/view/ke_dompdf Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-007 Advisory Status: published CVE: CVE-2014-6235 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6235     Introduction ============   "DomPDF library and a small pi1 to show how to use DomPDF to render the current typo3-page to pdf." (taken from the extension&apos;s description)     More Details ============   The TYPO3 extension ke_dompdf contains a version of the dompdf library including all files originally supplied with it. This includes an examples page, which contains different examples for HTML-entities rendered as a PDF.This page also allows users to enter their own HTML code into a text box to be rendered by the webserver using dompdf. dompdf also supports rendering of PHP files and the examples page also accepts PHP code tags, which are then executed and rendered into a PDF on the server.   Since those files are not protected in the TYPO3 extension directory, anyone can access this URL and execute arbitrary PHP code on the system. This behaviour was already fixed in the dompdf library, but the typo3 extension ke_dompdf supplies an old version of the library that still allows the execution of arbitrary PHP code.     Proof of Concept ================   Access examples.php on the vulnerable system: http://www.example.com/typo3conf/ext/ke_dompdf/res/dompdf/www/examples.php   Enter PHP code in the text box on the bottom of the page and click the submit button, for example:   ------------------------------------------------------------------------ <?php phpinfo() ?> ------------------------------------------------------------------------   The page will return a PDF file containing the output of the PHP code.     Workaround ==========   Remove the directory "www" containing the examples.php file or at least the examples.php file from the extensions&apos; directory.     Fix ===   Update to version 0.0.5 of the extension.     Security Risk =============   high     Timeline ========   2014-04-21 Vulnerability identified 2014-04-30 Customer approved disclosure to vendor 2014-05-06 CVE number requested 2014-05-10 CVE number assigned 2014-05-13 Vendor notified 2014-05-20 Vendor works with TYPO3 security team on a fix 2014-09-02 Vendor released fixed version [2] 2014-12-01 Advisory released     References ==========   The TYPO3 extension ke_dompdf contains an old version of the dompdf library, which contains an example file that can be used to execute arbitrary commands.This vulnerability was fixed in dompdf in 2010. The relevant change can be found in the github repository of dompdf:   [1] https://github.com/dompdf/dompdf/commit/ e75929ac6393653a56e84dffc9eac1ce3fb90216   TYPO3-EXT-SA-2014-010: Several vulnerabilities in third party extensions:   [2] http://typo3.org/teams/security/security-bulletins/typo3-extensions/ typo3-ext-sa-2014-010/     RedTeam Pentesting GmbH =======================   RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.   As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.   More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.   -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachenhttps://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen