PhpSpreadsheet 1.5.0 XXE vulnerability reproduction and analysis-vulnerability warning-the black bar safety net

0x01 introduction
PhpSpreadsheet is a very popular pure PHP class library that allows you to easily read and write Excel, LibreOffic Calc and other spreadsheet file formats, is PHPExcel alternative. 2018 11 October 13, PhpSpreadsheet was broke presence of the XXE vulnerability, CVE-2018-19277), in the form of the extract file to insert the UTF-7 encoding of malicious xml payload, you can bypass PhpSpreadsheet library of security checks caused XXE attacks.

0x02 affect the scope of the
PhpSpreadsheet 1.5.0 and the following version

0x03 vulnerability reproduction
Since Office 2007 and later, Excel stores the file extension for xlsx, with respect to the previous older versions of the One X, substantially xlsx file is a compressed package. Create a new exploit. xlsx empty file, unzip exploit.xlsx
! [](/Article/UploadPic/2019-1/2019126144536468. png)
The following payload to UTF-7 encoding, 并替换掉xl/worksheets/sheet1.xml the.
xml version=“1.0” encoding=“UTF-8”?& gt;
%aaa;%ccc;%ddd;]>
After encoding the payload as shown below, Note be sure to modify the xml encoding the encoding of the value.
! [](/Article/UploadPic/2019-1/2019126144537126. png)
Execute zip-r …/exploit1.xlsx *进行重打包生成exploit1.xlsx; switch to the Web directory and use composer to install 1. 5. 0 version of the PhpSpreadsheet composer require phpoffice/phpspreadsheet=1.5.0, the 在同一目录下新建excel.php, the content is as follows:
error_reporting(-1);
require ‘vendor/autoload.php’;
$reader = PhpOfficePhpSpreadsheetIOFactory::createReader(‘Xlsx’); //create Xlsx to read the object
$reader->setReadDataOnly(TRUE);
$spreadsheet = $reader->load(‘exploit1.xlsx’); //加载excel表格文件exploit1.xlsx
?& gt;
Open, error message is prompted, access excel. php will see the warning information will help us quickly locate the problem function and where line.
! [](/Article/UploadPic/2019-1/2019126144537433. png)
Subsequently, in the ceye on the platform saw the parsing of the xml files when an external entity requests.
! [](/Article/UploadPic/2019-1/2019126144537454. png)

0x04 vulnerability analysis
Vulnerability analysis from our create excel. php start, file, line 4 calls the vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/IOFactory. php createReader method, when the$readers in the array does not exist$readerType the key value, it will throw an exception.
! [](/Article/UploadPic/2019-1/2019126144537848. png)
Here the transfer of$readerType=‘Xlsx’, it returns the corresponding value for ReaderXlsx::class
! [](/Article/UploadPic/2019-1/2019126144537854. png)
The 77 row is created PhpOfficePhpSpreadsheetReaderXlsx object, and then returns to the$reader object and call the load method; 跟进到对应的类文件vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Reader/Xlsx.php in 389 lines define the load method, the method first calls the File class’s assertFile method to determine the form whether the file exists, and in the 402-403 calls the ZipArchive class open method to open exploit1. xlsx file is easy to call after extracting the sub-file.
! [](/Article/UploadPic/2019-1/2019126144537699. png)
Then the load method will be based on the decompressed file types one by one process, there is not an analysis, according to the warning information directly to the 760 line of the simplexml_load_string method, the method typically used for the XML string to load the object, if used improperly it can easily lead to XXE vulnerability. 这里先调用了getFromZipArchive方法处理xl/wordsheets/sheet1.xml, i.e., the insertion xxe payload of the xml file.
! [](/Article/UploadPic/2019-1/2019126144538499. png)
Follow up to getFromZipArchive, the method calls the ZipArchive::getFromName method, based on the file name from the compressed file to obtain corresponding file content and return.
! [](/Article/UploadPic/2019-1/2019126144538762. png)
Return Xlsx. php the 757 line, getFromZipArchive method’s return value also after the securityScan method of treatment, 跟进到Xlsx类的父类vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Reader/BaseReader.php that securityScan methods use regular expression matching/?, the It is because of the use of the UTF-7 encoding, the resulting string is encoded, thereby bypassing the securityScan method of the XXE attack the defense.
! [](/Article/UploadPic/2019-1/2019126144538422. png)

0x05 official patch analysis
Official in 2018 11 on 21 October released a patch to fix the vulnerability 创建了一个PHPOffice/PhpSpreadsheet/src/PhpSpreadsheet/Reader/Security/XmlScanner.php the xml content of the security check of the class file, in Xlsx. php constructor to instantiate the security class, then call the simplexml_load_string method of processing the xml content before, will call to the security class of the scan method to check whether the presence of the XXE attack.
! [](/Article/UploadPic/2019-1/2019126144538137. png)

[1] [2] next