TYPO3 Extension ke_dompdf 0.0.3 Remote Code Execution

2014-12-01T00:00:00
ID PACKETSTORM:129338
Type packetstorm
Reporter redteam-pentesting.de
Modified 2014-12-01T00:00:00

Description

                                        
                                            `Advisory: Remote Code Execution in TYPO3 Extension ke_dompdf  
  
During a penetration test RedTeam Pentesting discovered a remote code  
execution vulnerability in the TYPO3 extension ke_dompdf, which allows  
attackers to execute arbitrary PHP commands in the context of the  
webserver.   
  
  
Details  
=======  
  
Product: ke_dompdf TYPO3 extension  
Affected Versions: 0.0.3<=  
Fixed Versions: 0.0.5  
Vulnerability Type: Remote Code Execution  
Security Risk: high  
Vendor URL: http://typo3.org/extensions/repository/view/ke_dompdf  
Vendor Status: fixed version released  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-007  
Advisory Status: published  
CVE: CVE-2014-6235  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6235  
  
  
Introduction  
============  
  
"DomPDF library and a small pi1 to show how to use DomPDF to render the  
current typo3-page to pdf."  
(taken from the extension's description)  
  
  
More Details  
============  
  
The TYPO3 extension ke_dompdf contains a version of the dompdf library  
including all files originally supplied with it. This includes an  
examples page, which contains different examples for HTML-entities  
rendered as a PDF. This page also allows users to enter their own HTML  
code into a text box to be rendered by the webserver using dompdf.  
dompdf also supports rendering of PHP files and the examples page also  
accepts PHP code tags, which are then executed and rendered into a PDF  
on the server.  
  
Since those files are not protected in the TYPO3 extension directory,  
anyone can access this URL and execute arbitrary PHP code on the system.  
This behaviour was already fixed in the dompdf library, but the typo3  
extension ke_dompdf supplies an old version of the library that still  
allows the execution of arbitrary PHP code.  
  
  
Proof of Concept  
================  
  
Access examples.php on the vulnerable system:  
http://www.example.com/typo3conf/ext/ke_dompdf/res/dompdf/www/examples.php  
  
Enter PHP code in the text box on the bottom of the page and click the  
submit button, for example:  
  
------------------------------------------------------------------------  
<?php phpinfo() ?>  
------------------------------------------------------------------------  
  
The page will return a PDF file containing the output of the PHP code.  
  
  
Workaround  
==========  
  
Remove the directory "www" containing the examples.php file or at least  
the examples.php file from the extensions' directory.  
  
  
Fix  
===  
  
Update to version 0.0.5 of the extension.  
  
  
Security Risk  
=============  
  
high  
  
  
Timeline  
========  
  
2014-04-21 Vulnerability identified  
2014-04-30 Customer approved disclosure to vendor  
2014-05-06 CVE number requested  
2014-05-10 CVE number assigned  
2014-05-13 Vendor notified  
2014-05-20 Vendor works with TYPO3 security team on a fix  
2014-09-02 Vendor released fixed version [2]  
2014-12-01 Advisory released  
  
  
References  
==========  
  
The TYPO3 extension ke_dompdf contains an old version of the dompdf  
library, which contains an example file that can be used to execute  
arbitrary commands. This vulnerability was fixed in dompdf in 2010. The  
relevant change can be found in the github repository of dompdf:  
  
[1] https://github.com/dompdf/dompdf/commit/  
e75929ac6393653a56e84dffc9eac1ce3fb90216  
  
TYPO3-EXT-SA-2014-010: Several vulnerabilities in third party extensions:  
  
[2] http://typo3.org/teams/security/security-bulletins/typo3-extensions/  
typo3-ext-sa-2014-010/  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests, short pentests,  
performed by a team of specialised IT-security experts. Hereby, security  
weaknesses in company networks or products are uncovered and can be  
fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
https://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
`