Description
PHPOffice Math allows XXE when processing an XML file in the MathML format
Product: Math
Version: 0.2.0
CWE-ID: CWE-611: Improper Restriction of XML External Entity Reference
CVSS vector v.4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
CVSS vector v.3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Description: An attacker can craft a special XML file; when it is processed, external entities are loaded, making it possible to read local server files.
Impact: Reading of local server files
Vulnerable component: The loadXML function called with the unsafe LIBXML_DTDLOAD flag in the MathML class
Exploitation conditions: The vulnerability applies only to reading a file in the MathML format.
Mitigation: If the LIBXML_DTDLOAD flag cannot be dropped, it is recommended to filter external entities by implementing a custom external entity loader function.
Researcher: Aleksandr Zhurnakov (Positive Technologies)
Research
The zero-day vulnerability was discovered in the Math library during detailed research into XXE vulnerabilities in PHP.
Loading XML data with the standard libxml extension and the LIBXML_DTDLOAD flag, without additional filtering, leads to XXE.
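As an added example (not code from PHPOffice Math or from this advisory), the PHP below contrasts the vulnerable loadXML(LIBXML_DTDLOAD) pattern with two hardened variants: dropping the flag entirely, and keeping it behind the custom external entity loader that the Mitigation field recommends. The allow-listed DTD directory, the placeholder DTD host and the sample MathML document are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from PHPOffice Math. Shows the unsafe pattern the
// advisory describes and two hardened ways to parse MathML with libxml.
// The DTD directory, host name and sample document are constructed assumptions.

/** Unsafe: LIBXML_DTDLOAD makes libxml fetch the external DTD subset (the advisory's bug class). */
function loadMathMlUnsafe(string $xml): DOMDocument
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_DTDLOAD); // vulnerable pattern, shown for comparison only
    return $dom;
}

/** Safe when the DTD is not needed: never ask libxml to load it at all. */
function loadMathMlSafe(string $xml): DOMDocument
{
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    try {
        // No LIBXML_DTDLOAD, no LIBXML_NOENT; LIBXML_NONET additionally forbids network fetches.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            $msgs = array_map(fn(LibXMLError $e) => trim($e->message), libxml_get_errors());
            throw new RuntimeException('Malformed MathML: ' . implode('; ', $msgs));
        }
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
    }
    return $dom;
}

/**
 * Builds the custom external entity loader the advisory recommends when
 * LIBXML_DTDLOAD cannot be dropped: only files inside $allowedDir (e.g. a
 * vendored copy of the MathML DTD) are served; every URL scheme, absolute
 * path and parent-directory reference is refused by returning null.
 */
function makeFilteringEntityLoader(string $allowedDir): callable
{
    $base = rtrim(realpath($allowedDir) ?: $allowedDir, '/') . '/';
    return function (?string $publicId, ?string $systemId, array $context) use ($base) {
        if ($systemId === null || preg_match('#^[a-z][a-z0-9+.-]*:#i', $systemId)) {
            error_log('Blocked external entity: public=' . ($publicId ?? '-') . ' system=' . ($systemId ?? '-'));
            return null; // http://, file://, php:// ... are all refused
        }
        // basename() strips any directory component, so "../" tricks cannot escape $base.
        $candidate = realpath($base . basename($systemId));
        if ($candidate === false || strncmp($candidate, $base, strlen($base)) !== 0) {
            error_log('Blocked external entity outside allowlist: ' . $systemId);
            return null;
        }
        return fopen($candidate, 'rb'); // a stream resource is an accepted return value
    };
}

/** Keeps LIBXML_DTDLOAD but routes every external load through the filter. */
function loadMathMlWithFilteredDtd(string $xml, string $dtdDir): DOMDocument
{
    libxml_set_external_entity_loader(makeFilteringEntityLoader($dtdDir));
    $prev = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        if (!$dom->loadXML($xml, LIBXML_DTDLOAD | LIBXML_NONET)) {
            $msgs = array_map(fn(LibXMLError $e) => trim($e->message), libxml_get_errors());
            throw new RuntimeException('Malformed MathML: ' . implode('; ', $msgs));
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
        libxml_set_external_entity_loader(null); // restore libxml's default resolver
    }
}

// Constructed sample: an ordinary MathML document whose DOCTYPE points at a
// remote DTD on a placeholder host. Neither hardened loader fetches it.
$sample = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE math SYSTEM "http://dtd.example.invalid/mathml3.dtd">
<math xmlns="http://www.w3.org/1998/Math/MathML"><mi>x</mi><mo>+</mo><mn>1</mn></math>
XML;

$dom = loadMathMlSafe($sample);
echo $dom->documentElement->localName, PHP_EOL;
$dom = loadMathMlWithFilteredDtd($sample, __DIR__ . '/dtd'); // assumed vendored-DTD directory
echo $dom->getElementsByTagNameNS('http://www.w3.org/1998/Math/MathML', 'mn')->item(0)->textContent, PHP_EOL;
```

The first hardened variant is the one to prefer: without LIBXML_DTDLOAD libxml never attempts to load the external subset, so the question of which loader handles it does not arise. The second variant exists for code that genuinely needs the DTD; there the allow-list loader refuses the remote system identifier (logging it), while the document body, which is well-formed on its own, still parses. Note that PHP 8 not substituting entities by default is not a substitute for either measure, because LIBXML_DTDLOAD still fetches the external subset and processes the parameter entities it declares.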
Below are steps to reproduce the vulnerability.
- Preparation:
  - The payload was tested on PHP versions >= 8.1.
  - The Composer package manager is used to install the latest version of the Math library.
  - PHP has to be configured with Zlib support.
  - The necessary requirements for the Math library must be installed.
  - The netcat utility is used to demonstrate exfiltration.
- Make a math directory and move into it.
- Install the latest version of the library (Figure 1).
Figure 1. Installing the library
- Create the poc.xml file (Listing 1):
Listing 1. Creating poc.xml
- Create the math.php file (Listing 2):
Listing 2. Creating math.php
- The payload (see step 4) is set to exfiltrate the /etc/hostname file through http://127.0.0.1:9999/, so the listening socket is launched on port 9999 (Figure 2).
Figure 2. Launching the listening socket
- Execute the PHP script via the console:
6 characters from the /etc/hostname file will be exfiltrated to port 9999 in base64 format (Figure 3).
Figure 3. Characters exfiltration
Decode the received data from base64 after removing the trailing M character (a feature of the payload) (Figure 4).
Figure 4. Data decoding
- By changing the payload, the rest of the file can be received.
Credits
Aleksandr Zhurnakov (Positive Technologies)
Packages
phpoffice/math: affected versions <= 0.2.0, fixed in 0.3.0
Related vulnerabilities
PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard `libxml` extension and the `LIBXML_DTDLOAD` flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability.
A vulnerability in the PHPOffice Math library related to improper restriction of XML external entity references, allowing an attacker to affect the confidentiality of protected information.