CVE-2023-41330 in knp-snappy

Summary

by MITRE • 09/06/2023

knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page.

Issue

On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\strpos($filename, 'phar://') === 0)` in the `prepareOutput` function to resolve this CVE. However, if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, that value is passed on as the `$filename` parameter of the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function, which allowed users to trigger a deserialization of arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and, if it starts with `phar://`, an exception is raised. However, because PHP wrappers are case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a`, which is included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator->generate(...)` function.


Analysis

by VulDB Data Team • 09/07/2023

The vulnerability CVE-2023-41330 affects the knplabs/knp-snappy PHP library, which is commonly used for generating thumbnails, snapshots, or PDF documents from URLs or HTML pages. This library serves as a wrapper around wkhtmltopdf and wkhtmltoimage tools, making it a popular choice for web applications requiring document generation capabilities. The vulnerability stems from an insufficient input validation mechanism within the library's file handling functions, specifically in the prepareOutput method that processes generated file paths.

The technical flaw manifests in the library's handling of file paths during the PDF or image generation process. When the generateFromHtml() function is called, it accepts a filename parameter that gets passed to the prepareOutput() function. The original fix for CVE-2023-28115 attempted to prevent PHAR deserialization attacks by checking if the filename started with 'phar://', but this protection was bypassed due to PHP's case-insensitive wrapper handling. Attackers can exploit this by using uppercase 'PHAR://' instead of lowercase 'phar://', thereby circumventing the validation check. This represents a classic bypass technique where security controls are implemented but not comprehensive enough to cover all possible variations of the attack vector.

The operational impact of this vulnerability is severe, as it allows for remote code execution and full filesystem access on the affected server. An attacker who can upload files to the server and has control over the filename parameter in the generateFromHtml() function can craft malicious PHAR files that will be deserialized when the library processes the file path. This creates a privilege escalation scenario where an unauthenticated attacker can execute arbitrary code with the privileges of the web server process. The vulnerability is particularly dangerous because it requires only the ability to submit data to the library's generation functions, which are commonly exposed through web interfaces or API endpoints. This aligns with ATT&CK technique T1059.007 for command and script injection, and T1078 for valid accounts, as the execution occurs within the context of legitimate web server processes.

The vulnerability is classified under CWE-502, "Deserialization of Untrusted Data", and represents a specific case of insecure deserialization in which PHP's PHAR wrapper functionality is exploited. The fix implemented in version 1.4.3 addresses this by comparing the wrapper prefix case-insensitively, or equivalently by normalizing the case of the filename before the check. Organizations should ensure they are running version 1.4.3 or later of the library, as this release contains the fix that prevents the case-variation bypass. For those unable to upgrade immediately, administrators should implement strict input validation and ensure that only trusted users can submit data to the AbstractGenerator->generate() function, limiting the attack surface. The vulnerability also highlights the importance of proper input sanitization and the need to account for case-insensitive behaviour in security controls, particularly when dealing with PHP's filesystem and wrapper functionality. This issue demonstrates how a seemingly simple security patch can be bypassed by someone who understands the underlying platform's behaviour, emphasizing the need for comprehensive testing and validation of security mitigations.
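The following added example (our own code, not knp-snappy's) contrasts the 1.4.2-style prefix check quoted in the Issue section with a hardened check of the kind the Analysis describes, and runs both over constructed file names so the effect of the upper-case wrapper is visible. The function names and the `scheme://` rejection rule are our assumptions, not the library's actual fix.

```php
<?php
// Added example, not knp-snappy code. Compares a case-sensitive wrapper
// check with a hardened, case-insensitive one on constructed inputs.

/** Mirrors the 1.4.2 check quoted in the advisory: case-sensitive prefix match. */
function rejectsPharLikeV142(string $filename): bool
{
    return \strpos($filename, 'phar://') === 0;
}

/**
 * Hardened check (our assumption, not the library's commit): an output path
 * never legitimately carries a stream-wrapper scheme, so reject any
 * "scheme://" prefix regardless of letter case. This covers phar://, PHAR://
 * and any other wrapper that file_exists() would otherwise resolve.
 */
function rejectsAnyWrapperHardened(string $filename): bool
{
    return \preg_match('#^[a-z][a-z0-9+.\-]*://#i', $filename) === 1;
}

// Constructed sample inputs: a plain local path, the lower-case wrapper the
// 1.4.2 check targets, and the upper-case variant the advisory describes.
$samples = [
    '/tmp/output.pdf',
    'phar:///path/to/archive/out.pdf',
    'PHAR:///path/to/archive/out.pdf',
];

foreach ($samples as $name) {
    printf(
        "%-36s 1.4.2-style check blocks: %-4s hardened check blocks: %s\n",
        $name,
        rejectsPharLikeV142($name) ? 'yes' : 'no',
        rejectsAnyWrapperHardened($name) ? 'yes' : 'no'
    );
}
```

The third row is the one that matters: only the hardened check rejects the upper-case form, which is why a `strpos()` comparison alone is not a sufficient control for PHP stream wrappers.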

Responsible

GitHub, Inc.

Reservation

08/28/2023

Disclosure

09/06/2023

Moderation

accepted

CPE

ready

EPSS

0.01877

KEV

no

Activities

very low
