The Snappy PHP library is a popular web utility for generating snapshots, thumbnails, or PDFs from URLs or HTML pages. However, versions prior to 1.4.2 of Snappy are affected by a PHAR deserialization vulnerability. This vulnerability might lead to remote code execution (RCE) under specific conditions, such as when Snappy is used with known vulnerable frameworks like Laravel or Symfony, or with insecure developer code.

Summary of vulnerability

The core issue stems from Snappy's handling of the PHAR protocol, a PHP archive format that can be addressed through the phar:// stream wrapper. Because the protocol of the output path is never checked, passing a phar:// path to the file_exists() call in Snappy makes PHP open the archive and unserialize the metadata stored in it. Consequently, an attacker could potentially instantiate arbitrary PHP object payloads, leading to remote code execution. This vulnerability can be exploited especially when Snappy is used with frameworks or developer code that expose vulnerable POP chains.

The vulnerability can be triggered through the following code snippet in the Snappy PHP library:

// Knp\Snappy\AbstractGenerator, versions before 1.4.2
public function generateFromHtml($html, $output, array $options = [], $overwrite = false)
{
    // $output arrives straight from the caller; nothing checks that it is a
    // plain filesystem path rather than a stream-wrapper URL such as phar://
    if (false === $overwrite && file_exists($output)) {
        throw new FileAlreadyExistsException(sprintf('The file %s already exists and the overwrite option is not enabled.', $output));
    }

    // Rest of the function...
}

Key points of interest within this code:

1. The $output parameter is used in the file_exists() function without any prior validation of the protocol.
2. If an attacker can control the value of $output, a malicious PHAR file can be injected and deserialized.

References

1. Release notes of Snappy v1.4.2: https://github.com/KnpLabs/snappy/releases/tag/v1.4.2
2. Snappy's GitHub repository with more information and documentation: https://github.com/KnpLabs/snappy

Exploit Details

To successfully exploit this vulnerability, an attacker would need to fulfill the following condition:

Control the $output parameter of the generateFromHtml() function in Snappy.

Once this condition is met, the attacker could potentially obtain remote code execution by leveraging a vulnerable POP chain present in the frameworks or developer code loaded alongside Snappy.

Mitigation

To safeguard against this vulnerability, ensure that you are using Snappy version 1.4.2 or higher. The developers behind Snappy have patched this vulnerability in the 1.4.2 release, thereby eliminating the risk of PHAR deserialization.

Additionally, make sure to adhere to best practices in web application security and thoroughly validate all input parameters to prevent potential attacks.
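The following is an added example of such input validation on the application side; it is not Snappy's own code or its 1.4.2 patch. It assumes PHP 8.0+ and that the application always writes PDFs into one fixed directory, so only a bare file name is ever accepted from the caller.

```php
<?php
// Added example (not Snappy's own code or patch): an application-side guard
// that validates the $output path before it is handed to generateFromHtml().
// Assumes PHP 8.0+ and that PDFs are always written into one fixed directory.
declare(strict_types=1);

final class OutputPathGuard
{
    public function __construct(private string $baseDir) {}

    /**
     * Returns an absolute path inside $baseDir, or throws. A path that passes
     * this method can never reach file_exists() carrying a stream wrapper.
     */
    public function sanitize(string $userPath): string
    {
        // A wrapper prefix ("phar://", "data://", ...) is never a legitimate output
        // file. (PHP 8.0+ no longer unserializes phar metadata on stat calls, but
        // older runtimes and other wrappers still make this check worthwhile.)
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
            throw new InvalidArgumentException('stream wrappers are not allowed');
        }
        // NUL bytes truncate paths inside native calls; reject them outright.
        if (str_contains($userPath, "\0")) {
            throw new InvalidArgumentException('NUL byte in path');
        }
        // Accept only a bare *.pdf file name; the directory is chosen server-side,
        // so "/" and ".." never get a chance to influence the final location.
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.pdf$/', $userPath)) {
            throw new InvalidArgumentException('output must be a plain *.pdf file name');
        }
        $real = realpath($this->baseDir);
        if ($real === false) {
            throw new RuntimeException('base directory does not exist');
        }
        return $real . DIRECTORY_SEPARATOR . $userPath;
    }
}

// Constructed sample inputs: one benign name and two that must be refused.
$guard = new OutputPathGuard(sys_get_temp_dir());
foreach (['report.pdf', 'phar:///tmp/evil.phar/x.pdf', '../other/report.pdf'] as $candidate) {
    try {
        echo "accepted: $candidate -> " . $guard->sanitize($candidate) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $candidate (" . $e->getMessage() . ")\n";
    }
}
// Only a value returned by sanitize() should be passed on as $output.
```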

Conclusion

CVE-2023-28115 affects the Snappy PHP library and can lead to remote code execution due to a vulnerability in how the PHAR protocol is processed. This issue has been resolved in Snappy version 1.4.2, so users should ensure their installations are up-to-date. As always, follow good security practices and stay informed about the latest security updates for the libraries and frameworks in use to keep your web applications secure.

Timeline

Published on: 03/17/2023 22:15:00 UTC
Last modified on: 03/24/2023 16:40:00 UTC