{"id":13758,"date":"2018-11-04T14:19:37","date_gmt":"2018-11-04T22:19:37","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/11\/04\/news-7525\/"},"modified":"2018-11-04T14:19:37","modified_gmt":"2018-11-04T22:19:37","slug":"news-7525","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/11\/04\/news-7525\/","title":{"rendered":"SSD Advisory \u2013 Symfony Framework forward() Remote Code Execution"},"content":{"rendered":"

Credit to Author: SSD \/ Ori Nimron| Date: Sun, 04 Nov 2018 14:21:53 +0000<\/strong><\/p>\n

\n
\n

Vulnerability Summary<\/strong>
The following advisory describes a vulnerability found in Symfony 3.4 – a PHP framework that is used to create websites and web applications. Built on top of the Symfony Components. Under certain conditions, the Symfony framework can be abused to trigger RCE in the HttpKernel (http-kernel) component, while forward() is considered by the vendor as an equivalent to eval() (in its security implications) – there is no mentioning of this in the current documentation.<\/p>\n

Vendor Response<\/strong>
“As previously noted, unless there is something we are missing, the forward() method itself does not have a security vulnerability, but you believe having public methods that accept callables as arguments is in itself a security vulnerability. The forward() method allows you to pass a callable to it which, like many methods in many libraries including many common functions in PHP core such as array_filter (https:\/\/secure.php.net\/manual\/en\/function.array-filter.php), if you pass untrusted user input into it, then it could result in remote code execution.<\/p>\n

As with SQL queries, outputting data onto a page, using callables or using eval(), if you pass untrusted user input into them, it can result in security issues whether it be remote code execution, SQL injection or an XSS issue. As a framework, Symfony will attempt to aid users to write more secure code and provide tools for this, but a framework cannot assume complete and total responsibility as developers can always write insecure code and should always be aware of how they use unvalidated user input.<\/p>\n

As I hope I’ve explained we do not believe this to be a security vulnerability, but if you believe we are still missing something, please do let us know.”<\/p>\n

We disagree with this assessment, looking up examples of how to use forward(), there is no mentioning by anyone that you should filter user provided data as it may trigger a code execution vulnerability (unlike eval() equivalent or SQL statements equivalent examples), we therefore believe its prudent to publicly announce this issue.<\/p>\n

Credit<\/strong>
Independent security researcher, Calum Hutton, have reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
<\/span>
Affected systems<\/strong>
Symfony Framework 3.4.* Running on Linux Systems.<\/p>\n

Vulnerability Details<\/strong>
The vulnerability occurs when the untrusted user data is passed into the forward() function provided by the frameworks AbstractController class. If this function is called in application code with untrusted user input, the application is potentially at risk of this issue.<\/p>\n

Symfony allows for controllers to be any PHP callable (https:\/\/symfony.com\/doc\/current\/controller.html#a-simple-controller) which gives great flexibity to the developer, but also potentially unforeseen consequences. Because of this, the string ‘system’ would be considered a valid controller, as it is a valid callable and would resolve to the builtin system() function. Symfony would successfully resolve and instantiate the controller instance and attempt to resolve the arguments required to call the new controller from the provided arguments and request context. This would normally fail (depending on the names, and number of arguments), causing the entire controller resolution to fail. One array that is searched for appropriate argument names during argument resolution is the path array passed into the AbstractController::forward() function.<\/p>\n

Hence, by controlling the first (controller name\/callable) and at least partially the second (path array) parameters of the AbstractController::forward() function, it is possible to call arbitrary PHP functions leading to RCE.<\/p>\n

How to Exploit<\/strong>
One way developers might introduce parameters into the path array to pass on to the forwarded controller is through named URL route parameters. Consider the following route definition:
forward:<\/p>\n

\t\t<\/p>\n

\n
<\/span> \t\t\t<\/p>\n
\n
\n
<\/div>\n<\/div>\n
\n
<\/div>\n<\/div>\n
\n
<\/div>\n<\/div>\n
\n
<\/div>\n<\/div>\n
\n
<\/div>\n<\/div>\n
\n
<\/div>\n<\/div>\n<\/div>\n<\/div>\n
<\/div>\n