DOMPDF XSS to RCE, Chrome Leaking Envrionment Vars, and cr8escape
Great bounty for a fairly simple bug, the
Trivial instance of client-sided validation, in this case to enforce a timeout they were using the device’s time. So by changing the time on the device you can make more attempts at the pin.
With HTML injection they could inject content, but with a configuration option
$isRemoteEnabled the renderer wouldn’t fetch remote file. This setting wasn’t respected for remote fonts downloaded because of an injected
src:url(...) CSS rule. These fonts would be downloaded (on versions before 0.8.5) to
lib/fonts the filename would be slightly modified in a deterministic way, and the extension would remain unchanged. The file did need to be loadable by
php-font-lib but that is all.
So by injecting PHP code into a font’s copyright section, and then navigating to the font’s file directly code execution on the server could be gained.
There are two huge red flags to me here:
- Storing everything under the webroot is a bad idea, especially user controlled content.
- Storing arbitrary content with an attacker influenced name. In this case they already had a lookup system to find the appropiate font files, so keeping the font names (and extension) is unnecessary. By not giving control of the filename and using a truely random name, even given poor security around the webroot would have made it difficult to exploit.
Simple container escape compared to several we’ve covered in the past, the
sysctls passed into the
pinns utility are delimited by a
+ which can be maliciously included in a value to inject otherwise blocked
sysctls. There is some minimal validation on the
sysctls being passed in to ensure the keys don’t match any sensitive keys, however an attacker can set a value to
+sensitive.key=othervalue to smuggle in a blocked option.
Smuggling in a
kernel.core_pattern could be used to execute an arbitrary file as root on the host to handle a crash dump. This would require a fairly privileged attacker who is able to deploy pods but may not have underlying access to the host system. It could also be useful as part of a chain.