[Dompdf] RCE via Polyglot phar/ttf File

We discussed this vulnerability during Episode 157 on 10 October 2022

This vulnerability chains two earlier issues. The first was an RCE via caching of remote font files, which we covered on Episode 129: Dompdf would download remote font files referenced from CSS and save them locally under their original file extension, so an attacker could get a .php file written onto the server, where it might then be executed. The second was that phar:// URLs were accepted in HTML element src attributes and handed to PHP's stream wrappers, so they were interpreted.

The first issue was patched by validating that a downloaded file was a genuine TrueType font, forcing a .ttf extension on it, and disabling remote file downloads by default. The second was patched with an allow list of URL schemes, with phar:// blocked by default. The researchers found that the scheme check in registerFont() was insufficient: when the scheme was not on the allow list it issued a warning but then kept executing instead of bailing out.

That meant they could get Dompdf to read from a phar:// URL, but they still needed to get a phar archive saved onto the server. A data: URI in an @font-face src attribute did the job: Dompdf writes the decoded font data to its local font cache without any remote download taking place, so the download restriction never applies. The last remaining trick was to generate a phar archive that was also a valid TTF, so it would pass the font validation and be saved with a .ttf extension while still being loadable through the phar:// stream wrapper, which does not care about the file extension.
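To make the polyglot concrete, here is an added Python example (not code from the episode, Dompdf or php-font-lib) that builds a structurally valid sfnt/TrueType container, appends a phar archive to it so the result is one file that satisfies both parsers, and then shows which checks catch it. The phar layout follows PHP's documented Phar file format (stub ending in __HALT_COMPILER();, little-endian manifest, SHA-1 signature block ending in GBMB); that layout is my reconstruction and should be confirmed against php's Phar class before relying on it. The archive carries a harmless dummy file, not a payload. The point for a defender is the `classify` function: checking "is this a TTF" passes the polyglot, while checking for data past the end of the table directory, or for phar markers, does not.

```python
"""Constructed example: one file that is both a valid sfnt (TTF) and a phar.

Not Dompdf's or php-font-lib's code. Phar layout per PHP's documented format
(assumption; verify against php's Phar class).
"""
import hashlib
import struct
import zlib

HEAD_MAGIC = 0x5F0F3CF5           # required magicNumber in the 'head' table
HALT_TOKEN = b"__HALT_COMPILER();"  # token PHP searches for to find the phar manifest


def sfnt_checksum(table: bytes) -> int:
    """Sum of big-endian uint32 words over the table padded to 4 bytes."""
    padded = table + b"\0" * (-len(table) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def build_minimal_ttf() -> bytes:
    """sfnt header + one directory record + a 54-byte 'head' table."""
    head = struct.pack(">IIII", 0x00010000, 0x00010000, 0, HEAD_MAGIC)   # version, revision, adj, magic
    head += struct.pack(">HHqq", 0, 1000, 0, 0)                          # flags, unitsPerEm, created, modified
    head += struct.pack(">hhhhHHhhh", 0, 0, 0, 0, 0, 8, 2, 0, 0)         # bbox, macStyle, ppem, dir hint, loc fmt, glyph fmt
    num_tables = 1
    header = struct.pack(">IHHHH", 0x00010000, num_tables, 16, 0, 0)    # searchRange=16, entrySelector=0, rangeShift=0
    offset = 12 + 16 * num_tables
    directory = struct.pack(">4sIII", b"head", sfnt_checksum(head), offset, len(head))
    return header + directory + head + b"\0" * (-len(head) % 4)


def build_phar_trailer(stub: bytes, files: dict) -> bytes:
    """Append a phar (manifest, file data, SHA-1 signature) behind an arbitrary stub."""
    stub = stub + b"<?php " + HALT_TOKEN + b" ?>\r\n"
    entries, contents = b"", b""
    for name, data in files.items():
        entries += struct.pack("<I", len(name)) + name
        # uncompressed size, timestamp, compressed size, crc32, flags (0666, stored), metadata len
        entries += struct.pack("<IIIIII", len(data), 0, len(data), zlib.crc32(data) & 0xFFFFFFFF, 0o666, 0)
        contents += data
    body = struct.pack("<I", len(files)) + b"\x11\x00"   # file count, API version 1.1.0
    body += struct.pack("<III", 0x00010000, 0, 0)          # global flags: has signature; no alias; no metadata
    body += entries
    archive = stub + struct.pack("<I", len(body)) + body + contents
    signature = hashlib.sha1(archive).digest() + struct.pack("<I", 0x0002) + b"GBMB"  # 0x0002 = SHA-1
    return archive + signature


def parse_sfnt_tables(data: bytes) -> dict:
    """Parse the sfnt table directory; raise ValueError if it is not a sane TTF."""
    if len(data) < 12 or data[:4] not in (b"\x00\x01\x00\x00", b"true", b"OTTO"):
        raise ValueError("not an sfnt container")
    num_tables = struct.unpack(">H", data[4:6])[0]
    if len(data) < 12 + 16 * num_tables:
        raise ValueError("table directory runs past end of file")
    tables = {}
    for i in range(num_tables):
        tag, csum, off, length = struct.unpack(">4sIII", data[12 + 16 * i:28 + 16 * i])
        if off + length > len(data):
            raise ValueError("table %r runs past end of file" % tag)
        table = data[off:off + length]
        if tag == b"head":                                  # checkSumAdjustment is zeroed when checksumming 'head'
            table = table[:8] + b"\0\0\0\0" + table[12:]
        if sfnt_checksum(table) != csum:
            raise ValueError("bad checksum for %r" % tag)
        tables[tag] = (off, length)
    return tables


def sfnt_extent(tables: dict) -> int:
    """Highest byte any table claims, rounded up to 4; a clean font ends here."""
    end = 12 + 16 * len(tables)
    for off, length in tables.values():
        end = max(end, off + length)
    return end + (-end % 4)


def phar_markers(data: bytes) -> dict:
    """Cheap indicators that a file is (also) a phar archive."""
    return {"halt_compiler": HALT_TOKEN in data, "gbmb_trailer": data.endswith(b"GBMB")}


def classify(data: bytes) -> str:
    tables = parse_sfnt_tables(data)            # a plain "is it a TTF?" check passes the polyglot
    trailing = len(data) - sfnt_extent(tables)  # bytes no table accounts for
    markers = phar_markers(data)
    if markers["halt_compiler"] or markers["gbmb_trailer"]:
        return "sfnt with embedded phar (%d trailing bytes)" % trailing
    if trailing:
        return "sfnt with %d bytes of unexplained trailing data" % trailing
    return "clean sfnt"


if __name__ == "__main__":
    clean = build_minimal_ttf()
    polyglot = build_phar_trailer(clean, {b"dummy.txt": b"hello"})  # constructed sample, no payload
    print("clean   :", classify(clean))
    print("polyglot:", classify(polyglot))
```

Both files parse identically as fonts, which is exactly why "validate it is a TTF and force .ttf" did not close the hole on its own. Rejecting the scheme outright (returning, not warning) in the font loader is the fix for the bug itself; rejecting fonts with bytes past the table directory's extent is a useful extra layer for any code that caches attacker-supplied fonts.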