[Dompdf] RCE via Polyglot phar/ttf File
This vulnerability builds on, and is complicated by, two past issues. The first was an RCE via caching of remote font files; we discussed this vulnerability on Episode 129. The core issue was that Dompdf would download remote font files and save them locally with the original file extension, which effectively gave an attacker the ability to upload a .php file onto the server, where it could then be executed. The second issue was that phar:// URLs could be used in HTML element src attributes and would be interpreted.
The patch for the first issue was to ensure it only downloaded valid TrueType Font files, to force the .ttf extension, and to not download remote files by default. The second issue was patched by creating an allow list of protocols, with phar:// blocked by default. They found that the patch for the second bug was insufficient in registerFont(): it would check the allowlist and issue a warning, but it would continue executing even if the scheme was not allowed. So they could get Dompdf to read a phar://, but they still needed to get one saved on the server. They were able to use a data: URI in the font-face src attribute to save a file locally without any download taking place. The last remaining trick was to generate a phar archive that was also a valid TTF file.
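The two mitigations this chain defeated (a scheme allowlist that only warned, and TrueType validation that does not consider a polyglot) can be modelled defensively. This is an added example, not Dompdf's code: the allowlist contents, the function names and the constructed sample font are assumptions, and the extra check relies on the fact that every phar archive stub contains the `__HALT_COMPILER();` token.

```python
"""Defensive checks for @font-face sources (added example, not Dompdf's own code)."""
import struct
from urllib.parse import urlsplit

# Assumed allowlist for this example; data: and phar: are deliberately absent.
ALLOWED_SCHEMES = {"http", "https", "file"}
# sfnt version tags for TrueType / Apple TrueType / OpenType-CFF containers.
SFNT_VERSIONS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}
# Every phar archive stub must contain this token, so a phar/ttf polyglot does too.
PHAR_STUB_MARKER = b"__HALT_COMPILER();"


def check_font_source(src: str) -> bool:
    """Return True only when the URL scheme is on the allowlist.

    A warn-and-continue implementation is exactly the registerFont() defect
    described above; the caller must stop loading when this returns False.
    """
    scheme = urlsplit(src).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def is_plain_truetype(data: bytes) -> bool:
    """Accept only a structurally plausible sfnt font that carries no phar stub."""
    if len(data) < 12 or data[:4] not in SFNT_VERSIONS:
        return False
    num_tables = struct.unpack(">H", data[4:6])[0]
    # The 12-byte offset table is followed by one 16-byte record per table.
    if num_tables == 0 or len(data) < 12 + 16 * num_tables:
        return False
    # Header checks alone pass a polyglot; reject anything that could be a phar.
    return PHAR_STUB_MARKER not in data


def _constructed_font(with_phar_stub: bool) -> bytes:
    """Constructed sample: a minimal TrueType-shaped blob, optionally with a phar stub."""
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
    record = b"head" + struct.pack(">III", 0, 28, 4)  # checksum, offset, length
    body = header + record + b"\x00" * 4
    return (body + b"<?php __HALT_COMPILER(); ?>") if with_phar_stub else body


if __name__ == "__main__":
    print(check_font_source("https://example.invalid/font.ttf"))   # True
    print(check_font_source("phar:///tmp/font.ttf/x"))             # False
    print(is_plain_truetype(_constructed_font(False)))             # True
    print(is_plain_truetype(_constructed_font(True)))              # False
```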