GHSA-9436-3gmp-4f53

Source

https://github.com/advisories/GHSA-9436-3gmp-4f53

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-9436-3gmp-4f53/GHSA-9436-3gmp-4f53.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9436-3gmp-4f53

Aliases

CVE-2023-37897

Published

2023-07-19T22:11:07Z

Modified

2024-02-16T08:16:43.971294Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

grav Server-side Template Injection (SSTI) mitigation bypass

Details

Summary

The fix for SSTI using |map, |filter and |reduce twigs implemented in the commit 71bbed1 introduces bypass of the denylist due to incorrect return value from isDangerousFunction(), which allows to execute the payload prepending double backslash (\\)

Details

The isDangerousFunction() check in version 1.7.42 and onwards retuns false value instead of true when the \ symbol is found in the $name.

...
        if (strpos($name, "\\") !== false) {
            return false;
        }

        if (in_array($name, $commandExecutionFunctions)) {
            return true;
        }
...

Based on the code where the function is used, it is expected that any dangerous condition would return true

    /**
     * @param Environment $env
     * @param array $array
     * @param callable|string $arrow
     * @return array|CallbackFilterIterator
     * @throws RuntimeError
     */
    function mapFunc(Environment $env, $array, $arrow)
    {
        if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
            throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
    }

when |map('\system') is used in the malicious payload, the single backslash is dropped prior to reaching strpos($name, '\\') check, thus $name variable already has no backslash, and the command is blacklisted because it reaches the if (in_array($name, $commandExecutionFunctions)) { validation step.

However if |map('\\system') is used (i.e. double backslash), then the strpos($name, "\\") !== false takes effect, and isDangerousFunction() returns false , in which case the RuntimeError is not generated, and blacklist is bypassed leading to code execution.

Exploit Conditions

This vulnerability can be exploited if the attacker has access to:

an Administrator account, or
a non-administrator, user account that has Admin panel access and Create/Update page permissions

Steps to reproduce

Log in to Grav Admin using an administrator account.
Navigate to Accounts > Add, and ensure that the following permissions are assigned when creating a new low-privileged user:
- Login to Admin - Allowed
- Page Update - Allowed
Log out of Grav Admin
Login using the account created in step 2.
Choose Pages -> Home
Click the Advanced tab and select the checkbox beside Twig to ensure that Twig processing is enabled for the modified webpage.
Under the Content tab, insert the following payload within the editor: {{ ['id'] | map('\\system') | join() }}
Click the Preview button. Observe that the output of the id shell command is returned in the preview.

Mitigation

diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
index 2f121bbe3..7b267cd0f 100644
--- a/system/src/Grav/Common/Utils.php
+++ b/system/src/Grav/Common/Utils.php
@@ -2069,7 +2069,7 @@ abstract class Utils
         }

         if (strpos($name, "\\") !== false) {
-            return false;
+            return true;
         }

         if (in_array($name, $commandExecutionFunctions)) {

Database specific

{
    "nvd_published_at": "2023-07-18T21:15:15Z",
    "cwe_ids": [
        "CWE-393",
        "CWE-74"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-19T22:11:07Z"
}

References

Affected packages

Packagist / getgrav/grav

Package

Name: getgrav/grav
Purl: pkg:composer/getgrav/grav

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7.42.2

Affected versions

0.*

0.8.0

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.10

0.9.11

0.9.12

0.9.13

0.9.14

0.9.15

0.9.16

0.9.17

0.9.18

0.9.19

0.9.20

0.9.21

0.9.22

0.9.23

0.9.24

0.9.25

0.9.26

0.9.27

0.9.28

0.9.29

0.9.30

0.9.31

0.9.32

0.9.33

0.9.34

0.9.35

0.9.36

0.9.37

0.9.38

0.9.39

0.9.40

0.9.41

0.9.42

0.9.43

0.9.44

0.9.45

1.*

1.0.0-rc.1

1.0.0-rc.2

1.0.0-rc.3

1.0.0-rc.4

1.0.0-rc.5

1.0.0-rc.6

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.1.0-beta.1

1.1.0-beta.2

1.1.0-beta.3

1.1.0-beta.4

1.1.0-beta.5

1.1.0-rc.1

1.1.0-rc.2

1.1.0-rc.3

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9-rc.1

1.1.9-rc.2

1.1.9-rc.3

1.1.9

1.1.10

1.1.11

1.1.12

1.1.13

1.1.14

1.1.15

1.1.16

1.1.17

1.2.0-rc.1

1.2.0-rc.2

1.2.0-rc.3

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0-rc.1

1.3.0-rc.2

1.3.0-rc.3

1.3.0-rc.4

1.3.0-rc.5

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.4.0-beta.1

1.4.0-beta.2

1.4.0-beta.3

1.4.0-rc.1

1.4.0-rc.2

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.5.0-beta.1

1.5.0-beta.2

1.5.0-rc.1

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.5.10

1.6.0-beta.1

1.6.0-beta.2

1.6.0-beta.3

1.6.0-beta.4

1.6.0-beta.5

1.6.0-beta.6

1.6.0-beta.7

1.6.0-beta.8

1.6.0-rc.1

1.6.0-rc.2

1.6.0-rc.3

1.6.0-rc.4

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

1.6.14

1.6.15

1.6.16

1.6.17

1.6.18

1.6.19

1.6.20

1.6.21

1.6.22

1.6.23

1.6.24

1.6.25

1.6.26

1.6.27

1.6.28

1.6.29

1.6.30

1.6.31

1.7.0-beta.1

1.7.0-beta.2

1.7.0-beta.3

1.7.0-beta.4

1.7.0-beta.5

1.7.0-beta.6

1.7.0-beta.7

1.7.0-beta.8

1.7.0-beta.9

1.7.0-beta.10

1.7.0-rc.1

1.7.0-rc.2

1.7.0-rc.3

1.7.0-rc.4

1.7.0-rc.5

1.7.0-rc.6

1.7.0-rc.7

1.7.0-rc.8

1.7.0-rc.9

1.7.0-rc.10

1.7.0-rc.11

1.7.0-rc.12

1.7.0-rc.13

1.7.0-rc.14

1.7.0-rc.15

1.7.0-rc.16

1.7.0-rc.17

1.7.0-rc.18

1.7.0-rc.19

1.7.0-rc.20

1.7.0

1.7.1

1.7.3

1.7.4

1.7.5

1.7.6

1.7.7

1.7.8

1.7.9

1.7.10

1.7.12

1.7.13

1.7.14

1.7.15

1.7.16

1.7.17

1.7.18

1.7.19

1.7.20

1.7.21

1.7.22

1.7.23

1.7.24

1.7.25

1.7.26

1.7.26.1

1.7.27

1.7.27.1

1.7.28

1.7.29

1.7.29.1

1.7.30

1.7.31

1.7.32

1.7.33

1.7.34

1.7.35

1.7.36

1.7.37

1.7.37.1

1.7.38

1.7.39

1.7.39.1

1.7.39.2

1.7.39.3

1.7.39.4

1.7.40

1.7.41

1.7.41.1

1.7.41.2

1.7.42

1.7.42.1

Database specific

{
    "last_known_affected_version_range": "<= 1.7.42.1"
}