What is the ingenious exploitation of IKEA.com local files containing vulnerabilities and PDF parsing

2025-03-31 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)05/31 Report--

This article describes a local file inclusion vulnerability in IKEA.com and the ingenious use of PDF parsing behind it. The write-up is detailed, so interested readers can follow along; I hope it is helpful.

Background

Local file inclusion (LFI) is among the most dangerous classes of vulnerability. Once present, an attacker may use it to read source code or other sensitive information, include malicious files, execute arbitrary code, and even take control of the server. Most LFI vulnerabilities arise in code that dynamically loads images or other files: if the requested file name or path is not properly validated, the attacker can point it at files of their own choosing.

IKEA.com

IKEA is one of the most powerful brands in the world and sits in the top 50 of the Forbes list. It is hardly an exaggeration to say that everyone owns at least one IKEA product; I love IKEA! What about you? Tell me your favorite IKEA products in the comments.

Beyond its products, IKEA also deserves praise for its large number of well-designed websites and applications. To keep them secure for users, it runs a bug bounty program that lets researchers test its platforms and publish their findings, as long as they comply with the vulnerability disclosure rules. So let's give it a try.

Looking for a target

Most of the time I start by enumerating subdomains, and Aquatone is one of the tools I use most. It queries a number of public domain databases for subdomains and returns a list of live hosts, with screenshots. For more on Aquatone, see the Unrestricted File Upload report on Apple.com.

Bathroom planner

After some searching, the subdomain Bathroomplanner.IKEA.com caught my attention. It is an online planning tool IKEA offers to give customers inspiration and ready-made bathroom solutions. Customers can find products and add them to a bathroom product list, and can then email the list or download it locally as a PDF. The generated PDF contains some text and product pictures. As follows:

At this point, I have a question: how is this PDF generated?

Let's open Burp Suite and intercept the traffic between the browser and the IKEA server. We open the planner's home page and try to add a product to our list.

The request contains some very interesting fields:

data: a JSON blob with product and picture codes, no file paths

shopping: a JSON blob with our product list, no file paths

pdf: a long string whose content is not obvious

images: some Base64-encoded pictures

Base64 decoding

Whenever you see a long opaque string, check whether it is Base64: Base64 is the usual way to carry file contents in a text field. A handy online Base64 encoder/decoder is http://decodebase64.com/

If we paste the string straight into the decoder, decoding fails, because the string contains characters such as % that are not in the Base64 alphabet. That suggests the value is also URL-encoded, so we URL-decode first and Base64-decode afterwards. A handy online URL encoder/decoder is https://meyerweb.com/eric/tools/dencoder/

After URL decoding and Base64 decoding, we get the following string:

This looks interesting. When we add a product to the list, the browser sends the IKEA web server the template from which the PDF shopping list is generated.

What happens if we can make this PDF include local server files, say as pictures? Let's give it a try. I added a tag referencing a local server file to the template, Base64-encoded and then URL-encoded it, replaced the pdf parameter in Burp Suite, and forwarded the request.

To make a long story short, it doesn't work: the PDF generator does not recognise the file as an image and does not render it in the output.
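The decode-modify-re-encode round trip above is easy to get wrong by hand (URL-decode first, then Base64; re-encode in the reverse order), so here it is as a small Python helper. This is an added example, not code from the original post or from IKEA: the template and the probe markup are constructed placeholders, and the real planner template is not reproduced on the page.

```python
import base64
import binascii
from urllib.parse import quote, unquote

# Constructed sample template, standing in for the HTML the planner sends in its
# "pdf" field. The real IKEA template is not reproduced on the page.
SAMPLE_TEMPLATE = (
    "<html><body><h1>Bathroom product list</h1>"
    "<table><tr><td>{{product.name}}</td><td>{{product.price}}</td></tr></table>"
    "</body></html>"
)


def encode_pdf_param(template: str) -> str:
    """Base64-encode the template, then URL-encode it the way a form submission does.

    safe="" turns '+', '/' and '=' into %2B, %2F and %3D, which is why the raw
    parameter contains '%' and trips up a plain Base64 decoder.
    """
    b64 = base64.b64encode(template.encode("utf-8")).decode("ascii")
    return quote(b64, safe="")


def plain_base64_fails(value: str) -> bool:
    """True when the raw (still URL-encoded) value is rejected by a strict Base64 decoder."""
    try:
        base64.b64decode(value, validate=True)
    except binascii.Error:
        return True
    return False


def decode_pdf_param(value: str) -> str:
    """URL-decode if the value carries '%' escapes, then Base64-decode; raise on garbage."""
    if "%" in value:                      # '%' never occurs in the Base64 alphabet
        value = unquote(value)
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64 after URL-decoding: {exc}") from exc
    return raw.decode("utf-8")


def inject_into_template(template: str, markup: str, anchor: str = "</body>") -> str:
    """Insert test markup just before the closing body tag, or append if there is none."""
    if anchor in template:
        return template.replace(anchor, markup + anchor, 1)
    return template + markup


def build_probe_param(intercepted_value: str, markup: str) -> str:
    """Full round trip for Burp: decode the captured value, add markup, re-encode it."""
    template = decode_pdf_param(intercepted_value)
    return encode_pdf_param(inject_into_template(template, markup))


if __name__ == "__main__":
    captured = encode_pdf_param(SAMPLE_TEMPLATE)   # stands in for the value seen in Burp
    print("raw value ends with %3D:", captured.endswith("%3D"))
    print("plain Base64 decode fails:", plain_base64_fails(captured))
    print(decode_pdf_param(captured))
    # The probe markup is a placeholder; substitute whatever tag is under test.
    print(build_probe_param(captured, '<img src="probe.png">'))
```

Paste the output of `build_probe_param` over the pdf parameter in Burp Repeater; the value is already URL-encoded, so Burp should not be asked to encode it a second time.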

Plan B: identify the PDF library and search for defects in the library

Maybe there is another way to include files in the PDF. First we need to find out which tool generates it. Googling some distinctive strings from the template gives the answer.

The search results point to two candidates: the node-html-pdf library and the mPDF library. After a quick look at their documentation, I concluded that the project uses mPDF.

Identifying security issues in mPDF

We immediately made a local copy of mPDF to check it for security issues. The best place to start is the CHANGELOG, which developers use to track changes between versions.

It shows that on October 19, 2017, mPDF changed how it handles annotation (comment) tags. So let's take a closer look at that tag in the documentation.

The documentation says nothing about including files. Let's Google again to see whether anyone else has found a problem here.

h0ng10's vulnerability report shows that older versions of mPDF had a serious security problem: an attacker could include server files through an annotation.

Looking through the project's GitHub commits, I found the vulnerable mPDF code, shown in the commit.

So we can change the PDF template to include that tag and try to exploit it. Let's see whether IKEA forgot to update the library to the latest version.

Exploitation

We added the following tag to the template:

Send the new template with Burp Suite Repeater and download the resulting PDF. Open it in Foxit Reader and look for yellow comment markers.

Double-click the marker and we can open and view the file from the server!
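Opening every generated PDF in a viewer and hunting for yellow markers does not scale, and a viewer may hide an attachment it cannot render. The following Python scanner does the same check programmatically: it walks the PDF's objects, finds FileAttachment annotations, follows the file specification to the embedded stream and inflates it when FlateDecode is declared. This is an added example, not code from the original post or from mPDF; the PDF it builds is hand-made test data, not output from the planner.

```python
import re
import zlib
from typing import Dict, List, Optional

# "N 0 obj ... endobj" pairs; generation numbers other than 0 are ignored for brevity.
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", re.S)


def make_sample_pdf(filename: bytes, content: bytes, compress: bool = False) -> bytes:
    """Build a minimal PDF with one FileAttachment annotation (constructed test input).

    Hand-made test data, not mPDF or planner output. The xref table is omitted
    because the scanner below does not need it (a viewer would rebuild it).
    """
    data = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /FileAttachment /Rect [40 760 60 780] /Name /Note "
        b"/Contents (" + filename + b") /FS 5 0 R >>",
        b"<< /Type /Filespec /F (" + filename + b") /EF << /F 6 0 R >> >>",
        b"<< /Type /EmbeddedFile " + filt + b"/Length " + str(len(data)).encode()
        + b" >>\nstream\n" + data + b"\nendstream",
    ]
    out = [b"%PDF-1.4\n"]
    for num, body in enumerate(objects, 1):
        out.append(b"%d 0 obj\n" % num + body + b"\nendobj\n")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


def _objects(pdf: bytes) -> Dict[int, bytes]:
    """Map object number -> body for every uncompressed object in the file."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}


def _stream_data(body: bytes) -> Optional[bytes]:
    """Return an object's stream payload (sliced by /Length), inflating FlateDecode."""
    length = re.search(rb"/Length\s+(\d+)", body)
    start = re.search(rb"stream\r?\n", body)
    if not length or not start:
        return None
    data = body[start.end():start.end() + int(length.group(1))]
    if re.search(rb"/Filter\s*/FlateDecode", body):
        data = zlib.decompress(data)
    return data


def find_file_attachments(pdf: bytes) -> List[dict]:
    """List every FileAttachment annotation with its declared name and embedded bytes."""
    objs = _objects(pdf)
    hits = []
    for num, body in objs.items():
        if not re.search(rb"/Subtype\s*/FileAttachment", body):
            continue
        hit = {"annot": num, "filename": None, "content": None}
        fs_ref = re.search(rb"/FS\s+(\d+)\s+0\s+R", body)       # -> /Filespec object
        spec = objs.get(int(fs_ref.group(1))) if fs_ref else None
        if spec:
            name = re.search(rb"/F\s*\(([^)]*)\)", spec)          # /F (name)
            if name:
                hit["filename"] = name.group(1).decode("latin-1")
            ef_ref = re.search(rb"/EF\s*<<\s*/F\s+(\d+)\s+0\s+R", spec)  # embedded stream
            if ef_ref and int(ef_ref.group(1)) in objs:
                hit["content"] = _stream_data(objs[int(ef_ref.group(1))])
        hits.append(hit)
    return hits


if __name__ == "__main__":
    sample = make_sample_pdf(b"attached-sample.txt",
                             b"constructed sample: not a real server file\n", compress=True)
    for hit in find_file_attachments(sample):
        print(f"annotation object {hit['annot']}: {hit['filename']!r} -> {hit['content']!r}")
    # Real use: find_file_attachments(open("shopping-list.pdf", "rb").read())
```

The scanner only sees objects that are stored in the clear; a PDF that packs its annotation dictionaries into object streams would need those decompressed first, and a /Length that lies about the stream size is not corrected here. For the kind of attachment the article describes, a non-empty hit list with a server path as the filename is the confirmation you want before writing the report.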

IKEA.com let users manipulate the PDF template during shopping-list export. The PDF library it used had a little-known feature that embeds a file into the PDF when a specific tag appears in the template. That feature has been removed in the library's latest version, but IKEA had not updated in time, which led to the vulnerability.

Remediation advice

Never allow users to supply or manipulate PDF templates

Render the shopping-list PDF on the client side, for example with jsPDF

Update to the latest version of mPDF and disable the annotation (comment) code
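The first suggestion is the one that removes the whole bug class, and it is easy to show why. Below, as an added example that is not IKEA's code, is the weak design from the article (the client's pdf field becomes the template) beside a hardened renderer that only accepts a server-side template key plus a product list, validates the IDs, and HTML-escapes every string before it reaches the PDF engine. The template store and the product-ID format are assumptions made for the example.

```python
import html
import re
from typing import List

# Assumption for this example: templates live on the server and the client names one
# by key. Neither the template nor the product-ID format is IKEA's; both are made up.
TEMPLATES = {
    "shopping-list": "<html><body><h1>{title}</h1><table>{rows}</table></body></html>",
}
PRODUCT_ID_RE = re.compile(r"^[A-Z0-9.-]{1,20}$")   # constructed format, not IKEA's


def render_from_client_template(fields: dict) -> str:
    """Weak design from the article: the client sends the whole template in 'pdf'.

    Whatever the user puts in the template reaches the PDF engine verbatim, so any
    special tag the engine honours (such as the file-embedding tag in old mPDF) is
    available to an attacker.
    """
    template = fields["pdf"]
    rows = "".join(f"<tr><td>{p['id']}</td><td>{p['name']}</td></tr>"
                   for p in fields["shopping"])
    return template.replace("{rows}", rows)


def render_server_side(fields: dict) -> str:
    """Hardened design: server-owned template, validated IDs, escaped text only."""
    name = fields.get("template", "")
    if name not in TEMPLATES:                      # no path or free-form template names
        raise ValueError(f"unknown template {name!r}")
    rows: List[str] = []
    for product in fields.get("shopping", []):
        pid = str(product.get("id", ""))
        if not PRODUCT_ID_RE.match(pid):
            raise ValueError(f"bad product id {pid!r}")
        label = html.escape(str(product.get("name", "")), quote=True)
        rows.append(f"<tr><td>{html.escape(pid)}</td><td>{label}</td></tr>")
    # Only escaped text ever comes from the client; a 'pdf' field, if sent, is ignored.
    return TEMPLATES[name].format(title="Bathroom product list", rows="".join(rows))


def is_rejected(fields: dict) -> bool:
    """True if the hardened renderer refuses the request."""
    try:
        render_server_side(fields)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil = {"pdf": "<html><body><b>injected markup</b>{rows}</body></html>",
            "shopping": [{"id": "A1", "name": "Tap"}]}
    print(render_from_client_template(evil))      # injected markup reaches the engine
    print(render_server_side({**evil, "template": "shopping-list"}))  # it does not
```

The same structure applies whichever PDF engine sits behind the renderer: once the template is server-owned and client data is escaped, updating mPDF becomes defence in depth rather than the only thing standing between a user and the server's files.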

That covers the IKEA.com local file inclusion vulnerability and the ingenious use of PDF parsing behind it; I hope it has been helpful. If you found the article useful, please share it so more people can see it.
