Server-Side Template Injection with Grav: CVE-2021-29440

Kyle Jansen
3 min read · Jun 8, 2021

Grav is a free Content Management System (CMS) out on the market right now. It’s a file-based web platform that uses Twig processing on its pages. Twig runs unsandboxed, which leaves it open to a distinct vulnerability: Server-Side Template Injection (SSTI). It’s worth noting that this vulnerability has been addressed in the 1.7.11 Grav update; however, it remains present in any earlier version.

Severity

As can be seen, this vulnerability is fairly severe. This critical weak spot in the program can also be replicated quite easily, which is the dangerous part.

Environment For Replicating Vulnerability

A few preliminary steps are required for reproducing the results of this vulnerability. The first step is downloading all prerequisites.

For this you will need:

  1. Web Server (I used Apache with XAMPP)
  2. PHP 7.3.6 or higher
  3. Grav-admin 1.7.10 or earlier
  4. Kali Linux Virtual Machine (for ease of use)

Once these prerequisites have been obtained, setting up Grav on your web server is the first step.

The way I did this, using XAMPP, was to extract the grav-admin folder into the htdocs folder which is inside the XAMPP folder itself. This allows for connection to Grav through the localhost. Then start XAMPP and fire up Apache and MySQL.

When you have Grav set up and an admin account logged in, it should look something like this.

Grav Admin Dashboard

Replicating the Exploit

Now that we have Grav all set up, it’s time to exploit it.

The script for gaining a shell in order to inject code can be found on Exploit-DB here: https://www.exploit-db.com/exploits/49961

Time to spin up that Kali VM! The reason I like using Kali for this part is the preinstalled packages that Kali comes with; however, this can be done on other operating systems as well.

Download the script from the link above, and customize the ‘username’ and ‘password’ strings at the beginning of the script to your own username and password. (Yes, this hard-codes the credentials, but they do not have to belong to an admin account.)

From there, gaining a shell is as simple as running the script!

Script gaining the Shell

After running the script, it’s then possible to inject code straight into Grav with this given shell.

Remediation & Final Thoughts

My number one suggestion for remediation of this vulnerability is to not allow access to the /admin path from untrusted sources. Luckily, this vulnerability has been addressed in the 1.7.11 update to Grav, as it is obviously seen as a severe weak point that needed addressing.
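One way to apply that suggestion on the Apache setup used above, as an added example that is not from the post or the Grav project: an Apache 2.4 fragment that limits the /admin route to trusted addresses and logs everything that touches it. It assumes Grav is served from the document root (so the admin plugin answers at /admin) and uses 10.0.0.0/8 as a placeholder for your own trusted range.

```apache
# Added example, not part of the original post or of Grav itself.
# Assumes Grav sits at the document root, so its admin plugin answers at /admin.
# 10.0.0.0/8 is a placeholder trusted range; replace it with your own.
<Location "/admin">
    # Weak default: the admin login is reachable from any source address.
    # Require all granted

    # Hardened: loopback plus one trusted range; every other client gets a 403
    # before the request ever reaches Grav's index.php.
    Require ip 127.0.0.1 ::1 10.0.0.0/8
</Location>

# Write every request to /admin (allowed or denied) to its own log so that
# login attempts from outside the trusted range stand out and can be alerted on.
SetEnvIf Request_URI "^/admin(/|$)" grav_admin
CustomLog "logs/grav_admin_access.log" combined env=grav_admin
```

Access control only narrows who can reach the login form; upgrading to 1.7.11 or later is still what removes the SSTI itself.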

This vulnerability was a pretty fun one to research, and went overall pretty smoothly as soon as Grav got put together. This can definitely be looked at as a bad thing however, as if it’s easy for me to figure out I can only imagine others also won’t have as hard of a time doing so.

Other Resources

This CVE can be referenced on the NIST website here.

SonarSource also has a great in-depth writeup about this vulnerability, written by Thomas Chauchefoin. Thanks Thomas for the great piece on this one!

Another shout out to Enox for uploading the script to exploit-db!
