ID CVE-2018-1000888
Summary PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as a parameter (such as file_exists, is_file, is_dir, etc.). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with a useful gadget is loaded, it may be possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.
References
Vulnerable Configurations
  • cpe:2.3:a:php:pear_archive_tar:1.4.3
    cpe:2.3:a:php:pear_archive_tar:1.4.3
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.04 LTS Edition
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.10
    cpe:2.3:o:canonical:ubuntu_linux:18.10
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
CVSS
Base: 6.8
Impact:
Exploitability:
CWE CWE-502
CAPEC
exploit-db via4
file exploits/php/webapps/46108.txt
id EDB-ID:46108
last seen 2019-01-10
modified 2019-01-10
platform php
port
published 2019-01-10
reporter Exploit-DB
source https://www.exploit-db.com/download/46108
title PEAR Archive_Tar < 1.4.4 - PHP Object Injection
type webapps
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4378.NASL
    description Fariskhi Vidyan discovered that the PEAR Archive_Tar package for handling tar files in PHP is prone to a PHP object injection vulnerability, potentially allowing a remote attacker to execute arbitrary code.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 121486
    published 2019-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121486
    title Debian DSA-4378-1 : php-pear - security update
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2019-1159.NASL
    description PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as a parameter (such as file_exists, is_file, is_dir, etc.). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with a useful gadget is loaded, it may be possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4. (CVE-2018-1000888)
    last seen 2019-02-21
    modified 2019-02-14
    plugin id 122160
    published 2019-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122160
    title Amazon Linux 2 : php-pear (ALAS-2019-1159)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1674.NASL
    description php-pear in php5 contains CWE-502 (Deserialization of Untrusted Data) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) vulnerabilities in its Archive_Tar class. When extract is called without a specific prefix path, unserialization can be triggered by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, all with possible remote code execution that can result in files being deleted or possibly modified. For Debian 8 'Jessie', this problem has been fixed in version 5.6.39+dfsg-0+deb8u2. We recommend that you upgrade your php5 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 122101
    published 2019-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122101
    title Debian DLA-1674-1 : php5 security update
  • NASL family CGI abuses
    NASL id DRUPAL_8_6_6.NASL
    description According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.62, 8.5.x prior to 8.5.9, or 8.6.x prior to 8.6.6. It is, therefore, affected by multiple phar handling vulnerabilities. An unauthenticated attacker could leverage these vulnerabilities to potentially perform remote code execution attacks and gain access in the context of the web server user.
    last seen 2019-02-21
    modified 2019-01-24
    plugin id 121214
    published 2019-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121214
    title Drupal 7.x < 7.62 / 8.5.x < 8.5.9 / 8.6.x < 8.6.6 Multiple Vulnerabilities (SA-CORE-2019-001, SA-CORE-2019-002)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3857-1.NASL
    description Fariskhi Vidyan discovered that PEAR Archive_Tar incorrectly handled certain archive paths. A remote attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 121187
    published 2019-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121187
    title Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : php-pear vulnerability (USN-3857-1)
packetstorm via4
data source https://packetstormsecurity.com/files/download/151094/peararchivetar-inject.txt
id PACKETSTORM:151094
last seen 2019-01-11
published 2019-01-10
reporter farisv
source https://packetstormsecurity.com/files/151094/PEAR-Archive_Tar-PHP-Object-Injection.html
title PEAR Archive_Tar PHP Object Injection
refmap via4
confirm
debian DSA-4378
exploit-db 46108
misc
mlist [debian-lts-announce] 20190212 [SECURITY] [DLA 1674-1] php5 security update
ubuntu USN-3857-1
Last major update 28-12-2018 - 11:29
Published 28-12-2018 - 11:29
Last modified 05-03-2019 - 10:17