CVE-2018-1000888

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. Several file operations take `$v_header['filename']` (the entry name read from the tar header) as their parameter, such as file_exists, is_file, is_dir, etc. When extract is called without a specific prefix path, unserialization can be triggered by crafting a tar file whose entry path is `phar://[path_to_malicious_phar_file]`. Object injection can then be used to trigger __destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with a useful gadget is loaded, it may be possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.
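The record above describes the unsafe condition (extracting with no prefix path while entry names from the archive header flow unchecked into file_exists/is_file/is_dir) and the fix (upgrade to 1.4.4). As an added defence-in-depth example, not code from Archive_Tar or from the CVE record, the following wrapper lists the archive first and refuses to extract if any entry name carries a stream-wrapper scheme such as `phar://`, is absolute, or contains `..`; it then always passes an explicit destination directory to extract(). `Archive_Tar::listContent()` and `Archive_Tar::extract()` are real methods of the library; `findUnsafeTarEntries`, `safeExtract` and the regexes are this example's own, and the sample paths are constructed.

```php
<?php
// Added example: pre-extraction validation of tar entry names for PEAR Archive_Tar.
// Assumes Archive_Tar is installed (e.g. via PEAR or Composer) and loadable from
// 'Archive/Tar.php'. Upgrading to 1.4.4 or later is the actual fix; this is a
// belt-and-braces check a deployment can keep in front of any extract() call.
require_once 'Archive/Tar.php';

/**
 * Inspect the entries returned by Archive_Tar::listContent() and return the
 * names that must not be extracted. An empty array means "looks safe".
 *
 * Rejected:
 *   - any URL-style scheme prefix (phar://, file://, data:// ...), which would
 *     otherwise be handled by a PHP stream wrapper when the library calls
 *     file_exists()/is_file()/is_dir() on the name;
 *   - absolute paths, which ignore the destination directory;
 *   - ".." components, which can escape the destination directory.
 */
function findUnsafeTarEntries(array $entries): array
{
    $unsafe = [];
    foreach ($entries as $entry) {
        $name = isset($entry['filename']) ? (string) $entry['filename'] : '';
        if ($name === ''
            || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $name) === 1   // stream wrapper scheme
            || $name[0] === '/'                                       // absolute path
            || preg_match('#(^|/)\.\.(/|$)#', $name) === 1) {          // traversal
            $unsafe[] = $name;
        }
    }
    return $unsafe;
}

/**
 * Extract $tarPath into $destDir only if every entry name passes the check.
 * Returns true on success; throws on an unsafe archive or a library error.
 */
function safeExtract(string $tarPath, string $destDir): bool
{
    $tar = new Archive_Tar($tarPath);

    // listContent() reads only the headers; it returns an array of entries
    // (each with a 'filename' key) or a non-array value on error.
    $entries = $tar->listContent();
    if (!is_array($entries)) {
        throw new RuntimeException("Cannot read tar headers from $tarPath");
    }

    $unsafe = findUnsafeTarEntries($entries);
    if ($unsafe !== []) {
        throw new RuntimeException(
            'Refusing to extract; unsafe entry names: ' . implode(', ', $unsafe)
        );
    }

    // Always extract under an explicit prefix path, never with the default ''.
    if ($tar->extract($destDir) !== true) {
        throw new RuntimeException("Extraction of $tarPath failed");
    }
    return true;
}

// Constructed header entries, as listContent() would return them, to exercise
// the check without touching the filesystem.
$sampleEntries = [
    ['filename' => 'docs/readme.txt'],
    ['filename' => 'phar://uploads/evil.jpg/x'],   // constructed: wrapper scheme
    ['filename' => '../../etc/passwd'],            // constructed: traversal
];
// Expected: ['phar://uploads/evil.jpg/x', '../../etc/passwd']
print_r(findUnsafeTarEntries($sampleEntries));
```

The scheme regex deliberately matches any `scheme://` prefix rather than only `phar://`, because every registered stream wrapper is reachable through the same file functions; the filename check runs on header data alone, so nothing from the archive is written or opened until it has passed.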
References
Link - Resource tags
https://blog.ripstech.com/2018/new-php-exploitation-technique/ Exploit Third Party Advisory
https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf Exploit Technical Description Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html Third Party Advisory
https://pear.php.net/bugs/bug.php?id=23782 Broken Link Third Party Advisory
https://pear.php.net/package/Archive_Tar/download/ Broken Link Third Party Advisory
https://security.gentoo.org/glsa/202006-14 (no resource tags)
https://usn.ubuntu.com/3857-1/ Third Party Advisory
https://www.debian.org/security/2019/dsa-4378 Third Party Advisory
https://www.exploit-db.com/exploits/46108/ Exploit Third Party Advisory VDB Entry
Configurations

Configuration 1

cpe:2.3:a:php:pear_archive_tar:*:*:*:*:*:*:*:*

Configuration 2 (OR)

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

Configuration 3 (OR)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

History

21 Nov 2024, 03:40

Type | Values Removed | Values Added
References | https://blog.ripstech.com/2018/new-php-exploitation-technique/ - Exploit, Third Party Advisory | https://blog.ripstech.com/2018/new-php-exploitation-technique/ - Exploit, Third Party Advisory
References | https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf - Exploit, Technical Description, Third Party Advisory | https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf - Exploit, Technical Description, Third Party Advisory
References | https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html - Third Party Advisory | https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html - Third Party Advisory
References | https://pear.php.net/bugs/bug.php?id=23782 - Broken Link, Third Party Advisory | https://pear.php.net/bugs/bug.php?id=23782 - Broken Link, Third Party Advisory
References | https://pear.php.net/package/Archive_Tar/download/ - Broken Link, Third Party Advisory | https://pear.php.net/package/Archive_Tar/download/ - Broken Link, Third Party Advisory
References | https://security.gentoo.org/glsa/202006-14 | https://security.gentoo.org/glsa/202006-14
References | https://usn.ubuntu.com/3857-1/ - Third Party Advisory | https://usn.ubuntu.com/3857-1/ - Third Party Advisory
References | https://www.debian.org/security/2019/dsa-4378 - Third Party Advisory | https://www.debian.org/security/2019/dsa-4378 - Third Party Advisory
References | https://www.exploit-db.com/exploits/46108/ - Exploit, Third Party Advisory, VDB Entry | https://www.exploit-db.com/exploits/46108/ - Exploit, Third Party Advisory, VDB Entry

Information

Published : 2018-12-28 16:29

Updated : 2024-11-21 03:40

NVD link : CVE-2018-1000888

Mitre link : CVE-2018-1000888

CVE.ORG link : CVE-2018-1000888

Products Affected

debian

  • debian_linux

php

  • pear_archive_tar

canonical

  • ubuntu_linux

CWE

CWE-502

Deserialization of Untrusted Data