Vulnerabilities > CVE-2017-5677 - PHP Object Injection vulnerability in PEAR HTML_AJAX
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression.
Vulnerable Configurations
Seebug
| bulletinFamily | exploit |
| description | #### Software Link: https://pear.php.net/package/HTML_AJAX #### Affected Versions: All versions from 0.3.0 to 0.5.7. #### Vulnerability Description: The vulnerable code is located within the HTML_AJAX_Serializer_PHP class defined into the /AJAX/Serializer/PHP.php script. Such a class uses the unserialize() PHP function with user-controlled input unless a class name which is not in the provided array of allowed classes is found within the serialized string. Class names are extracted by using the _getSerializedClassNames() method: ``` 68. function _getSerializedClassNames($string) { 69. // Strip any string representations (which might contain object syntax) 70. while (($pos = strpos($string, 's:')) !== false) { 71. $pos2 = strpos($string, ':', $pos + 2); 72. if ($pos2 === false) { 73. // invalidly serialized string 74. return false; 75. } 76. $end = $pos + 2 + substr($string, $pos + 2, $pos2) + 1; 77. $string = substr($string, 0, $pos) . substr($string, $end); 78. } 79. 80. // Pull out the class names 81. preg_match_all('/O:[0-9]+:"(.*)"/U', $string, $matches); 82. 83. // Make sure names are unique (same object serialized twice) 84. return array_unique($matches[1]); 85. } ``` By default the array of allowed classes is empty, meaning that no classes are allowed to be unserialized. However, due to the faulty regular expression used at line 81, it might be possible to bypass such a restriction by replacing "O:X" with "O:+X" from within the serialized string, where X is the length of the class name. This can be exploited by unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing to perform "POP chain" attacks or exploit memory corruption vulnerabilities within the PHP's serialization internals, potentially leading to execution of arbitrary code on the web server. #### Solution: Update to version 0.5.8 or disable the PHP Serializer. #### Disclosure Timeline: * [19/01/2017] - Issue reported to https://pear.php.net/bugs/bug.php?id=21165 * [01/02/2017] - CVE number requested * [01/02/2017] - CVE number assigned * [02/02/2017] - Version 0.5.8 released: http://blog.pear.php.net/2017/02/02/security * [06/02/2017] - Public disclosure #### CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2017-5677 to this vulnerability. #### Credits: Vulnerability discovered by Egidio Romano. #### Original Advisory: http://karmainsecurity.com/KIS-2017-01 |
| id | SSV:92662 |
| last seen | 2017-11-19 |
| modified | 2017-02-08 |
| published | 2017-02-08 |
| reporter | Root |
| title | PEAR HTML_AJAX <= 0.5.7 (PHP Serializer) PHP object injection vulnerability |
References
- http://blog.pear.php.net/2017/02/02/security-html_ajax-058/
- http://karmainsecurity.com/KIS-2017-01
- http://seclists.org/fulldisclosure/2017/Feb/12
- http://www.securityfocus.com/bid/96044
- https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646
- https://pear.php.net/bugs/bug.php?id=21165