CVE-2018-1000888

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2018-1000888
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
https://blog.ripstech.com/2018/new-php-exploitation-technique/ Exploit Third Party Advisory
https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf Exploit Technical Description Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html Third Party Advisory
https://pear.php.net/bugs/bug.php?id=23782 Broken Link Third Party Advisory
https://pear.php.net/package/Archive_Tar/download/ Broken Link Third Party Advisory
https://security.gentoo.org/glsa/202006-14
https://usn.ubuntu.com/3857-1/ Third Party Advisory
https://www.debian.org/security/2019/dsa-4378 Third Party Advisory
https://www.exploit-db.com/exploits/46108/ Exploit Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

cpe:2.3:a:php:pear_archive_tar:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
History

No history.

Information

Published : 2018-12-28 16:29

Updated : 2023-12-10 12:44

NVD link : CVE-2018-1000888

Mitre link : CVE-2018-1000888

CVE.ORG link : CVE-2018-1000888

JSON object : View

Products Affected

canonical

  • ubuntu_linux

php

  • pear_archive_tar

debian

  • debian_linux
CWE
CWE-502

Deserialization of Untrusted Data