Vulnerability Details : CVE-2018-1000888
Public exploit exists!
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. Several file operations (such as file_exists, is_file and is_dir) are called with `$v_header['filename']` as parameter. When extract is called without a specific prefix path, unserialization can be triggered by crafting a tar file with `phar://[path_to_malicious_phar_file]` as an entry path: PHP's phar:// stream wrapper unserializes the phar's metadata as soon as any filesystem function touches the path, so a file_exists() check alone is enough to run unserialize(). The resulting object injection can be used to trigger the destructor of any loaded PHP class, e.g. the Archive_Tar class itself. With an injected Archive_Tar object, arbitrary file deletion occurs because `@unlink($this->_temp_tarname)` is called in the destructor. If another class with a useful gadget is loaded, it may be possible to cause remote code execution, resulting in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.
Vulnerability category: Execute code
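The payload described above is nothing more than a tar entry whose name begins with `phar://`, so that the unprefixed `$v_header['filename']` reaches file_exists() and friends as a stream-wrapper URL. The following is an added example, not code from Archive_Tar or from the exploit referenced on this page: it builds such an archive in memory (constructed sample data) and scans archives for wrapper-style entry names before a PHP extractor ever sees them. The check is deliberately broader than the page's phar:// case, matching any `scheme://` prefix case-insensitively, because PHP resolves wrapper schemes case-insensitively; the scheme pattern, function names and sample paths are this example's own assumptions.

```python
# Added example (not Archive_Tar's own code): craft a tar whose entry name is a
# phar:// URL, the shape of the CVE-2018-1000888 payload, and gate extraction
# on a scan for such names. Scheme pattern, helper names and sample paths are
# assumptions made for this example.
import io
import re
import tarfile

# A PHP stream-wrapper URL at the start of an entry name. PHP matches wrapper
# schemes case-insensitively, so the check is case-insensitive as well, and it
# is not limited to phar:// (a generalization beyond the page's specific case).
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def build_tar(entries):
    """Build an uncompressed tar in memory from (name, data) pairs.

    Only used to construct sample archives here. Entry names are written
    verbatim, which is exactly what a crafted archive would contain.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_wrapper_path(name):
    """True if PHP would route this path to a stream wrapper (phar://, ...)
    rather than the plain filesystem when it is passed to file_exists(),
    is_file() or is_dir()."""
    return bool(WRAPPER_RE.match(name))


def suspicious_entries(tar_bytes):
    """Return entry names (and link targets) that are wrapper URLs.

    This inspects the raw header name, i.e. what the vulnerable code path
    receives when extract() is called without a prefix path.
    """
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if is_wrapper_path(member.name):
                found.append(member.name)
            # Hard/symlink targets are paths too; flag them for completeness.
            if member.linkname and is_wrapper_path(member.linkname):
                found.append(member.linkname)
    return found


def safe_to_extract(tar_bytes):
    """Pre-extraction gate: refuse any archive containing a wrapper URL entry."""
    return not suspicious_entries(tar_bytes)


if __name__ == "__main__":
    # Constructed sample: one crafted entry next to a harmless file.
    crafted = build_tar([
        ("phar:///tmp/uploads/evil.phar", b""),
        ("docs/readme.txt", b"hello\n"),
    ])
    print(suspicious_entries(crafted))  # ['phar:///tmp/uploads/evil.phar']
    print(safe_to_extract(crafted))     # False
```

The gate only needs the raw entry name: when extract() is given a prefix path, the name is joined onto that prefix and no longer starts with a scheme, which is why the description above says the issue requires extraction without a prefix path. Matching any scheme rather than the literal string `phar://` costs nothing and avoids having to enumerate wrappers; a legitimate tar has no reason to carry `://` at the start of an entry name.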
Exploit prediction scoring system (EPSS) score for CVE-2018-1000888
Probability of exploitation activity in the next 30 days: 0.51%
Percentile (the proportion of vulnerabilities scored at or below this one): ~76%
CVSS scores for CVE-2018-1000888
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST
CWE ids for CVE-2018-1000888
- CWE-502: The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1000888
- https://pear.php.net/bugs/bug.php?id=23782 : Bug #23782 :: Prevent phar:// files from being extracted (Broken Link; Third Party Advisory)
- https://security.gentoo.org/glsa/202006-14 : PEAR Archive_Tar: Remote code execution vulnerability (GLSA 202006-14), Gentoo security
- https://www.debian.org/security/2019/dsa-4378 : Debian -- Security Information -- DSA-4378-1 php-pear (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html : [SECURITY] [DLA 1674-1] php5 security update (Third Party Advisory)
- https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf : (Exploit; Technical Description; Third Party Advisory)
- https://www.exploit-db.com/exploits/46108/ : PEAR Archive_Tar < 1.4.4 - PHP Object Injection (Exploit; Third Party Advisory; VDB Entry)
- https://blog.ripstech.com/2018/new-php-exploitation-technique/ : What is Phar Deserialization (Exploit; Third Party Advisory)
- https://pear.php.net/package/Archive_Tar/download/ : Archive_Tar (Broken Link; Third Party Advisory)
- https://usn.ubuntu.com/3857-1/ : USN-3857-1: PEAR vulnerability | Ubuntu security notices (Third Party Advisory)
Products affected by CVE-2018-1000888
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:pear_archive_tar:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*