CVE-2018-1000888
published 2018-12-28


Priority: P2, 66, high
CVSS 3.0: 8.8 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 18.29% (96.9th percentile)
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc.). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with a useful gadget is loaded, it may be possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.

Affected

20 ranges

Vendor | Product | Version range | Fixed in
canonical | ubuntu_linux | (no version range given) | (none given)
canonical | ubuntu_linux | (no version range given) | (none given)
canonical | ubuntu_linux | (no version range given) | (none given)
debian | debian_linux | (no version range given) | (none given)
debian | debian_linux | (no version range given) | (none given)
debian | php-pear | < php-pear 1:1.10.6+submodules+notgz-1.1 (bookworm) | php-pear 1:1.10.6+submodules+notgz-1.1 (bookworm)
drupal | core | >= 8.0.0 < 8.5.9 | 8.5.9
drupal | core | >= 8.6.0 < 8.6.6 | 8.6.6
drupal | drupal | >= 7.0 < 7.62 | 7.62
drupal | drupal | >= 7.0.0 < 7.62.0 | 7.62.0
drupal | drupal | >= 8.0.0 < 8.5.9 | 8.5.9
drupal | drupal | >= 8.5.0 < 8.5.9 | 8.5.9
drupal | drupal | >= 8.6.0 < 8.6.6 | 8.6.6
drupal | drupal | >= 8.6.0 < 8.6.6 | 8.6.6
drupal | drupal_core | (no version range given) | (none given)
drupal | drupal_core | >= 7.x < 7.62 | 7.62
drupal | drupal_core | >= 8.5.x < 8.5.9 | 8.5.9
drupal | drupal_core | >= 8.6.x < 8.6.6 | 8.6.6
pear | archive_tar | >= 0 < 1.4.4 | 1.4.4
php | pear_archive_tar | <= 1.4.3 | (none given)

Detection & IOCs (extracted from sources)

url: http://download.pear.php.net/package/Archive_Tar-1.4.3.tgz
path: phar://exploit.phar
filename: exploit.phar
filename: exploit.tar
url: https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
  • Detect tar archives containing entries with a 'phar://' scheme path as the filename, which is the trigger for PHP unserialization via Archive_Tar's extract() method.
  • Monitor for PHP processes invoking unlink() on temporary tar filenames immediately after tar/phar extraction operations, which may indicate Archive_Tar destructor-based object injection.
  • Inspect tar archive entry filenames ($v_header['filename']) for 'phar://' prefixes during file operations such as file_exists, is_file, is_dir: these are the code paths exploited.
  • The vulnerability is only exploitable when Archive_Tar's extract() is called WITHOUT a specific prefix path; supplying a prefix path prevents the phar:// unserialization trigger.
  • Remote code execution (beyond arbitrary file deletion) requires that another class with a useful gadget chain is loaded in the PHP runtime alongside Archive_Tar.
  • Drupal installations are only impacted in configurations that use the PEAR Archive_Tar library; not all Drupal configurations are affected.
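The first detection bullet above, as an added example in Python (not code from cvebase, PEAR or Drupal): it reads the entry headers of a tar archive and flags any entry name carrying a stream-wrapper scheme, marking phar:// specifically as the CVE-2018-1000888 trigger. It generalizes slightly beyond the bullet by flagging any scheme-prefixed name, not only phar://. The sample archive is constructed inline; the entry name phar://exploit.phar is taken from the indicator list above.

```python
import io
import re
import tarfile

# A tar entry name should be a relative path. Anything shaped like
# "<scheme>://" is a PHP stream-wrapper style name; phar:// is the one
# that triggers unserialization in Archive_Tar <= 1.4.3.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def suspicious_entries(tar_bytes: bytes) -> list:
    """Return one finding per entry whose header filename starts with a scheme.

    Only the headers are read; nothing is extracted. Each finding records
    the raw name, the lowercased scheme, and whether it is the phar:// trigger.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            match = SCHEME_RE.match(member.name)
            if match:
                scheme = match.group(0)[:-3].lower()  # strip the "://"
                findings.append({
                    "name": member.name,
                    "scheme": scheme,
                    "phar_trigger": scheme == "phar",
                })
    return findings


def build_sample_tar(names: list) -> bytes:
    """Build a small in-memory tar with the given entry names (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: two ordinary entries and one phar:// entry name.
    sample = build_sample_tar(["docs/readme.txt", "phar://exploit.phar", "data/notes.txt"])
    for finding in suspicious_entries(sample):
        print(finding)  # flags only phar://exploit.phar
```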

CVSS provenance

Source | Version | Score | Vector
nvd | v3.0 | 8.8 HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa | (not stated) | 8.8 HIGH | (not stated)
osv | (not stated) | 8.8 HIGH | (not stated)
vendor_debian | (not stated) | 8.8 HIGH | (not stated)
vendor_redhat | (not stated) | 8.8 HIGH | (not stated)