CVE-2018-17057
Published 2018-09-14
Priority P2 (72) · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 26.17% (97.7th percentile)

An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tcpdf | < tcpdf 6.2.26+dfsg-1 (bookworm) | tcpdf 6.2.26+dfsg-1 (bookworm) |
| fooman | tcpdf | >= 0 < 6.2.22 | 6.2.22 |
| la-haute-societe | tcpdf | >= 0 < 6.2.22 | 6.2.22 |
| limesurvey | limesurvey | < 3.16.0 | 3.16.0 |
| spoonity | tcpdf | >= 0 < 6.2.22 | 6.2.22 |
| tcpdf_project | tcpdf | >= 0 < 6.2.26+dfsg-1 | 6.2.26+dfsg-1 |
| tcpdf_project | tcpdf | >= 0 < 6.2.26+dfsg-1 | 6.2.26+dfsg-1 |
| tcpdf_project | tcpdf | >= 0 < 6.2.26+dfsg-1 | 6.2.26+dfsg-1 |
| tcpdf_project | tcpdf | >= 0 < 6.2.26+dfsg-1 | 6.2.26+dfsg-1 |
| tecnick | tcpdf | < 6.2.22 | 6.2.22 |
| tecnickcom | tcpdf | >= 0 < 6.2.22 | 6.2.22 |
Detection & IOCs (extracted from sources)

- bytes: `\x3c\x3f\x70\x68\x70\x20\x5f\x5f\x48\x41\x4c\x54\x5f\x43\x4f\x4d\x50\x49\x4c\x45\x52\x28\x29\x3b\x20\x3f\x3e` (decodes to `<?php __HALT_COMPILER(); ?>`, the PHAR stub terminator)
- Monitor HTTP POST requests to /third_party/kcfinder/browse.php with file uploads containing PHAR magic bytes (`<?php __HALT_COMPILER();`) disguised as image files (e.g., .jpg extension).
- Detect phar:// stream wrapper usage in file path parameters passed to TCPDF, which triggers PHP object deserialization.
- Alert on the exploit chain: authenticated login → survey creation → KCFinder file upload → PDF export via /index.php/admin/export/sa/quexml/surveyid/ in LimeSurvey, which is the delivery mechanism for the TCPDF phar deserialization.
- Detect injection of a malicious 'link' tag pointing to a local phar archive within PDF-rendered content (e.g., invoice fields), which triggers phar:// deserialization when TCPDF reads the file.
- Look for presence of shell.php in the web root following a successful exploit, indicating post-exploitation webshell deployment.
- Note: the exploit requires valid authenticated credentials to LimeSurvey; unauthenticated exploitation is not directly possible via this exploit chain.
- Note: the vulnerability is fixed in TCPDF 6.2.22 and later; Debian packages are fixed in 6.2.26+dfsg-1.
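As an added example (not code from the page's sources, nor from TCPDF or LimeSurvey), the following Python triage routine applies the first two detections above to constructed sample events: it flags uploads whose bytes contain the PHAR stub terminator regardless of file extension, and file-path parameters that select the `phar://` wrapper. Function names and sample values are assumptions.

```python
import re
from typing import List, Tuple

# A phar archive is any PHP stub that ends in __HALT_COMPILER(); followed by
# the manifest, so the terminator, not the file extension, identifies one.
# This is the marker the page's IOC gives in hex: "<?php __HALT_COMPILER(); ?>".
PHAR_STUB = re.compile(rb"__HALT_COMPILER\s*\(\s*\)\s*;", re.IGNORECASE)

# PHP lowercases the scheme before wrapper lookup, so match case-insensitively.
PHAR_WRAPPER = re.compile(r"^phar://", re.IGNORECASE)


def looks_like_phar(data: bytes) -> bool:
    """True if an uploaded file body carries a phar stub terminator anywhere
    (a JPEG header followed by a stub is still a valid phar polyglot)."""
    return PHAR_STUB.search(data) is not None


def uses_phar_wrapper(path: str) -> bool:
    """True if a file-path parameter would be opened through the phar://
    wrapper, which is what triggers metadata deserialization when the
    PDF library touches the file."""
    return PHAR_WRAPPER.match(path.strip()) is not None


def triage_events(events: List[Tuple[str, str, bytes]]) -> List[str]:
    """Run both checks over (event_type, name, payload) tuples and return
    alert strings. event_type is 'upload' (name=filename, payload=file bytes)
    or 'pdf_path' (name=path parameter handed to TCPDF, payload unused)."""
    alerts = []
    for kind, name, payload in events:
        if kind == "upload" and looks_like_phar(payload):
            ext = name.rsplit(".", 1)[-1]
            alerts.append(f"phar stub in upload {name!r} (extension says {ext})")
        elif kind == "pdf_path" and uses_phar_wrapper(name):
            alerts.append(f"phar:// wrapper in path parameter {name!r}")
    return alerts


# Constructed sample events (hypothetical, not captured from a real system).
SAMPLE_EVENTS = [
    ("upload", "photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32),
    ("upload", "avatar.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00<?php __HALT_COMPILER(); ?>\r\n"),
    ("pdf_path", "/var/www/html/upload/avatar.jpg", b""),
    ("pdf_path", "PHAR://upload/avatar.jpg", b""),
]

if __name__ == "__main__":
    for line in triage_events(SAMPLE_EVENTS):
        print(line)
```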
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
OSV (osv · 2022-10-06) · CVE-2018-17057 [CRITICAL]
TCPDF vulnerable to attackers triggering deserialization of arbitrary data
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the `phar://` wrapper.

GHSA (ghsa · 2022-10-06) · CVE-2018-17057 [CRITICAL] · CWE-502
TCPDF vulnerable to attackers triggering deserialization of arbitrary data
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the `phar://` wrapper.
OSV (osv · 2018-09-14 · CVSS 9.8) · CVE-2018-17057 [CRITICAL]
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Debian (vendor_debian · 2018 · CVSS 9.8) · CVE-2018-17057 [CRITICAL] · tcpdf
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Scope: local
- bookworm: resolved (fixed in 6.2.26+dfsg-1)
- bullseye: resolved (fixed in 6.2.26+dfsg-1)
- forky: resolved (fixed in 6.2.26+dfsg-1)
- sid: resolved (fixed in 6.2.26+dfsg-1)
- trixie: resolved (fixed in 6.2.26+dfsg-1)
No detection rules found.
Bugzilla (bugzilla · 2019-04-02 · CVSS 9.8) · CVE-2018-17057 [CRITICAL]
CVE-2018-17057 php-tcpdf: phar deserialization in TCPDF might lead to RCE
The PDF creation script is vulnerable to Cross-Site Scripting (or "Code Injection") issues through which an attacker can inject arbitrary HTML code. For example, during invoice creation an attacker can use their information written on the invoice to insert a malicious "link" tag pointing to a local phar archive and trigger a PHP Object Injection through the phar:// scheme once the web application reads that file.
References:
https://seclists.org/fulldisclosure/2019/Mar/36
Discussion:
Created php-tcpdf tracking bugs for this issue:
Affects: epel-all [bug 1695301]
Affects: fedora-all [bug 1695300]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a
Bugzilla (bugzilla · 2019-04-02 · CVSS 9.8) · CVE-2018-17057 [CRITICAL]
CVE-2018-17057 php-tcpdf: phar deserialization in TCPDF might lead to RCE [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ver
Bugzilla (bugzilla · 2019-04-02 · CVSS 9.8) · CVE-2018-17057 [CRITICAL]
CVE-2018-17057 php-tcpdf: phar deserialization in TCPDF might lead to RCE [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
References:
- http://packetstormsecurity.com/files/152200/TCPDF-6.2.19-Deserialization-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/152360/LimeSurvey-Deserialization-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/Mar/36
- https://contao.org/en/news/security-vulnerability-cve-2018-17057.html
- https://github.com/LimeSurvey/LimeSurvey/commit/1cdd78d27697b3150bb44aaa7af1a81062a591a5
- https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26ed
- https://www.exploit-db.com/exploits/46634/

Published: 2018-09-14