CVE-2018-17057
published 2018-09-14

CVE-2018-17057: An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

Priority: P272 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 26.17% (97.7th percentile)

Affected

11 ranges (the four identical tcpdf_project rows are shown once)

Vendor             Product      Version range                 Fixed in
debian             tcpdf        < 6.2.26+dfsg-1 (bookworm)    6.2.26+dfsg-1 (bookworm)
fooman             tcpdf        >= 0, < 6.2.22                6.2.22
la-haute-societe   tcpdf        >= 0, < 6.2.22                6.2.22
limesurvey         limesurvey   < 3.16.0                      3.16.0
spoonity           tcpdf        >= 0, < 6.2.22                6.2.22
tcpdf_project      tcpdf        >= 0, < 6.2.26+dfsg-1         6.2.26+dfsg-1
tecnick            tcpdf        < 6.2.22                      6.2.22
tecnickcom         tcpdf        >= 0, < 6.2.22                6.2.22

Detection & IOCs (extracted from sources)

filename   malicious.jpg
filename   shell.php
path       /index.php/admin/authentication/sa/login
path       /index.php/admin/survey/sa/newsurvey
path       /index.php/admin/survey/sa/insert
path       /third_party/kcfinder/browse.php
path       /index.php/admin/export/sa/quexml/surveyid/
path       /tmp/exploit.jpg
command    phar:// wrapper deserialization trigger via TCPDF image path
bytes      \x3c\x3f\x70\x68\x70\x20\x5f\x5f\x48\x41\x4c\x54\x5f\x43\x4f\x4d\x50\x49\x4c\x45\x52\x28\x29\x3b\x20\x3f\x3e
           (decodes to <?php __HALT_COMPILER(); ?>)
  • Monitor HTTP POST requests to /third_party/kcfinder/browse.php with file uploads containing the PHAR stub bytes (<?php __HALT_COMPILER();) disguised as image files (e.g., a .jpg extension). PHP's phar loader ignores the file extension and allows arbitrary bytes (such as a JPEG header) before the stub, so the check must be on content, not on the name.
  • Detect phar:// stream wrapper usage in file path parameters passed to TCPDF. When TCPDF calls a PHP file function on such a path, PHP opens the archive and unserializes its metadata, instantiating attacker-chosen objects before any image decoding happens. (PHP 8.0 and later no longer unserialize phar metadata automatically during file operations, which removes this trigger.)
  • Alert on the exploit chain: authenticated login → survey creation → KCFinder file upload → PDF export via /index.php/admin/export/sa/quexml/surveyid/ in LimeSurvey, which is the delivery mechanism for the TCPDF phar deserialization.
  • Detect injection of a malicious 'link' tag pointing to a local phar archive within PDF-rendered content (e.g., invoice fields), which triggers phar:// deserialization when TCPDF reads the file.
  • Look for the presence of shell.php in the web root following a successful exploit, indicating post-exploitation webshell deployment.
  • The exploit requires valid authenticated credentials to LimeSurvey; unauthenticated exploitation is not directly possible via this exploit chain.
  • The vulnerability is fixed in TCPDF 6.2.22 and later; Debian packages are fixed in 6.2.26+dfsg-1.
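The three content checks above (PHAR stub inside an "image" upload, phar:// in a request parameter, and the ordered LimeSurvey request chain) as runnable detection logic. This is an added example, not code from cvebase, TCPDF or LimeSurvey; the combined-log line format, the sample log lines, the client addresses (RFC 5737 documentation ranges) and the sample upload bytes are all constructed for illustration.

```python
"""Detection helpers for the CVE-2018-17057 exploit chain listed above.

Added example; not code from cvebase, TCPDF or LimeSurvey. The access-log
format, the sample log lines and the sample upload bytes are constructed.
"""
import re
from urllib.parse import unquote

# Every PHAR archive begins with a PHP stub that ends in this call; the bytes
# IOC on this page is the same string. The phar loader ignores the file
# extension, so "image" uploads must be checked by content, not by name.
PHAR_STUB = b"__HALT_COMPILER();"
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

# phar:// in any case; the value is URL-decoded twice before matching so
# single- and double-encoded parameters are both caught.
WRAPPER_RE = re.compile(r"phar://", re.IGNORECASE)

# Steps of the LimeSurvey delivery chain, in the order the IOCs list them.
CHAIN = (
    "/index.php/admin/authentication/sa/login",
    "/index.php/admin/survey/sa/newsurvey",
    "/index.php/admin/survey/sa/insert",
    "/third_party/kcfinder/browse.php",
    "/index.php/admin/export/sa/quexml/surveyid/",
)

# Constructed combined-log layout: client ident user [time] "METHOD PATH PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_phar_disguised_as_image(filename: str, data: bytes) -> bool:
    """Upload has an image extension but carries the PHAR stub."""
    return filename.lower().endswith(IMAGE_EXTS) and PHAR_STUB in data


def has_phar_wrapper(value: str) -> bool:
    """A request parameter names a phar:// path, possibly URL-encoded."""
    return WRAPPER_RE.search(unquote(unquote(value))) is not None


def flag_phar_parameters(params: dict) -> list:
    """Names of the parameters in one request that carry a phar:// path."""
    return [name for name, value in params.items() if has_phar_wrapper(value)]


def exploit_chain_sources(log_lines) -> set:
    """Client IPs that walk every step of CHAIN in order.

    A client advances one step at a time; unrelated requests in between
    (static assets, reloads) are ignored rather than resetting progress.
    """
    progress = {}
    matched = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ip = m.group("ip")
        path = m.group("path").split("?", 1)[0]
        step = progress.get(ip, 0)
        if step < len(CHAIN) and path.startswith(CHAIN[step]):
            step += 1
            progress[ip] = step
            if step == len(CHAIN):
                matched.add(ip)
    return matched


# Constructed sample data. PHP allows arbitrary bytes before the stub, which
# is what makes the JPEG disguise possible; a working archive would also need
# a manifest after the stub, so this is only the indicator, not a real phar.
MALICIOUS_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<?php __HALT_COMPILER(); ?>" + b"\x00" * 16
CLEAN_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2018:10:00:01 +0000] "POST /index.php/admin/authentication/sa/login HTTP/1.1" 302 -',
    '203.0.113.7 - - [14/Sep/2018:10:00:05 +0000] "GET /index.php/admin/survey/sa/newsurvey HTTP/1.1" 200 -',
    '203.0.113.7 - - [14/Sep/2018:10:00:06 +0000] "GET /styles/adminstyle.css HTTP/1.1" 200 -',
    '203.0.113.7 - - [14/Sep/2018:10:00:09 +0000] "POST /index.php/admin/survey/sa/insert HTTP/1.1" 302 -',
    '203.0.113.7 - - [14/Sep/2018:10:00:12 +0000] "POST /third_party/kcfinder/browse.php?type=files&act=upload HTTP/1.1" 200 -',
    '203.0.113.7 - - [14/Sep/2018:10:00:20 +0000] "GET /index.php/admin/export/sa/quexml/surveyid/123456 HTTP/1.1" 200 -',
    '198.51.100.9 - - [14/Sep/2018:10:01:00 +0000] "GET /index.php/admin/survey/sa/newsurvey HTTP/1.1" 200 -',
    '198.51.100.9 - - [14/Sep/2018:10:01:30 +0000] "GET /index.php/admin/export/sa/quexml/surveyid/123456 HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    print("phar disguised as image:", is_phar_disguised_as_image("malicious.jpg", MALICIOUS_JPG))
    print("flagged parameters:", flag_phar_parameters({"img": "phar:///tmp/exploit.jpg", "title": "Q1"}))
    print("clients completing the chain:", exploit_chain_sources(SAMPLE_LOG))
```

The chain detector keys on the client address only; in a real deployment it should key on the authenticated session as well, since the login step is what makes the rest of the chain possible. The second client in the sample skips the login and upload steps and is correctly not reported.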

CVSS provenance

nvd             v3.0   9.8   CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                    9.8   CRITICAL
vendor_debian          9.8   CRITICAL