Reference: Advisory #2019-012
Version: 1.0
Affected software:
Drupal 7 (versions before 7.67)
Drupal 8.6 (versions before 8.6.16)
Drupal 8.7 (versions before 8.7.1)
Joomla 3.9.3 - 3.9.5
Typo3 2 (versions before 2.1.1)
Typo3 3 (versions before 3.1.1)
Type: Arbitrary code execution
CVE/CVSS: CVE-2019-11831 - CVSS score: 9.8
https://nvd.nist.gov/vuln/detail/CVE-2019-11831#VulnChangeHistorySection
https://threatpost.com/drupal-typo3-joomla-phar-flaw/144526/
https://www.securityweek.com/phar-vulnerabilities-patched-drupal-typo3
An attacker can bypass the deserialization protection mechanism in the PharStreamWrapper by using directory traversal, and execute arbitrary code via a maliciously crafted phar file.
Developers using PHP can package a project as a Phar (PHP Archive), which bundles all of its files into a single archive.
The phar:// stream wrapper can be abused to execute arbitrary code. The PharStreamWrapper was put in place as a protection mechanism, but it does not check for directory traversal in the phar path, such as phar:///path/bad.phar/../good.phar: the protection decides on one phar file while PHP actually opens another.
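To make the gap concrete, the following is an added PHP example (not code from CERT.be, Drupal, Joomla or TYPO3). It contrasts a weak allowlist check, which collapses "../" textually and then probes the filesystem for the longest existing prefix, with a check that refuses dot segments and resolves the base file the same way the phar engine does (the first path component ending in ".phar"). The file paths, the allowlist, the stand-in for is_file() and all function names are constructed for this example.

```php
<?php
// Added example (not code from CERT.be, Drupal, Joomla or TYPO3): a phar://
// allowlist check that probes the filesystem after collapsing "../" can
// disagree with the phar file PHP actually opens. Paths, allowlist and all
// function names below are constructed for illustration.
declare(strict_types=1);

// Constructed stand-in for the filesystem: the files that "exist" here.
const EXISTING_FILES = ['/var/www/bad.phar', '/var/www/good.phar'];

// Only this phar is trusted in the example.
const ALLOWED_PHARS = ['/var/www/good.phar'];

function fake_is_file(string $path): bool {
    return in_array($path, EXISTING_FILES, true);
}

// Textual "." / ".." collapse, as a path expansion step does before stat().
function collapse_dots(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Weak base-file detection: collapse dots, then return the longest prefix
// that exists on disk. For /var/www/bad.phar/../good.phar this probes
// /var/www/good.phar, which exists, so the allowed file is reported.
function weak_base_file(string $pharPath): ?string {
    $parts = explode('/', collapse_dots($pharPath));
    while (count($parts) > 1) {
        $candidate = implode('/', $parts);
        if (fake_is_file($candidate)) { return $candidate; }
        array_pop($parts);
    }
    return null;
}

// Engine-consistent base file: the path up to the first ".phar" segment,
// which is the archive the phar wrapper opens; anything after it is an
// entry inside that archive.
function engine_base_file(string $pharPath): ?string {
    $acc = [];
    foreach (explode('/', $pharPath) as $seg) {
        $acc[] = $seg;
        if (substr($seg, -5) === '.phar') { return implode('/', $acc); }
    }
    return null;
}

function strip_scheme(string $url): ?string {
    return strncmp($url, 'phar://', 7) === 0 ? substr($url, 7) : null;
}

function weak_is_allowed(string $url): bool {
    $path = strip_scheme($url);
    if ($path === null) { return false; }
    $base = weak_base_file($path);
    return $base !== null && in_array($base, ALLOWED_PHARS, true);
}

function safe_is_allowed(string $url): bool {
    $path = strip_scheme($url);
    if ($path === null) { return false; }
    // Refuse "." and ".." segments outright: they have no legitimate use in a
    // phar URL and are exactly what lets two resolvers disagree.
    foreach (explode('/', $path) as $seg) {
        if ($seg === '.' || $seg === '..') { return false; }
    }
    // Decide on the same archive the engine will open.
    $base = engine_base_file($path);
    return $base !== null && in_array($base, ALLOWED_PHARS, true);
}

// Constructed probe mirroring the traversal pattern from the advisory.
$probe = 'phar:///var/www/bad.phar/../good.phar';
printf("weak check : %s\n", weak_is_allowed($probe) ? 'allowed' : 'blocked');
printf("safe check : %s\n", safe_is_allowed($probe) ? 'allowed' : 'blocked');
printf("safe, plain: %s\n", safe_is_allowed('phar:///var/www/good.phar/app.php') ? 'allowed' : 'blocked');
```

Run with `php example.php`: the weak check reports the traversal URL as allowed (it matched good.phar, although the engine would open bad.phar), the safe check blocks it, and a plain entry inside good.phar is still allowed. The defensive point is that the allowlist decision and the engine's archive selection must be computed from the same, unambiguous path; rejecting dot segments removes the ambiguity rather than trying to second-guess it.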
CERT.be recommends that system administrators update their products to the latest version:
https://www.drupal.org/sa-core-2019-007
https://typo3.org/article/typo3-956-and-8725-security-releases-published/