File Operation Induced Unserialization via the “phar://” Stream Wrapper
- CMSs (WordPress and Typo 3 confirmed)
- Other PHP applications that uses the “phar://” Stream Wrapper
According to Secarma Labs (2018), the vulnerability lies in the process of converting PHP objects into strings (called serialization), and then converting them back into PHP objects (unserialization). This vulnerability attack focuses on the behavior of the "phar://" wrapper.
The research paper presented by Secarma Labs state that exploiting instances of this issue consists of two stages.
- Place a valid Phar archive containing the payload object onto the target’s local file system.
- Trigger a file operation on a “phar://” path referring to the file.
To make the attack work, a user ( WordPress users that have privileges to upload and modify media items ) would need to log in and upload a booby-trapped file to the target application, then trigger a file operation through a crafted file name (that accesses the file through the phar:// stream wrapper), causing the target application to "unserialize" metadata contained in the file. That metadata can contain malicious commands, which are executed because of the deserialization.
According to Secarma Labs “This meta-data is unserialized when a Phar archive is first accessed by any file operation. This opens the door to unserialization attacks whenever a file operation occurs on a path whose beginning is controlled by an attacker. This is true for both direct file operations (such as "file_exists") and indirect operations such as those that occur during external entity processing within XML (i.e. when an XXE vulnerability is being exploited).”
The core vulnerability within WordPress is the wp_get_attachment_thumb_file function in /wpincludes/post.php.
Secarma Labs also revealed that an attacker can also exploit this vulnerability by using a JPEG image, originally a Phar archive converted into valid JPEG by modifying its first 100 bytes. Once the crafted thumbnail uploaded on the targeted WordPress server, the attacker can use another function to call the same image file as a Phar archive using the "phar://" stream wrapper, eventually executing the arbitrary code when the program deserializes the metadata.
At the BSides technical cybersecurity conference in Manchester, Secarma researcher Sam Thomas said the bug permits attackers to exploit the WordPress PHP framework, resulting in a full system compromise.
According to Secarma, the CMS provider was made aware of the security issue in February 2017, but "is yet to take action." There are no WordPress updates or patches that mitigates this error. However, the Cybersecurity team at the National Data Management Authority advises that all WordPress administrators enforce strong passwords on users that have privileges to upload and modify media on the website to prevent hackers from gaining access to those accounts to prevent this vulnerability. Also, be on the lookout for a WordPress patch for this vulnerability.
Soni (2018) explains that PHP comes with several built-in wrappers for various URL-style protocols to be used with filesystem functions. The vulnerability is related to the ‘phar://’ stream wrapper that allows access to files inside a local archive”. WordPress framework flaw involves thumbnail processing which allows an attacker to reach a 'file_exists' call with control of the start of the parameter". “The techniques presented here demonstrate it is possible to abuse the “phar://” stream wrapper to induce unserialization in a wide range of scenarios. It is well known from previous work that it’s possible to exploit unserialization of attacker-controlled data to achieve code execution or other malicious outcomes,” wrote Secarma Labs in the paper.
- Sam Thomas, File Operation Induced Unserialization via the “phar://” Stream Wrapper. Secarma Labs (2018) https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf?
- Wang Wei, New PHP Code Execution Attack Puts WordPress Sites at Risk, (2018) https://thehackernews.com/2018/08/php-deserialization-wordpress.html
- John Leyden, So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks: But claims of 'complete system compromise' are a little extreme, (2018). https://www.theregister.co.uk/2018/08/20/php_unserialisation_wordpress_vuln/
- Virendra Soni, PHP vulnerability in WordPress leaves countless websites open to cyberattacks, (2018). https://www.dailyhostnews.com/php-vulnerability-in-wordpress/