The flaws potentially expose web applications written in the popular language to cyber attacks, including websites running CMSs like WordPress and Typo3.
The expert discovered that an attacker can use low-risk functions against Phar archives to trigger deserialization attack without requiring the use of unserialize() function. Phar archives are similar to Java JAR archives but are specific for PHP applications. A Phar application or library could be distributed in a single file.
Phar files include metadata in a serialized format. The data is unserialized for every file operation function (fopen, file_exists, file_get_contents, etc.) on the archive file.
“Typically, these archives are used to hold self-extracting or self-contained applications, in the same
way that a Jar archive can be executed a Phar archive contains an executable stub containing PHP
code. To get to the crux of the issue at hand, Phar archives can also contain meta-data, and:
“Meta-data can be any PHP variable that can be serialized.” wrote Thomas.
This meta-data is unserialized when a Phar archive is first accessed by any(!) file operation. This
opens the door to unserialization attacks whenever a file operation occurs on a path whose
beginning is controlled by an attacker. This is true for both direct file operations (such as
“file_exists”) and indirect operations such as those that occur during external entity processing
within XML (i.e. when an XXE vulnerability is being exploited).”
Thomas demonstrated at the Black Hat hacking conference how to trigger the flaws to hack WordPress sites using an author account and take full control over the underlying web server.
Thomas explained that it is possible to carry out the attack by converting a Phar archive in a JPEG image, an operation that is possible by modifying its first 100 bytes.
“The way certain thumbnail functionality within the application works enables an attacker with the
privileges to upload and modify media items to gain sufficient control of the parameter used in a
“file_exists” call to cause unserialization to occur.” explained the researcher.
“The core vulnerability is within the wp_get_attachment_thumb_file function in /wpincludes/post.php:”
Once uploaded the malicious thumbnail on the targeted server running the WordPress website the attacker can use another function to call the image file as a Phar archive using the “phar://” stream wrapper.
“It is possible to reach this function through an XMLRPC call to the “wp.getMediaItem” method, with
an arbitrary value for $imagedata[‘thumb’] and a partially controlled value for $file.
$file is returned by get_attached_file also from /wp-includes/post.php” continues the analysis.
Thomas reported his findings to the WordPress security team on 28th February 2017l. WordPress released a security update that did not solve the problem completely.
The researcher also reported the flaw to Typo3 on 9th June 2018, and the issue was fixed with the release of the versions 7.6.30, 8.7.17 and 9.3.