Thursday, March 28, 2024

15-Year-old Security Vulnerability In The PEAR PHP Repository Permits Supply Chain Attack

PEAR PHP repository has been found to contain a 15-year-old security vulnerability that could provide an attacker with the ability to carry out a supply chain attack on the system.

The attacker could also obtain unauthorized access to perform arbitrary acts such as publishing rogue packages and executing arbitrary code in addition to the supply chain attack.

PEAR is a framework for distributing PHP components in a reusable and modular form. 

Flaw in the PEAR PHP repository

This vulnerability potentially showed a way for the threat actors with low-level skills to exploit a critical component of the PHP supply chain to cause major trouble.

When the feature was originally implemented, one of the problems was introduced by a code commit (made in March 2007) that used a cryptographically insecure PHP function called “mt_rand()”.

The threat actors could also be able to discover a valid password reset token within less than 50 attempts with this functionality.

The PEAR client itself, Console_Getopt, Archive_Tar, and Mail rank as the most popular packages downloaded from pear.php.net, with over 285 million packages downloaded in total.

In spite of Composer’s large market share, PEAR packages continue to be downloaded thousands of times each month.

Here’s what Thomas Chauchefoin, the vulnerability researcher at SonarSource stated:-

“An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server.”

However, SonarSource’s security analysts have identified two security flaws that can be exploited for over 15 years. While here below we have mentioned them and also presented the proof of concept as well:-

  • Successful exploitation of the first flaw would allow malicious releases to be published from any developer account.
  • While by exploiting the second flaw, the threat actors can gain persistent access to the PEAR server hosted by the central PEAR server.

There is a source code project called pearweb, which can be found on GitHub and it is the source code behind pear.php.net. 

Researchers have discovered that the pearweb pulled the dependency Archive_Tar in an old version (1.4.7, rather than its latest version 1.4.14), and therefore missed out on several other features while deploying the pearweb on their test virtual machine.

An older version of Archive_Tar is known to contain a directory traversal vulnerability that can potentially lead to arbitrary code execution. This vulnerability has been tracked as “CVE-2020-36193” across a number of versions.

There have been two malicious attacks detected in the PHP supply chain in less than a year, making it the second time issues have been discovered.

While in late April 2021, critical vulnerabilities were divulged in the Composer PHP package manager that could enable an adversary to execute arbitrary commands.

The Composer PHP package manager, which includes the PHP programming language and a large number of additional modules, was found to be vulnerable to critical vulnerabilities in late April 2021.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles