Monday, June 24, 2024

15-Year-old Security Vulnerability In The PEAR PHP Repository Permits Supply Chain Attack

PEAR PHP repository has been found to contain a 15-year-old security vulnerability that could provide an attacker with the ability to carry out a supply chain attack on the system.

The attacker could also obtain unauthorized access to perform arbitrary acts such as publishing rogue packages and executing arbitrary code in addition to the supply chain attack.

PEAR is a framework for distributing PHP components in a reusable and modular form. 

Flaw in the PEAR PHP repository

This vulnerability potentially showed a way for the threat actors with low-level skills to exploit a critical component of the PHP supply chain to cause major trouble.

When the feature was originally implemented, one of the problems was introduced by a code commit (made in March 2007) that used a cryptographically insecure PHP function called “mt_rand()”.

The threat actors could also be able to discover a valid password reset token within less than 50 attempts with this functionality.

The PEAR client itself, Console_Getopt, Archive_Tar, and Mail rank as the most popular packages downloaded from pear.php.net, with over 285 million packages downloaded in total.

In spite of Composer’s large market share, PEAR packages continue to be downloaded thousands of times each month.

Here’s what Thomas Chauchefoin, the vulnerability researcher at SonarSource stated:-

“An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server.”

However, SonarSource’s security analysts have identified two security flaws that can be exploited for over 15 years. While here below we have mentioned them and also presented the proof of concept as well:-

  • Successful exploitation of the first flaw would allow malicious releases to be published from any developer account.
  • While by exploiting the second flaw, the threat actors can gain persistent access to the PEAR server hosted by the central PEAR server.

There is a source code project called pearweb, which can be found on GitHub and it is the source code behind pear.php.net. 

Researchers have discovered that the pearweb pulled the dependency Archive_Tar in an old version (1.4.7, rather than its latest version 1.4.14), and therefore missed out on several other features while deploying the pearweb on their test virtual machine.

An older version of Archive_Tar is known to contain a directory traversal vulnerability that can potentially lead to arbitrary code execution. This vulnerability has been tracked as “CVE-2020-36193” across a number of versions.

There have been two malicious attacks detected in the PHP supply chain in less than a year, making it the second time issues have been discovered.

While in late April 2021, critical vulnerabilities were divulged in the Composer PHP package manager that could enable an adversary to execute arbitrary commands.

The Composer PHP package manager, which includes the PHP programming language and a large number of additional modules, was found to be vulnerable to critical vulnerabilities in late April 2021.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...

Consulting Companies to Pay $11 Million Failing Cybersecurity Requirements

Two consulting companies, Guidehouse Inc. and Nan McKay and Associates, have agreed to pay...

New RAT Malware SneakyChef & SugarGhost Attack Windows Systems

Talos Intelligence has uncovered a sophisticated cyber campaign attributed to the threat actor SneakyChef....

Chinese Winnti Group Intensifies Financially Motivated Attacks

Hackers are increasingly executing financially motivated attacks and all due to the lucrative potential...

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from Promokit.eu for...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles