PEAR PHP repository has been found to contain a 15-year-old security vulnerability that could provide an attacker with the ability to carry out a supply chain attack on the system.
The attacker could also obtain unauthorized access to perform arbitrary acts such as publishing rogue packages and executing arbitrary code in addition to the supply chain attack.
PEAR is a framework for distributing PHP components in a reusable and modular form.
Flaw in the PEAR PHP repository
This vulnerability potentially showed a way for the threat actors with low-level skills to exploit a critical component of the PHP supply chain to cause major trouble.
When the feature was originally implemented, one of the problems was introduced by a code commit (made in March 2007) that used a cryptographically insecure PHP function called “mt_rand()”.
The threat actors could also be able to discover a valid password reset token within less than 50 attempts with this functionality.
The PEAR client itself, Console_Getopt, Archive_Tar, and Mail rank as the most popular packages downloaded from pear.php.net, with over 285 million packages downloaded in total.
In spite of Composer’s large market share, PEAR packages continue to be downloaded thousands of times each month.
Here’s what Thomas Chauchefoin, the vulnerability researcher at SonarSource stated:-
“An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server.”
However, SonarSource’s security analysts have identified two security flaws that can be exploited for over 15 years. While here below we have mentioned them and also presented the proof of concept as well:-
- Successful exploitation of the first flaw would allow malicious releases to be published from any developer account.
- While by exploiting the second flaw, the threat actors can gain persistent access to the PEAR server hosted by the central PEAR server.
There is a source code project called pearweb, which can be found on GitHub and it is the source code behind pear.php.net.
Researchers have discovered that the pearweb pulled the dependency Archive_Tar in an old version (1.4.7, rather than its latest version 1.4.14), and therefore missed out on several other features while deploying the pearweb on their test virtual machine.
An older version of Archive_Tar is known to contain a directory traversal vulnerability that can potentially lead to arbitrary code execution. This vulnerability has been tracked as “CVE-2020-36193” across a number of versions.
There have been two malicious attacks detected in the PHP supply chain in less than a year, making it the second time issues have been discovered.
While in late April 2021, critical vulnerabilities were divulged in the Composer PHP package manager that could enable an adversary to execute arbitrary commands.
