A security researcher has discovered a high-severity bug in a popular PHP library that could enable attackers to run remote code on web servers.
The researcher, who calls himself Polict, discovered another way to exploit a bug in the PHP programming language that was originally reported at Black Hat in 2018. The new version of the bug affects TCPDF, a common PHP library used to make PDF files.
The bug relies on deserialization. When programmers want to store or transmit information readable by a program, they often serialize it by transforming it into strings or binary data. This is equivalent to packaging it in a box for easy shipment. Deserialization unpacks what’s in the box so that a software program can use it.
PHP has a command to deserialize data, but it comes with a health warning: Developers should only deserialize content that they trust. However, in 2018 security researcher Sam Thomas found a way to make PHP deserialize content without calling the function at all.
The attack uses a feature of Phar (PHP Archive) files. Phar files have a serialized metadata section meant to contain information about the file. If an attacker can upload a Phar with malicious metadata and get a website to run a file handling operation like
file_get_contents on it, they can run arbitrary code.
The flaw was exploitable in several applications including TCPDF. A web developer might use this PDF library to take input via a web form and then convert the completed form into a downloadable PDF document, for example.
Thomas was able to exploit this vulnerability in TCPDF by using uploading a Phar file posing as an image. PHP would the attempt to process it using its
file_exists function, which would trigger the deserialization.
That flaw was fixed in September 2018, but then Polict found an alternative form of delivery. An attacker can deliver the evil code using a cross-site scripting (XSS) flaw, which enables an attacker to inject arbitrary HTML code onto a web site.
TCPDF includes a function called
writeHTML, which takes HTML code and renders it in the PDF. Putting a link tag into that HTML enables the attack to point the PHP interpreter to a Phar file with its malicious metadata, which is then deserialized.
Although Polict blogged about the flaw on 17 March 2019, he disclosed the information privately to the TCPDF developers in September, and the problem was fixed that month. As long as you’re using TCPDF version 6.2.22 or above, you’ll be safe from it.
The bug has been given the name CVE-2018-17057.