TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor

Categories: Development Created by Oliver Hader
It has been discovered that the protection against insecure deserialization can be by-passed in Phar Stream Wrapper component.
  • Release Date: May 8, 2019
  • Component Type: PharStreamWrapper (package typo3/phar-stream-wrapper)
  • Impact: By-passing protection against insecure deserialization
  • Affected Versions: 2.0.0-2.1.0 and 3.0.0-3.1.0 of the package
  • CVE: CVE-2019-11831

Problem Description

Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. In July 2018, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the TYPO3 core. For more details read the corresponding TYPO3 advisory.

In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. In the example below the base name is /path/bad.phar and /phar-content.txt is some file bundled in that archive.

<?php
$userSubmittedPath = 'phar:///path/bad.phar/phar-content.txt';
file_exists($userSubmittedPath);

The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

<?php
// Helper::determineBaseFile(
//    'phar:///path/bad.phar/../good.phar'
// )
// is incorrectly resolved to
// base name '/path/good.phar'
// ... which is used in order to allow invocation
if ($interceptor->assert('/path/good.phar')) {
    $wrapper->invokeInternalStreamWrapper(
      'stat',
      'phar:///path/bad.phar/../good.phar'
    );
}

Solution

The Phar Stream Wrapper package is not using internal path resolving and traversing mechanism in Helper:: getCanonicalPath() anymore.

The Phar Stream Wrapper package is available for any PHP driven project for download.

Users who downloaded the previous version are advised to upgrade to versions 3.1.1 (for PHP v7.0 and later) and 2.1.1 (for PHP v5.3 and later) to keep their projects safe. This also has been addressed already in recent TYPO3 releases of versions 8.7.25 LTS and 9.5.6 LTS.

Severity

The final severity assessment has to be done in the component making use of the Phar Stream Wrapper package and depends on the interceptor strategy that has been used. In case file invocations on user submitted paths are allowed at least insecure deserialization is possible. Depending on the specific implementation in the using components this could lead to higher impact scores concerning confidentiality, integrity and availability.

Download

Please either upgrade to versions v3.1.1 and v2.1.1 manually or ensure Composer dependencies are raised to the mentioned new versions.

Credits

Thanks to Daniel le Gall who reported this issue in the scope of the EU-FOSSA project and to TYPO3 security team member Oliver Hader who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.