New PHP Phar Deserialization Attack Leaves Wordpress Sites Vulnerable

It seems almost every day we are hearing news of data breaches and cyber attacks of major corporations around the world despite their best efforts to keep ahead of the curve. Many times these attacks come not just from foreign governments but from small band of bandits or even single individuals. Just last month, we had the case of Apple’s mainframe hacked by a teenager in Australia. Cyber attacks are far more prevalent than most people realize and it behoves us to keep up to date on the latest vulnerabilities. One of the latest revelations is with PHP through an object injection vulnerability that poses a risk to WordPress websites.
 
Sam Thomas, a security researcher at Secarma, has revealed that a technique of using Phar wrappers, a type of PHP stream wrappers, can trigger a deserialization, leaving the web server open to malicious inputs. Stream wrappers are used in PHP to make data work like a stream in URL type protocols and a stream is no more complicated than a sequence of data. So opening a stream is basically gaining access to theat data. In a case of ftp, it is the tcp network connection and in the case of local files, it is a file descriptor. In the cases of remote file inclusion attacks, the “ftp://” and “http://” are often used.
 
In the case of the “phar://” wrapper, it allows access to files inside of a local drive, specifically phar archives. These archives are similar to Jar archives in which are self-contained applications which includes an executable stub that contains metadata in php code. When a phar archive is accessed by a file operation such as “fopen”, “file_exists” or “file_get_contents”, the metadata becomes deserialized.  
 
The attack is relatively simple, upload a valid Phar archive file that contains malicious payload into the target file system and access the archive through a “phar://” stream wrapper using a file operation function. Mr. Thomas has even shown that the exploit can be done with a JPEG image; a Phar archive converted into a JPEG file by modifying the first 100 bytes.
 
In the case with Wordpress, when a hacker uses the “file_exists” call, they are able to get control of parameters and upload privileges to cause an unserialization. Mr. Thomas describes, “ The core vulnerability is within the wp_get_attachment_thumb_file function in /wpincludes/post.php:”
 

The full explanation of the execution and exploitation of the above code is detailed in Secarma’s report, link provided here: https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are
 
The details of this finding was reported with WordPress Security but the problem was not fully addressed in their newest updates.