Supply Chain Issues in The PHP Package Management PEAR

For 15 years, supply chain issues in the PHP package manager PEAR went unnoticed.

PEAR was vulnerable to attack because of a cryptographic weakness and a flaw in an out-of-date dependency. According to security experts, attackers could have wreaked havoc on the PHP ecosystem by exploiting a pair of long-standing vulnerabilities in the package manager PEAR that were only recently fixed.

In a blog post, Thomas Chauchefoin, a vulnerability researcher at Swiss security firm SonarSource, disclosed that a bug stemming from inadequate entropy in the password reset mechanism put PEAR developer accounts at risk of takeover by criminals.

Having poisoned the PHP ecosystem with malicious versions of existing packages, attackers could then exploit a separate vulnerability in an older version of a bundled dependency to gain persistent access to the central PEAR server.

The two-pronged attack scenario has been explained in a video by SonarSource.

PEAR has fallen out of favor with the rise to dominance of the rival PHP package manager Composer, in whose main repository SonarSource exposed a similarly significant vulnerability last year.

However, the most popular PEAR packages (the PEAR client, Console_Getopt, Archive_Tar, and Mail) continue to receive thousands of downloads each month.

The previously unknown supply chain vulnerabilities “may have been readily found and exploited by threat actors with just minimum technical competence, causing significant disruption and security breaches throughout the world.”

Weak PRNG

PEAR’s password reset function uses mt_rand() to produce random numbers, even though that function is a Mersenne Twister PRNG and is not suitable for producing cryptographically secure values.

“The final value is simply based on two unknowns, which are the result of mt_rand() and time(),” Chauchefoin said; the two values are concatenated and hashed using md5().

“The first cannot supply a significant number of values (10), but the attacker can readily approximate the second.

In addition, pear.php.net’s HTTP server includes a Date header in its responses, which limits it to only a few values (5).”

According to the researchers, attackers might get a valid password reset token after 50 tries.
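As an added illustration (not pearweb’s own code), the weak construction the article describes next to a hardened replacement; the 10-value mt_rand() range is an assumption standing in for whatever pearweb actually used:

```php
<?php
// Weak reset token, modelled on the construction described above (not pearweb's code).
// Assumption: mt_rand() is constrained to ~10 distinct values, as the article states;
// the real range in pearweb is not given here, so mt_rand(1, 10) stands in for it.
function weakResetToken(int $now): string {
    $r = mt_rand(1, 10);       // Mersenne Twister, tiny range: ~10 possibilities
    // md5() adds no entropy: the output is fully determined by ($r, $now).
    // If the server's Date header pins $now to ~5 candidate seconds, the whole
    // token space is 10 x 5 = 50 values, which is why ~50 guesses suffice.
    return md5($r . $now);
}

// Hardened: 256 bits from the OS CSPRNG. The raw token goes to the user once
// (e.g. in the reset link); only its hash is stored, with an expiry timestamp.
function secureResetToken(): string {
    return bin2hex(random_bytes(32));
}

// Storage record for the server side: digest plus absolute expiry.
function resetRecord(string $token, int $now, int $ttlSeconds = 900): array {
    return [
        'digest'     => hash('sha256', $token),
        'expires_at' => $now + $ttlSeconds,
    ];
}

// Verification: constant-time comparison against the stored digest, and
// reject expired tokens. Callers should also delete the record on success
// so a token is single-use.
function verifyResetToken(string $presented, array $record, int $now): bool {
    if ($now > $record['expires_at']) {
        return false;
    }
    return hash_equals($record['digest'], hash('sha256', $presented));
}

// Demo
$now  = time();
echo "weak token (50-candidate space): " . weakResetToken($now) . "\n";

$token  = secureResetToken();
$record = resetRecord($token, $now);
echo "fresh secure token accepted:   " . (verifyResetToken($token, $record, $now) ? 'yes' : 'no') . "\n";
echo "same token after expiry:       " . (verifyResetToken($token, $record, $now + 1000) ? 'yes' : 'no') . "\n";
echo "wrong token:                   " . (verifyResetToken(secureResetToken(), $record, $now) ? 'yes' : 'no') . "\n";
```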

Even once the first problem was repaired, the other bug provided a backdoor for persistent attacks. Altering access logs could also have helped attackers cover their tracks.

The weakness was discovered when pearweb removed Archive_Tar version 1.4.7, which was vulnerable to CVE-2020-36193, a directory traversal flaw that could lead to remote code execution (RCE) on PEAR. SonarSource notified the PEAR maintainers of the flaws on July 30, 2021. They were fixed in pearweb version 1.32, published on March 13; all earlier versions are affected. According to Chauchefoin, the defects’ persistence in PEAR’s source for over 15 years raises “issues about the absence of security contributions [audits] from organizations relying on it.”

“Consider switching to Composer, where the contributor community is more active and the same packages are accessible,” they recommended to PEAR users.