PsySH CWD Configuration Poisoning Vulnerability Leading to Local Privilege Escalation
Vulnerability
A vulnerability in PsySH, a runtime developer console for PHP, allows for local privilege escalation through a CWD configuration poisoning issue. Prior to versions 0.11.23 and 0.12.19, PsySH automatically executed a `.psysh.php` file from the Current Working Directory on startup. If an attacker could write to a directory that a victim later used as their CWD when launching PsySH, they could execute arbitrary code in the victim's context. This issue is particularly concerning when PsySH is run with elevated privileges, such as root, because the attacker's code then runs with those privileges. The vulnerability also affects downstream consumers that embed PsySH, like Laravel Tinker, when invoked from an attacker-writable CWD.
Impact
Exploitation of this vulnerability allows for arbitrary code execution in the context of the user running PsySH. If that user has elevated privileges, such as root, it results in local privilege escalation.
Reproduction
To reproduce this vulnerability, a low-privileged user can create a malicious `.psysh.php` file in an attacker-writable directory, such as `/tmp`. This file can contain PHP code that, when executed, performs actions like writing to a file. Once the malicious file is in place, a privileged user can be tricked into starting PsySH from the same directory, which will automatically load and execute the malicious code. After exiting PsySH, the privileged actions performed by the malicious code can be confirmed, for example by checking for a file that the injected code created.
Remediation
Users should upgrade to PsySH versions 0.11.23 or 0.12.19, both of which address this vulnerability. After upgrading, PsySH requires explicit trust before loading local configuration files, binaries, or Composer autoloads from untrusted projects. This can be managed with the `trustProject` configuration option, the `--trust-project` or `--no-trust-project` CLI flags, or the `PSYSH_TRUST_PROJECT` environment variable.
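The following is an added example, not part of this advisory and not code from the PsySH project: a small POSIX shell guard that checks the conditions behind the reproduction above (a world-writable CWD such as `/tmp`, or a `.psysh.php` owned by another user) before launching PsySH, and a wrapper that starts a fixed PsySH with the `--no-trust-project` flag named in the remediation. It assumes a `psysh` binary on `PATH` at version 0.11.23 or 0.12.19 or later; the function names `psysh_cwd_risk` and `safe_psysh` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the advisory or of PsySH itself).
# Source this file, then call safe_psysh from the project directory:
#   . ./psysh-guard.sh; cd /path/to/project; safe_psysh

# psysh_cwd_risk DIR
# Returns 0 when DIR looks safe, 1 when it matches the poisoning pattern:
#   - DIR is writable by users other than its owner (e.g. /tmp-style dirs), or
#   - DIR/.psysh.php exists and is owned by someone other than the current user.
# A .psysh.php you own in a private directory is the legitimate per-project
# config and is not flagged.
psysh_cwd_risk() {
    dir=${1:-.}
    me=$(id -un)

    # Directory writable by "others" (POSIX find: -prune on the start point
    # tests only DIR itself; -perm -0002 tests the other-write bit).
    if [ -n "$(find "$dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
        echo "warning: $dir is writable by other users; a .psysh.php here would run as $me" >&2
        return 1
    fi

    # A .psysh.php in DIR that the current user does not own.
    # find prints nothing (and errors to the discarded stderr) if the file is absent.
    if [ -n "$(find "$dir/.psysh.php" -prune ! -user "$me" -print 2>/dev/null)" ]; then
        echo "warning: $dir/.psysh.php is not owned by $me" >&2
        return 1
    fi

    return 0
}

# safe_psysh [psysh args...]
# Refuses to start from a risky CWD; otherwise launches PsySH with
# --no-trust-project so that local config, binaries and Composer autoload
# from this project are not loaded (requires PsySH 0.11.23+ / 0.12.19+).
safe_psysh() {
    psysh_cwd_risk "$PWD" || return 1
    psysh --no-trust-project "$@"
}
```

The check is deliberately conservative: on unpatched PsySH it is the only thing standing between a shared directory and code execution, and on patched PsySH the `--no-trust-project` flag makes the wrapper safe even if the check were skipped.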
