
PHP SuperGlobals : Supersized Trouble






Presentation Transcript


  1. PHP SuperGlobals: Supersized Trouble Shelly Hershkovitz, Senior Security Analyst, Imperva

  2. Shelly Hershkovitz • Senior Security Analyst at Imperva • Leads the efforts to capture and analyze hacking activities • Responsible for a number of Imperva's HII reports • Experienced in machine learning and computer vision • Holds a BA in Computer Science and an M.Sc. degree in Bio-Medical Engineering

  3. How it all began… Blabla… CVE-2011-2505 Honeypots

  4. Agenda • Introduction • Relevant PHP background • An Anatomy of a Modern Web Exploit • Abusing SuperGlobals • Demo • Additional PHP SuperGlobal Attacks • In the wild • Summary & Conclusions • Q&A

  5. Introduction Relevant PHP background

  6. Breadth and Depth of PHP – I • The most popular server-side programming language in the world • And it goes from strength to strength

  7. Breadth and Depth of PHP – II • The most popular web applications are powered by PHP http://www.alexa.com/topsites

  8. Outline – PHP Background SuperGlobals Session Management Serialization

  9. PHP SuperGlobals • “Local” versus “global” scopes • Global variables • Cross-function communication • *ANY* function may change them • SuperGlobals: • Predefined array variables • Available in all scopes • SuperGlobals: cookies, sessions, environment, etc.

  10. PHP SuperGlobal list

  11. External Variable Modification • MITRE Common Weakness Enumeration: CWE-473 • "A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies". • SuperGlobals are a natural target: • Exist in every PHP application • Provide access to the server's core functionality

  12. Serialization • The process of saving data stored in memory to file is called “serialization” • The process of loading data stored in file to memory is called “deserialization” __sleep() __wakeup() http://www.studytonight.com/java/images/Serialization-deserialization.JPG

  13. PHP Session Management • New user: • Unique identifier for the session. • A cookie called PHPSESSID is sent to the user with this identifier. • A file is created on the server, for example: sess_1q8jkgkoetd3dprcb3n7mpmc4o26eili. • Resuming session data.

  14. An Anatomy of a Modern Web Exploit Exploiting SuperGlobals

  15. Outline • PHPMyAdmin • CVE-2011-2505 • CVE-2010-3065 • Attack Flow • Demo • Attacks on the wild

  16. PHPMyAdmin (PMA) • The most popular MySQL administration tool for PHP • Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations

  17. Outline – PHP Background CVE-2011-2505 SuperGlobals CVE-2010-3065 Serialization Session Management

  18. CVE-2011-2505: PhpMyAdmin Vulnerability • Parses a given query string into the local scope • _SESSION variables are saved in the session's file on the server • Request: http://www.super.com/somePage?_SESSION[username]=bad_stuff • Resulting entry in the session file: username|s:9:"bad_stuff";

  19. CVE-2011-2505: PhpMyAdmin Vulnerability • PhpMyAdmin's "unset session" functionality • parse_str(): parses the given query string and stores the variables in the current scope. • session_write_close(): makes the session data persistent for the rest of the user's session.

  20. CVE-2011-2505: Exploit • An attacker can now • Craft a malicious query string with the _SESSION SuperGlobal • Injected _SESSION value overrides the session’s original values • New values are saved to local file

  21. CVE-2010-3065 PHP Vulnerability & Exploit • Discovered by Stefan Esser, late 2010 • An attacker can write data to _SESSION in *ANY* format, if the session variable name starts with '!'

  22. Serialization • The process of saving data stored in memory to file is called “serialization” • The process of loading data stored in file to memory is called “deserialization” __sleep() __wakeup() http://www.studytonight.com/java/images/Serialization-deserialization.JPG

  23. PMA Session deserialization: Vulnerability • On session deserialization, the load() function is called • Eval is evil! • Can be used to execute unexpected code

  24. Attack Flow • The attacker sends the 1st request to receive a cookie • The attacker sends the 2nd request; _SESSION holds: • 1. Malicious code • 2. A serialized PMA_Config object with source = session file path • PHP saves the session's information to a local file • The attacker sends the 3rd request • PHP deserializes PMA_Config, which calls __wakeup(), which calls load(), which calls eval(source = session file)

  25. The Exploit Code on the Web

  26. Attack Flow • The attacker sends the 1st request to receive a cookie • The attacker sends the 2nd request; _SESSION holds: • 1. Malicious code • 2. A serialized PMA_Config object with source = session file path • PHP saves the session's information to a local file • The attacker sends the 3rd request • PHP unserializes PMA_Config, which calls __wakeup(), which calls load(), which calls eval(source = session file)

  27. Guessing Session Filename • Luckily for the attacker, the location of the session file is predictable • The session file name consists of: • The "sess_" prefix • The session identifier, known to the user/attacker • The file's path is predictable • Default values

  28. Guessing Session Filename: in the wild • Multiple guesses for the path of the same session file ("sess_19qq…")

  29. The Final Exploit • Now the attackers can, *FINALLY*, get their code evaluated • /phpMyAdmin/index.php?session_to_unset=123&token=86498ff0a666f808df76ffaabee9b7a3&_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}&_SESSION[payload]=<?php phpinfo(); ?>
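The session file is the artefact that slides 13, 18, 21 and 29 all revolve around, so a defender's first question is what a tampered one looks like on disk. The following auditor is an added example for this transcript, not code from the talk or from phpMyAdmin. It reads the format PHP's default "php" session serializer writes (`name|<serialize() value>` entries back to back, and `!name|` for a registered name that carries no value) and reports the three things the deck describes: a key using the `!` prefix (the CVE-2010-3065 pattern), a key that is not a plain identifier, and a value that holds a serialized object such as `PMA_Config`. The sample session bodies, the `cfg` key and the `/tmp/sess_x` path are constructed for the example.

```python
"""Audit a PHP session file body for entries that look like external tampering."""
import re
from dataclasses import dataclass, field

SAFE_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass
class PhpObject:
    cls: str
    props: dict = field(default_factory=dict)


class PhpUnserializer:
    """Minimal recursive-descent reader for PHP's serialize() format (N, i, b, d, s, a, O)."""

    def __init__(self, data: str, pos: int = 0):
        self.s, self.i = data, pos

    def _read_until(self, ch: str) -> str:
        j = self.s.index(ch, self.i)
        tok, self.i = self.s[self.i:j], j + 1
        return tok

    def _quoted(self, n: int) -> str:
        # expects '"' + n characters + '"' at the cursor, followed by ';' or ':'
        if self.s[self.i] != '"':
            raise ValueError(f"expected quote at offset {self.i}")
        raw = self.s[self.i + 1:self.i + 1 + n]
        self.i += n + 3
        return raw

    def value(self):
        t = self.s[self.i]
        if t == "N":                                  # N;
            self.i += 2
            return None
        if t in "ibd":                                # i:3;  b:1;  d:0.5;
            self.i += 2
            raw = self._read_until(";")
            return {"i": int, "b": lambda v: v == "1", "d": float}[t](raw)
        if t == "s":                                  # s:9:"bad_stuff";
            self.i += 2
            return self._quoted(int(self._read_until(":")))
        if t == "a":                                  # a:1:{<key><value>...}
            self.i += 2
            n = int(self._read_until(":"))
            self.i += 1                               # '{'
            out = {}
            for _ in range(n):
                k = self.value()
                out[k] = self.value()
            self.i += 1                               # '}'
            return out
        if t == "O":                                  # O:10:"PMA_Config":1:{...}
            self.i += 2
            cls = self._quoted(int(self._read_until(":")))
            n = int(self._read_until(":"))
            self.i += 1
            props = {}
            for _ in range(n):
                k = self.value()
                props[k] = self.value()
            self.i += 1
            return PhpObject(cls, props)
        raise ValueError(f"unsupported type {t!r} at offset {self.i}")


def object_classes(v) -> list:
    """Class names of every serialized object nested inside a decoded value."""
    if isinstance(v, PhpObject):
        return [v.cls] + object_classes(v.props)
    if isinstance(v, dict):
        return [c for x in v.values() for c in object_classes(x)]
    return []


def audit_session(data: str) -> list:
    """Return human-readable findings for one session file body (empty list = clean)."""
    findings, i = [], 0
    while i < len(data):
        bar = data.find("|", i)
        if bar < 0:
            findings.append(f"no 'name|' separator after offset {i}")
            break
        key, i = data[i:bar], bar + 1
        if key.startswith("!"):                       # "!name|": no value follows the name
            findings.append(f"key {key!r} uses the '!' prefix (CVE-2010-3065 pattern)")
            continue
        if not SAFE_KEY.match(key):
            findings.append(f"key {key!r} is not a plain identifier")
        u = PhpUnserializer(data, i)
        try:
            val = u.value()
        except (ValueError, IndexError):
            findings.append(f"unparseable value for key {key!r} at offset {i}")
            break
        i = u.i
        classes = object_classes(val)
        if classes:
            findings.append(f"key {key!r} holds serialized object(s): {', '.join(classes)}")
    return findings


# Constructed sample session bodies (not real captures).
BENIGN = 'username|s:5:"alice";count|i:3;admin|b:0;'
BANG_KEY = '!bla|s:3:"abc";user|s:5:"alice";'
OBJECT = 'cfg|O:10:"PMA_Config":1:{s:6:"source";s:11:"/tmp/sess_x";}'

if __name__ == "__main__":
    for body in (BENIGN, BANG_KEY, OBJECT):
        print(body, "->", audit_session(body) or "clean")
```

Note what the `BANG_KEY` sample shows: once a `!name|` entry has been consumed without a value, the reader takes everything up to the next `|` as the following key, so the key/value boundaries of the rest of the file shift. That is also why slide 18's `username|s:9:"bad_stuff";` entry produces no finding here: a string written through `_SESSION[username]` is structurally identical to a legitimate one, so that case has to be caught at the request, not in the file.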

  30. Demo

  31. PMA SuperGlobal Attacks in the wild • The attack source is a hacked server • It attacks (at least) two other servers • The attacks persist over half a year

  32. A Modern Exploit Summary: Research • Sophisticated research • Combines multiple vulnerabilities and issues in multiple domains • PHPMyAdmin (PMA) • PHP internals

  33. A Modern Exploit Summary: Development • Exploit packed in a single, “click once” PHP script • Automates the different attack stages • Can be launched from infected servers to infect others

  34. PHP SuperGlobal Attacks In the wild

  35. SuperGlobal Attacks Targets • RFI (Remote File Inclusion): trying to overwrite "_Server[document_root]" to point to an external resource

  36. SuperGlobal Attacks Targets • Part of general scanning against the site – Nikto, Acunetix, Nessus • Intrusion Detection System filter evasion: an alternative way to represent HTTP query parameters • “_REQUEST[Itemid]=1” request parameter is equivalent to “Itemid=1” • However, it evades a naïve IDS signature that blacklists “Itemid=1”

  37. SuperGlobal Attacks Targets • During May 2013 • 3.5K requests that manipulated PHP SuperGlobal variables. • 27 different attack sources • 24 web applications as targets

  38. Targeted SuperGlobal • Some SuperGlobals are more targeted than others • The more targeted SuperGlobals provide access to more sensitive resources

  39. Summary & Conclusions

  40. Third-Party Code Perils • PHPMyAdmin: • Popular utility installation • Often bundled with other applications • Even if PMA is not used, the server is exposed to code execution attacks!! • Administrators might not be aware of all bundled software • An "opt out" security model is needed • One possible solution is a Web Application Firewall (WAF) with constant updates of its security content.

  41. Conclusions • Establish a positive security model • Use layered security mechanisms • Beware of third-party code perils • Block SuperGlobal parameters in requests
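Slide 41's last point, "Block SuperGlobal parameters in requests", is the request-side counterpart of the IDS-evasion case on slide 36 (`_REQUEST[Itemid]=1` standing in for `Itemid=1`) and the RFI case on slide 35 (`_Server[document_root]`). The check below is an added example for this transcript, not code from the talk or from any WAF product. It flags any request parameter whose base name is one of PHP's nine SuperGlobals (matched case-insensitively, because the in-the-wild sample on slide 35 is not upper-case) and, so that an existing signature on the inner parameter still matches, unwraps one level of the evasion back to the plain name. It goes slightly beyond the slides in also handling percent-encoded brackets and nested keys such as `_GET[a][b]`. The request lines, the `option=com_content` parameter and the `example.invalid` host are constructed.

```python
"""Request-side check for PHP SuperGlobal names in HTTP query parameters."""
import re
from urllib.parse import parse_qsl, urlsplit

# PHP's nine SuperGlobals; compared case-insensitively.
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
                "_COOKIE", "_SESSION", "_REQUEST", "_ENV"}
PARAM = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")   # base[sub][sub]...


def inspect_query(query: str):
    """Return (findings, canonical_params) for one URL query string."""
    findings, canonical = [], []
    # parse_qsl already decodes %5B/%5D, so encoded brackets are handled too
    for name, value in parse_qsl(query, keep_blank_values=True):
        m = PARAM.match(name)
        base = m.group(1) if m else name
        subs = re.findall(r"\[([^\]]*)\]", m.group(2)) if m else []
        if base.upper() in SUPERGLOBALS:
            findings.append(f"SuperGlobal {base} referenced by parameter {name!r}")
            if subs:  # _REQUEST[Itemid] -> Itemid ; _GET[a][b] -> a[b]
                inner = subs[0] + "".join(f"[{s}]" for s in subs[1:])
                canonical.append((inner, value))
                continue
        canonical.append((name, value))
    return findings, canonical


def scan_requests(lines):
    """Apply inspect_query to raw request lines; 'block' is the verdict a WAF would act on."""
    report = []
    for line in lines:
        target = line.split(" ", 2)[1]
        parts = urlsplit(target)
        findings, canonical = inspect_query(parts.query)
        report.append({"path": parts.path, "block": bool(findings),
                       "findings": findings, "canonical": canonical})
    return report


# Constructed request lines; the parameter names echo slides 18, 35 and 36.
SAMPLE_REQUESTS = [
    "GET /index.php?Itemid=1&option=com_content HTTP/1.1",
    "GET /index.php?_REQUEST[Itemid]=1 HTTP/1.1",
    "GET /index.php?_REQUEST%5BItemid%5D=1 HTTP/1.1",
    "GET /page.php?_SESSION[username]=bad_stuff HTTP/1.1",
    "GET /lib.php?_Server[document_root]=http://example.invalid/ HTTP/1.1",
]

if __name__ == "__main__":
    for entry in scan_requests(SAMPLE_REQUESTS):
        verdict = "BLOCK" if entry["block"] else "allow"
        print(f"{verdict:5} {entry['path']} {entry['canonical']} {entry['findings']}")
```

Two design points: the verdict is driven by the parameter name alone, which is exactly the positive-model rule the slide recommends (no legitimate application needs a client to name `_SESSION` or `_SERVER` in a query string), and the canonical form is produced even for blocked requests so that the same record can be fed to the existing `Itemid=1`-style signatures for attribution.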

  42. More information in HII: http://www.imperva.com/resources/hacker_intelligence.asp Q&A
