php superglobals : supersized trouble


Page 1: PHP  SuperGlobals : Supersized Trouble

© 2013 Imperva, Inc. All rights reserved.

PHP SuperGlobals: Supersized Trouble

Shelly Hershkovitz, Senior Security Analyst, Imperva

Page 2: PHP  SuperGlobals : Supersized Trouble

Shelly Hershkovitz

• Senior Security Analyst at Imperva
• Leads the efforts to capture and analyze hacking activities
• Responsible for a number of Imperva’s HII reports
• Experienced in machine learning and computer vision
• Holds a BA in Computer Science and an M.Sc. degree in Bio-Medical Engineering

Page 3: PHP  SuperGlobals : Supersized Trouble

How it all began…

• CVE-2011-2505
• Honeypots

Page 4: PHP  SuperGlobals : Supersized Trouble

Agenda

• Introduction
  • Relevant PHP background
• An Anatomy of a Modern Web Exploit
  • Abusing SuperGlobals
  • Demo
• Additional PHP SuperGlobal Attacks
  • In the wild
• Summary & Conclusions
• Q&A

Page 5: PHP  SuperGlobals : Supersized Trouble


Introduction

Relevant PHP background

Page 6: PHP  SuperGlobals : Supersized Trouble

Breadth and Depth of PHP – I

• The most popular server-side programming language in the world
• And goes from strength to strength

Page 7: PHP  SuperGlobals : Supersized Trouble

Breadth and Depth of PHP – II

• The most popular web applications are powered by PHP

http://www.alexa.com/topsites

Page 8: PHP  SuperGlobals : Supersized Trouble

Outline – PHP Background

• SuperGlobals
• Serialization
• Session Management

Page 9: PHP  SuperGlobals : Supersized Trouble

PHP SuperGlobals

• “Local” versus “global” scopes
• Global variables
  • Cross-function communication
  • *ANY* function may change them
• SuperGlobals:
  • Predefined array variables
  • Available in all scopes
  • SuperGlobals: cookies, sessions, environment, etc.

Page 10: PHP  SuperGlobals : Supersized Trouble

PHP SuperGlobal list

Variable – Definition
1. GLOBALS – References all variables available in global scope
2. _SERVER – Server and execution environment information
3. _GET – HTTP GET variables
4. _POST – HTTP POST variables
5. _FILES – HTTP file upload variables
6. _COOKIE – HTTP cookies
7. _SESSION – Session variables
8. _REQUEST – HTTP request variables
9. _ENV – Environment variables

Page 11: PHP  SuperGlobals : Supersized Trouble

External Variable Modification

MITRE Common Weakness Enumeration, CWE-473: “A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies”.

SuperGlobals are a natural target:
• Exist in every PHP application
• Provide access to the server’s core functionality

Page 12: PHP  SuperGlobals : Supersized Trouble

Serialization

• The process of saving data stored in memory to file is called “serialization”
• The process of loading data stored in file to memory is called “deserialization”

http://www.studytonight.com/java/images/Serialization-deserialization.JPG

__sleep() / __wakeup(): PHP’s magic methods, invoked by serialize() and unserialize() respectively

Page 13: PHP  SuperGlobals : Supersized Trouble

PHP Session Management

New user:
• A unique identifier is generated for the session.
• A cookie called PHPSESSID is sent to the user with this identifier.
• A file is created on the server, for example: sess_1q8jkgkoetd3dprcb3n7mpmc4o26eili.

Returning user: session data is resumed from that file, which PHP locates by the identifier in the cookie.
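To make the session mechanics concrete, the following added example (written for this page, not code from the slides or from PHP’s own sources) starts a session from the command line, derives the name of the file PHP’s default files handler will write, and prints the serialized content of that file in the name|value; format the slides show. The save directory, the username value and the session settings are constructed for the demo; the only defender-relevant settings it touches are session.save_path (the predictable default path) and session.use_strict_mode (rejects identifiers the server never issued).

```php
<?php
// Added example (not from the slides): where PHP's default file session handler
// writes session data, what the file contains, and the two knobs a defender
// controls: the save path and strict session-id handling.

declare(strict_types=1);

// Constructed: keep the demo's session files in a private directory so the
// script runs offline without touching the system-wide save path.
$savePath = sys_get_temp_dir() . '/superglobals-demo-sessions';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
ini_set('session.save_path', $savePath);
ini_set('session.serialize_handler', 'php');   // produces the "name|value;" format seen on the slides
ini_set('session.use_strict_mode', '1');       // reject session IDs the server never issued

session_start();
$_SESSION['username'] = 'bad_stuff';           // constructed value, mirrors the slide's example

// Capture the identifier while the session is still active.
$sessionId = session_id();

// The default files handler names the file "sess_" + session id inside save_path.
$sessionFile = rtrim(session_save_path(), '/') . '/sess_' . $sessionId;

// session_encode() returns exactly what will be written to that file.
$encoded = session_encode();
session_write_close();                          // persists $_SESSION to the file

echo "session id   : ", $sessionId, PHP_EOL;
echo "session file : ", $sessionFile, PHP_EOL;
echo "file exists  : ", var_export(file_exists($sessionFile), true), PHP_EOL;
echo "encoded data : ", $encoded, PHP_EOL;     // username|s:9:"bad_stuff";
echo "file content : ", file_get_contents($sessionFile), PHP_EOL;

// Remove the constructed session so the demo leaves nothing behind.
unlink($sessionFile);
```

Run it with `php session-demo.php`. The file name is fully determined by the prefix and the identifier in the user’s own cookie, which is the predictability the later “Guessing Session Filename” slides rely on; a non-default save_path, a database or in-memory session handler, and strict mode each remove one piece of that predictability.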

Page 14: PHP  SuperGlobals : Supersized Trouble

An Anatomy of a Modern Web Exploit

Exploiting SuperGlobals

Page 15: PHP  SuperGlobals : Supersized Trouble

Outline

• PHPMyAdmin
• CVE-2011-2505
• CVE-2010-3065
• Attack Flow
• Demo
• Attacks in the wild

Page 16: PHP  SuperGlobals : Supersized Trouble

PHPMyAdmin (PMA)

• The most popular MySQL administration tool for PHP
• Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations

Page 17: PHP  SuperGlobals : Supersized Trouble

Outline – PHP Background

• SuperGlobals
• Session Management
• Serialization

Vulnerabilities covered: CVE-2011-2505, CVE-2010-3065

Page 18: PHP  SuperGlobals : Supersized Trouble

CVE-2011-2505: PhpMyAdmin Vulnerability

• Parses a given query string into the local scope
• _SESSION variables are saved in the session’s file on the server

http://www.super.com/somePage?_SESSION[username]=bad_stuff

username|s:9:"bad_stuff";

Page 19: PHP  SuperGlobals : Supersized Trouble

CVE-2011-2505: PhpMyAdmin Vulnerability

• PhpMyAdmin’s “unset session” functionality
• parse_str(): parses the given query string and stores the variables in the current scope
• session_write_close(): makes session data persistent throughout the entire user’s session
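The following added example is not phpMyAdmin’s code; it is a constructed illustration of the parse_str() pattern the slides describe beside the hardened way to consume a query string. Calling parse_str() with a single argument wrote every query-string key into the caller’s scope on PHP versions before 7.2 (the form was deprecated in 7.2 and removed in PHP 8), so that legacy line is shown only as a comment and the runnable code uses the two-argument form, copies just the allow-listed keys, and reports any top-level key that names a SuperGlobal. The query string, the session contents and the parameter name session_to_unset are constructed for the demo.

```php
<?php
// Added example, not phpMyAdmin's code: contrasts parse_str() writing into the
// caller's scope (the pattern behind CVE-2011-2505) with parsing into a private
// array and copying only allow-listed keys. Query string and keys are constructed.

declare(strict_types=1);

// Constructed request: the attacker-controlled query string from the slide,
// plus the parameter the legitimate feature actually expects.
$queryString = 'session_to_unset=123&_SESSION[username]=bad_stuff';

// Stand-in for a live session; in a web request this is the real superglobal.
$_SESSION = ['username' => 'alice', 'role' => 'reader'];

/*
 * Legacy pattern (PHP < 7.2; deprecated in 7.2, removed in PHP 8):
 *
 *     parse_str($_SERVER['QUERY_STRING']);
 *
 * With one argument parse_str() registers every key of the query string as a
 * variable in the current scope, so "_SESSION[username]=bad_stuff" overwrites
 * $_SESSION['username']. Once session_write_close() runs, that value is
 * persisted to the sess_* file on the server.
 */

/**
 * Hardened form: parse into a private array and copy only expected keys.
 * No superglobal is written to, whatever the query string contains.
 *
 * @param string   $queryString raw query string from the request
 * @param string[] $allowed     parameter names this endpoint accepts
 * @return array<string,string> the accepted parameters
 */
function readQueryParams(string $queryString, array $allowed): array
{
    parse_str($queryString, $parsed);            // $parsed is a local array, not the symbol table
    $accepted = [];
    foreach ($allowed as $name) {
        if (isset($parsed[$name]) && is_string($parsed[$name])) {
            $accepted[$name] = $parsed[$name];
        }
    }
    return $accepted;
}

/**
 * Entry-point check: does the parsed input address a SuperGlobal by name?
 * Returns the offending top-level keys so the request can be rejected or logged.
 *
 * @param array<string,mixed> $parsed output of parse_str()
 * @return string[]
 */
function superglobalKeys(array $parsed): array
{
    $superglobals = ['GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
                     '_COOKIE', '_SESSION', '_REQUEST', '_ENV'];
    return array_values(array_intersect(array_keys($parsed), $superglobals));
}

$params = readQueryParams($queryString, ['session_to_unset']);
parse_str($queryString, $raw);

echo "accepted params : ", json_encode($params), PHP_EOL;                 // {"session_to_unset":"123"}
echo "superglobal keys: ", json_encode(superglobalKeys($raw)), PHP_EOL;   // ["_SESSION"]
echo "session username: ", $_SESSION['username'], PHP_EOL;                // alice (unchanged)
```

The same idea applies to extract() and to any code that copies request arrays into the symbol table: read into a local array, take only named keys, and treat a top-level key that spells a SuperGlobal as a signal worth logging rather than data to be processed.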

Page 20: PHP  SuperGlobals : Supersized Trouble

CVE-2011-2505: Exploit

An attacker can now:
• Craft a malicious query string with the _SESSION SuperGlobal
• The injected _SESSION value overrides the session’s original values
• New values are saved to a local file

Page 21: PHP  SuperGlobals : Supersized Trouble

CVE-2010-3065: PHP Vulnerability & Exploit

• Discovered by Stefan Esser – late 2010
• Attacker can write data to the _SESSION in *ANY* format, if the session variable name starts with ‘!’

Page 22: PHP  SuperGlobals : Supersized Trouble

Serialization

• The process of saving data stored in memory to file is called “serialization”
• The process of loading data stored in file to memory is called “deserialization”

http://www.studytonight.com/java/images/Serialization-deserialization.JPG

__sleep() / __wakeup()

Page 23: PHP  SuperGlobals : Supersized Trouble

PMA Session deserialization: Vulnerability

• On session deserialization, the load() function is called
• Eval is evil!
  • Can be used to execute unexpected code

Page 24: PHP  SuperGlobals : Supersized Trouble

Attack Flow

1. An attacker sends the 1st request to receive a cookie.
2. An attacker sends the 2nd request; _SESSION holds:
   1. Malicious code
   2. A PMA_Config serialized object with source=session file path
   PHP saves the session’s information to a local file.
3. An attacker sends the 3rd request. PHP deserializes PMA_Config, which calls __wakeup(), which calls load(), which calls eval(source=session file).
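The chain above (unserialize → __wakeup() → load() → eval) is what makes a serialized object in attacker-writable data dangerous. The following added example is neither phpMyAdmin’s nor PHP’s own code: it defines a constructed DemoConfig class whose __wakeup() acts on a property taken from the serialized bytes (it only records the path instead of evaluating anything), and then shows the difference between a plain unserialize() call and one that passes the allowed_classes option (available since PHP 7.0), which turns the object into __PHP_Incomplete_Class so no __wakeup() ever runs. The class name, the session file path and the payload string are constructed.

```php
<?php
// Added example, not phpMyAdmin's or PHP's own code: why a __wakeup() that acts
// on attacker-controlled properties is dangerous, and how unserialize()'s
// allowed_classes option (PHP 7.0+) stops the object from being created at all.

declare(strict_types=1);

// Constructed stand-in for a config class whose __wakeup() loads a file.
// A real gadget would eval() the loaded text; this one only records what it
// was asked to load so the demo stays harmless.
final class DemoConfig
{
    public string $source = '/etc/demo/config.inc.php';
    public static array $loadLog = [];

    public function __wakeup(): void
    {
        // unserialize() calls this automatically; $this->source came from the
        // serialized bytes, i.e. from whoever wrote the session file.
        $this->load();
    }

    private function load(): void
    {
        self::$loadLog[] = $this->source;
    }
}

// Constructed serialized object pointing "source" at a session file path,
// the shape of payload the attack flow describes.
$payload = 'O:10:"DemoConfig":1:{s:6:"source";s:25:"/var/lib/php5/sess_DEMOID";}';

// Unsafe: any class named in the serialized text is instantiated and its
// __wakeup() runs with attacker-chosen properties.
DemoConfig::$loadLog = [];
$obj = unserialize($payload);
$unsafeLoaded = DemoConfig::$loadLog;           // ["/var/lib/php5/sess_DEMOID"]

// Safe for data that is not supposed to carry objects: with
// allowed_classes => false the object becomes __PHP_Incomplete_Class and no
// __wakeup() is executed. An explicit list of class names is the other option.
DemoConfig::$loadLog = [];
$data = unserialize($payload, ['allowed_classes' => false]);
$safeLoaded = DemoConfig::$loadLog;             // []

echo "unsafe: class=", get_class($obj), " loaded=", json_encode($unsafeLoaded), PHP_EOL;
echo "safe  : class=", get_class($data), " loaded=", json_encode($safeLoaded), PHP_EOL;
```

For session storage itself the option is not available (PHP’s session serializer decides which classes to instantiate), so the defences that remain are keeping the session file out of the attacker’s reach (see the session example above) and making sure no class on the autoload path does anything consequential in __wakeup() or __destruct().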

Page 25: PHP  SuperGlobals : Supersized Trouble

The Exploit Code on the Web

Page 26: PHP  SuperGlobals : Supersized Trouble

Attack Flow

1. An attacker sends the 1st request to receive a cookie.
2. An attacker sends the 2nd request; _SESSION holds:
   1. Malicious code
   2. A PMA_Config serialized object with source=session file path
   PHP saves the session’s information to a local file.
3. An attacker sends the 3rd request. PHP unserializes PMA_Config, which calls __wakeup(), which calls load(), which calls eval(source=session file).

Page 27: PHP  SuperGlobals : Supersized Trouble

Guessing Session Filename

• Luckily for the attacker, the location of the session file is predictable
• The session file name consists of:
  • The “sess_” prefix
  • The session identifier – known to the user/attacker
• The file’s path is predictable
  • Default values

Page 28: PHP  SuperGlobals : Supersized Trouble

Guessing Session Filename: in the wild

Multiple guesses for the path of the same session file (“sess_19qq…”)

Page 29: PHP  SuperGlobals : Supersized Trouble

The Final Exploit

Now the attackers can, *FINALLY*, get their code evaluated:

/phpMyAdmin/index.php?session_to_unset=123&token=86498ff0a666f808df76ffaabee9b7a3&_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}&_SESSION[payload]=<?php phpinfo(); ?>

Page 30: PHP  SuperGlobals : Supersized Trouble

Demo

Page 31: PHP  SuperGlobals : Supersized Trouble

PMA SuperGlobal Attacks in the wild

• The attack source is a hacked server
• Attacks (at least) two other servers
• Attacks persist over half a year

Page 32: PHP  SuperGlobals : Supersized Trouble

A Modern Exploit Summary: Research

• Sophisticated research
• Combines multiple vulnerabilities and issues in multiple domains
  • PHPMyAdmin (PMA)
  • PHP internals

Page 33: PHP  SuperGlobals : Supersized Trouble

A Modern Exploit Summary: Development

• Exploit packed in a single, “click once” PHP script
• Automates the different attack stages
• Can be launched from infected servers to infect others

Page 34: PHP  SuperGlobals : Supersized Trouble

PHP SuperGlobal Attacks

In the wild

Page 35: PHP  SuperGlobals : Supersized Trouble

SuperGlobal Attacks Targets

• RFI (Remote File Inclusion): trying to overwrite “_SERVER[DOCUMENT_ROOT]” to point to an external resource

Page 36: PHP  SuperGlobals : Supersized Trouble

SuperGlobal Attacks Targets

• Part of general scanning against the site – Nikto, Acunetix, Nessus
• Intrusion Detection System filter evasion: an alternative way to represent HTTP query parameters
  • The “_REQUEST[Itemid]=1” request parameter is equivalent to “Itemid=1”
  • However, it evades a naïve IDS signature that blacklists “Itemid=1”
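The evasion on this slide, the RFI attempt on the previous one and the closing advice to block SuperGlobal parameters all come down to one detection step: look at the parameter name before it is decoded into PHP arrays. The following added example, written for this page and not taken from any IDS or WAF product, runs that step over a handful of constructed access-log lines. It canonicalises a wrapped name such as _REQUEST[Itemid] to the plain Itemid so a naive signature still fires, flags every request that addresses a SuperGlobal by name, and tallies which SuperGlobal each request targeted (the kind of breakdown shown later in the deck). The log format, client addresses, signature list and URLs are constructed.

```php
<?php
// Added example, not from the slides or any IDS product: canonicalise
// SuperGlobal-wrapped query parameters before signature matching and flag
// requests that name a SuperGlobal. Log lines, signature and layout are constructed.

declare(strict_types=1);

const SUPERGLOBALS = ['GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
                      '_COOKIE', '_SESSION', '_REQUEST', '_ENV'];

// Constructed signature list: the naive blacklist the slide talks about.
const SIGNATURES = ['Itemid=1'];

/**
 * Split a raw query string into [name, value] pairs without decoding into
 * PHP arrays, so "_REQUEST[Itemid]" stays visible as a single name.
 *
 * @return array<int, array{0:string,1:string}>
 */
function queryPairs(string $query): array
{
    $pairs = [];
    foreach (explode('&', $query) as $part) {
        if ($part === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $part, 2), 2, '');
        $pairs[] = [urldecode($name), urldecode($value)];
    }
    return $pairs;
}

/**
 * If $name has the form SUPERGLOBAL[inner], return [SUPERGLOBAL, inner];
 * otherwise [null, $name]. Quoted keys such as _REQUEST['Itemid'] are accepted.
 *
 * @return array{0:?string,1:string}
 */
function unwrapSuperglobal(string $name): array
{
    if (preg_match('/^(GLOBALS|_[A-Z]+)\[[\'"]?([^\]\'"]+)[\'"]?\]/', $name, $m)
        && in_array($m[1], SUPERGLOBALS, true)) {
        return [$m[1], $m[2]];
    }
    return [null, $name];
}

/**
 * Analyse one query string: canonical pairs, signature hits found after
 * canonicalisation, and the SuperGlobals addressed by name.
 *
 * @return array{canonical: string[], hits: string[], superglobals: string[]}
 */
function analyseQuery(string $query): array
{
    $canonical = [];
    $targeted  = [];
    foreach (queryPairs($query) as [$name, $value]) {
        [$sg, $inner] = unwrapSuperglobal($name);
        if ($sg !== null) {
            $targeted[] = $sg;
        }
        $canonical[] = $inner . '=' . $value;
    }
    $hits = [];
    foreach (SIGNATURES as $sig) {
        foreach ($canonical as $pair) {
            if (strpos($pair, $sig) === 0) {   // signature matches the start of a canonical pair
                $hits[] = $sig;
                break;
            }
        }
    }
    return ['canonical' => $canonical, 'hits' => $hits,
            'superglobals' => array_values(array_unique($targeted))];
}

// Constructed access-log excerpts: "<client> <path?query>" per line.
$logLines = [
    '198.51.100.7 /index.php?Itemid=1',
    '198.51.100.7 /index.php?_REQUEST[Itemid]=1',
    '203.0.113.9 /phpMyAdmin/index.php?_SESSION[payload]=x',
    '203.0.113.9 /index.php?_SERVER[DOCUMENT_ROOT]=http%3A%2F%2Fexample.test%2F',
    '192.0.2.33 /index.php?page=about',
];

$tally = [];
foreach ($logLines as $line) {
    [$client, $target] = explode(' ', $line, 2);
    $query  = (string) parse_url($target, PHP_URL_QUERY);
    $result = analyseQuery($query);
    foreach ($result['superglobals'] as $sg) {
        $tally[$sg] = ($tally[$sg] ?? 0) + 1;
    }
    printf("%-14s hits=%-12s superglobals=%s\n", $client,
        json_encode($result['hits']), json_encode($result['superglobals']));
}
echo 'targeted SuperGlobals: ', json_encode($tally), PHP_EOL;
```

Both the plain and the wrapped Itemid request produce a hit once the name is unwrapped, and the last line of output counts one request each against _REQUEST, _SESSION and _SERVER. In a real deployment the same unwrapping belongs at the WAF or at the application’s entry point, where a SuperGlobal-shaped name is reason enough to reject the request, regardless of whether any signature matches.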

Page 37: PHP  SuperGlobals : Supersized Trouble

SuperGlobal Attacks Targets

During May 2013:
• 3.5K requests that manipulated PHP SuperGlobal variables
• 27 different attack sources
• 24 web applications as targets

Page 38: PHP  SuperGlobals : Supersized Trouble

Targeted SuperGlobal

• Some SuperGlobals are more targeted than others
• The more targeted SuperGlobals provide access to more sensitive resources

Targeted SuperGlobal (chart):
GLOBALS: 55%
ENV: 14%
SERVER: 14%
SESSION: 13%
REQUEST: 4%

Page 39: PHP  SuperGlobals : Supersized Trouble

Summary & Conclusions

Page 40: PHP  SuperGlobals : Supersized Trouble

Third-Party Code Perils

PHPMyAdmin:
• Popular utility installation
• Often bundled with other applications

Even if PMA is not used, the server is exposed to code execution attacks!!

• Administrators might not be aware of all bundled software
• An “opt out” security model is needed
• An optional solution is a Web Application Firewall (WAF) with constant updates of security content

Page 41: PHP  SuperGlobals : Supersized Trouble

Conclusions

• Establish a positive security model
• Use layered security mechanisms
• Beware of third-party code perils
• Block SuperGlobal parameters in requests

Page 42: PHP  SuperGlobals : Supersized Trouble

More information in HII: http://www.imperva.com/resources/hacker_intelligence.asp

Q&A