php new exploit techniques—phar://-bug warning-the black bar safety net

2018-08-20T00:00:00
ID MYHACK58:62201891218
Type myhack58
Reporter 佚名
Modified 2018-08-20T00:00:00

Description

Last week, in the United States the BlackHat conference to announce a for the PHP application to the new exploit. You can be in this article to understand it.

Summary From Secarma security researcher Sam Thomas discovered a new exploit way, you can not use the php function unserialize()is the premise, causing serious php object injection vulnerability. This new attack is his publication in the United States BlackHat conference speech, the speech topic is:”not known php deserialization loophole.” It can make an attacker be related to the severity of the bugs upgrade for remote code execution. We at RIPS code analysis engine has been added for this new type of attack detection.

Flow packaging Most of the PHP-file operation allows the use of various URL Protocol to access the path to the file: e.g. data://and zlib://or php://in. Some of which are usually for the use of remote file include vulnerability an attacker can use them to control file contains the full path. For example, for the web site source code is read or is used for code execution: include('php://filter/convert.base64-encode/resource=index.php'); include('data://text/plain;base64,cGhwaW5mbygpCg==');

Phar metadata But so far, no one is paying attention phar://in. Phar(PHP Archive file of interesting in that it contains a serialized format of the metadata. Let's create a Phar file, and add a contains some data objects as metadata: // create new Phar $phar = new Phar('test. phar'); $phar->startBuffering(); $phar->addFromString('test.txt', 'text'); $phar->setStub("); // add object of any class as meta data class AnyClass {} $object = new AnyClass; $object->data = 'rips'; $phar->setMetadata($object); $phar->stopBuffering(); Our newly created test. phar file now has the following content. We can see our object is stored as a serialized string. !

PHP object injection If now by phar://our existing Phar file to file operation, then the serialization of the metadata will be deserialized. This means that we in the metadata of the injected object will be loaded into the application. If this application has been named the class AnyClass, and has magic function__destruct()or__wakeup (), it will automatically call these methods. This means that we can in the code repository trigger any destructor or Wake-Up method. Worse, if the magic function we inject the data to operate, then this may lead to further vulnerabilities: class AnyClass { function __destruct() { echo $this->data; } } // output: rips include('phar://test. phar');

Exploit First, the attacker must be able to targetthe Web serveron the implant elaborate Phar file. And Sam Thomas found some information on how the Phar file hidden to JPG of good tips, so the common image upload functionality is sufficient. So far, an attacker who can control such as include (), fopen () and file_get_contents (), file()and other file operations function, can cause a serious vulnerability. Therefore, usually required in these functions prior to use to verify the user's input. However, the phar://in any file operation will trigger deserialization. For example, use file_exists()to simply check for file existence. These functions have always been considered unlikely to cause security issues, so has been protected well enough.

The use of RIPS for automatic detection Through the RIPS of the taint analysis, we can in the PHP file operation automatic detection of user input without filtering or verification of the information. Thus, we can detect the file deletion, disclosure, write, create, contains, and so on vulnerability. ! In addition, RIPS of context-sensitive string analysis enables us to accurately assess the file path is completely or only partially can be attacker-controlled, and whether it can be injected into the phar://in. Finally, the RIPS to be able to scan could lead to an object injection vulnerability, the shorter the attack chain. We at RIPS code analyzer adds a named Phar Deserialization of new vulnerability types, to detect this new type of code risk.

Reference links 1. https://github. com/s-n-t/presentations/blob/master/us-18-Thomas-It’s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It. pdf 2.http://php.net/manual/wrappers.php 3.http://php.net/manual/phar.fileformat.manifestfile.php