PHP unserialization attacks have been well known for some time, but a new exploitation method explained last week at Black Hat USA in Las Vegas demonstrated that the attack surface for PHP unserialization is broader than originally thought.
"What I presented was basically a new way to start an unserialization attack," says Sam Thomas, director of research at Secarma Ltd. "In PHP, there's specific command called 'unserialize,' which starts unserialization, but actually it turns out that because of other stuff that goes into the core of PHP, there's another other way to trigger it."
Also known as deserialization, the process of unserialization happens when an application like PHP takes an object that's been encoded into a format that can be stored and transported easily — also known as being serialized — and converts it back into a "live" object.
When an application unserializes an object that's been maliciously created or manipulated, bad things can happen. In many instances this scenario opens up the application to remote code execution (RCE). It's a danger that is growing in prominence: last year, OWASP added insecure deserialization to its recently updated Top 10 list, and last year's massive Equifax breach was reportedly initiated through deserialization.
For his part, Thomas demonstrated that it is possible to take advantage of the way that PHP handles self-extracting files in what's called a Phar archive. These Phar archives can contain serialized metadata and any time any file operation accesses a Phar archive that metadata is unserialized.
So, if an attacker can get any Phar archive into the target's local file system with malformed metadata and trigger any operation to access that file - even to simply look up whether the file exists - then they can start an unserialization attack.
As a result, Thomas explained that a whole range of path-handling vulnerabilities that previously might have been considered low-risk information disclosure or server-side request forgery (SSRF) vulnerabilities can now be used at the speartip of an unserialization attack chain — often refered to as a gadget chain — to ultimately get to the attacker to RCE.
What Devs Can Do
He demonstrated last week several vulnerability and exploit examples on well-known PHP libraries and an as-yet unfixed issue in how WordPress handles thumbnail files that exemplify how this method of unserialization plays out in the real world.
"I've highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk," he explains. "Issues which they might have thought were fixed with a configuration change or had been considered quite minor previously, might need to be reevaluated in the light of the attacks I demonstrated."
In a paper detailing his findings, Thomas recommends that developers avoid design patterns that can result in easily abused unserialization gadgets, and that IDS and IPS systems start instituting signatures that detect malicious Phar archives.
"The research continues a recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages," he wrote. "We must constantly be aware of the security impact of such mechanisms being exposed to attacker-controlled data."
- Secure Code: You Are the Solution to Open Source’s Biggest Problem
- DevSecOps Gains Enterprise Traction
- Automating Kernel Exploitation for Better Flaw Remediation
- 6 Eye-Raising Third-Party Breaches
Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info.