Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/15/2018
10:45 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New PHP Exploit Chain Highlights Dangers of Deserialization

PHP unserialization can be triggered by other vulnerabilities previously considered low-risk.

PHP unserialization attacks have been well known for some time, but a new exploitation method explained last week at Black Hat USA in Las Vegas demonstrated that the attack surface for PHP unserialization is broader than originally thought.  

"What I presented was basically a new way to start an unserialization attack," says Sam Thomas, director of research at Secarma Ltd. "In PHP, there's specific command called 'unserialize,' which starts unserialization, but actually it turns out that because of other stuff that goes into the core of PHP, there's another other way to trigger it."

Also known as deserialization, the process of unserialization happens when an application like PHP takes an object that's been encoded into a format that can be stored and transported easily — also known as being serialized — and converts it back into a "live" object.

When an application unserializes an object that's been maliciously created or manipulated, bad things can happen. In many instances this scenario opens up the application to remote code execution (RCE). It's a danger that is growing in prominence: last year, OWASP added insecure deserialization to its recently updated Top 10 list, and last year's massive Equifax breach was reportedly initiated through deserialization.

For his part, Thomas demonstrated that it is possible to take advantage of the way that PHP handles self-extracting files in what's called a Phar archive. These Phar archives can contain serialized metadata and any time any file operation accesses a Phar archive that metadata is unserialized.

So, if an attacker can get any Phar archive into the target's local file system with malformed metadata and trigger any operation to access that file - even to simply look up whether the file exists - then they can start an unserialization attack.

As a result, Thomas explained that a whole range of path-handling vulnerabilities that previously might have been considered low-risk information disclosure or server-side request forgery (SSRF) vulnerabilities can now be used at the speartip of an unserialization attack chain — often refered to as a gadget chain — to ultimately get to the attacker to RCE. 

What Devs Can Do

He demonstrated last week several vulnerability and exploit examples on well-known PHP libraries and an as-yet unfixed issue in how WordPress handles thumbnail files that exemplify how this method of unserialization plays out in the real world. 

"I've highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk," he explains. "Issues which they might have thought were fixed with a configuration change or had been considered quite minor previously, might need to be reevaluated in the light of the attacks I demonstrated."

In a paper detailing his findings, Thomas recommends that developers avoid design patterns that can result in easily abused unserialization gadgets, and that IDS and IPS systems start instituting signatures that detect malicious Phar archives.

"The research continues a recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages," he wrote. "We must constantly be aware of the security impact of such mechanisms being exposed to attacker-controlled data."

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12420
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-16774
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2018-11805
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...