Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/15/2018
10:45 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New PHP Exploit Chain Highlights Dangers of Deserialization

PHP unserialization can be triggered by other vulnerabilities previously considered low-risk.

PHP unserialization attacks have been well known for some time, but a new exploitation method explained last week at Black Hat USA in Las Vegas demonstrated that the attack surface for PHP unserialization is broader than originally thought.  

"What I presented was basically a new way to start an unserialization attack," says Sam Thomas, director of research at Secarma Ltd. "In PHP, there's specific command called 'unserialize,' which starts unserialization, but actually it turns out that because of other stuff that goes into the core of PHP, there's another other way to trigger it."

Also known as deserialization, the process of unserialization happens when an application like PHP takes an object that's been encoded into a format that can be stored and transported easily — also known as being serialized — and converts it back into a "live" object.

When an application unserializes an object that's been maliciously created or manipulated, bad things can happen. In many instances this scenario opens up the application to remote code execution (RCE). It's a danger that is growing in prominence: last year, OWASP added insecure deserialization to its recently updated Top 10 list, and last year's massive Equifax breach was reportedly initiated through deserialization.

For his part, Thomas demonstrated that it is possible to take advantage of the way that PHP handles self-extracting files in what's called a Phar archive. These Phar archives can contain serialized metadata and any time any file operation accesses a Phar archive that metadata is unserialized.

So, if an attacker can get any Phar archive into the target's local file system with malformed metadata and trigger any operation to access that file - even to simply look up whether the file exists - then they can start an unserialization attack.

As a result, Thomas explained that a whole range of path-handling vulnerabilities that previously might have been considered low-risk information disclosure or server-side request forgery (SSRF) vulnerabilities can now be used at the speartip of an unserialization attack chain — often refered to as a gadget chain — to ultimately get to the attacker to RCE. 

What Devs Can Do

He demonstrated last week several vulnerability and exploit examples on well-known PHP libraries and an as-yet unfixed issue in how WordPress handles thumbnail files that exemplify how this method of unserialization plays out in the real world. 

"I've highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk," he explains. "Issues which they might have thought were fixed with a configuration change or had been considered quite minor previously, might need to be reevaluated in the light of the attacks I demonstrated."

In a paper detailing his findings, Thomas recommends that developers avoid design patterns that can result in easily abused unserialization gadgets, and that IDS and IPS systems start instituting signatures that detect malicious Phar archives.

"The research continues a recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages," he wrote. "We must constantly be aware of the security impact of such mechanisms being exposed to attacker-controlled data."

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
7 Ways VPNs Can Turn from Ally to Threat
Curtis Franklin Jr., Senior Editor at Dark Reading,  9/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16703
PUBLISHED: 2019-09-23
admin/infolist_add.php in PHPMyWind 5.6 has stored XSS.
CVE-2019-16704
PUBLISHED: 2019-09-23
admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS.
CVE-2019-16702
PUBLISHED: 2019-09-23
Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary code via a buffer overflow involving a long NoJs parameter to the /LoginAdmin URI.
CVE-2019-16695
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.
CVE-2019-16696
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.