Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/15/2018
10:45 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New PHP Exploit Chain Highlights Dangers of Deserialization

PHP unserialization can be triggered by other vulnerabilities previously considered low-risk.

PHP unserialization attacks have been well known for some time, but a new exploitation method explained last week at Black Hat USA in Las Vegas demonstrated that the attack surface for PHP unserialization is broader than originally thought.  

"What I presented was basically a new way to start an unserialization attack," says Sam Thomas, director of research at Secarma Ltd. "In PHP, there's specific command called 'unserialize,' which starts unserialization, but actually it turns out that because of other stuff that goes into the core of PHP, there's another other way to trigger it."

Also known as deserialization, the process of unserialization happens when an application like PHP takes an object that's been encoded into a format that can be stored and transported easily — also known as being serialized — and converts it back into a "live" object.

When an application unserializes an object that's been maliciously created or manipulated, bad things can happen. In many instances this scenario opens up the application to remote code execution (RCE). It's a danger that is growing in prominence: last year, OWASP added insecure deserialization to its recently updated Top 10 list, and last year's massive Equifax breach was reportedly initiated through deserialization.

For his part, Thomas demonstrated that it is possible to take advantage of the way that PHP handles self-extracting files in what's called a Phar archive. These Phar archives can contain serialized metadata and any time any file operation accesses a Phar archive that metadata is unserialized.

So, if an attacker can get any Phar archive into the target's local file system with malformed metadata and trigger any operation to access that file - even to simply look up whether the file exists - then they can start an unserialization attack.

As a result, Thomas explained that a whole range of path-handling vulnerabilities that previously might have been considered low-risk information disclosure or server-side request forgery (SSRF) vulnerabilities can now be used at the speartip of an unserialization attack chain — often refered to as a gadget chain — to ultimately get to the attacker to RCE. 

What Devs Can Do

He demonstrated last week several vulnerability and exploit examples on well-known PHP libraries and an as-yet unfixed issue in how WordPress handles thumbnail files that exemplify how this method of unserialization plays out in the real world. 

"I've highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk," he explains. "Issues which they might have thought were fixed with a configuration change or had been considered quite minor previously, might need to be reevaluated in the light of the attacks I demonstrated."

In a paper detailing his findings, Thomas recommends that developers avoid design patterns that can result in easily abused unserialization gadgets, and that IDS and IPS systems start instituting signatures that detect malicious Phar archives.

"The research continues a recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages," he wrote. "We must constantly be aware of the security impact of such mechanisms being exposed to attacker-controlled data."

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15815
PUBLISHED: 2019-11-12
ZyXEL P-1302-T10D v3 devices with firmware version 2.00(ABBX.3) and earlier do not properly enforce access control and could allow an unauthorized user to access certain pages that require admin privileges.
CVE-2019-17360
PUBLISHED: 2019-11-12
A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.7.0-00 allows an unauthenticated remote user to trigger a denial of service (DoS) condition because of Uncontrolled Resource Consumption.
CVE-2018-21026
PUBLISHED: 2019-11-12
A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.6.5-00 allows an unauthenticated remote user to read internal information.
CVE-2012-1572
PUBLISHED: 2019-11-12
OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space
CVE-2019-17234
PUBLISHED: 2019-11-12
includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows unauthenticated arbitrary file deletion.