PHP SuperGlobals: Supersized Trouble


Transcript of PHP SuperGlobals: Supersized Trouble

Page 1: PHP SuperGlobals: Supersized Trouble

© 2013 Imperva, Inc. All rights reserved.


Confidential 1

Tal Be’ery, Web Security Research Team Leader

Page 2: Agenda

§ Introduction
  • Relevant PHP background
§ An anatomy of a modern web exploit
  • Abusing SuperGlobals
§ Additional PHP SuperGlobal attacks
  • In the wild
§ Summary & conclusions
§ Q&A

Page 3: HII Reports

§ The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
  • A different approach from vulnerability research
§ Data set composition
  • ~60 real-world applications
  • Anonymous proxies
§ More than 24 months of data
§ Powerful analysis system
  • Combines analytic tools with drill-down capabilities

Page 4: Tal Be’ery, Web Research Team Leader

§ Web Security Research Team Leader at Imperva
§ Holds MSc & BSc degrees in CS/EE from TAU
§ 10+ years of experience in the IS domain
§ Facebook “white hat”
§ Speaker at RSA, BlackHat, AusCERT
§ Columnist for securityweek.com
§ CISSP

Page 5: Introduction

Relevant PHP Background

Page 6: Breadth and Depth of PHP - I

§ The most popular server-side programming language in the world
§ And goes from strength to strength

Page 7: Breadth and Depth of PHP – II

§ The most popular web applications are powered by PHP

Source: http://www.alexa.com/topsites

Page 8: PHP SuperGlobals

§ Most programming languages support different scopes for variables, primarily the “local” and the “global” scope.
§ Global variables
  • Provide a simple channel for cross-function communication
  • More risky, as *ANY* function may change them
§ PHP has several predefined variables that are called SuperGlobals.
§ SuperGlobals provide access to the server’s core functionality – cookies, sessions, environment, etc.
§ SuperGlobal variables are available to the PHP script in all scopes, with no need for explicit declaration.

Page 9: PHP SuperGlobal List

    Variable   Definition
1   GLOBALS    References all variables available in global scope
2   _SERVER    Server and execution environment information
3   _GET       HTTP GET variables
4   _POST      HTTP POST variables
5   _FILES     HTTP file upload variables
6   _COOKIE    HTTP cookies
7   _SESSION   Session variables
8   _REQUEST   HTTP request variables
9   _ENV       Environment variables

Page 10: External Variable Modification: A PHP Specific Weakness

§ MITRE has assigned a specific CWE (Common Weakness Enumeration) code to the External Variable Modification weakness: CWE-473
§ “A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies.”
§ SuperGlobals are a natural target:
  • Exist in every PHP application
  • Provide access to the server’s core functionality

Page 11: Anatomy of a Modern Web Exploit

Exploiting SuperGlobals

Page 12: PHPMyAdmin (PMA)

§ The most popular MySQL administration tool for PHP
§ Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations

Page 13: CVE-2011-2505: PhpMyAdmin Vulnerability

§ PhpMyAdmin’s “unset session” functionality
§ parse_str(): parses the given query string and stores the variables in the current scope. As a result, *ALL* request variables are imported into the function’s local scope.
§ session_write_close(): makes session data persistent throughout the entire user’s session. Session data is implicitly written to a local file on the server.

Page 14: CVE-2011-2505: Exploit

§ An attacker can now
  • Craft a malicious query string that carries the _SESSION SuperGlobal
  • The injected _SESSION value overrides the session’s original values
  • The new values are saved to the local file
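The parse_str()/session_write_close() interplay behind the two slides above, as an added illustration that is not phpMyAdmin's code: the handler, the parameter names, the session contents and the query string are constructed for the demo, and the weak branch assumes PHP 7 (the one-argument parse_str() form no longer exists in PHP 8).

```php
<?php
// Added illustration of the CVE-2011-2505 bug class. This is NOT phpMyAdmin's
// code; the handler, parameter names and session contents are invented for
// the demo. Run it as a top-level script: the weak parse_str() form writes
// into the *current* scope, and at file scope that scope holds $_SESSION.

// Stand-in for the data session_start() would have loaded (constructed).
$_SESSION = ['user' => 'guest', 'is_admin' => false];

// Constructed query string: the handler only expects "session_to_unset",
// but the request also smuggles a _SESSION[...] pair, as on the slides.
$qs = 'session_to_unset=stale_key&_SESSION[is_admin]=1';

echo "--- weak pattern ---\n";
if (PHP_MAJOR_VERSION < 8) {
    // One-argument parse_str() (deprecated in 7.2, removed in 8.0) registers
    // every query-string name as a variable here. "_SESSION[is_admin]" is
    // therefore written straight into the $_SESSION SuperGlobal, and a later
    // session_write_close() would persist the tampered value to sess_<id>.
    parse_str($qs);
    unset($_SESSION[$session_to_unset]);
} else {
    echo "PHP 8 removed the one-argument form; skipping the weak path.\n";
}
var_dump($_SESSION);

echo "--- hardened pattern ---\n";
$_SESSION = ['user' => 'guest', 'is_admin' => false];   // reset for the demo
// Parse into a private array instead of the scope, then touch only the single
// parameter this resource is documented to accept (positive model in miniature).
parse_str($qs, $params);
if (isset($params['session_to_unset']) && is_string($params['session_to_unset'])) {
    unset($_SESSION[$params['session_to_unset']]);
}
// $params['_SESSION'] is simply ignored; the SuperGlobal was never reachable.
var_dump($_SESSION);
```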

Page 15: Serialization Explained

§ The process of saving data stored in memory to a file is called “serialization”
§ The process of loading data stored in a file into memory is called “deserialization”

Source: http://www.studytonight.com/java/images/Serialization-deserialization.JPG

Page 16: CVE-2010-3065 PHP Vulnerability & Exploit

§ Discovered by Stefan Esser - late 2010
§ Attacker can write data to the session in *ANY* format, if the session variable name starts with ‘!’

Page 17: PMA Session Deserialization: Vulnerability

§ On session deserialization, the load() function is called
§ Eval is evil!
  • Can be used to execute unexpected code
§ But in order to exploit this, attackers need to first specify a valid source (= session filename)

Page 18: Guessing Session Filename: Theory

§ Luckily for the attacker, the location of the session file is predictable
§ Session file name consists of
  • The “sess_” prefix
  • The session identifier – known to the user/attacker
§ File’s path is predictable
  • Default values

Page 19: Guessing Session Filename: In the Wild

§ Multiple guesses for the path of the same session file (“sess_19qq…”)

Page 20: The Final Exploit

§ Now the attackers can, *FINALLY*, get their code evaluated
§ /phpMyAdmin/index.php?session_to_unset=123&token=86498ff0a666f808df76ffaabee9b7a3&_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}&_SESSION[payload]=<?php phpinfo(); ?>

Page 21: Exploit Result

§ Arbitrary PHP code is executed

Page 22: PMA SuperGlobal Attacks In the Wild

§ Attack source is a hacked server
§ Attacks (at least) two other servers
§ Attacks persist over half a year

Page 23: A Modern Exploit Summary: Research

§ Sophisticated research
§ Combines multiple vulnerabilities and issues in multiple domains
  • PHPMyAdmin (PMA)
  • PHP internals

Page 24: A Modern Exploit Summary: Development

§ Exploit packed in a single, “click once” PHP script
§ Automates the different attack stages
§ Can be launched from infected servers to infect others

Page 25: Additional PHP SuperGlobal Attacks

In the Wild

Page 26: SuperGlobal Attacks Targets – I

§ Exploits of specific vulnerabilities – such as the previously discussed PMA attack
§ RFI (Remote File Inclusion): trying to overwrite “Server[document_root]” to point to an external resource

Page 27: SuperGlobal Attacks Targets – II

§ Part of general scanning against the site – Nikto, Acunetix, Nessus
§ IDS filter evasion: SuperGlobals provide an alternative way to represent HTTP query parameters
  • The “_REQUEST[Itemid]=1” request parameter is equivalent to “Itemid=1” in every way
  • However, it evades a naïve IDS signature that blacklists “Itemid=1”
  • We have seen this evasion technique applied to several CVEs

Page 28: SuperGlobals In the Wild

§ During May 2013:
  • 3.5K requests that manipulated PHP SuperGlobal variables
  • 27 different attack sources
  • 24 web applications as targets

Page 29: Targeted SuperGlobal

§ Some SuperGlobals are more targeted than others
§ The more targeted SuperGlobals provide access to more sensitive resources

Breakdown by targeted SuperGlobal (chart data):
  GLOBALS   55%
  ENV       14%
  SERVER    14%
  SESSION   13%
  REQUEST    4%

Page 30: Summary & Conclusions

Page 31: The Importance of a Positive Security Model

§ The essence of the external variable manipulation weakness: the attacker has the ability to send external parameters with the same names as internal variables, and thus override the values of the latter.
§ External parameters are not part of the standard interface of the targeted application
§ Blocking all of the internal variables’ names might be difficult with a negative security approach
§ But trivial with a positive security mechanism that specifies the allowed parameter names for each resource

Page 32: Layered Application Layer Mechanisms

§ Bad news: attackers can create a complex exploit by combining several vulnerabilities together
§ Good news: it’s enough to break one of the links in the kill chain to break the chain altogether.
§ An application layer solution that combines multiple detection mechanisms is crucial for effective mitigation of such complex attacks:
  • Positive security model
  • Negative security model for generic issues (generic directory traversal protection in this case)
  • Specific CVE detection

Page 33: Third-Party Code Perils

§ Attackers target popular applications such as the PhpMyAdmin (PMA) utility installation.
§ PMA is often bundled with other applications.
§ Having this vulnerable utility present on the server, even if it is not being used, exposes the server to code execution attacks.
§ Since administrators are not necessarily aware of all the bundled software, an “opt out” security model is needed.
§ A way to achieve such an “opt out” security model is by deploying a Web Application Firewall (WAF) with constant updates of security content.

Page 34: SuperGlobal Parameters In Requests Should Be Blocked

§ There is no reason for these parameters to be present in valid requests; they should be banned.
§ Imperva’s WAF customers received a content update to their Web Application Firewall on January 15th 2013.
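A gateway-side check that applies the recommendations of slides 27, 31 and 34 to one request, as an added example that is not Imperva's WAF content or any product code: the per-resource allow-list, the paths and the sample requests are constructed for the demo, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not Imperva's WAF content or any product code. A gateway
// check that combines two of the deck's recommendations on one request:
//   1. positive model: each resource declares the parameter names it accepts;
//   2. ban on SuperGlobal names, decided by parameter *name*, so the
//      "_REQUEST[Itemid]=1" rewrite of "Itemid=1" is caught even though a
//      value-based signature for "Itemid=1" would miss it.

// The nine SuperGlobals from the slide table, as they would appear in a request.
const SUPERGLOBAL_NAMES = ['GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
                           '_COOKIE', '_SESSION', '_REQUEST', '_ENV'];

// Hypothetical per-resource allow-list (positive security model).
const ALLOWED_PARAMS = [
    '/phpMyAdmin/index.php' => ['session_to_unset', 'token'],
    '/index.php'            => ['Itemid', 'option'],
];

/** Returns the violations found in a request; an empty array means it may pass. */
function checkRequest(string $path, string $queryString): array
{
    // parse_str() into a private array applies PHP's own name normalisation,
    // so the check sees parameter names exactly as the application would.
    parse_str($queryString, $params);
    $violations = [];
    foreach (array_keys($params) as $name) {
        $name = (string) $name;                  // numeric names come back as int
        if (in_array($name, SUPERGLOBAL_NAMES, true)) {
            // Whether indexed (_SESSION[x]) or bare, a SuperGlobal name has no
            // legitimate use in a request: block it regardless of the value.
            $violations[] = "superglobal:$name";
        } elseif (!in_array($name, ALLOWED_PARAMS[$path] ?? [], true)) {
            $violations[] = "unexpected:$name";
        }
    }
    return $violations;
}

// Constructed sample requests, modelled on the ones shown in the deck.
$samples = [
    ['/index.php', 'Itemid=1&option=com_content'],
    ['/index.php', '_REQUEST[Itemid]=1'],
    ['/phpMyAdmin/index.php', 'session_to_unset=123&token=abc&_SESSION[!bla]=x'],
    ['/phpMyAdmin/index.php', 'GLOBALS[x]=1&_SERVER[DOCUMENT_ROOT]=http://example.invalid/'],
];
foreach ($samples as [$path, $qs]) {
    $v = checkRequest($path, $qs);
    echo $path, '?', $qs, ' => ', $v ? 'BLOCK (' . implode(', ', $v) . ')' : 'allow', "\n";
}
```

Only the first sample passes; the second is blocked on the parameter name alone, which is what a value-based “Itemid=1” signature cannot do.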

Page 35: Summing Up

§ Establish a positive security model
§ Use layered application layer security mechanisms
§ Beware of third-party code perils
§ Block SuperGlobal parameters in requests

Page 36: Webinar Materials

Post-Webinar Discussions: Answers to Attendee Questions
Webinar Recording Link
Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

Page 37: www.imperva.com