PHP SuperGlobals: Supersized Trouble
© 2013 Imperva, Inc. All rights reserved.
PHP SuperGlobals: Supersized Trouble
Confidential 1
Tal Be’ery, Web Security Research Team Leader
Agenda
§ Introduction • Relevant PHP background
§ An anatomy of a modern web exploit • Abusing SuperGlobals
§ Additional PHP SuperGlobal attacks • In the wild
§ Summary & conclusions
§ Q&A
HII Reports
§ The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice • A different approach from vulnerability research
§ Data set composition • ~60 real world applications • Anonymous proxies
§ More than 24 months of data
§ Powerful analysis system • Combines analytic tools with drill-down capabilities
Tal Be’ery, Web Research Team Leader
§ Web Security Research Team Leader at Imperva
§ Holds MSc & BSc degrees in CS/EE from TAU
§ 10+ years of experience in the IS domain
§ Facebook “white hat”
§ Speaker at RSA, BlackHat, AusCERT
§ Columnist for securityweek.com
§ CISSP
Introduction
Relevant PHP Background
Breadth and Depth of PHP - I
§ The most popular server-side programming language in the world
§ And goes from strength to strength
Breadth and Depth of PHP – II
§ The most popular web applications are powered by PHP
Source: http://www.alexa.com/topsites
PHP SuperGlobals
§ Most programming languages support different scopes for variables, primarily the “local” and the “global” scope.
§ Global variables • Provide a simple channel for cross-function communication • More risky, as *ANY* function may change them
§ PHP has several predefined variables that are called SuperGlobals.
§ SuperGlobals provide access to the server’s core functionality – cookies, sessions, environment, etc.
§ SuperGlobals variables are available to the PHP script in all scopes, with no need for explicit declaration.
PHP SuperGlobal List
#  Variable   Definition
1  GLOBALS    References all variables available in global scope
2  _SERVER    Server and execution environment information
3  _GET       HTTP GET variables
4  _POST      HTTP POST variables
5  _FILES     HTTP file upload variables
6  _COOKIE    HTTP cookies
7  _SESSION   Session variables
8  _REQUEST   HTTP request variables
9  _ENV       Environment variables
External Variable Modification: A PHP Specific Weakness
§ MITRE has assigned a specific CWE (Common Weakness Enumeration) code to the External Variable Modification weakness: CWE-473
§ “A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies”.
§ SuperGlobals are a natural target: • Exist in every PHP application • Provide access to the server’s core functionality
Anatomy of a Modern Web Exploit
Exploiting SuperGlobals
PHPMyAdmin (PMA)
§ The most popular MySQL administration tool for PHP
§ Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations
CVE-2011-2505: PhpMyAdmin Vulnerability
§ PhpMyAdmin’s unset-session functionality
§ parse_str(): parses the given query string and stores the variables in the current scope. As a result, *ALL* request variables are imported into the function’s local scope.
§ session_write_close(): makes session data persistent throughout the entire user’s session. Session data is implicitly written to a local file on the server.
CVE-2011-2505: Exploit
§ An attacker can now
  • Craft a malicious query string with the _SESSION SuperGlobal
  • Injected _SESSION value overrides the session’s original values
  • New values are saved to local file
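The two code paths below, as an added example that is not phpMyAdmin’s code, reconstruct the parse_str() pattern described on the preceding slides beside a hardened form. The query string and session contents are constructed; the vulnerable branch assumes PHP 5 or 7, since the one-argument parse_str() was removed in PHP 8.0.

```php
<?php
// Added example, not phpMyAdmin's code: the parse_str() pattern the deck
// describes for CVE-2011-2505, beside a hardened form. The query string is
// constructed here; in the real bug it came from $_SERVER['QUERY_STRING'].
$query = 'session_to_unset=user&_SESSION[is_admin]=1';

// Hardened: parse into a local array and consume only the documented key.
// Nothing from the request can reach $_SESSION or any other SuperGlobal.
function unset_session_safely(string $query, array $session): array
{
    parse_str($query, $params);                // second argument: no scope import
    $name = $params['session_to_unset'] ?? null;
    if (is_string($name) && array_key_exists($name, $session)) {
        unset($session[$name]);
    }
    return $session;
}

$_SESSION = ['is_admin' => 0, 'user' => 'alice'];   // constructed session state

// Hardened path: "user" is removed; the injected "_SESSION" key is simply ignored.
var_dump(unset_session_safely($query, $_SESSION));

// Vulnerable path (PHP 5/7 only: the one-argument parse_str() was removed in
// PHP 8.0). At file scope, as in the affected phpMyAdmin code, parse_str()
// writes every request variable into the global symbol table, so the request's
// "_SESSION" key is merged into $_SESSION itself. A session_write_close() here
// would persist the attacker-chosen is_admin value to the session file.
if (PHP_MAJOR_VERSION < 8) {
    parse_str($query);
    var_dump($_SESSION);   // is_admin now carries the value from the request
}
```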
Serialization Explained
§ The process of saving data stored in memory to file is called “serialization”
§ The process of loading data stored in file to memory is called “deserialization”
Source: http://www.studytonight.com/java/images/Serialization-deserialization.JPG
CVE-2010-3065 PHP Vulnerability & Exploit
§ Discovered by Stefan Esser - Late 2010
§ Attacker can write data to the session in *ANY* format, if the session variable name starts with ‘!’
PMA Session Deserialization: Vulnerability
§ On session deserialization, the load() function is called
§ Eval is evil! • Can be used to execute unexpected code
§ But in order to exploit, attackers need to first specify a valid source (= session filename)
Guessing Session Filename: Theory
§ Luckily for the attacker, the location of the session file is predictable
§ Session file name consists of • The “sess_” prefix • The session identifier – known to the user/attacker
§ File’s path is predictable • Default values
Guessing Session Filename: In the Wild
§ Multiple guesses of the path to the same session file (“sess_19qq…”)
The Final Exploit
§ Now the attackers can, *FINALLY*, get their code evaluated
§ /phpMyAdmin/index.php?session_to_unset=123&token=86498ff0a666f808df76ffaabee9b7a3&_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}&_SESSION[payload]=<?php phpinfo(); ?>
Exploit Result
§ Arbitrary PHP code is executed
PMA SuperGlobal Attacks In the Wild
§ Attack source is a hacked server
§ Attacks (at least) two other servers
§ Attacks persist over half a year
A Modern Exploit Summary: Research
§ Sophisticated research
§ Combines multiple vulnerabilities and issues in multiple domains • PHPMyAdmin (PMA) • PHP internals
A Modern Exploit Summary: Development
§ Exploit packed in a single, “click once” PHP script
§ Automates the different attack stages
§ Can be launched from infected servers to infect others
Additional PHP SuperGlobal Attacks
In the Wild
SuperGlobal Attacks Targets – I
§ Exploitation of specific vulnerabilities – such as the previously discussed PMA attack
§ RFI (Remote File Inclusion): trying to overwrite “Server[document_root]” to point to an external resource
SuperGlobal Attacks Targets – II
§ Part of general scanning against the site – Nikto, Acunetix, Nessus
§ IDS filter evasion: SuperGlobals provide an alternative way to represent HTTP query parameters
  • The “_REQUEST[Itemid]=1” request parameter is equivalent to “Itemid=1” in every way
  • However, it evades a naïve IDS signature that blacklists “Itemid=1”
  • We have seen this evasion technique applied on several CVEs
SuperGlobals In the Wild
§ During May 2013:
  • 3.5K requests that manipulated PHP SuperGlobal variables
  • 27 different attack sources
  • 24 web applications as targets
Targeted SuperGlobal
§ Some SuperGlobals are more targeted than others
§ The more targeted SuperGlobals provide access to more sensitive resources
GLOBALS 55%
ENV 14%
SERVER 14%
SESSION 13%
REQUEST 4%
Summary & Conclusions
The Importance of a Positive Security Model
§ The essence of the external variable manipulation weakness: the attacker can send external parameters with the same names as internal variables, and thus override the values of the latter.
§ External parameters are not part of the standard interface of the targeted application
§ Blocking all of the internal variables’ names might be difficult with a negative security approach
§ But it is trivial with a positive security mechanism that specifies the allowed parameter names for each resource
Layered Application Layer Mechanisms
§ Bad news: attackers can create a complex exploit by combining several vulnerabilities together
§ Good news: it’s enough to break one of the links in the kill chain to break the chain altogether.
§ An application layer solution that combines multiple detection mechanisms is crucial for effective mitigation of such complex attacks:
  • Positive security model
  • Negative security model for generic issues (generic directory traversal protection in this case)
  • Specific CVE detection
Third-Party Code Perils
§ Attackers target popular applications such as the PhpMyAdmin (PMA) utility.
§ PMA is often bundled with other applications.
§ Having this vulnerable utility present on the server, even if it is not being used, exposes the server to code execution attacks.
§ Since administrators are not necessarily aware of all the bundled software, an “opt out” security model is needed.
§ A way to achieve such an “opt out” security model is by deploying a Web Application Firewall (WAF) with constant updates of security content.
SuperGlobal Parameters In Requests Should Be Blocked
§ There is no reason for these parameters to be present in valid requests, so they should be banned.
§ Imperva’s WAF customers received a content update to their Web Application Firewall on January 15th 2013.
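One way to enforce the positive security model from the previous slides together with the rule above that SuperGlobal-named parameters should be blocked, as an added PHP 7+ example that is not Imperva’s or any product’s code. It also catches the “_REQUEST[Itemid]” evasion form from the IDS filter evasion slide; the policy map, resource paths and request strings are constructed.

```php
<?php
// Added example, not Imperva's or any WAF product's code: a request guard that
// applies the deck's two recommendations. (1) Reject any parameter whose base
// name is a PHP SuperGlobal, including array notation such as "_REQUEST[Itemid]",
// which the deck shows is equivalent to "Itemid" and evades a naive signature.
// (2) Positive security model: each resource declares the parameter names it
// accepts and everything else is rejected. The policy and requests are constructed.

const SUPERGLOBAL_NAMES = ['GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
                           '_COOKIE', '_SESSION', '_REQUEST', '_ENV'];

// Base name of a parameter: "_REQUEST[Itemid]" -> "_REQUEST", "Itemid" -> "Itemid".
// PHP ignores leading spaces and maps "." and " " in incoming names to "_", so
// apply the same rules first; otherwise " _SESSION[x]" or "_SESSION.x" would
// slip past a literal comparison while PHP still treats them as $_SESSION.
function param_base_name(string $raw): string
{
    $name = strtr(ltrim(urldecode($raw), ' '), ['.' => '_', ' ' => '_']);
    $pos = strpos($name, '[');
    return $pos === false ? $name : substr($name, 0, $pos);
}

// Returns the list of violations for one request; an empty list means it passes.
function check_request(string $resource, string $query, array $policy): array
{
    $violations = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $raw  = explode('=', $pair, 2)[0];
        $base = param_base_name($raw);
        if (in_array($base, SUPERGLOBAL_NAMES, true)) {
            $violations[] = "SuperGlobal parameter '$raw' sent to $resource";
        } elseif (!in_array($base, $policy[$resource] ?? [], true)) {
            $violations[] = "parameter '$base' is not in the allowed set for $resource";
        }
    }
    return $violations;
}

$policy = [                                    // constructed per-resource allow lists
    '/index.php'            => ['option', 'Itemid', 'view'],
    '/phpMyAdmin/index.php' => ['token', 'server', 'db', 'table'],
];

print_r(check_request('/index.php', 'option=com_content&Itemid=1', $policy)); // legitimate request
print_r(check_request('/index.php', '_REQUEST[Itemid]=1', $policy));          // the evasion form
print_r(check_request('/phpMyAdmin/index.php',
        'token=abc&session_to_unset=123&_SESSION[!bla]=x', $policy));         // the PMA attack shape
```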
Summing Up
§ Establish a positive security model
§ Use layered application layer security mechanisms
§ Beware of third-party code perils
§ Block SuperGlobal parameters in requests