PHP SuperGlobals: Supersized Trouble
Shelly Hershkovitz, Senior Security Analyst, Imperva
© 2013 Imperva, Inc. All rights reserved.
Shelly Hershkovitz
• Senior Security Analyst at Imperva
• Leads the efforts to capture and analyze hacking activities
  - Responsible for a number of Imperva's HII reports
• Experienced in machine learning and computer vision
• Holds a BA in Computer Science and an M.Sc. in Biomedical Engineering
How it all began…
Bla bla…
CVE-2011-2505
Honeypots
Agenda
• Introduction
  - Relevant PHP background
• An Anatomy of a Modern Web Exploit
  - Abusing SuperGlobals
• Demo
• Additional PHP SuperGlobal Attacks
  - In the wild
• Summary & Conclusions
• Q&A
Introduction
Relevant PHP background
Breadth and Depth of PHP - I
• The most popular server-side programming language in the world
• And goes from strength to strength
Breadth and Depth of PHP – II
• The most popular web applications are powered by PHP (http://www.alexa.com/topsites)
Outline – PHP Background
• SuperGlobals
• Serialization
• Session Management
PHP SuperGlobals
• "Local" versus "global" scopes
• Global variables
  - Cross-function communication
  - *ANY* function may change them
• SuperGlobals:
  - Predefined array variables
  - Available in all scopes
• SuperGlobals: cookies, sessions, environment, etc.
PHP SuperGlobal list
  #  Variable   Definition
  1  GLOBALS    References all variables available in global scope
  2  _SERVER    Server and execution environment information
  3  _GET       HTTP GET variables
  4  _POST      HTTP POST variables
  5  _FILES     HTTP file upload variables
  6  _COOKIE    HTTP cookies
  7  _SESSION   Session variables
  8  _REQUEST   HTTP request variables
  9  _ENV       Environment variables
External Variable Modification
• MITRE Common Weakness Enumeration: CWE-473
• "A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies".
• SuperGlobals are a natural target:
  - Exist in every PHP application
  - Provide access to the server's core functionality
Serialization
• The process of saving data stored in memory to file is called "serialization"
• The process of loading data stored in file to memory is called "deserialization"
[Figure: serialization (__sleep()) and deserialization (__wakeup()); image source: http://www.studytonight.com/java/images/Serialization-deserialization.JPG]
PHP Session Management
• New user:
  - A unique identifier is generated for the session.
  - A cookie called PHPSESSID is sent to the user with this identifier.
  - A file is created on the server, for example: sess_1q8jkgkoetd3dprcb3n7mpmc4o26eili.
• Returning user: session data is resumed from that file.
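The sess_<id> file written by PHP's default session handler holds one name|serialized-value entry per session variable (the deck's later example is username|s:9:"bad_stuff";), and the same file is what session_start() feeds to unserialize() on the next request. The following script is an added example, not code from the deck or from PHP itself: it walks that format without ever calling unserialize(), so a stored object's __wakeup() cannot fire while a defender reviews the file, and it reports entries a reviewer should look at. The sample session data, the class name stdClass and the finding messages are constructed for the example.

```php
<?php
// Added example (not from the Imperva deck, not PHP's own code): a read-only
// inspector for the "php" session handler format, name|<serialize() output>
// per variable, that never calls unserialize() on the data it reads.
declare(strict_types=1);

/** Read the decimal number at $pos; return [value, offset of the ':' after it]. */
function readNumber(string $s, int $pos): array
{
    $colon = strpos($s, ':', $pos);
    if ($colon === false) throw new RuntimeException("missing ':' after offset $pos");
    return [(int) substr($s, $pos, $colon - $pos), $colon];
}

/** Skip $count key/value pairs that start just after '{', then consume the '}'. */
function skipPairs(string $s, int $pos, int $count, array &$classes): int
{
    for ($i = 0; $i < $count; $i++) {
        $pos = skipSerialized($s, $pos, $classes);   // key (integer or string)
        $pos = skipSerialized($s, $pos, $classes);   // value (any form)
    }
    if (($s[$pos] ?? '') !== '}') throw new RuntimeException("missing '}' at offset $pos");
    return $pos + 1;
}

/**
 * Return the offset just past the serialized value at $pos and append the
 * class name of every object value to $classes. Handles the forms serialize()
 * emits: N; b:1; i:1; d:1.5; s:3:"abc"; a:N:{...} O:L:"Class":N:{...}
 */
function skipSerialized(string $s, int $pos, array &$classes): int
{
    switch ($s[$pos] ?? '') {
        case 'N':                                   // N;
            return $pos + 2;
        case 'b': case 'i': case 'd':               // i:42;
            $end = strpos($s, ';', $pos);
            if ($end === false) throw new RuntimeException("unterminated scalar at offset $pos");
            return $end + 1;
        case 's':                                   // s:LEN:"bytes";
            [$len, $colon] = readNumber($s, $pos + 2);
            $end = $colon + $len + 4;               // skips :"  bytes  ";
            if (substr($s, $end - 2, 2) !== '";') throw new RuntimeException("string length mismatch at offset $pos");
            return $end;
        case 'a':                                   // a:COUNT:{...}
            [$count, $colon] = readNumber($s, $pos + 2);
            return skipPairs($s, $colon + 2, $count, $classes);
        case 'O':                                   // O:LEN:"Class":COUNT:{...}
            [$nameLen, $colon] = readNumber($s, $pos + 2);
            $classes[] = substr($s, $colon + 2, $nameLen);
            [$count, $colon2] = readNumber($s, $colon + $nameLen + 4);
            return skipPairs($s, $colon2 + 2, $count, $classes);
        default:
            throw new RuntimeException("unsupported or malformed value at offset $pos");
    }
}

/** Split raw session data into name => ['data' => raw serialized text, 'classes' => [...]]. */
function parseSessionData(string $raw): array
{
    $entries = [];
    $pos = 0;
    while ($pos < strlen($raw)) {
        $bar = strpos($raw, '|', $pos);
        if ($bar === false) throw new RuntimeException("no name|value separator at offset $pos");
        $name = substr($raw, $pos, $bar - $pos);
        $classes = [];
        $end = skipSerialized($raw, $bar + 1, $classes);
        $entries[$name] = ['data' => substr($raw, $bar + 1, $end - $bar - 1), 'classes' => $classes];
        $pos = $end;
    }
    return $entries;
}

/** Findings a reviewer should look at; malformed data throws instead of being guessed at. */
function auditSessionData(string $raw): array
{
    $findings = [];
    foreach (parseSessionData($raw) as $name => $entry) {
        $name = (string) $name;
        // The deck ties CVE-2010-3065 to names beginning with '!'; any name
        // that is not a plain identifier is worth a look.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            $findings[] = "name '$name' is not a plain identifier";
        }
        // An object entry means session_start() will instantiate the class and
        // run its __wakeup(), which is the hook the PMA_Config chain relies on.
        foreach ($entry['classes'] as $class) {
            $findings[] = "'$name' stores an object of class $class";
        }
    }
    return $findings;
}

// Constructed sample session data (not a real session file).
$sample = 'username|s:5:"alice";counter|i:3;'
        . 'prefs|a:1:{s:5:"theme";s:4:"dark";}'
        . 'cfg|O:8:"stdClass":1:{s:6:"source";s:8:"/tmp/x.y";}';
print_r(auditSessionData($sample));
```

On the constructed sample the audit reports only the cfg entry, because it is the one whose value is an object; the string, integer and array entries pass, and a file whose data does not follow the name|value layout raises an exception rather than being silently accepted.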
An Anatomy of a Modern Web Exploit
Exploiting SuperGlobals
Outline
• PHPMyAdmin
• CVE-2011-2505
• CVE-2010-3065
• Attack Flow
• Demo
• Attacks in the wild
PHPMyAdmin (PMA)
• The most popular MySQL administration tool for PHP
• Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations
Outline – PHP Background (revisited)
• SuperGlobals
• Serialization
• Session Management
• Vulnerabilities discussed: CVE-2011-2505, CVE-2010-3065
CVE-2011-2505: PhpMyAdmin Vulnerability
• Parses a given query string into the local scope
• _SESSION variables are saved in the session's file on the server
  Request:      http://www.super.com/somePage?_SESSION[username]=bad_stuff
  Session file: username|s:9:"bad_stuff";
CVE-2011-2505: PhpMyAdmin Vulnerability
• PhpMyAdmin's "unset session" functionality
• parse_str(): parses the given query string and stores the variables in the current scope
• session_write_close(): makes session data persistent throughout the entire user's session
CVE-2011-2505: Exploit
• An attacker can now
  - Craft a malicious query string with the _SESSION SuperGlobal
  - The injected _SESSION value overrides the session's original values
  - The new values are saved to the local session file
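The two slides above describe the mechanism behind CWE-473 in this instance: parse_str() registering client-supplied names in the current scope, so that a query variable called _SESSION overwrites the real SuperGlobal and session_write_close() then persists it. The script below is an added example, not phpMyAdmin's code: it shows the safe shape of the same operation, parsing into a local array and refusing any top-level name that matches a SuperGlobal. The query string and the stand-in $_SESSION contents are constructed for the example; the function names parseQueryLocally and screenVariables are the example's own.

```php
<?php
// Added example, not phpMyAdmin's own code: the parse_str() pattern behind
// CVE-2011-2505 (CWE-473), with the query parsed into a local array and
// screened for SuperGlobal names before anything acts on it.
declare(strict_types=1);

// PHP's SuperGlobals: none of these names may be settable by a client.
const SUPERGLOBAL_NAMES = [
    'GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
    '_COOKIE', '_SESSION', '_REQUEST', '_ENV',
];

/**
 * Parse a query string into a local array, never into the calling scope.
 * The one-argument parse_str($query) registered every query variable in the
 * current scope, so "_SESSION[username]=bad_stuff" replaced the real
 * $_SESSION['username'] that session_write_close() then wrote to disk; that
 * form was deprecated in PHP 7.2 and removed in PHP 8.0.
 */
function parseQueryLocally(string $query): array
{
    $vars = [];
    parse_str($query, $vars);
    return $vars;
}

/**
 * Split parsed variables into accepted ones and rejected SuperGlobal names.
 * The comparison is case-insensitive because the attack traffic shown in the
 * deck also uses mixed case, e.g. "_Server[document_root]".
 */
function screenVariables(array $vars): array
{
    $accepted = [];
    $rejected = [];
    foreach ($vars as $name => $value) {
        $name = (string) $name;
        if (in_array(strtoupper($name), SUPERGLOBAL_NAMES, true)) {
            $rejected[] = $name;
        } else {
            $accepted[$name] = $value;
        }
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed input modelled on the deck's example request; the $_SESSION
// assignment stands in for a live session so the script runs from the CLI.
$_SESSION = ['username' => 'alice'];
$query    = 'session_to_unset=123&_SESSION[username]=bad_stuff';
$result   = screenVariables(parseQueryLocally($query));

printf("accepted: %s\n", json_encode($result['accepted']));
printf("rejected: %s\n", json_encode($result['rejected']));
printf("session username is still: %s\n", $_SESSION['username']);
```

Run from the command line, the script accepts only session_to_unset, lists _SESSION as rejected, and leaves the stand-in $_SESSION['username'] at its original value, because the parsed data never left the local $vars array.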
CVE-2010-3065: PHP Vulnerability & Exploit
• Discovered by Stefan Esser, late 2010
• An attacker can write data to the _SESSION in *ANY* format if the session variable name starts with '!'
PMA Session deserialization: Vulnerability
• On session deserialization, the load() function is called
• Eval is evil!
  - Can be used to execute unexpected code
Attack Flow
1. The attacker sends the 1st request to receive a cookie (the session identifier).
2. The attacker sends the 2nd request, in which _SESSION holds:
   1. Malicious code
   2. A serialized PMA_Config object whose source is the session file path
   PHP saves the session's information to a local file.
3. The attacker sends the 3rd request: PHP unserializes PMA_Config, which calls __wakeup(), which calls load(), which calls eval(source = session file).
The Exploit Code on the Web
Guessing Session Filename
• Luckily for the attacker, the location of the session file is predictable
• The session file name consists of
  - The "sess_" prefix
  - The session identifier, which is known to the user/attacker
• The file's path is predictable
  - Default values
Guessing Session Filename: in the wild
• Multiple guesses of the path for the same session file ("sess_19qq…")
The Final Exploit
• Now the attackers can, *FINALLY*, get their code evaluated
  /phpMyAdmin/index.php?session_to_unset=123&
  token=86498ff0a666f808df76ffaabee9b7a3&
  _SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{
  s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}&
  _SESSION[payload]=<?php phpinfo(); ?>
Demo
PMA SuperGlobal Attacks in the wild
• The attack source is a hacked server
• It attacks (at least) two other servers
• The attacks persist over half a year
A Modern Exploit Summary: Research
• Sophisticated research
• Combines multiple vulnerabilities and issues in multiple domains
  - PHPMyAdmin (PMA)
  - PHP internals
A Modern Exploit Summary: Development
• Exploit packed in a single, "click once" PHP script
• Automates the different attack stages
• Can be launched from infected servers to infect others
PHP SuperGlobal Attacks
In the wild
SuperGlobal Attack Targets
• RFI (Remote File Inclusion): trying to overwrite "_Server[document_root]" to point to an external resource
SuperGlobal Attack Targets
• Part of general scanning against the site: Nikto, Acunetix, Nessus
• Intrusion Detection System filter evasion: an alternative way to represent HTTP query parameters
  - The "_REQUEST[Itemid]=1" request parameter is equivalent to "Itemid=1"
  - However, it evades a naive IDS signature that blacklists "Itemid=1"
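A signature keyed on the literal parameter name misses the bracketed form, so the check has to look at what PHP will actually register rather than at the raw bytes. The script below is an added example, not Imperva's product logic: it normalises each query parameter name the way PHP's external-variable handling does (percent-decoding, then dots and spaces inside the name becoming underscores), strips the array subscript, and flags any name that resolves to a SuperGlobal. This is the same check as the deck's closing recommendation to block SuperGlobal parameters in requests. The request lines are constructed for the example, and findSuperGlobalParams and scanRequestLines are the example's own names.

```php
<?php
// Added example, not Imperva's product logic: flag query parameters whose
// name resolves to a PHP SuperGlobal, including "_REQUEST[Itemid]=1" (which
// a naive "Itemid=1" signature misses), the mixed-case "_Server[document_root]"
// RFI probe, and percent-encoded spellings of the same names.
declare(strict_types=1);

const SUPERGLOBAL_NAMES = [
    'GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
    '_COOKIE', '_SESSION', '_REQUEST', '_ENV',
];

/**
 * Return the offending parameter names found in a raw query string.
 * Normalisation mirrors what PHP does before it populates $_GET: percent
 * decoding, leading spaces dropped, and '.' or ' ' in a name turned into '_'
 * (the PHP manual documents "a.b" arriving as $_REQUEST["a_b"]).
 */
function findSuperGlobalParams(string $query): array
{
    $hits = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $name = urldecode(explode('=', $pair, 2)[0]);
        $base = explode('[', $name, 2)[0];            // "_REQUEST[Itemid]" -> "_REQUEST"
        $base = strtr(ltrim($base, ' '), '. ', '__');
        if (in_array(strtoupper($base), SUPERGLOBAL_NAMES, true)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Scan request lines of the form "METHOD /path?query HTTP/x" and return
 * [line index => offending names] for every line that carries a hit.
 */
function scanRequestLines(array $lines): array
{
    $report = [];
    foreach ($lines as $i => $line) {
        if (!preg_match('~^\S+\s+[^\s?]+\?(\S*)~', $line, $m)) {
            continue;                                  // no query string
        }
        $hits = findSuperGlobalParams($m[1]);
        if ($hits !== []) {
            $report[$i] = $hits;
        }
    }
    return $report;
}

// Constructed request lines (not real traffic), modelled on the deck's examples.
$sampleLines = [
    'GET /index.php?Itemid=1&option=com_content HTTP/1.1',
    'GET /index.php?_REQUEST[Itemid]=1 HTTP/1.1',
    'GET /index.php?_Server[document_root]=http://example.invalid/ HTTP/1.1',
    'GET /index.php?%5FSESSION%5Bpayload%5D=x HTTP/1.1',
];
print_r(scanRequestLines($sampleLines));
```

On the constructed lines the first request (plain Itemid and option parameters) produces no finding, while the bracketed _REQUEST form, the mixed-case _Server form and the percent-encoded _SESSION form are each reported under their line index. Decoding before matching is the point: a filter that compares raw bytes against "_SESSION" would pass the fourth line to PHP, which decodes it and registers the SuperGlobal name anyway.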
SuperGlobal Attack Targets
• During May 2013:
  - 3.5K requests manipulated PHP SuperGlobal variables
  - 27 different attack sources
  - 24 web applications targeted
Targeted SuperGlobal
• Some SuperGlobals are more targeted than others
• The more targeted SuperGlobals provide access to more sensitive resources
• Share of requests by targeted SuperGlobal (chart): GLOBALS 55%, SERVER 14%, ENV 14%, SESSION 13%, REQUEST 4%
Summary & Conclusions
Third-Party Code Perils
• PHPMyAdmin:
  - Popular utility installation
  - Often bundled with other applications
• Even if PMA is not used, the server is exposed to code execution attacks!!
• Administrators might not be aware of all bundled software
• An "opt out" security model is needed
• One option is a Web Application Firewall (WAF) with constant updates of security content.
Conclusions
• Establish a positive security model
• Use layered security mechanisms
• Beware of third-party code perils
• Block SuperGlobal parameters in requests
More information in HII: http://www.imperva.com/resources/hacker_intelligence.asp
Q&A