Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2013 Imperva, Inc. All rights reserved. PHP SuperGlobals: Supersized Trouble 1 Shelly Hershkovitz, Senior Security Analyst, Imperva.

Similar presentations


Presentation on theme: "© 2013 Imperva, Inc. All rights reserved. PHP SuperGlobals: Supersized Trouble 1 Shelly Hershkovitz, Senior Security Analyst, Imperva."— Presentation transcript:

1 © 2013 Imperva, Inc. All rights reserved. PHP SuperGlobals: Supersized Trouble 1 Shelly Hershkovitz, Senior Security Analyst, Imperva

2 © 2013 Imperva, Inc. All rights reserved. Shelly Hershkovitz 2  Senior Security Analyst at Imperva  Leads the efforts to capture and analyze hacking activities Responsible for number of Imperva’s HII reportsreports  Experienced in machine learning and computer vision  Holds BA in Computer Science & M.Sc degree in Bio- Medical Engineering

3 © 2013 Imperva, Inc. All rights reserved. How it all began… 3 Bla bla…CVE Honeypots

4 © 2013 Imperva, Inc. All rights reserved. HII Reports 4  Hacker Intelligence Initiative is focused at understanding how attackers are operating in practice A different approach from vulnerability research  Data set composition ~60 real world applications Anonymous Proxies  More than 24 months of data  Powerful analysis system Combines analytic tools with drill down capabilities

5 © 2013 Imperva, Inc. All rights reserved. Agenda 5  Introduction Relevant PHP background  An Anatomy of a Modern Web Exploit Abusing SuperGlobals  Demo  Additional PHP SuperGlobal Attacks In the wild  Summary & Conclusions  Q&A

6 © 2013 Imperva, Inc. All rights reserved. Introduction 6 Relevant PHP background

7 © 2013 Imperva, Inc. All rights reserved.  The most popular server-side programming language in the world:  And goes from strength to strength Breadth and Depth of PHP - I

8 © 2013 Imperva, Inc. All rights reserved.  The most popular web applications are powered by PHP Breadth and Depth of PHP – II

9 © 2013 Imperva, Inc. All rights reserved. Outline – PHP Background 9 SuperGlobals Serialization Session Management

10 © 2013 Imperva, Inc. All rights reserved. PHP SuperGlobals 10  “Local” versus “global” scopes  Global variables Cross-function communication *ANY* function may change them  SuperGlobals: Predefined array variables Available in all scopes  SuperGlobals: cookies, sessions, environment, etc.

11 © 2013 Imperva, Inc. All rights reserved. PHP SuperGlobal list 11 VariableDefinition 1GLOBALS References all variables available in global scope 2_SERVER Server and execution environment information 3_GETHTTP GET variables 4_POSTHTTP POST variables 5_FILESHTTP File upload variables 6_COOKIEHTTP Cookies 7_SESSIONSession variables 8_REQUESTHTTP Request variables 9_ENVEnvironment variables

12 © 2013 Imperva, Inc. All rights reserved. External Variable Modification 12  MITRE Common Weakness Enumeration: CWE-473  “A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies”.  SuperGlobals are a natural target: Exist in every PHP application Provide access to the server’s core functionality

13 © 2013 Imperva, Inc. All rights reserved. Serialization 13  The process of saving data stored in memory to file is called “serialization”  The process of loading data stored in file to memory is called “deserialization” __sleep()__wakeup()

14 © 2013 Imperva, Inc. All rights reserved. PHP Session Management 14  New user: Unique identifier for the session. A cookie called PHPSESSID is sent to the user with this identifier. A file is created on the server, for example: sess_1q8jkgkoetd3dprcb3n7mpmc4o26eili.  Resuming session data.

15 © 2013 Imperva, Inc. All rights reserved. An Anatomy of a Modern Web Exploit 15 Exploiting SuperGlobals

16 © 2013 Imperva, Inc. All rights reserved. Outline 16  PHPMyAdmin  CVE  CVE  Attack Flow  Demo  Attacks on the wild

17 © 2013 Imperva, Inc. All rights reserved. PHPMyAdmin (PMA) 17  The most popular MySQL administration tool for PHP  Often is bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations

18 © 2013 Imperva, Inc. All rights reserved. Outline – PHP Background 18 SuperGlobals CVE Session Management Serialization CVE

19 © 2013 Imperva, Inc. All rights reserved. CVE : PhpMyAdmin Vulnerability 19  Parses a given query string to local scope  _SESSION variables are saved in the session’s file on the server bad_stuff username|s:9:"bad_stuff";

20 © 2013 Imperva, Inc. All rights reserved. CVE : PhpMyAdmin Vulnerability 20  PhpMyAdmin’s Unset session functionality  Parse_str() : parses the given query string and stores the variables in the current scope.  Session_write_close(): Makes Session data persistent throughout the entire user’s session.

21 © 2013 Imperva, Inc. All rights reserved. CVE : Exploit 21  An attacker can now Craft a malicious query string with the _SESSION SuperGlobal Injected _SESSION value overrides the session’s original values New values are saved to local file

22 © 2013 Imperva, Inc. All rights reserved.  Discovered by Stefan Esser - Late 2010  Attacker can write data to the _SESSION in *ANY* format, if the session variable name starts with ‘!’ CVE PHP Vulnerability & Exploit 22

23 © 2013 Imperva, Inc. All rights reserved. Serialization 23  The process of saving data stored in memory to file is called “serialization”  The process of loading data stored in file to memory is called “deserialization” __sleep()__wakeup()

24 © 2013 Imperva, Inc. All rights reserved. PMA Session deserialization: Vulnerability 24  On session deserialization, the load() function is called  Eval is evil! Can be used to execute unexpected code

25 © 2013 Imperva, Inc. All rights reserved. Attack Flow 25 An attacker sends the 1 st request to receive a cookie An attacker sends the 2 nd request, _SESSION holds: 1. Malicious code 2. PMA_Config serialized object with source=session file path PHP saves the session’s information to local file An attacker sends the 3 rd request PHP deserialize PMA_Config which calls __wakeup(), which calls load(), which calls eval(source=sessio n file)

26 © 2013 Imperva, Inc. All rights reserved. The Exploit Code on the Web 26

27 © 2013 Imperva, Inc. All rights reserved. Attack Flow 27 An attacker sends the 1 st request to receive a cookie An attacker sends the 2 nd request, _SESSION holds: 1. Malicious code 2. PMA_Config serialized object with source=session file path PHP saves the session’s information to local file An attacker sends the 3 rd request PHP unserialize PMA_Config which calls __wakeup(), which calls load(), which calls eval(source=session file)

28 © 2013 Imperva, Inc. All rights reserved. Guessing Session Filename 28  Luckily for the attacker, the location of the session file is predictable  Session File name consists of The “sess_” prefix The session identifier – known to the user/attacker  File’s path is predictable default values

29 © 2013 Imperva, Inc. All rights reserved. Guessing Session Filename: in the wild 29  Multiple guesses for path the same session file (“sess_19qq…”)

30 © 2013 Imperva, Inc. All rights reserved. The Final Exploit 30  Now the attackers can, *FINALLY*, get their code evaluated  /phpMyAdmin/index.php?session_to_unset=123& token=86498ff0a666f808df76ffaabee9b7a3& _SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{ s:6:“source";s:59:"/var/lib/php5/sess_6a3e0376fbfe a3ee202ef1ca85c451a62";}}& _SESSION[payload]=

31 © 2013 Imperva, Inc. All rights reserved. Demo 31

32 © 2013 Imperva, Inc. All rights reserved. PMA SuperGlobal Attacks in the wild 32  Attacks source is a hacked server  Attacks (at least) two other servers  Attacks persist over half a year

33 © 2013 Imperva, Inc. All rights reserved. A Modern Exploit Summary: Research 33  Sophisticated research  Combines multiple vulnerabilities and issues in multiple domains PHPMyAdmin (PMA) PHP internals

34 © 2013 Imperva, Inc. All rights reserved. A Modern Exploit Summary: Development 34  Exploit packed in a single, “click once” PHP script  Automates the different attack stages  Can be launched from infected servers to infect others

35 © 2013 Imperva, Inc. All rights reserved. PHP SuperGlobal Attacks 35 In the wild

36 © 2013 Imperva, Inc. All rights reserved. SuperGlobal Attacks Targets 36  RFI (Remote File Inclusion): trying to overwrite “_Server[document_root]” to point to external resource

37 © 2013 Imperva, Inc. All rights reserved. SuperGlobal Attacks Targets 37  Part of general scanning against the site – Nikto, Acunetix, Nessus  Intrusion Detection System filter evasion: an alternative way to represent HTTP query parameters “_REQUEST[Itemid]=1” request parameter is equivalent to “Itemid=1” However, it evades a naïve IDS signature that blacklists “Itemid=1”

38 © 2013 Imperva, Inc. All rights reserved. SuperGlobal Attacks Targets 38  During May 2013  3.5K requests that manipulated PHP SuperGlobal variables.  27 different attack sources  24 web applications as targets

39 © 2013 Imperva, Inc. All rights reserved. Targeted SuperGlobal 39  Some SuperGlobals are more targeted than others  The more targeted SuperGlobals provide access to more sensitive resources

40 © 2013 Imperva, Inc. All rights reserved. Summary & Conclusions 40

41 © 2013 Imperva, Inc. All rights reserved. The importance of a positive security model 41  The essence of the external variable manipulation weakness: the attacker has the ability to send out external parameters with the same name of internal variables, and thus override the value of the latter.  External parameters are not part of the standard interface of the targeted application  Blocking all of the internal variables’ names might be difficult with a negative security approach  But trivial with a positive security mechanism that specifies the allowed parameter names for each resource

42 © 2013 Imperva, Inc. All rights reserved. Layered application layer mechanisms 42  Bad news: Attackers can create a complex exploit by combining several vulnerabilities together  Good news: it’s enough to break one of the links in the kill chain to break the chain altogether.  Application layer solution that combines multiple detection mechanisms: positive security model negative security model for generic issues (generic directory traversal protection for this case) Specific CVE detection, is crucial for effective mitigations of such complex attacks.

43 © 2013 Imperva, Inc. All rights reserved. Third-Party Code Perils 43  PHPMyAdmin: Popular utility installation Often bundled with other applications  Even if PMA is not used, the server is exposed to code execution attacks!!  Administrators might not be aware to all bundled software  An “opt out” security model is needed  Optional solution is Web Application Firewall (WAF) with constant updates of security content.

44 © 2013 Imperva, Inc. All rights reserved. Third-party code perils 44  Attackers target popular applications such as the PhpMyAdmin (PMA) utility installation.  PMA is often bundled with other applications.  Having this vulnerable utility present on the server, even if it is not being used, exposes the server to code execution attacks.  Since administrators are not necessarily aware of all the bundled software, an “opt out” security model is needed.  A way to achieve such an “opt out” security model is by deploying a Web Application Firewall (WAF) with constant updates of security content.

45 © 2013 Imperva, Inc. All rights reserved. SuperGlobal parameters in requests should be blocked 45  There is no reason for these parameters to be present in valid requests, they should be banned.  Imperva’s WAF customers received a content update to their Web Application Firewall on January 15 th this year.

46 © 2013 Imperva, Inc. All rights reserved. Conclusions 46  Establish a positive security model  Use layered security mechanisms  Beware of third-party code perils  Block SuperGlobal parameters in requests

47 © 2013 Imperva, Inc. All rights reserved. More information in HII: r_intelligence.asp 47 Q&A


Download ppt "© 2013 Imperva, Inc. All rights reserved. PHP SuperGlobals: Supersized Trouble 1 Shelly Hershkovitz, Senior Security Analyst, Imperva."

Similar presentations


Ads by Google