PHP SuperGlobals: Supersized Trouble

Used in over 80% of all websites, PHP is the most popular Web application development platform in the world. The widespread use of PHP, however, makes it an attractive target for malicious hackers. By focusing attacks on vulnerabilities found in popular third party components, such as PHP, hackers are able to expand their reach to countless unsuspecting websites. This presentation explores a growing trend in the hacking community: Web attacks targeting PHP SuperGlobal parameters.

1. PHP SuperGlobals: Supersized Trouble
© 2013 Imperva, Inc. All rights reserved.
Tal Be’ery, Web Security Research Team Leader

2. Agenda
§ Introduction
  • Relevant PHP background
§ An anatomy of a modern web exploit
  • Abusing SuperGlobals
§ Additional PHP SuperGlobal attacks
  • In the wild
§ Summary & conclusions
§ Q&A

3. HII Reports
§ The Hacker Intelligence Initiative is focused on understanding how attackers are operating in practice
  • A different approach from vulnerability research
§ Data set composition
  • ~60 real world applications
  • Anonymous proxies
§ More than 24 months of data
§ Powerful analysis system
  • Combines analytic tools with drill-down capabilities

4. Tal Be’ery, Web Research Team Leader
§ Web Security Research Team Leader at Imperva
§ Holds MSc & BSc degrees in CS/EE from TAU
§ 10+ years of experience in the IS domain
§ Facebook “white hat”
§ Speaker at RSA, BlackHat, AusCERT
§ Columnist for securityweek.com
§ CISSP

5. Introduction: Relevant PHP Background

6. Breadth and Depth of PHP - I
§ The most popular server-side programming language in the world
§ And goes from strength to strength

7. Breadth and Depth of PHP – II
§ The most popular web applications are powered by PHP
Source: http://www.alexa.com/topsites

8. PHP SuperGlobals
§ Most programming languages support different scopes for variables, primarily the “local” and the “global” scope.
§ Global variables
  • Provide a simple channel for cross-function communication
  • More risky, as *ANY* function may change them
§ PHP has several predefined variables that are called SuperGlobals.
§ SuperGlobals provide access to the server’s core functionality – cookies, sessions, environment, etc.
§ SuperGlobal variables are available to the PHP script in all scopes, with no need for explicit declaration.

9. PHP SuperGlobal List (Variable – Definition)
1. GLOBALS – References all variables available in global scope
2. _SERVER – Server and execution environment information
3. _GET – HTTP GET variables
4. _POST – HTTP POST variables
5. _FILES – HTTP file upload variables
6. _COOKIE – HTTP cookies
7. _SESSION – Session variables
8. _REQUEST – HTTP request variables
9. _ENV – Environment variables

10. External Variable Modification: A PHP-Specific Weakness
§ MITRE has assigned a specific CWE (Common Weakness Enumeration) code to the External Variable Modification weakness: CWE-473
§ “A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies”.
§ SuperGlobals are a natural target:
  • Exist in every PHP application
  • Provide access to the server’s core functionality

11. Anatomy of a Modern Web Exploit: Exploiting SuperGlobals

12. phpMyAdmin (PMA)
§ The most popular MySQL administration tool for PHP
§ Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations

13. CVE-2011-2505: phpMyAdmin Vulnerability
§ phpMyAdmin’s “unset session” functionality
§ parse_str(): parses the given query string and stores the variables in the current scope. As a result, *ALL* request variables are imported into the function’s local scope.
§ session_write_close(): makes session data persistent throughout the entire user’s session. Session data is implicitly written to a local file on the server.

14. CVE-2011-2505: Exploit
§ An attacker can now
  • Craft a malicious query string with the _SESSION SuperGlobal
  • The injected _SESSION value overrides the session’s original values
  • The new values are saved to the local session file
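Slides 13 and 14 describe how a one-argument parse_str() call imports every request key into the function’s scope, so a key named _SESSION[...] lands in the session itself. The following PHP is an added illustration, not phpMyAdmin’s own code: it reproduces that pattern beside a hardened version that parses into a local array and only accepts the single parameter it needs. The function names, the allowlist pattern and the sample query string are constructed for the example.

```php
<?php
// Added example (not phpMyAdmin's code): the pattern behind CVE-2011-2505 as
// described on slides 13 and 14, beside a hardened equivalent.

// Vulnerable pattern: parse_str() without a result array imports every key of
// the query string as a variable in the current scope. A key named
// "_SESSION[payload]" therefore becomes $_SESSION['payload'], and
// session_write_close() persists it.
// (Shown for reference only: the one-argument form was removed in PHP 8.0,
// so calling this function on a current PHP would raise ArgumentCountError.)
function unset_session_vulnerable(string $queryString): void
{
    parse_str($queryString);             // imports $session_to_unset AND anything else
    unset($_SESSION[$session_to_unset]);
    session_write_close();               // attacker-controlled values are now on disk
}

// Hardened pattern: parse into a local array, pick the one expected key, and
// never let request data decide which variables it lands in.
function unset_session_hardened(string $queryString): bool
{
    parse_str($queryString, $params);    // $params is a plain array: no scope pollution
    if (!isset($params['session_to_unset']) || !is_string($params['session_to_unset'])) {
        return false;
    }
    $key = $params['session_to_unset'];
    // Positive model on the value too: only plain identifiers the application
    // itself uses as session keys may be unset (assumed naming convention).
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $key)) {
        return false;
    }
    unset($_SESSION[$key]);
    return true;
}

// Constructed demo input, modelled on the shape of the slide's query string.
$_SESSION = ['theme' => 'dark'];
$qs = 'session_to_unset=theme&_SESSION[payload]=<?php phpinfo(); ?>';

var_dump(unset_session_hardened($qs));   // bool(true): "theme" was removed
var_dump(isset($_SESSION['payload']));   // bool(false): request keys never reached $_SESSION
var_dump($_SESSION);                     // array(0) {}
```

The hardened version also works unchanged on PHP 8, where the two-argument form is the only one that still exists; the point is that request keys are data in an array, never variable names in the running scope.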
15. Serialization Explained
§ The process of saving data stored in memory to a file is called “serialization”
§ The process of loading data stored in a file into memory is called “deserialization”
Source: http://www.studytonight.com/java/images/Serialization-deserialization.JPG

16. CVE-2010-3065: PHP Vulnerability & Exploit
§ Discovered by Stefan Esser - late 2010
§ Attacker can write data to the session in *ANY* format, if the session variable name starts with ‘!’

17. PMA Session Deserialization: Vulnerability
§ On session deserialization, the load() function is called
§ Eval is evil!
  • Can be used to execute unexpected code
§ But in order to exploit, attackers need to first specify a valid source (= session filename)

18. Guessing Session Filename: Theory
§ Luckily for the attacker, the location of the session file is predictable
§ The session file name consists of
  • The “sess_” prefix
  • The session identifier – known to the user/attacker
§ The file’s path is predictable
  • Default values

19. Guessing Session Filename: In the Wild
§ Multiple guesses for the path of the same session file (“sess_19qq…”)

20. The Final Exploit
§ Now the attackers can, *FINALLY*, get their code evaluated
§ /phpMyAdmin/index.php?session_to_unset=123&token=86498ff0a666f808df76ffaabee9b7a3&_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}&_SESSION[payload]=<?php phpinfo(); ?>
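The payload on slide 20 is a serialized PMA_Config object, and slide 17 explains that deserializing it is what reaches load(). The following PHP is an added illustration, not phpMyAdmin’s or PHP’s own code: it shows how deserializing session data with a class allowlist keeps such an object from ever being instantiated, and rejects any session blob in which an object turns up. The serialized strings, the placeholder file path and the function names are constructed for the example.

```php
<?php
// Added example, not phpMyAdmin's or PHP's code: deserializing session data
// without instantiating classes, so no constructor, __wakeup() or load() runs.

// Constructed payloads. $hostile has the same shape as the slide's "_SESSION[!bla]"
// value after the "|xxx|" prefix (an object smuggled into the session); $benign is
// what a normal session looks like. The path is a placeholder, not a real target.
$hostile = 'a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:21:"/tmp/sess_placeholder";}}';
$benign  = 'a:1:{s:5:"theme";s:4:"dark";}';

// allowed_classes => false (PHP >= 7.0) turns every serialized object into
// __PHP_Incomplete_Class; the named class is never loaded or constructed.
function safe_unserialize(string $blob)
{
    return @unserialize($blob, ['allowed_classes' => false]);
}

// Walk the deserialized value and report whether any object survived.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;   // with allowed_classes=false this is an incomplete class stub
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Accept a session blob only if it deserializes to an array with no objects at all.
// Session data for a web application has no business carrying live objects, so any
// object is treated as evidence of tampering rather than as data to be loaded.
function load_session_data(string $blob): ?array
{
    $data = safe_unserialize($blob);
    if (!is_array($data) || contains_object($data)) {
        return null;
    }
    return $data;
}

var_dump(load_session_data($benign));   // array(1) { ["theme"]=> string(4) "dark" }
var_dump(load_session_data($hostile));  // NULL
```

This is a defence at the point of use: it does not stop the attacker from writing the session file (that is the CVE-2010-3065 and filename-guessing part of the chain), but it breaks the link where the written data would become code.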
21. Exploit Result
§ Arbitrary PHP code is executed

22. PMA SuperGlobal Attacks In the Wild
§ The attack source is a hacked server
§ It attacks (at least) two other servers
§ The attacks persist over half a year

23. A Modern Exploit Summary: Research
§ Sophisticated research
§ Combines multiple vulnerabilities and issues in multiple domains
  • phpMyAdmin (PMA)
  • PHP internals

24. A Modern Exploit Summary: Development
§ Exploit packed in a single, “click once” PHP script
§ Automates the different attack stages
§ Can be launched from infected servers to infect others

25. Additional PHP SuperGlobal Attacks: In the Wild

26. SuperGlobal Attack Targets – I
§ Specific vulnerability exploits – such as the previously discussed PMA attack
§ RFI (Remote File Inclusion): trying to overwrite “Server[document_root]” to point to an external resource

27. SuperGlobal Attack Targets – II
§ Part of general scanning against the site – Nikto, Acunetix, Nessus
§ IDS filter evasion: SuperGlobals provide an alternative way to represent HTTP query parameters
  • The “_REQUEST[Itemid]=1” request parameter is equivalent to “Itemid=1” in every way
  • However, it evades a naïve IDS signature that blacklists “Itemid=1”
  • We have seen this evasion technique applied on several CVEs

28. SuperGlobals In the Wild
§ During May 2013:
  • 3.5K requests that manipulated PHP SuperGlobal variables
  • 27 different attack sources
  • 24 web applications as targets

29. Targeted SuperGlobals
§ Some SuperGlobals are more targeted than others
§ The more targeted SuperGlobals provide access to more sensitive resources
§ Share of attacks by SuperGlobal (chart data): GLOBALS 55%, ENV 14%, SERVER 14%, SESSION 13%, REQUEST 4%

30. Summary & Conclusions

31. The Importance of a Positive Security Model
§ The essence of the external variable manipulation weakness: the attacker has the ability to send external parameters with the same names as internal variables, and thus override the values of the latter.
§ External parameters are not part of the standard interface of the targeted application
§ Blocking all of the internal variables’ names might be difficult with a negative security approach
§ But it is trivial with a positive security mechanism that specifies the allowed parameter names for each resource

32. Layered Application Layer Mechanisms
§ Bad news: attackers can create a complex exploit by combining several vulnerabilities together
§ Good news: it’s enough to break one of the links in the kill chain to break the chain altogether.
§ An application layer solution that combines multiple detection mechanisms is crucial for effective mitigation of such complex attacks:
  • Positive security model
  • Negative security model for generic issues (generic directory traversal protection in this case)
  • Specific CVE detection

33. Third-Party Code Perils
§ Attackers target popular applications such as the phpMyAdmin (PMA) utility.
§ PMA is often bundled with other applications.
§ Having this vulnerable utility present on the server, even if it is not being used, exposes the server to code execution attacks.
§ Since administrators are not necessarily aware of all the bundled software, an “opt out” security model is needed.
§ A way to achieve such an “opt out” security model is by deploying a Web Application Firewall (WAF) with constant updates of security content.

34. SuperGlobal Parameters In Requests Should Be Blocked
§ There is no reason for these parameters to be present in valid requests; they should be banned.
§ Imperva’s WAF customers received a content update to their Web Application Firewall on January 15th, 2013.
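Slides 27, 31 and 34 each make a request-filtering point: the _REQUEST[Itemid] evasion, the per-resource allowlist of parameter names, and the outright ban on SuperGlobal-named parameters. The following PHP is an added illustration, not Imperva’s WAF content or any project’s code, that applies both rules to the raw query string of a request. The allowlist table, the resource paths, the rejection messages and the sample requests are constructed for the example.

```php
<?php
// Added example (not Imperva's or any WAF's code): a request filter implementing
// the deck's two recommendations. It inspects the RAW query string, because PHP's
// own parsing would already have turned "_REQUEST[Itemid]=1" into
// $_GET['_REQUEST']['Itemid'], hiding the SuperGlobal name from a naive check.

// The nine SuperGlobals from slide 9. None of them is a legitimate parameter name.
const SUPERGLOBAL_NAMES = ['GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
                           '_COOKIE', '_SESSION', '_REQUEST', '_ENV'];

// Assumed positive model: resource path => parameter names it legitimately accepts.
const ALLOWED_PARAMS = [
    '/index.php'            => ['Itemid', 'option', 'view'],
    '/phpMyAdmin/index.php' => ['token', 'db', 'table'],
];

// Returns the list of reasons to reject the request; an empty list means accept.
function check_request(string $path, string $rawQuery): array
{
    $reasons = [];
    parse_str($rawQuery, $params);      // array form only: never import into scope
    $allowed = ALLOWED_PARAMS[$path] ?? [];
    foreach (array_keys($params) as $name) {
        $name = (string) $name;
        // Rule 1 (slide 34): a SuperGlobal name has no place in a request, whether
        // bare ("GLOBALS") or subscripted ("_REQUEST[Itemid]" parses to the
        // top-level key "_REQUEST", which is exactly the slide 27 evasion).
        if (in_array($name, SUPERGLOBAL_NAMES, true)) {
            $reasons[] = "superglobal parameter: $name";
            continue;
        }
        // Rule 2 (slide 31): anything not in the resource's allowlist is rejected,
        // so an internal variable name such as "session_to_unset" cannot be
        // injected into a resource that never declared it.
        if (!in_array($name, $allowed, true)) {
            $reasons[] = "parameter not allowed for $path: $name";
        }
    }
    return $reasons;
}

// Constructed sample requests modelled on the deck (the third has the shape of
// slide 20's request; the fourth the "Server[document_root]" RFI attempt of slide 26).
$samples = [
    ['/index.php',            'Itemid=1&option=com_content'],
    ['/index.php',            '_REQUEST[Itemid]=1'],
    ['/phpMyAdmin/index.php', 'session_to_unset=123&token=abc&_SESSION[!bla]=|xxx'],
    ['/index.php',            'Server[document_root]=http://attacker.invalid/'],
];
foreach ($samples as [$path, $query]) {
    $reasons = check_request($path, $query);
    printf("%-60s %s\n", "$path?$query",
           $reasons ? 'BLOCK: ' . implode('; ', $reasons) : 'allow');
}
```

Expected behaviour: the first request is allowed; the second is blocked by rule 1 even though the value is the harmless “1”; the third is blocked twice over (session_to_unset is not in the allowlist, and _SESSION is a SuperGlobal); the fourth is blocked by rule 2, which is the generic layer that catches the RFI attempt without a signature for it. This is the layered approach of slide 32: the positive model alone would already reject the second, third and fourth requests, and the SuperGlobal ban makes the reason explicit for alerting.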
35. Summing Up
§ Establish a positive security model
§ Use layered application layer security mechanisms
§ Beware of third-party code perils
§ Block SuperGlobal parameters in requests

36. Webinar Materials
Post-Webinar Discussions: Answers to Attendee Questions
Webinar Recording Link
Join Group: Join the Imperva LinkedIn Group, Imperva Data Security Direct, for…

37. www.imperva.com
