PHP Deserialization Exploit attempt

Published: 2022-09-07. Last Updated: 2022-09-07 13:32:38 UTC
by Johannes Ullrich (Version: 1)

I came across the following deserialization exploit attempt not in a honeypot but in the log for this (isc.sans.edu) webserver:

/!php/object+"O:24:\\"GuzzleHttp\\\\Psr7\\\\FnStream\\":2:{s:33:\\"\\0GuzzleHttp\\\\Psr7\\\\FnStream\\0methods\\";a:1:{s:5:\\"close\\";s:7:\\"phpinfo\\";}s:9:\\"_fn_close\\";s:7:\\"phpinfo\\";}"/recentdomains/,

People usually think about deserialization vulnerabilities in Java (and maybe .NET). But code written in any object-oriented language may be susceptible to deserialization vulnerabilities.

In some ways, the PHP example is even more "transparent" than some of the past Java examples I have seen. Deserialization vulnerabilities are a bit weird in that they just take advantage of a feature in how objects are instantiated. Software may exchange arbitrary objects serialized as a string. As the object is deserialized, its constructor is called, which may execute arbitrary code delivered with the object. Think about it as calling "eval" on the string received. [owasp]

This can be "ok", if only a limited set of objects are deserialized or if the object is received from a trusted source and properly digitally signed to avoid tampering with the object in transit. But the process quickly goes wrong if arbitrary objects are deserialized from arbitrary sources.

In this case, the attacker can find a "Gadget," which is an object that allows code execution, and feed it to the software using the "correct" parameters. In the case above, the gadget is "GuzzleHttp." There is nothing "wrong" with GuzzleHttp. GuzzleHttp is a PHP library used to create HTTP requests. Similar to the standard library "curl," it abstracts some lower-level features. GuzzleHttp is often installed as part of other packages (e.g. Laravel) if you use extensions that connect to HTTP APIs. So this is not a vulnerability in GuzzleHttp, but the attacker is looking for code that accepts GuzzleHttp objects and instantiates them (I do not think this is ever a good idea). [guzzle]

I am not sure what vulnerable software the exploit above looks for. But it attempts to execute phpinfo. This exploit will only flag vulnerable pages to come back and exploit later. Let me know if you can identify it (email jullrich\@/sans.edu).

GuzzleHttp is a well-known gadget; you can find it listed in a GitHub repository of well-known gadget chains for various vulnerabilities. [gadgets]
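
An added example, not part of the original diary: Python code for spotting serialized PHP objects like the one above in web server logs. It removes URL encoding and backslash escaping one layer at a time and uses the length prefixes of the serialization format to confirm the decoding. The function names and the second, URL-encoded sample request are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Object header: O:<name length>:"<class name>":<property count>:{
OBJECT_RE = re.compile(r'O:(\d+):"([^"]+)":\d+:\{')
# String value: s:<length>:"<value>";
STRING_RE = re.compile(r's:(\d+):"([^"]*)";')
# One layer of backslash escaping: \\ -> \, \" -> ", \0 -> NUL
ESCAPE_RE = re.compile(r'\\([\\"0])')

# Request from the diary above, as logged (double-escaped).
DIARY_REQUEST = r'/!php/object+"O:24:\\"GuzzleHttp\\\\Psr7\\\\FnStream\\":2:{s:33:\\"\\0GuzzleHttp\\\\Psr7\\\\FnStream\\0methods\\";a:1:{s:5:\\"close\\";s:7:\\"phpinfo\\";}s:9:\\"_fn_close\\";s:7:\\"phpinfo\\";}"/recentdomains/'
# Constructed sample: URL-encoded object with no backslash escaping.
ENCODED_REQUEST = "/index.php?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"


def unescape_once(text):
    """Remove a single layer of backslash escaping."""
    return ESCAPE_RE.sub(lambda m: "\x00" if m.group(1) == "0" else m.group(1), text)


def length_ok(match):
    """PHP length prefixes count bytes; compare against the UTF-8 length."""
    return int(match.group(1)) == len(match.group(2).encode("utf-8"))


def find_serialized_objects(request, max_layers=4):
    """Return objects found in a request, unescaping until length prefixes match."""
    text = unquote(request)
    for layer in range(max_layers + 1):
        objects = [m.group(2) for m in OBJECT_RE.finditer(text) if length_ok(m)]
        if objects:
            strings = [m.group(2) for m in STRING_RE.finditer(text) if length_ok(m)]
            return [{"class": c, "escape_layers": layer, "strings": strings} for c in objects]
        text = unescape_once(text)
    return []


if __name__ == "__main__":
    for line in (DIARY_REQUEST, ENCODED_REQUEST, "/recentdomains/?page=2"):
        print(find_serialized_objects(line) or "no serialized object", "<-", line[:40])
```

A declared length that matches the decoded class name is a strong sign that the text is a real serialized payload and not a coincidental `O:` in a URL.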

[owasp] https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
[guzzle] https://docs.guzzlephp.org/en/stable/
[gadgets] https://github.com/ambionics/phpggc

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu