“PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL ...




1.A deep dive into PHP Object Injection Ionut Popescu

2.Contents Part 1: Background information Part 2: Vulnerability exploitation Part 3: Demo

3.Vulnerability description “ PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.” - OWASP

4.Vulnerable software WordPress 3.6.1 Magento Joomla 3.0.3 IP Board 3.3.4 Dotclear 2.6.1 OpenCart CubeCart 5.2.0 Drupal 7.34 vBulletin 5.1.0 Tuelap 7.6-4 Moodle 2.5.0 WHMCS 5.2.12

5.Part 1: Background information

6.Classes in PHP

7.PHP Magic Methods __construct() __destruct() __call() __ callStatic () __get() __set() __ isset () __unset() __sleep() __wakeup() __ toString () __invoke() __ set_state () __clone() __ debugInfo ()

8.Magic methods example Output: __construct This is a string __ toString __destruct

9.Magic methods example #2 Output: Get: Data Set: RHOST = Call: run Invoke: shell

10.Object serialization serialize — Generates a storable representation of a value String s:size:value; Integer i:value; Boolean b:value; (does not store "true" or "false", does store 1 or 0) Null N; Array a:size:{key definition;value definition;(repeated per element)} Object O:strlen(object name):object name:object size:{ s:strlen (property name):property name:property definition;(repeated per property)}

11.Serialization example Output: s:5:"OWASP"; O:8:"stdClass":0:{} b:1; a:3:{i:0;i:1;i:1;i:2;i:2;i:3;} O:8:"stdClass":0:{}

12.Serialization example #2 User John is 20 years old. O :4:"User":2: { s :3:"age"; i :20; s :4:"name"; s :4:"John"; }

13.unserialize “magic” If the serialized string is an object, unserialize will: Create an object instance (with specified values) Call __wakeup function (if it is present) Call __destruct function (if it is present) at script execution end

14.Unserialize example __construct __sleep Serialized: O:4:"Test":2:{s:8:"variable";s:4:"BUZZ";s:9:"variable2";s:5:"OTHER";} __wakeup BUZZ __destruct __destruct

15.Part 2: Vulnerability exploitation

16.PHP Object Injection Application calls “unserialize” with user-supplied data There are classes that implement __destruct, __wakeup or other functions Classes are loaded at the “unserialize” time (autoloading will help)

17.Vulnerable code example

18.Exploitation Normal call: script.php?usr_serialized =O:4:" User ":2:{s:3:"age";i:20;s:4:"name";s:4:"John";} Exploit : Create a serialized LogFile object that will delete “. htaccess ” on destructor Output: O:7:"LogFile":1:{s:8:"filename";s:9:".htaccess";} __destruct deletes ". htaccess " file. Call: script.php?usr_serialized =O:7:" LogFile ":1:{s:8:"filename";s:9:".htaccess";} Result : __destruct deletes ". htaccess " file.

19.Vulnerable code example #2

20.Exploitation #2 Normal call: script.php?usr_serialized =O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";} Exploit : Create a serialized FileClass object that will read “ config.php ” file on __ toString Output : O:9:"FileClass":1:{s:8:"filename";s:10:"config.php";} Call : script.php?usr_serialized =O:9:"FileClass":1:{s:8:"filename";s:10:"config.php";} Result : <? php $ private_data = MAGIC;?>

21.Other exploitation vectors Other magic methods: __get, __set, __call… Normal functions with the same name. E.g. User:: getData () Database:: getData ()

22.How to fix? Do not use “unserialize” on user-supplied data Use json_decode

23.Part 3: Demo

24.IP Board – Vulnerable code /admin/sources/base/ core.php : 4021 - 4053

25.IP Board - Exploitation / ips_kernel / classDb.php : 1841 - 1883

26.IP Board – Public exploit

27.References [1] Understanding PHP Object Injection http://securitycafe.ro/2015/01/05/understanding-php-object-injection/ [2] Classes and Objects http://php.net/manual/en/language.oop5.php [3] Magic Methods http://php.net/manual/en/language.oop5.magic.php [4] unserialize http://php.net/manual/en/function.unserialize.php [5] Shocking News in PHP Exploitation https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf [6] Code Reuse Attacks in PHP: Automated POP Chain Generation http://syssec.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf [7] Invision Power Board <= 3.3.4 - "unserialize()" PHP Code Execution https://www.exploit-db.com/exploits/22398/ [8] WordPress < 3.6.1 PHP Object Injection https://vagosec.org/2013/09/wordpress-php-object-injection/ [9] Remote Code Execution exploit in WordPress 3.5.1 https://vagosec.org/2013/12/wordpress-rce-exploit/

28.Questions? Thank you, Ionut Popescu