
2015 - Sam Thomas - PHP unserialization vulnerabilities – what are we missing

BSides Manchester · 51:50 · 816 views · Published 2015-10
About this talk
Slides: http://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing

We regularly find unserialization issues during penetration testing engagements, often within previously tested systems, and they frequently result in a serious compromise. This suggests the area is not sufficiently understood and that testing methodologies need to be improved. This presentation includes demonstrations of some lesser known techniques which can be used to compromise WordPress versions earlier than 3.6.1 and SilverStripe versions earlier than 2.4.6, amongst others.
Transcript (en)

Welcome back to this track. We've got Sam Thomas here to speak about PHP unserialization vulnerabilities. I'm getting the impression that quite a lot of you in the audience already know some of this, so it

promises to be quite good, and the questions interesting.

OK, so my name's Sam Thomas, I'm the head of research at Pentest. This is the obligatory "me" slide, the boring stuff, and basically I'd like to thank [inaudible]. So what is PHP unserialization? So basically over the last few years we've seen this slowly emerging class of vulnerabilities called object injection. It does appear in other languages etc., but I'm really only focused on PHP, and focused on unserialization. Just recently, and I didn't know about this until I came to prepare this, someone whose name I don't know [inaudible] demonstrated a different way of exploiting a similar [issue]. Now I first came across this on sort of

a normal [engagement], and just had a few days to test them out. Did a bit of recon; it was found to be an old version of SilverStripe, which is an open source CMS. So I did the normal thing, looked at the changelog, and this entry jumped out at me. So after getting past those first three words, I had a bigger look at what it said. Obviously we ignore "potential", but this word "unserialization", I didn't really know what it meant. So that's where, OK, there's this amazing research by Stefan Esser, who basically found the issue. I think it's quite important to make sure he gets the credit, because when we talk about classes of vulnerabilities like SQL injection or cross-site scripting we don't [credit] every single person, so

obviously this function, unserialize, has been around for a long time. I'm guessing a lot of other people have had similar experiences, because around the same time a lot of people started talking about this class of vulnerability, giving examples of, you know, the exploits that you could do. Now I wasn't aware of all of this research when I started, and I'm going to talk a little bit about some of the other stuff they've done. So this guy [inaudible], well, he did some amazing stuff, basically using built-in classes in PHP as well as the user-defined ones. [inaudible] basically took a British take on this [inaudible]; he found a lot of instances of it, you know, [inaudible], and I

[inaudible] done a lot of work there basically. So because I learn things more by doing them than by just reading about them, I wanted to sort of talk through three vulnerabilities that I worked on. Now I was basically trying to be clever here and talk about my old vulnerabilities, you know, talk about the methodology, and say you could apply this to more recent stuff. So I went off to have a look at some more recent issues, and one jumped out at me: basically one of the exploits I'm going to show you here today, with some small changes, would affect this WordPress plugin, which apparently is... I hope I don't need to do as much as I

thought I would to justify that this is, you know, very relevant. Now I'm not really going to talk about finding the vulnerability; [inaudible] my colleague always talks about static analysis, we really know how to find this kind of vulnerability. If you think of SQL injection or cross-site scripting, it's basically user-controlled data getting to a function that it shouldn't. I'm not going to talk about how to fix it, because basically it's fairly trivial: just don't unserialize user-controlled [data]. More recently, with PHP 7, they've introduced a second argument to the function, so you can limit what classes you can unserialize. What I do really want to talk about is the actual technique we used to

exploit it. So this is sort of one of the slides from Stefan Esser's original presentation, and it basically introduced this concept called property-oriented programming, and that's a much broader area. OK, so this is the basic agenda: before we can get to the cool stuff of actually exploiting it, we need some background information. So what is unserialization, why is it exploitable? OK, so basically there's two functions in PHP, serialize and unserialize, that, you know, do the opposite of each other. So serialize generates a storable representation; you've got some simple examples there like integers and strings, and the basic idea is you store them in a database or in a local file or something like that. Now the problem comes when

those kind of values are exposed to the end user, so for instance it's passed through a cookie or a GET parameter. unserialize does the opposite and converts this binary string back into the actual value. Doesn't sound all that interesting, but once we get down to actually what things are a value within... so you've got eight primitive types. I think the scalar ones should be well understood. These special types: there's resource, which is like an open database or an open file handle; these are the one thing that can't be serialized. OK, an array basically consists of a set of indexes and a set of values. In PHP those indexes could take any value, which could

get a bit complicated when you think about, say, having an object as an index, but everything we're going to look at will just be integers or strings for the index. OK, now an object is an instance of a class, so you've got the code defining the class, which defines the properties and various methods, and we can represent that; in terms of what's serialized it's just the properties and the class name. You know, an instance of that object in a state is represented by that. OK, so that's the rough idea of what serialization is, but why is it exploitable? Basically that comes down to these things called magic methods in PHP. Now there's quite

a lot of them. I'm not going to go into all of them, but I'll sort of explain these four briefly, the sort of thing they do. So the first one we're gonna look at is __wakeup, and this is the one method that's actually not normally used in any of the exploits, but it's the one that should start to make us think there might be [something] under there. So whenever we unserialize an object, if the class that the object is has a __wakeup method defined, that runs, so we're starting the process of code execution. Typically it's basically meant to reinitialize those resources that I mentioned couldn't be serialized. So for instance, if you serialize something that is

supposed to be connected to a database, that connection will be broken when you serialize it; when you unserialize it, it will try and bring that connection back. And the next one is __destruct, which is basically called by the garbage collector. So when an object is destroyed this __destruct method is invoked on the object. You know, typically it cleans up references. One interesting thing it might do is finish any unfinished business. So say we had an object that represents a file stream with a buffer as a property; there might be data in that buffer, and while it's destroying it, it writes that to the file. So you can imagine, if we could give it an arbitrary object, data in the buffer and a path of our

choice, suddenly we're doing [inaudible]. OK, the next one is __toString, which basically happens when we treat an object as if it were a string. So the simplest case, if you try and echo an object, it will invoke this method to convert it to a string and display that. And this can get interesting if there are complex rendering methods. So say we've got an object that represents a page; that might, you know, reference a template, something like that. If we can control where it's looking for that template then we're doing something interesting. Finally, one which might not be obvious why it's relevant now, but hopefully will become clear, is this __call method, which is invoked if we try to

call an undefined method on an object. So if we call a method called foobar on that object but it doesn't have that method defined, if it does have a __call method it will try and sort of catch that.

So that's essentially why we can start to see, [inaudible], we can start a sequence of calls. But the other stuff I wanted to talk about is what makes it particularly exploitable. So a lot of complex applications basically define something called an autoloader, so whenever you're trying to access a class that it doesn't know about it's going to go off and try and load that class. [inaudible] that's basically how you define it, but essentially it means you could have a lot of different classes available. The next thing, I didn't actually know what this was called; I drew a technical explanation [inaudible]. What this means is that any variable, or indeed a

property of an object, could take any value, so it could be an object, an array. Then finally, people don't really seem to mention this one, but I certainly needed to find out about it, it's really important: you might define a function to take two arguments, but if someone invokes it with no arguments it's just going to pass. So combining these two things we start to see we can put completely unexpected objects as properties. So say we've got an invocation of a commonly named method like close or something; it might be trying to close a file, and we have something completely different there. OK, so I think we're ready to start looking at the exploits.

And the first one... sorry, rather, this is the basic method. So this is pretty much what Stefan Esser said, and it's in his paper: we start off by finding somewhere we control the data that gets unserialized, then we work out what classes are accessible to us, we try and find the magic method to kick off the set of code we can run, and then we basically try and find a way of getting from that point to something interesting. Now when he sort of ran through these it was very much like step one, [step two]. So the first vulnerability we're going to look at, I mentioned right at the start: I was just on a test, went to the changelog, it sent

me to this paper, I saw and understood some of that basic stuff I've gone through there, and thought right, I'm ready to exploit. So, find an entry point: from the changelog it was fairly obvious where it was. OK, so what classes can we use within our exploit? SilverStripe does have an autoloader defined; I'm not going to go into all the details, but basically it uses a manifest-based system. So there's a separate PHP executable that constructs a big list of all the classes within the codebase and what file they're in, and then when we're going to try and access a class that it doesn't know about it just checks this list and loads that class. So

that's pretty good for us: we can get to nearly every class in the codebase. OK, so then we need to find starting points. Now I mentioned __toString earlier; I'm going to ignore it for now, as it wasn't clear to me at first that we should be looking there. So we're only looking at __destruct and __wakeup, looking through the codebase.

Normally [you'd] go through each of them, but I thought I'd go through a couple of the ones that we reject, sort of to show you how easily we [reject them]. So the first one is MySQL, pretty basic: that's taking a property of our object, checking if it's a resource, which it couldn't possibly be because we can't serialize a resource, and then doing something boring anyway. The second one, CSV parser, we look at the __destruct method; that could be interesting because it's calling a function called closeFile, [so] we go and look at that and it doesn't actually really do anything. Close,

well, we actually do [inaudible]. Jumping past a few more is this one, which is in the class Zend_Log. Now this takes the property writers, which is essentially an array of writers, iterates through each one and invokes a function called shutdown. Now it's pretty important to say that the exploits [Esser showed], a lot of the ones he demonstrated started with this very same class and very same function, so that's what we've chosen [inaudible]. OK, so where can we get to from there? Like I mentioned, his approach, not his approach but sort of simplifying it, was very much where can we get to in the next step. So there's five shutdown functions, and it's the exact same five that he went

through in his talk, and he basically said they were all useless except Zend_Log_Writer_Mail. Now immediately with that we've got... basically we can send arbitrary emails, which is interesting but not really where we want to get to. So he then showed that basically this would invoke a method called render on one of its properties, and he had seven classes with render methods, rejected six of them, and one of them did something interesting. [Here] there was only one object with a render method and it didn't do anything interesting, so, you know, it seemed like a dead end basically. So I went back, went through all those __destructs, all these methods, basically stayed up late into the night thinking

[inaudible] code execution, even worse, [inaudible] and send a stupid email, but that's not what... So that's pretty much where I went to bed that night. You know, I had a good night's sleep, so fresh perspective in the morning, stepped back and reread these papers and tried to understand what it meant, and what it basically means is that we shouldn't only look at what we're invoking directly, but whether we trigger any of those magic methods. So we don't only need to look at the objects with a shutdown method, we need to look at any objects with a __call method, which we could invoke by telling it to shut down. Again, I'm not going to step through all

of them. There's one I want to show you quickly because I'm going to talk about it later, and this is basically, [inaudible], I know this is gonna be a bit sort of circumstantial, but we're gonna see. So this proxies the method that's been invoked on to the other object, say in this case the form property, a function with the same name, passing the same arguments. I saw this a ton of times and didn't think it could ever be [useful], because why wouldn't we just [call it directly]? So this is the one we're actually going to use. Now what this does is it takes the method name, converts it into uppercase, and then it searches one of its properties to see if

it's supposed to handle that method. So actually that method could have any name; as long as we set up this priorities property to cover that method it's gonna catch it, and then it goes ahead and logs something. Now in terms of interesting stuff we could do, you know, logging something to presumably a file sounds pretty interesting. So sort of as I mentioned, this is really, really useful because of what triggers it: any method on any property of an object could trigger this. And so basically once we know we've got one of these we're looking for those __destructs or __wakeups, basically anything that invokes a method on one of its properties. So looking a bit further into what actually

does this: it calls the log method. From there basically it constructs an array with the details of the event that it's logging. Now what's handy for us is it, you know, takes stuff like the parameters that are passed to it, it calculates a timestamp, but it merges those with one of the properties. So actually we could overwrite anything that was passed to the function by setting this extras property. Then it goes ahead and invokes the write method on [the writer]. Now I don't want to sort of jump through lots and lots of code, so we'll go straight to basically this is the exploit that we built. So the initial object that we supply is one of these Zend_Logs

with a single writer. So when this is destroyed it's going to [call shutdown]. Now we've set this priorities property to basically say yes, it can handle shutdown; we've set the message for what to put within the log entry; and, you know, I haven't spoken about this class, but it's exactly intended to log stuff to a file. So basically we're just telling it to write that message to a file. So go ahead and try that on the local machine, and great, writing text. We think we're just moments away basically from getting a shell. So I went ahead and changed that to just some PHP code to execute, [inaudible]. So it turns out that basically they were using

.htaccess files to prevent the execution. Now at this point I spent way too much time, [inaudible], and I've never actually completed this, but I was hoping to do it for this. So this is going to be a bit hand-wavy, but there is a way to do it. Basically PHP has this mechanism of filters that you can use for files, and you can for instance [inaudible] base64 [inaudible]; it's nice and ignores [inaudible]. What we do basically is take this repeatedly, and eventually it swallows up all the characters that we don't control, [and] turns it into only valid characters. Well, we've got the

[inaudible], you know, write a new .htaccess file [inaudible]. So I'm afraid that's where the first one finishes, but the next two are hopefully much more interesting. I just wanted to go through that one because it's the first time I came across the issue. So this is, I think to be honest, my favorite web application [vulnerability]; I guess that sounds a bit weird, hopefully this isn't that strange a place to have a favorite. So I'm not going to be able to go into the full vulnerability because it's quite complicated. So finding an entry point: basically a security issue with MySQL that they haven't recognized as a security issue. If you set up a table to use the utf8

character set, it doesn't handle four-byte characters properly. It's quite similar to like a null byte poisoning attack: so if we try and set a value to "foo", then one of these characters, "bar", it turns into just "foo". Now it wouldn't have occurred to me, you know, it occurred to me that might be relevant to some issues, but certainly not this one. So this guy, Tom Van Goethem, basically had an amazing insight, [inaudible] WordPress, and figured out that we could abuse this to trigger unserialize. The next step is to look at what classes are accessible, if there's an autoloader that we can get to them. In WordPress there's no autoloader, so

we're extremely limited in what classes we could use. So the next thing is to go through these starting points. Now this is where we have to use __toString as an example, sort of to make the point that we should be checking that method as well: if you think about the sort of data that's given to unserialize, it's almost guaranteed to treat something as a string. OK, so we've basically only got three methods that we could possibly use: there's two __destructs and then there's this one complex __toString method. Now this is where I was talking about, you know, going next steps, next steps, next steps; here we can take a bit of a different approach. So we're

basically faced with this complex set of possible places; to check through all of those is going to take an age. But what if we identify where we want to get to, then we identify some useful piece of code that we could target; then suddenly it's quite an easy problem to solve, and similar to some of those static analysis [approaches]. So OK, can we find something useful? So ignoring the exact code and looking at the comments, is there anything that sort of stands out as more interesting than just displaying the name of the thing?

Well, it's certainly going to be more dynamic than just displaying a fixed value. So I didn't get there straight away, but it shouldn't be surprising that I ended up looking at a class called Translations, and that has a very interesting function, because it's for dynamically creating a function to deal with pluralization. This create_function function is quite similar to eval, so basically we can feed code into there. So basically we start from that end point and work our way back: the back end reads from a file; we go back and see if we can control that file, you know, looking at whether it could be HTTP or [inaudible]. I think the function called is is_readable, which won't accept an HTTP

URL, but it will accept an FTP one. So we could host this language file externally and just point to it. And then going further back, we need to have an actual name for it to try and translate, and we need to tell it that that name is in a text domain that it doesn't recognize. So this is the exploit. It's quite simple really: we've got the WP_Theme, it's got three properties. One is headers, which is an array with two entries: Name, and TextDomain, which as I mentioned has to be a text domain it doesn't recognize. So I'm sure you all know

obviously. OK, so now pray to the demo gods and [inaudible].

That's basically the source code for the exploit we'll be using. So basically we're building a version of this object with the properties set I showed you; we're gonna URL-encode and serialize that. Now as I mentioned, that's sort of grabbing something from the FTP site, so let's have a quick look at this.

So you saw we set the stylesheet parameter, [inaudible]; that's used in the folder name, and then it's going ahead and looking at the languages, and we've set up a US language in there. So this is a binary file format; it's not something...

Now this issue's only exposed to authenticated users, so you have to either have registration available or some [inaudible].

So we can update various properties of our user profile. So I've set my username to "foo"...

It's terminated it at the [inaudible]. Now what Tom Van Goethem basically noticed is that there's quite a complex process going on here: if we try to give a value that looks like serialized data it's gonna serialize it again, then unserialize it later. If we give a value that doesn't look like serialized data it's gonna put it in [as is]; when it gets it out it's gonna check if it looks serialized and unserialize it. So basically we can use this.

It just comes out as one, because it's getting unserialized. I guess to demonstrate a bit more [clearly], we serialize it, right, so it's just an array with zero elements essentially. So not only is it unserializing it, it's invoking __toString on it, and that's what the __toString method [inaudible].

OK, so this is the request. There's a slight complication here: that name field, that sort of field we looked at, won't accept any null bytes, which we are going to need for our exploit, but fortunately there's a couple of other ways of doing it. So [inaudible]

I basically run that code, which generates the serialized value.

So you are [inaudible]

so to say that it's the object we were talking about.

Go ahead and basically set [inaudible]

[inaudible]

OK, so moving on to the next one. This is an issue in Joomla found by [inaudible]. Now when I came to prepare this presentation I wasn't aware of the work that Johannes has been doing: he's been working on RIPS, a PHP static analysis tool, but there's a version which isn't public yet which he's been working on that both finds these vulnerabilities and tries to find, you know, [potential] exploits, chains of objects that would cause things to happen. Now this really surprised me: basically I've got this code execution vulnerability that I was going to show you guys, I thought it was quite good, and it turns out he found [inaudible]. Now the reason I didn't know about it is

because it uses the same kind of [inaudible]. Basically there's a function in PHP, method_exists, to check if a method exists; until recently, if you fed a malformed class name through to that, you basically in some situations could use that to cause an arbitrary file include. Now I didn't know about this before,

[inaudible] doesn't depend on this, so you

shouldn't be looking at what classes are loaded. It's a bit complicated how their autoloader works, but essentially if the class name begins with one of three things, with J in this case, we split on every capital letter. So I've just given an example: there's a class JCacheController; it looks up libraries/joomla/cache/controller. So we can get to loads and loads of classes. We need to find the starting point; there's basically only one useful one, and this is used by all the others. So to actually get to anything useful we have to have this debug Lang parameter set to true, [and it calls] get on one of its properties. Now as you

can imagine, get is quite a common [method name], so

looking at these [inaudible] it shouldn't be surprising that all those JCache ones, there's a bunch of JCache [classes], there's a lot of classes or objects that are calling get on each other, sort of intertwined. So stepping through these, one of the first ones that grabs our attention, not because it's going to be useful to us straight away but because it's a potential end point, and quite an exciting one as well. So there's this class; it's basically for invoking callbacks, or caching callbacks; it takes the parameters and... Now as an end point this is quite trivial to abuse: if we control both arguments passed, we could just give it a function name and an

argument. As it is, we do give it an arbitrary object and an arbitrary method; we don't control the arguments. Any method on any object, hopefully we can find something. So at this point we're stopping to think, can I get control of that first argument? I thought it'd be a lot easier to find something, but this was actually the closest I could come to complete control. So we've got JGithub[inaudible], which is essentially generating a path and then using a HTTP client to get a response from that path. [inaudible] it constructs the URL; basically this also calls a bunch of gets on another one of its properties to get the values for these properties. Now another thing we come across

is like a simple get method; we basically completely control what it's going to respond with, so given any property we have basically set up this array to give any value. But cutting a long story short, if we give it a malformed URL, that basically throws off the URL generation, and then we give it a username; when it's finished constructing that URL, that would stick the username at the front [inaudible], and there's nothing else there. OK, so we've now got complete control over that: we can now invoke get on any object with a string that we control almost all of. So if we go back to that cache controller callback, I mentioned that you could

also access it with a string. [inaudible] Now there's kind of two parts: one's for invoking static methods, which is gonna be pretty much useless to us because that's invoked on a class rather than an object; we don't control any [inaudible]. But the other one looks a bit more interesting, particularly because of this comment, which I haven't edited in, it is in the code. Whenever we see that... Now to understand what this is doing you have to basically notice the double dollars, which is something I certainly wasn't familiar with until I came across this. So those are variable variables in PHP: we can use a variable as a reference to another variable. So we can put the

name of the variable [inaudible], so if we access $$a, that is the same as accessing [the variable with that] name. OK, so now hopefully we can start to understand what this does: from controlling that string we can basically completely control the two values given to these two [inaudible]; it's gonna then try and access a global variable with the name that we give it. So the intention of this is to invoke methods on global objects within the application. It's not immediately obvious why this might be useful to us, because we have the same problems as static methods, but if we look a bit further through the code hopefully we can start to see what we might do. So this [inaudible]

basically, if we want to get to the call_user_func we need to have our data set to false, which is, you know, we need the cache to miss; basically when it's seeing it's got a cache value for this function invocation. And that we would think is fine; we know that we can return whatever we want. But actually if we return false it's going to try and lock the cache. Now that JLanguage, which is the class we looked at, [inaudible], and that doesn't have a lock method, so we try and lock that, [inaudible] the very rare... So that's finally when that proxy method I was talking about comes in. It turns

out we use a function [so] it doesn't error on non-existing [methods] and just proxies through to another object. And here's a class that has the exact same structure as the one I showed before; it's just proxying through to its cache. Now the problem is that this class already has a get method, so we can't actually hook the get method, but this one's almost a proxy: basically it invokes get on its cache and then unserializes the value. OK, we have to serialize whatever data [we] return. So [we've] passed the lock; what did the rest of the function do? [inaudible] one to [inaudible] result, and one to actually invoke the function. So looking at this, just going through

it once it doesn't look that useful, but if you think about it, we could globalize any variable. If we globalize result before it's used, and then retrieve something from the cache, this result variable is going to stick around. So basically we can pass through that whole sequence of code twice: once globalizing [result], and the second time missing the cache and using result as the object. Finally we go ahead and... So I wanted to mention actually this class [inaudible], we can't autoload normally; it's not in the directory structure where we'd expect it to be; we'd actually expect it to be called JUpdate or JUpdater. So what we can do is simply create a dummy

class that tries to load JUpdate or JUpdater, fails, but then it knows about [that class]. And there's other methods of indirect inclusion: so for instance if we find really useful methods in some class that we can't autoload, it could be worth looking at other classes that we can autoload to include that class. After doing all that I've got a 500. So it turns out there was a reason we can't run through that whole process twice: right at the start, the first thing we invoked in the chain is basically checking the response code. Now what we actually need to do is give our object a code property, [inaudible]. Now if you

remember, we had to set debug Lang to true to actually invoke the destructor; then that's gonna go ahead and try and get [inaudible]. Yes, that's [inaudible] work out its URL, but this bit in the arguments [inaudible] get its client, then pass through all that stuff. Basically what it's doing is that's going to be a hit in the cache the first time through;

yeah, it's gonna grab that object, set the now-global result variable to the object, [then] it's gonna pass through everything back again, miss the cache, and basically invoke this method on the object that we [put in] result.

I probably shouldn't say.

Thank you.

So it's loading up [inaudible].

This is the big long set of code that we use to create the object that we, you know, unserialize.

I know that kind of [inaudible] always too simple.

[inaudible] I don't think it's worth showing you a video of everything that's...

So that's really me done. If there's anything I want you to take away from this talk: if there's any developers in the audience, really think seriously before you use any kind of serialization or unserialization function; if there's any testers or researchers, I think it's an easy issue to find, maybe not so easy to exploit. But yeah, I think we're running a bit short on time, so OK, [inaudible].

Yeah, so basically if we're looking at, you know, an unserialize where we don't have an autoloader, what I'd normally do is chuck, you know, an echo get_declared_classes just into the source code just before we unserialize, and look at what's [available]. There are some other examples than these that we looked at where people might, say, you know, try to force a certain class to load. So I looked at one recently where I think [inaudible] a certain kind of email class, so they set various other parameters so that [it] would be loaded before the unserialization is triggered. But yeah, I think, you know, if you do the get_declared_classes just before you unserialize, you should see everything that's accessible to you.
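A small illustration of the two mechanisms the talk relies on, added here and not part of Sam's slides or code: a class whose __destruct flushes a buffer to a path (the "unfinished business" pattern), a hand-built serialized string standing in for a cookie value, and the PHP 7 second argument to unserialize (allowed_classes) he mentions as the fix. The class name, property names and temp path are assumptions.

```php
<?php
// Added illustration, not code from the talk. Class, properties and paths
// are hypothetical; the serialized string is constructed inline.

class BufferedFileWriter
{
    public $path;
    public $buffer = '';

    // The pattern described in the talk: __destruct "finishes unfinished
    // business" by flushing the buffer to $path. When both properties come
    // from unserialize() of client data, this is an arbitrary file write.
    public function __destruct()
    {
        if ($this->path !== null && $this->buffer !== '') {
            file_put_contents($this->path, $this->buffer);
        }
    }
}

// Constructed sample input: what a client could send in a cookie or GET
// parameter. Built by hand so no BufferedFileWriter is ever created here.
$target    = sys_get_temp_dir() . '/unserialize-demo.txt';
$message   = "written by __destruct\n";
$untrusted = sprintf(
    'O:18:"BufferedFileWriter":2:{s:4:"path";s:%d:"%s";s:6:"buffer";s:%d:"%s";}',
    strlen($target), $target, strlen($message), $message
);

// 1. Unsafe: the object is rebuilt with the client's property values and
//    __destruct runs as soon as it goes out of scope.
function unsafeLoad(string $data): void
{
    $obj = unserialize($data);
    unset($obj);   // refcount hits zero -> __destruct -> file write
}

// 2. Hardened: refuse every class. Objects come back as
//    __PHP_Incomplete_Class, on which no user-defined magic method runs.
function safeLoad(string $data)
{
    $value = unserialize($data, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        // Worth logging: the payload carried an object where only scalars
        // or arrays were expected.
        return null;
    }
    return $value;
}

@unlink($target);
unsafeLoad($untrusted);
printf("unsafe: file written = %s\n", var_export(file_exists($target), true));
@unlink($target);

$result = safeLoad($untrusted);
printf("safe:   file written = %s, result = %s\n",
    var_export(file_exists($target), true), var_export($result, true));
```

With an allow-list instead of `false` (e.g. `['allowed_classes' => ['Money']]`) only the named classes are rebuilt, which is the right shape when an application legitimately stores objects; anything else still becomes __PHP_Incomplete_Class and can be rejected the same way.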
