Sam Thomas, a security researcher from Secarma, has discovered a new exploitation technique that could make it easier for hackers to trigger critical deserialization vulnerabilities in the PHP programming language using functions previously considered low-risk.
The new technique leaves hundreds of thousands of web applications open to remote code execution attacks, including websites powered by some popular content management systems like WordPress and Typo3.
PHP unserialization, or object injection, vulnerabilities were initially documented in 2009; they could allow an attacker to perform different kinds of attacks by supplying malicious inputs to the unserialize() PHP function.
If you are unaware, serialization is the process of converting data objects into a plain string, and the unserialize() function helps a program recreate an object from that string.
Thomas found that an attacker can use low-risk functions against Phar archives to trigger a deserialization attack without requiring the use of the unserialize() function in a wide range of scenarios.
Phar files, an archive format in PHP, store metadata in a serialized format, which gets unserialized whenever a file operation function (fopen, file_exists, file_get_contents, etc.) tries to access the archive file.
“This is true for both direct file operations (such as “file_exists”) and indirect operations such as those that occur during external entity processing within XML (i.e., when an XXE vulnerability is being exploited),” Thomas said.
Exploiting PHP Deserialization Attack Against WordPress Sites
In a detailed paper released at the Black Hat conference last week, Thomas demonstrated how this attack can be executed against WordPress sites using an author account to take full control over the web server.
For successful exploitation of the flaw, all an attacker needs to do is upload a valid Phar archive containing the malicious payload object onto the target’s local file system and make the file operation function access it using the “phar://” stream wrapper.
Thomas also revealed that an attacker can even exploit this vulnerability using a JPEG image, originally a Phar archive converted into a valid JPEG by modifying its first 100 bytes.
“The way certain thumbnail functionality within the application [WordPress] works enables an attacker with the privileges to upload and modify media items to gain sufficient control of the parameter used in a “file_exists” call to cause unserialization to occur,” the researcher said.
Once the crafted thumbnail is uploaded to the targeted WordPress server, the attacker can use another function to call the same image file as a Phar archive using the “phar://” stream wrapper, eventually executing the arbitrary code when the program deserializes the metadata.
“The vulnerability exists due to insecure deserialization of data passed as an image file and then executed via the ‘phar://’ stream wrapper within the ‘wp_get_attachment_thumb_file’ function in ‘/wpincludes/post.php’ script,” an advisory reads.
“A remote authenticated attacker with the ability to create/edit posts can upload a malicious image and execute arbitrary PHP code on vulnerable system.”
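From the defender's side, the two conditions described above (a user-influenced path reaching a file operation, and an uploaded file that is secretly a Phar archive) can each be checked in application code. The following is an added example, not code from Thomas's paper, WordPress or Typo3; the function names are hypothetical, and it assumes the application has no legitimate need to read Phar archives.

```php
<?php
// Added example: function names are hypothetical, not WordPress or Typo3 APIs.

// Refuse any path carrying a stream wrapper ("phar://", "compress.zlib://phar://", ...).
function is_plain_local_path(string $path): bool
{
    return strpos($path, '://') === false;
}

// Guard to use in place of file_exists() on user-influenced paths.
function safe_file_exists(string $path): bool
{
    if (!is_plain_local_path($path)) {
        // Encode the value so it cannot inject extra lines into the log.
        error_log('Blocked stream wrapper in file path: ' . rawurlencode($path));
        return false;
    }
    return file_exists($path);
}

// Heuristic upload check: the native Phar layout needs a stub containing this
// token, even when the leading bytes were rewritten to look like a JPEG.
function looks_like_phar(string $file): bool
{
    $data = file_get_contents($file);
    return $data !== false && stripos($data, '__HALT_COMPILER();') !== false;
}

// Assumption: the application never reads Phar archives, so drop the wrapper.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed sample paths: one plain, two using stream wrappers.
$paths = [__FILE__, 'phar://' . __FILE__ . '/x', 'compress.zlib://phar://' . __FILE__ . '/x'];
foreach ($paths as $p) {
    printf("%-5s %s\n", safe_file_exists($p) ? 'ok' : 'deny', $p);
}

// Constructed sample upload: JPEG magic bytes followed by the stub token.
// It is not a working archive; it only exercises the scanner.
$upload = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($upload, "\xFF\xD8\xFF\xE0" . str_repeat("\0", 96) . '<?php __HALT_COMPILER(); ?>');
var_dump(looks_like_phar($upload));
unlink($upload);
```

The token scan is a heuristic for the native Phar layout only, so the path guard and wrapper removal remain the primary controls.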
Thomas reported this vulnerability to the WordPress security team early last year, and the company acknowledged the issue. However, the patch released by the company did not address the problem completely.
Thomas also reported the vulnerability to Typo3 on 9th June 2018, and the vendor addressed the issue in versions 7.6.30, 8.7.17 and 9.3.
For more details about the vulnerability, you can head on to the detailed paper [PDF] published by Secarma.