Slide 1

Slide 1 text

How your PHP application can get hacked, and how to prevent that from happening?
Antti Rössi, PHPCon Poland 2019

Slide 2

Slide 2 text

whoami
Antti Rössi, @anamus_, Helsinki, Finland
CTO, Partner @ Jobilla Oy
OSCP Certified Pentester
During daytime I’m building a digital software product. During night-time I hack software in order to make it more secure. (CTFs, pentesting, bug bounties, reversing…)

Slide 3

Slide 3 text

Faith of our users is in our hands (as developers and admins)

Slide 4

Slide 4 text

Our users, clients and employers expect that the applications we write are secure.

Slide 5

Slide 5 text

Hackers love edge cases and quirks of our technologies.

Slide 6

Slide 6 text

“How can I break this application in ways that the developers never even thought of…?”

Slide 7

Slide 7 text

We as developers need to know about these quirks and oddities.

Slide 8

Slide 8 text

Hack yourself first (before someone else does)

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

!! Disclaimer !! All material and examples in this talk are for educational use only. The term ‘hacking’ in this presentation refers to ‘ethical hacking’ and should not be confused with ‘black hat hacking’, meaning attacking or attempting to attack any application, system or network without authorisation. Hacking or attempting to hack anything you don’t own is by default illegal. Doing so will eventually get you in jail. Please act responsibly. Neither I as the author of this presentation, nor any author of the tools used in this presentation, shall be responsible for any individual performing illegal actions with the tools or methods used in this presentation. The intent of this presentation, and of all the demonstrations involved, is to help professional software developers write more secure software. @anamus_

Slide 11

Slide 11 text

Where can I practise hacking then?

Slide 12

Slide 12 text

Download the examples (Link to Github in my Twitter, @anamus_)

Slide 14

Slide 14 text

SQL Injection (there’s also a NoSQL injection…)

Slide 15

Slide 15 text

The attacker injects malicious SQL into an HTTP request that ends up inside a database query.

Slide 16

Slide 16 text

Can lead to a full disclosure of the DB content when successful.

Slide 17

Slide 17 text

DB::raw("select * from users order by $order desc"); // $order comes straight from the request: SQL injection
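The vulnerable call above next to a hardened version, as an added example that is not code from the talk. It assumes Laravel's DB facade and query builder; the column allow-list is constructed.

```php
<?php
// Added example, not from the talk. Assumes Laravel's DB facade / query builder.
use Illuminate\Support\Facades\DB;

// VULNERABLE (same shape as the slide): $order comes straight from the request.
// ORDER BY targets cannot be bound as PDO parameters, so whatever the client sent
// is pasted into the statement unchanged. No error output is needed for this to
// be exploitable; the talk's "completely blind" case is exactly this one.
function usersSortedVulnerable(string $order)
{
    return DB::select("select * from users order by $order desc");
}

// HARDENED: the client picks a key, the application owns the column name.
// The raw request string never reaches the SQL, so there is nothing to sanitise.
const SORTABLE = [
    'id'      => 'id',
    'name'    => 'name',
    'created' => 'created_at',
];

function usersSortedSafe(string $requestedKey)
{
    $column = SORTABLE[$requestedKey] ?? 'id';   // unknown key: default, not an error
    return DB::table('users')->orderBy($column, 'desc')->get();
}

// Call site with a request value (constructed):
//   usersSortedSafe($_GET['order'] ?? 'id');
```

The same allow-list approach applies to any identifier a client may influence (table names, column lists, LIMIT clauses), since none of them can be parameterised.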

Slide 18

Slide 18 text

Certain edge cases can be very hard to spot in code reviews.

Slide 19

Slide 19 text

Biggest danger however usually lies within our attitude.

Slide 20

Slide 20 text

“You’d have to enumerate this completely blind, there aren’t even errors returned. Not doable.”

Slide 21

Slide 21 text

“It would take a person ages to manually get anything out of this ‘theoretical’ vulnerability.”

Slide 22

Slide 22 text

Easy to test & exploit with proper tooling.

Slide 23

Slide 23 text

Round 1 Fight!

Slide 24

Slide 24 text

Object Injection (from PHAR Deserialisation to Remote Code Execution)

Slide 25

Slide 25 text

Quick theory lesson first

Slide 26

Slide 26 text

Stream Wrappers in PHP
file:// — Accessing local filesystem
http:// — Accessing HTTP(s) URLs
ftp:// — Accessing FTP(s) URLs
php:// — Accessing various I/O streams
zlib:// — Compression Streams
data:// — Data (RFC 2397)
glob:// — Find pathnames matching pattern
phar:// — PHP Archive
ssh2:// — Secure Shell 2
rar:// — RAR
ogg:// — Audio streams
expect:// — Process Interaction Streams

Slide 28

Slide 28 text

PHAR Files

Slide 29

Slide 29 text

Complete PHP application in a single file bundle.

Slide 30

Slide 30 text

phar:// allows reading PHP files from a PHAR bundle.

Slide 31

Slide 31 text

Object Serialization In PHP

Slide 32

Slide 32 text

Object -> String -> Object

Slide 33

Slide 33 text

Example

Slide 34

Slide 34 text

class Logger {
    public $file = 'log.txt';
    public $data = 'testing';

    public function __construct() {
        // ...
    }

    public function switchContext() {
        // ...
    }
}

Slide 35

Slide 35 text

$logger = new Logger();
print serialize($logger);

Slide 36

Slide 36 text

O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";}

Slide 37

Slide 37 text

O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";}
CLASS NAME: O:6:"Logger"

Slide 38

Slide 38 text

O:6:"Logger":2:{s:4:"file";s:7:"log.txt";s:4:"data";s:7:"testing";}
CLASS PROPERTIES (names, lengths, contents): s:4:"file";s:7:"log.txt"; s:4:"data";s:7:"testing";

Slide 39

Slide 39 text

No methods are included. (good move security wise…)

Slide 40

Slide 40 text

Deserialised objects are automatically injected into the current application’s scope.

Slide 41

Slide 41 text

Here’s the catch #1

Slide 42

Slide 42 text

There are 2 magic methods that get called automatically.

Slide 43

Slide 43 text

public function __wakeup() {
    // called upon deserialisation
}

public function __destruct() {
    // called before garbage collection
}

Slide 44

Slide 44 text

public $arg = 'id';

public function __destruct() {
    system($this->arg); // runs whatever the deserialised $arg property holds
}

Slide 45

Slide 45 text

O:6:"Logger":1:{s:3:"arg";s:2:"id";}

Slide 47

Slide 47 text

O:6:"Logger":1:{s:3:"arg";s:3:"h4x";}

Slide 48

Slide 48 text

public function __destruct() {
    system("h4x");
}

Slide 49

Slide 49 text

This is a so called ‘Gadget’
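The gadget from the slides above, rebuilt as an added example that is not code from the talk, so the unsafe and safe behaviours sit side by side. The __destruct side effect is a harmless echo instead of system(), and the payload string is constructed.

```php
<?php
// Added example, not from the talk. A harmless stand-in for the slides' gadget:
// __destruct echoes instead of calling system(); everything else is as described.
class Logger
{
    public $file = 'log.txt';
    public $data = 'testing';

    // Runs automatically when the object is destroyed, whether or not the
    // application ever called a method on it. That is what makes it a gadget.
    public function __destruct()
    {
        echo "[Logger::__destruct] would write '{$this->data}' to {$this->file}\n";
    }
}

// Constructed payload in the slide's format: the attacker picks the property values.
$payload = 'O:6:"Logger":2:{s:4:"file";s:8:"evil.txt";s:4:"data";s:3:"h4x";}';

// UNSAFE: unserialize() instantiates whatever class the string names and fills
// it with the supplied state; __wakeup()/__destruct() of that class will run.
function loadUnsafe(string $serialized)
{
    return unserialize($serialized);
}

// SAFE: refuse to instantiate any class. PHP hands back a __PHP_Incomplete_Class
// placeholder that carries the raw properties, so no magic method of Logger fires.
function loadSafe(string $serialized)
{
    return unserialize($serialized, ['allowed_classes' => false]);
}

$obj = loadUnsafe($payload);   // a real Logger built from attacker data
echo get_class($obj), "\n";
unset($obj);                   // __destruct runs here with file=evil.txt, data=h4x

$obj = loadSafe($payload);     // placeholder object, class name kept only as data
echo get_class($obj), "\n";
unset($obj);                   // nothing runs
```

For data that only needs to round-trip values, json_encode()/json_decode() never instantiates classes at all and is the simpler fix.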

Slide 50

Slide 50 text

Here’s the catch #2

Slide 51

Slide 51 text

PHAR files can contain metadata in a serialised format

Slide 52

Slide 52 text

Any file operation on the archive will cause the metadata to be deserialised

Slide 53

Slide 53 text

copy, file_exists, file_get_contents, file_put_contents, file, fileatime, filectime, filegroup, fileinode, filemtime, fileowner, fileperms, filesize, filetype, fopen, is_dir, is_executable, is_file, is_link, is_readable, is_writable, lstat, mkdir, parse_ini_file, readfile, rename, rmdir, stat, touch, unlink

Slide 55

Slide 55 text

Catch #3

Slide 56

Slide 56 text

The phar:// stream wrapper doesn’t discriminate between different file types.

Slide 57

Slide 57 text

1. Take an image file
2. Hide malicious PHAR file in it
3. Call filesize() on it with phar://
4. Object from PHAR metadata gets injected in application runtime
5. Gadget kicks in on __destruct()
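A defensive counterpart to the chain above, as an added example that is not from the talk: vet any user-supplied file name before it reaches filesize() or any other function from the list a few slides back. The upload directory and the helper names are assumptions.

```php
<?php
// Added example, not from the talk. Hardens the "filesize() on a user-controlled
// name" step. UPLOAD_DIR and the function names are assumptions.
const UPLOAD_DIR = '/var/www/app/storage/uploads';

// Returns an absolute path inside UPLOAD_DIR, or null if the name is unsafe.
function resolveUploadPath(string $userSupplied): ?string
{
    // 1. A "scheme://" prefix (phar://, php://, data://, ...) selects a stream
    //    wrapper instead of a plain file. A genuine upload name never has one.
    if (preg_match('#^[a-z][a-z0-9.+-]*://#i', $userSupplied)) {
        return null;
    }
    // 2. Accept only a bare file name: no directory components, no empty string.
    if ($userSupplied === '' || $userSupplied !== basename($userSupplied)) {
        return null;
    }
    // 3. Resolve and confirm the result still lives under the upload root.
    //    realpath() follows symlinks and returns false for a missing file.
    $real = realpath(UPLOAD_DIR . '/' . $userSupplied);
    $root = realpath(UPLOAD_DIR);
    if ($real === false || $root === false
        || strncmp($real, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// The size check from the chain, performed only on a vetted plain path, so the
// phar:// wrapper is never invoked no matter what the file's bytes contain.
function uploadSizeSafe(string $userSupplied): ?int
{
    $path = resolveUploadPath($userSupplied);
    return $path === null ? null : filesize($path);
}

// Constructed inputs: the first two are rejected, the last is resolved normally.
var_dump(resolveUploadPath('phar://avatar.jpg/x'));
var_dump(resolveUploadPath('../../etc/passwd'));
var_dump(uploadSizeSafe('avatar.jpg'));
```

Since PHP 8.0 phar metadata is no longer unserialised automatically by plain file operations (only by an explicit getMetadata() call), but keeping wrapper-prefixed names away from file functions remains the right control for every PHP version.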

Slide 58

Slide 58 text

Round 2 Fight!

Slide 59

Slide 59 text

Privilege Escalation

Slide 60

Slide 60 text

Exploiting a bug, design flaw, or configuration flaw…

Slide 61

Slide 61 text

…to access resources otherwise unreachable to us.

Slide 62

Slide 62 text

Eg. find a process that’s running as root, and exploit that.

Slide 63

Slide 63 text

Hijack the process execution flow, but don’t crash it.

Slide 64

Slide 64 text

Very few things should ever run as root on the host machine.

Slide 65

Slide 65 text

Your scheduler or queue processes are certainly not one of these things.

Slide 66

Slide 66 text

Round 3 Fight!

Slide 67

Slide 67 text

How to not get hacked?

Slide 68

Slide 68 text

Tip #1 Do not trust user input of any format. Validate everything. Sanitise everything.

Slide 69

Slide 69 text

Tip #2 Do not run outdated software in production.

Slide 70

Slide 70 text

Tip #3 Do not run code that you don’t understand in production. Eg. copy-pasting code from online tutorials.

Slide 71

Slide 71 text

Tip #4 Follow the principle of least privilege. Both in your application, and on your production host.

Slide 72

Slide 72 text

Tip #5 Learn to think like a hacker. And preferably the basics of hacking.

Slide 73

Slide 73 text

Closing Words

Slide 74

Slide 74 text

Security is not a one-time effort that you can tick off your to-do list.

Slide 75

Slide 75 text

It’s an infinite ongoing process, and requires you to pay attention to it every single day you write or run code.

Slide 76

Slide 76 text

“With great power comes great responsibility.” – Uncle Ben, Spiderman

Slide 77

Slide 77 text

Thanks! Twitter: @anamus_

Slide 78

Slide 78 text

Related Links & Materials
• https://github.com/ambionics/phpggc
• https://blog.ripstech.com/2018/new-php-exploitation-technique/
• https://www.ixiacom.com/company/blog/exploiting-php-phar-deserialization-vulnerabilities-part-1
• https://www.youtube.com/watch?v=GePBmsNJw6Y
• Hack The Box - CronOS