PHP Code Execution Attack
A new exploitation technique has been discovered that allow attackers to trigger critical deserialization vulnerabilities in PHP programming language using previously low-risk considered functions.
PHP unserialization was first discovered in 2009 which allows attackers to perform various attacks by supplying malicious input to the PHP unserialize() function.
“Serialization is the process of converting data objects into a plain string, and unserialize function help program recreate an object back from a string”
For successful exploitation attacker needs to:
- Upload a valid Phar archive containing the malicious payload object onto the target's local file system
- Trigger the file operation function access it using the "phar://" stream wrapper
Alternatively, an attacker can also exploit this vulnerability using a JPEG image that is an origin Phar archive, converted into a valid JPEG by modifying its first 100 bytes. Once the crafted image is uploaded on the targeted WordPress server, the attacker can use another function to call the same image file, as a Phar archive using the "phar://" stream wrapper. This will eventually execute the arbitrary code when the program deserializes the metadata. These details can be found in the research paper https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf?
Prevention and Mitigation Strategies
The vulnerability still exists in Typo3 and patches have been released in 7.6.30, 8.7.17 and 9.3. It was also reported to WordPress security team earlier last year, and the company acknowledged the issue. However, the patch released by the company did not address the problem completely. Our members are advised to utilize the latest patches now or as soon as they are available.