Not All PHP Implementations Are Equally Useful

  1. Not all PHP implementations are equally useful. Sergey Scherbel, Positive Technologies, May 2012
  2. Intro: PHP
     A few words about PHP:
       - one of the most popular scripting languages
       - improves quickly
       - has an adaptable syntax
       - a great number of CMS and CMF products are written in PHP
     At the same time, the efficiency of the PHP interpreter is not high, and efficiency is critical for a great number of projects...
  3. Intro: PHP
     But you can create your own PHP!
  4. Alternative PHP implementations
     There are several alternative PHP implementations. As a rule, they compile PHP scripts into machine code. Let's consider the following implementations:
       - Roadsend PHP (PHP -> C -> machine code)
       - Phalanger (PHP -> Microsoft IL)
       - Quercus on Resin (PHP -> JVM)
       - PHC (PHP -> C -> machine code)
       - HipHop (PHP -> C++ -> machine code)
  5. Roadsend PHP
     The Roadsend PHP compiler allows you to create executable files. It also includes an embedded web server, MicroServer.
     Ways to run:
       - the executable + web server + FastCGI = web application
       - the executable + MicroServer = web application
  6. Phalanger
     Phalanger is a PHP compiler for .NET. It:
       - is fully compatible with .NET
       - is compatible with a great number of PHP applications
       - allows users to call .NET classes
  7. Quercus on Resin
     Resin is a web server and Java application server developed by Caucho Technology. The web server includes its own PHP implementation, named Quercus. The web server is released in two versions:
       - Professional: PHP is compiled into Java bytecode
       - Open Source: PHP is executed by an interpreter
  8. HipHop
     HipHop is a source code translator developed by Facebook. Features:
       - PHP is translated into intermediate C++ code
       - the intermediate code is compiled with g++
       - the result includes the web server: ./program -m server --port 8080
     There is also HPHPi, a PHP interpreter that allows script execution without compilation.
  9. HipHop
     The slide shows the files produced by compilation. So, the size of an elementary PHP script after compilation is ~ 30 MB!
  10. HipHop
     You can eliminate several types of vulnerabilities when an application is compiled rather than interpreted!
     Local File Inclusion:
       - there is no way to include arbitrary files
       - you can include only the scripts that were included at compile time
     Arbitrary File Upload:
       - uploading a PHP script does not have the desired effect: the script cannot be run
       - possible exploitation: upload an HTML page and then attack clients
  11. What are the key items?
       - environment vulnerabilities (embedded web server, etc.)
       - parameter handling: HTTP Parameter Pollution, HTTP Parameter Contamination
       - cross-technology vulnerabilities (PHP + .NET = ???)
       - vulnerabilities from old PHP versions (the legendary ones)
  12. Environment vulnerabilities
  13. Roadsend PHP MicroServer: Path Traversal
     The embedded web server handles file names incorrectly (the slide shows the request and response).
  14. Roadsend PHP MicroServer: Path Traversal
     This is also possible (the slide shows a second variant of the request).
  15. Parameter Handling
  16. HTTP Parameter Contamination
     Various platforms and applications handle invalid characters in parameter names in different ways. The attack is used to bypass various filters (WAF).
     We compare:
       - the usual LAMP stack (the master platform)
       - Win7 + IIS 7.5 + Phalanger 3.0
       - Linux + HipHop
       - Linux + Quercus on Resin (different versions)
  17. HTTP Parameter Contamination
     We immediately find differences from the LAMP platform!

     Request         | LAMP                      | Quercus on Resin 3.1.12   | Quercus on Resin 4.0.26
     test.php?a&b=1  | Array([a] => , [b] => 1)  | Array([a] => , [b] => 1)  | Array([a&b] => 1)
     test.php?a=1&b  | Array([a] => 1, [b] => )  | Array([a] => 1, [b] => )  | Array([a] => 1, [b] => )
  18. HTTP Parameter Contamination

     Request         | LAMP                         | HipHop                       | Quercus on Resin <= 4.0.26          | IIS 7.5 + Phalanger 3.0
     test.php?=      | Array()                      | Array()                      | Array([] => )                       | Array([] => )
     test.php?[]=    | Array()                      | Array()                      | Array([[]] => ) on one of the two, Array([0] => ) on the other
     test.php?a[][=  | Array([a] => Array([0] => )) | Array([a] => Array([0] => )) | Error 500                           | Error 500

  19. HTTP Parameter Contamination
     Error 500 in IIS 7.5 + Phalanger 3.0 (the slide shows the error page).
  20. HTTP Parameter Contamination
     Error 500 in Quercus on Resin (the slide shows the error page).
  21. HTTP Parameter Contamination

     Query             | LAMP             | HipHop           | IIS 7.5 + Phalanger 3.0 | Quercus on Resin 4.0.26
     test.php?a%=1     | Array([a%] => 1) | Array([a%] => 1) | Array([a%] => 1)        | Array([a�] => )
     test.php?a =1     | Array([a_] => 1) | Array([a_] => 1) | Array([a ] => 1)        | Array([a ] => 1)
     test.php?a.=1     | Array([a_] => 1) | Array([a_] => 1) | Array([a_] => 1)        | Array([a_] => 1)
     test.php?a%00b=1  | Array([a] => 1)  | Array([a] => 1)  | Array([a�b] => 1)       | Array([a�b] => 1)

     Only HipHop results coincide with the master platform.
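The deck's point is that a filter (WAF) which parses parameter names differently from the platform behind it can be bypassed. The following PHP script is an added example, not part of the slides: it re-parses the raw query string and compares each name with the base name the standard PHP engine registers (leading spaces trimmed, C-string truncation at the first NUL, space and dot before the first "[" turned into "_", empty names dropped). The function names and the sample queries are my own; the normalisation models only the base-name rules of the engine's php_register_variable_ex, not its bracket/index handling. A request whose raw and registered names disagree is the shape a contamination attempt takes, so it is worth logging, and the same model is what a filter in front of a LAMP host has to apply to see the request the way the application does.

```php
<?php
// Added example, not from the slides: detect query parameters whose raw name
// differs from the name the standard PHP engine registers, i.e. the requests
// used for HTTP Parameter Contamination (filter bypass).

// Names exactly as they appear on the wire, percent-decoded and nothing else.
function raw_query_names(string $query): array
{
    if ($query === '') {
        return [];
    }
    $names = [];
    foreach (explode('&', $query) as $pair) {
        $names[] = rawurldecode(explode('=', $pair, 2)[0]);
    }
    return $names;
}

// Model of the base-name normalisation in php_register_variable_ex:
// leading spaces dropped, truncation at the first NUL (C string), ' ' and '.'
// before the first '[' replaced by '_', empty base names discarded.
// Bracket/index handling is deliberately out of scope for this model.
function engine_base_name(string $raw): ?string
{
    $raw = ltrim($raw, ' ');
    $nul = strpos($raw, "\0");
    if ($nul !== false) {
        $raw = substr($raw, 0, $nul);
    }
    $bracket = strpos($raw, '[');
    $base = $bracket === false ? $raw : substr($raw, 0, $bracket);
    $base = str_replace([' ', '.'], '_', $base);
    return $base === '' ? null : $base;
}

// One finding per parameter whose registered name is not simply its raw base name.
function contaminated_names(string $query): array
{
    $findings = [];
    foreach (raw_query_names($query) as $raw) {
        $rawBase = explode('[', $raw, 2)[0];
        $seen = engine_base_name($raw);
        if ($seen !== $rawBase) {
            $findings[] = ['raw' => $raw, 'registered' => $seen];
        }
    }
    return $findings;
}

// Constructed queries mirroring the cases compared in the deck.
$samples = ['a%25=1', 'a%20=1', 'a.=1', 'a%00b=1', '=', '%5B%5D=', 'a%5B%5D%5B=', 'a=1&b'];
foreach ($samples as $q) {
    printf("%-14s %s\n", $q, json_encode(contaminated_names($q)));
}
```

In a real application the input would be `$_SERVER['QUERY_STRING']` (or the raw POST body for form parameters) and a non-empty result would go to the log. The mangled names `a.`, `a%20` and `a%00b` produce findings; `a%25` and `a[][` do not, because the engine registers them under the raw base name.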
  22. Special practices for Windows
     File functions in Phalanger incorrectly handle characters reserved by the OS («:» followed by another special character, e.g. «|»).
  23. Global variables
     The possibility to set variable values directly from the request is a flaw in web application security.
       <?php
       include($path . ".inc");
       ?>
     You can call the script directly and supply an arbitrary value, which results in code execution (RFI, LFI).
       - the register_globals option is responsible for the possibility to set variable values directly
       - PHP 5.4.0 no longer includes the register_globals option
  24. Global variables | <= Quercus on Resin 4.0.26
     Quercus does not include the register_globals option (the developers call it a 'black hole' in security); an error occurs if you try to set it. Nevertheless, parameters sent via the POST method become global!
  25. Global variables | <= Quercus on Resin 4.0.26
     (The slide shows the demonstration.)
  26. Rewriting of variables | <= Quercus on Resin 4.0.26
     Parameters sent via the POST method are handled incorrectly: it is possible to overwrite variables in the _SERVER array!
  27. Rewriting of variables | <= Quercus on Resin 4.0.26
     The attack vector is overwriting the _SERVER array elements that contain the script's absolute path. As a rule, _SERVER elements are used in script inclusion and file system functions. Overwriting them allows an attacker to conduct a number of attacks, e.g. Local File Inclusion.
       <?php
       include($_SERVER["DOCUMENT_ROOT"] . "header.php");
       ?>
  28. Rewriting of variables | <= Quercus on Resin 4.0.26
     Overwriting variables allows you to set an arbitrary value for $_SERVER["DOCUMENT_ROOT"].
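Both include patterns above (slide 23, a request-controlled `$path`; slide 27, `$_SERVER["DOCUMENT_ROOT"]` that the affected Quercus versions let a POST field overwrite) share the same root cause: data outside the script's control selects the file. The script below is an added example, not code from the deck: it places the two fragile patterns next to a form that resolves includes from a fixed allow-list under a directory the script owns and verifies the resolved path stays inside it. Function names, the allow-list and the temporary directory are my own constructions; in real code the base directory would be `__DIR__`.

```php
<?php
// Added example, not from the slides: the include patterns of slides 23 and 27
// beside a form that does not let request or environment data choose the file.

// Slide 23 pattern (register_globals era): $path comes straight from the request.
function include_path_from_request(string $path): string
{
    return $path . ".inc";                 // the client picks any file (LFI/RFI)
}

// Slide 27 pattern: trusts $_SERVER['DOCUMENT_ROOT'], which the affected
// Quercus versions let a POST field overwrite.
function include_path_from_server(array $server): string
{
    return $server['DOCUMENT_ROOT'] . 'header.php';
}

// Hardened: a fixed allow-list of logical names, anchored to a directory the
// script owns (__DIR__ in real code), plus a realpath check that the resolved
// file still lies inside that directory.
function resolve_include(string $baseDir, string $name): ?string
{
    static $allowed = ['header' => 'header.php', 'footer' => 'footer.php'];
    if (!isset($allowed[$name])) {
        return null;                       // unknown logical name
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$name]);
    if ($base === false || $file === false) {
        return null;                       // missing directory or file
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the include root
    }
    return $file;
}

// Constructed demo: a temporary include root containing one real file.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'header.php', "<?php echo 'header';\n");

var_dump(include_path_from_request('../outside'));                     // whatever the client sent
var_dump(include_path_from_server(['DOCUMENT_ROOT' => '/some/other/dir/'])); // whatever the client sent
var_dump(resolve_include($root, 'header'));     // absolute path inside $root
var_dump(resolve_include($root, '../outside')); // NULL: not in the allow-list
var_dump(resolve_include($root, 'footer'));     // NULL: listed, but the file is absent

unlink($root . DIRECTORY_SEPARATOR . 'header.php');
rmdir($root);
```

The allow-list is what removes the dependence on any platform quirk: even if an implementation lets the client rewrite `$_SERVER`, the only values that ever reach `include` are the ones the script itself enumerated.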
  29. Loose comparison of variables of various types
     Loose comparison is comparison with ==. Loose comparison in PHP has several peculiarities.
  30. Loose comparison of variables of various types
     A great number of PHP applications rely on these peculiarities. If the behaviour changes, the results are not predictable... We checked whether the peculiarities still hold... and found some curious things.
  31. Loose comparison of variables of various types
     Script #1:
       <?php
       $xArray = array(TRUE, FALSE, 1, 0, -1, "1", "0", "-1", NULL, array(), "php", "");
       foreach($xArray as $x) {
         if($x == array()) { echo("TRUE"); } else { echo("FALSE"); }
         echo("<br>");
       }
       ?>
     Script #2:
       <?php
       $xArray = array(TRUE, FALSE, 1, 0, -1, "1", "0", "-1", NULL, array(), "php", "");
       foreach($xArray as $x) {
         if(array() == $x) { echo("TRUE"); } else { echo("FALSE"); }
         echo("<br>");
       }
       ?>
  32. == equals | Quercus on Resin

     $x       | Script #1 (Resin 3.1.12) | Script #1 (Resin 4.0.26) | Script #2
     TRUE     | FALSE                    | FALSE                    | TRUE
     FALSE    | TRUE                     | TRUE                     | TRUE
     1        | FALSE                    | TRUE                     | TRUE
     0        | TRUE                     | TRUE                     | TRUE
     -1       | FALSE                    | TRUE                     | TRUE
     "1"      | FALSE                    | FALSE                    | TRUE
     "0"      | FALSE                    | FALSE                    | TRUE
     "-1"     | FALSE                    | FALSE                    | TRUE
     NULL     | TRUE                     | TRUE                     | TRUE
     array()  | TRUE                     | TRUE                     | TRUE
     "php"    | FALSE                    | FALSE                    | TRUE
     ""       | FALSE                    | FALSE                    | TRUE

     It is clear that the result of the comparison depends on the order of the operands. This behaviour is not usual for the ordinary PHP interpreter. Also, every comparison of array() with 0 is TRUE, which is not usual for the ordinary PHP interpreter either.
  33. == equals | Quercus on Resin
     Then we carried out a detailed analysis of loose comparisons of arrays with variables of different types:
       <?php
       $test = …
       $xArray = array(TRUE, FALSE, 1, 0, -1, "1", "0", "-1", NULL, array(), "php", "");
       foreach($xArray as $x) {
         if($test == $x) { echo("TRUE"); } else { echo("FALSE"); }
         echo("<br>");
       }
       ?>
     When an empty array is sent, http://192.168.67.139:8080/test.php?test[]=, its type is defined as array(1) { [0]=> string(0) "" }, which is the usual behaviour for PHP. The results of comparing a parameter of this type with parameters of other types are the most interesting.
  34. == equals | Quercus on Resin

     $x          | $test = array() | $test = array(0 => "")
     TRUE        | TRUE            | TRUE
     FALSE       | TRUE            | TRUE
     1           | TRUE            | TRUE
     0           | TRUE            | TRUE
     -1          | TRUE            | TRUE
     "1"         | TRUE            | FALSE
     "0"         | TRUE            | FALSE
     "-1"        | TRUE            | FALSE
     NULL        | TRUE            | TRUE
     array()     | TRUE            | TRUE
     "php"       | TRUE            | FALSE
     ""          | TRUE            | TRUE

     The results differ greatly from the expected ones. Script behaviour is not predictable, and a number of vulnerabilities can occur!
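The table above is what Quercus returned; on the standard interpreter the same loop gives different answers, and the deck's lesson is that a script which lets `?test[]=` reach `==` is at the mercy of whichever implementation runs it. The script below is an added example, not from the slides: it runs the deck's value list through both `==` and `===` against the two `$test` values of slide 34, so the reader can see the standard results on their own interpreter, and then shows the input check that keeps request data away from loose comparison entirely. The function names are my own.

```php
<?php
// Added example, not from the slides: the deck's value list under loose (==)
// and strict (===) comparison, plus the type check that makes the comparison
// result independent of an implementation's == quirks.

function deck_values(): array
{
    return [TRUE, FALSE, 1, 0, -1, "1", "0", "-1", NULL, array(), "php", ""];
}

// Short printable label for a value (var_export spreads arrays over lines).
function label($x): string
{
    return is_array($x) ? 'array()' : var_export($x, true);
}

// For one $test value: label => [loose result, strict result].
function compare_all($test): array
{
    $rows = [];
    foreach (deck_values() as $x) {
        $rows[label($x)] = [$test == $x, $test === $x];
    }
    return $rows;
}

// What a script should do with a request parameter that must be a string:
// refuse any other type before it reaches a comparison, then compare strictly.
// ?test[]= arrives as an array, which is exactly the case the deck exercises.
function matches_expected($param, string $expected): bool
{
    if (!is_string($param)) {
        return false;
    }
    return hash_equals($expected, $param);
}

foreach ([array(), array(0 => "")] as $test) {
    echo '$test = ' . str_replace(["\n", '  '], '', var_export($test, true)) . "\n";
    foreach (compare_all($test) as $lab => [$loose, $strict]) {
        printf("  %-8s ==: %-5s ===: %s\n", $lab, var_export($loose, true), var_export($strict, true));
    }
}

// Constructed request values: a plain string and the array that ?test[]= produces.
var_dump(matches_expected("admin", "admin"));   // bool(true)
var_dump(matches_expected([""], "admin"));      // bool(false), not an accidental TRUE
```

The `===` column is identical on every implementation because strict comparison never coerces types; `matches_expected` goes one step further and rejects non-strings before comparing, so an array smuggled in through `test[]=` is refused rather than compared at all.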
  35. Cross-technology vulnerabilities
  36. open_basedir/safe mode bypass | Phalanger 3.0
     Phalanger allows you to access .NET classes, which can lead to a bypass of security restrictions. Defined security restrictions (e.g. disable_functions) are usually not applied to .NET constructs:
       <?php
       $process = new DiagnosticsProcess();
       $process->StartInfo->FileName = "cmd.exe";
       $process->StartInfo->WorkingDirectory = "C:";
       $process->StartInfo->Arguments = "/c " . $_GET["cmd"];
       $process->Start();
       $process->WaitForExit();
       ?>
  37. Vulnerabilities in old PHP versions
     Legendary vulnerabilities...
  38. XSS in Error Message | Quercus on Resin | Roadsend
     Special characters are not replaced with their HTML entities in error messages, which means an error message is an XSS vector.
  39. File Upload: Path Traversal | Quercus on Resin 3.1.12
     Path Traversal is exploitable because of incorrect handling of the uploaded file name. Example HTTP request:
       POST http://192.168.67.139:8080/test/file.php HTTP/1.1
       …
       Content-Type: multipart/form-data; boundary=---------------------------101412320927450
       Content-Length: 228

       -----------------------------101412320927450\r\n
       Content-Disposition: form-data; name="test"; filename="../shell.php"\r\n
       Content-Type: application/octet-stream\r\n
       \r\n
       <?php\r\n
       phpinfo();\r\n
       ?>\r\n
       -----------------------------101412320927450--\r\n
  40. File Upload: Null Byte | Quercus on Resin
     Because the name of a file uploaded to the server is handled incorrectly, an attacker can discard the suffix (e.g. .jpg) with a NULL byte.
  41. File Upload: Null Byte | Quercus on Resin
     As a result, an extension check bypass is possible:
       <?php
       if(isset($_FILES["image"])) {
         if(!preg_match("#\.(jpg|png|gif)$#", $_FILES["image"]["name"])) {
           die("Hacking attempt!");
         }
         copy($_FILES["image"]["tmp_name"], "./uploads/" . $_FILES["image"]["name"]);
       }
       ?>
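The check on slide 41 fails on the affected platform because it validates the tail of a name the platform then truncates at the NUL, and it reuses the client's name on disk, which is also what made the traversal of slide 39 possible. The script below is an added example, not code from the deck: it puts that check next to one that rejects NUL bytes and path separators before looking at the extension, takes the extension from the final path component only, compares it against an allow-list, and stores the file under a server-generated name. Function names and the sample filenames are my own constructions.

```php
<?php
// Added example, not from the slides: the filename check of slide 41 beside one
// that survives both the traversal name of slide 39 and the NUL-byte trick of
// slide 40, and that never reuses the client-supplied name on disk.

// Slide 41 logic as a function: keeps the client's name, checks only its tail.
function weak_check(string $name): bool
{
    return (bool) preg_match("#\.(jpg|png|gif)$#", $name);
}

// Hardened: reject NUL and path separators outright, take the extension from
// the final component only, allow-list it, and return a server-chosen basename.
function safe_upload_name(string $clientName, array $allowed = ['jpg', 'png', 'gif']): ?string
{
    if ($clientName === '' || strpos($clientName, "\0") !== false) {
        return null;                                   // embedded NUL: reject
    }
    if (strpbrk($clientName, "/\\") !== false) {
        return null;                                   // any path separator: reject
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;                                   // extension not allow-listed
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;     // nothing from the client survives
}

// Constructed filenames: a benign one, the traversal name from slide 39, a
// NUL-padded script name of the kind slide 40 describes, and two edge cases.
$cases = ["photo.jpg", "../shell.php", "shell.php\0.jpg", "x.JPG", "noext"];
foreach ($cases as $n) {
    printf("%-20s weak: %-5s safe: %s\n",
        str_replace("\0", '\0', $n),
        var_export(weak_check($n), true),
        safe_upload_name($n) ?? 'rejected');
}
```

In the upload handler the call is `safe_upload_name($_FILES["image"]["name"])`, and the destination is that returned name joined to the fixed `./uploads/` directory; `shell.php\0.jpg` passes `weak_check` (the regex sees `.jpg` at the end) but is rejected by `safe_upload_name` before the extension is even examined.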
  42. Results
     All third-party implementations are more efficient and have more features, but the flip side is security:
       - environment vulnerabilities
       - HTTP Parameter Contamination
       - Path Traversal
       - logic violations
       - etc.
     The most vulnerable implementation is Quercus on Resin. The most secure implementation is HipHop: its results not only coincide with the master platform but even exceed the standard PHP implementation.
  43. Thank you for your attention! Questions?
