PHP Deserialization Exploit attempt
I came across the following deserialization exploit attempt not in a honeypot but in the log for this (isc.sans.edu) webserver:
/!php/object+"O:24:\\"GuzzleHttp\\\\Psr7\\\\FnStream\\":2:{s:33:\\"\\0GuzzleHttp\\\\Psr7\\\\FnStream\\0methods\\";a:1:{s:5:\\"close\\";s:7:\\"phpinfo\\";}s:9:\\"_fn_close\\";s:7:\\"phpinfo\\";}"/recentdomains/,
People usually think about deserialization vulnerabilities in Java (and maybe .Net). But code written in any object-oriented language may be susceptible to deserialization vulnerabilities.
In some ways, the PHP example is even more "transparent" than some of the past Java examples I have seen. Deserialization vulnerabilities are a bit weird in that they just take advantage of a feature in how objects are instantiated. Software may exchange arbitrary objects serialized as a string. As the object is deserialized, its constructor is called, which may execute arbitrary code delivered with the object. Think about it as calling "eval" on the string received. [owasp]
This can be "ok", if only a limited set of objects are deserialized or if the object is received from a trusted source and properly digitally signed to avoid tampering with the object in transit. But the process quickly goes wrong if arbitrary objects are deserialized from arbitrary sources.
In this case, the attacker can find a "Gadget," which is an object that allows code execution, and feed it to the software using the "correct" parameters. In the case above, the gadget is "GuzzleHttp." There is nothing "wrong" with GuzzleHttp. GuzzleHttp is a PHP library used to create HTTP requests. Similar to the standard library "curl," it abstracts some lower-level features. GuzzleHttp is often installed as part of other packages (e.g. Laravel) if you use extensions that connect to HTTP APIs. So this is not a vulnerability in GuzzleHttp, but the attacker is looking for code that accepts GuzzleHttp objects and instantiates them (I do not think this is ever a good idea). [guzzle]
I am not sure what vulnerable software the exploit above looks for. But if attempts to execute phpinfo. This exploit will only flag vulnerable pages to come back and exploit later. Let me know if you can identify it (email jullrich\@/sans.edu).
GuzzleHttp is a well-known gadget; you can find it listed in a GitHub repository of well-known gadget chains for various vulnerabilities. [gadgets]
[owasp] https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
[guzzle] https://docs.guzzlephp.org/en/stable/
[gadgets] https://github.com/ambionics/phpggc
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago