State of the Art Post Exploitation in Hardened PHP Environments - PowerPoint PPT Presentation

  1. State of the Art Post Exploitation in Hardened PHP Environments
  Stefan Esser <stefan.esser@sektioneins.de>
  http://www.sektioneins.de

  2. Who am I?
  • Stefan Esser
    • from Cologne/Germany
    • Information Security since 1998
    • PHP Core Developer since 2001
    • Month of PHP Bugs & Suhosin
    • Head of Research & Development at SektionEins GmbH
  Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 2

  3. Part I: Introduction

  4. Introduction (I)
  • PHP applications are often vulnerable to remote PHP code execution
    • file/URL inclusion vulnerabilities
    • PHP file upload
    • injection into eval(), create_function(), preg_replace()
    • injection into call_user_func() parameters
  • executed PHP code can do whatever it wants on insecure web servers

  5. Introduction (II)
  • post exploitation is a lot harder when the PHP environment is hardened
  • more and more PHP environments are hardened by default
  • executed PHP code is very limited in its possibilities
  • taking control over a hardened server is a challenge

  6. What the talk is about...
  • intro of common protections (on web servers)
  • intro of a special kind of local PHP vulnerabilities
  • how to exploit two such 0-day vulnerabilities in a portable/stable way
  • using an info leak and memory corruption to
    • disable several protections directly from within PHP
    • execute arbitrary machine code (a.k.a. launch kernel exploits)

  7. Part II: Common Protections in Hardened PHP Environments

  8. Types of protections...
  • protections against remote attacks (already failed by the time our code runs)
  • limit the possibilities of PHP code
  • limit the possibilities of the PHP interpreter
  • hardening against buffer overflow/memory corruption exploits
  • limit the possibility to load arbitrary code
  • non-writable filesystems

  9. Where to find protections...
  • in PHP itself
  • in Suhosin (-patch/-extension)
  • in the web server
  • in the C library
  • in the compiler/linker
  • in the filesystem
  • in the kernel/kernel security extensions

  10. PHP’s internal protections (I)
  • safe_mode
    • disables access to several configuration settings
    • shell command execution only in safe_mode_exec_dir
    • white- and blacklist of environment variables
    • limits access to files/directories owned by the UID of the script
    • ...
  • open_basedir
    • limits access to files/directories inside the defined basedir(s)

  11. PHP’s internal protections (II)
  • disable_functions / disable_classes
    • removes functions/classes from the function/class table (process-wide)
  • dl() hardening
    • dl() can be disabled via enable_dl
    • dl() is limited to extension_dir
    • dl() is limited to the cgi/cli/embed and other non-ZTS SAPIs

  12. PHP’s internal protections (III)
  • memory manager in PHP < 5.2.0
    • request memory allocator is a wrapper around malloc()
    • free memory is kept in a doubly linked list
  • memory manager in PHP >= 5.2.0
    • new memory manager requests memory blocks via malloc()/mmap()/... and does the management itself
    • "safe unlink"-like features
    • canaries only when compiled as a debug version

  13. Suhosin-Patch’s PHP protections (I)
  • memory manager hardening
    • safe_unlink for all PHP versions >= 4.3.10
    • 3 canaries (before metadata, before buffer, after buffer)
  • HashTable and llist destructor protection
    • protects against overwritten destructor function pointers
    • only destructors defined in calls to zend_hash_init()/zend_llist_init() are allowed
    • script is aborted if an unknown destructor is encountered
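The two memory manager checks that slides 12 and 13 describe, safe unlink on the doubly linked free list and canaries around the block, as an added example that is not PHP's or Suhosin's code: a chunk carries three canaries, and unlinking is refused when a neighbour does not point back at the chunk or a canary has been overwritten. CANARY is a constructed constant standing in for the allocator's real canary values; the chunk layout and function names are mine.

```c
/* Added example, not Suhosin's or PHP's own code: a free-list chunk with the checks
 * the slides list, safe unlink and three canaries (CANARY is a constructed value). */
#include <stddef.h>
#include <stdint.h>
#define CANARY 0xDEADBEEFu
typedef struct chunk {
    uint32_t c_meta;            /* canary before the metadata */
    struct chunk *prev, *next;  /* doubly linked free list (PHP < 5.2.0 style) */
    uint32_t c_before;          /* canary before the user buffer */
    unsigned char buf[16];      /* memory handed to the caller */
    uint32_t c_after;           /* canary after the user buffer */
} chunk;
void list_init(chunk *h) { h->prev = h->next = h; }
void list_insert(chunk *h, chunk *c)
{
    c->c_meta = c->c_before = c->c_after = CANARY;
    c->prev = h; c->next = h->next; h->next->prev = c; h->next = c;
}
int canaries_intact(const chunk *c)
{
    return c->c_meta == CANARY && c->c_before == CANARY && c->c_after == CANARY;
}
/* Safe unlink: neighbours must point back at c and canaries must be intact. */
int safe_unlink(chunk *c)
{
    if (!canaries_intact(c) || c->next->prev != c || c->prev->next != c) return 0;
    c->prev->next = c->next; c->next->prev = c->prev;
    return 1;
}
int demo_intact(void)   /* untouched chunk unlinks normally: returns 1 */
{
    chunk h, a, b;
    list_init(&h); list_insert(&h, &a); list_insert(&h, &b);
    return safe_unlink(&a) && h.prev == &b && b.next == &h;
}
int demo_bad_link(void) /* a.next points at a chunk that does not point back: 0 */
{
    chunk h, a, fake;
    list_init(&h); list_insert(&h, &a);
    fake.prev = &h; a.next = &fake;
    return safe_unlink(&a);
}
int demo_overflow(void) /* one byte written past buf lands on c_after: 0 */
{
    chunk h, a;
    unsigned char *p = (unsigned char *)&a + offsetof(chunk, buf);
    list_init(&h); list_insert(&h, &a);
    p[sizeof a.buf] = 'A';      /* off-by-one write, clobbers the canary */
    return safe_unlink(&a);
}
```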

  14. Suhosin-Extension’s PHP protections (II)
  • suhosin.executor.func.whitelist / suhosin.executor.func.blacklist
    • similar to disable_functions but not process-wide
    • functions are NOT removed from the function table, just forbidden on call
  • suhosin.executor.eval.whitelist / suhosin.executor.eval.blacklist
    • separate white- and blacklist that only affects eval()’d code
  • other Suhosin features only protect against remote attacks

  15. C library / compiler / linker protections
  • stack variable reordering / canary protection
  • RELRO
  • memory manager hardening
  • pointer obfuscation

  16. Kernel-level protections
  • non-executable (NX) stack, heap, ...
  • address space layout randomization (ASLR)
  • mprotect() hardening
  • no-exec mounts
  • (mod_)AppArmor, systrace, SELinux, grsecurity

  17. Part III: Internals of PHP Variables

  18. PHP Variables
  • PHP variables are stored in structures called ZVAL
  • ZVAL differences in PHP 4 and PHP 5
    • element order
    • 16-bit vs. 32-bit refcount
    • object handling differs
  • possible variable types are

      #define IS_NULL     0
      #define IS_LONG     1
      #define IS_DOUBLE   2
      #define IS_BOOL*    3
      #define IS_ARRAY    4
      #define IS_OBJECT   5
      #define IS_STRING*  6
      #define IS_RESOURCE 7

      * in PHP < 5.1.0 IS_BOOL and IS_STRING are switched

  PHP 5

      typedef union _zvalue_value {
          long lval;                  /* long value */
          double dval;                /* double value */
          struct {
              char *val;
              int len;
          } str;
          HashTable *ht;              /* hash table value */
          zend_object_value obj;
      } zvalue_value;

      struct _zval_struct {
          /* Variable information */
          zvalue_value value;         /* value */
          zend_uint refcount;
          zend_uchar type;            /* active type */
          zend_uchar is_ref;
      };

  PHP 4

      struct _zval_struct {
          /* Variable information */
          zvalue_value value;         /* value */
          zend_uchar type;            /* active type */
          zend_uchar is_ref;
          zend_ushort refcount;
      };

  19. PHP Arrays
  • PHP arrays are stored in a HashTable
  • a HashTable can store elements by
    • numerical index
    • string - the hash functions are variants of the DJB hash function
  • auto-growing bucket space
  • bucket collisions are kept in a doubly linked list
  • additional doubly linked list of all elements
  • elements: *ZVAL - destructor: ZVAL_PTR_DTOR

      typedef struct _hashtable {
          uint nTableSize;
          uint nTableMask;
          uint nNumOfElements;
          ulong nNextFreeElement;
          Bucket *pInternalPointer;
          Bucket *pListHead;
          Bucket *pListTail;
          Bucket **arBuckets;
          dtor_func_t pDestructor;
          zend_bool persistent;
          unsigned char nApplyCount;
          zend_bool bApplyProtection;
      } HashTable;

      typedef struct bucket {
          ulong h;
          uint nKeyLength;
          void *pData;
          void *pDataPtr;
          struct bucket *pListNext;
          struct bucket *pListLast;
          struct bucket *pNext;
          struct bucket *pLast;
          char arKey[1];
      } Bucket;

  20. PHP Arrays - The big picture
  [Figure: a HashTable with arBuckets slots 0-7; bucket_1 to bucket_5 hang off the slots and point to ZVAL_1 to ZVAL_5, threaded both on the global list and on the per-slot collision list]
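The string hashing and bucket layout of slides 19 and 20, as an added example that is not Zend's own code: the string hash is DJB's times-33 hash seeded with 5381 (the variant Zend uses for string keys), the slot is hash & nTableMask, collisions chain through pNext, and every element is also threaded on the global list. Auto-growth, zval storage and key copying are left out; the names ht_init/ht_add/ht_find, the demo keys and the 8-slot table are mine.

```c
/* Added example, not Zend's own code: the slides' string hash and bucket layout.
 * Zend's hash is DJB's times-33 hash seeded with 5381; slot = hash & nTableMask;
 * collisions chain via pNext; all elements also sit on the global pListNext list. */
#include <stdlib.h>
#include <string.h>

typedef struct bucket {
    unsigned long h;            /* full hash, compared before the key bytes */
    struct bucket *pNext;       /* collision chain inside one arBuckets slot */
    struct bucket *pListNext;   /* global list in insertion order */
    const char *arKey;          /* not copied here; caller keeps the key alive */
    long val;                   /* stands in for the zval pointer */
} Bucket;
typedef struct { unsigned nTableMask; Bucket **arBuckets, *pListHead, *pListTail; } HashTable;
unsigned long zend_style_hash(const char *key, size_t len)
{
    unsigned long hash = 5381;
    while (len--) hash = ((hash << 5) + hash) + (unsigned char)*key++; /* hash*33 + c */
    return hash;
}
void ht_init(HashTable *ht, unsigned size)      /* size must be a power of two */
{
    ht->nTableMask = size - 1; ht->pListHead = ht->pListTail = NULL;
    ht->arBuckets = calloc(size, sizeof *ht->arBuckets);
}
void ht_add(HashTable *ht, const char *key, long val)
{
    Bucket *b = calloc(1, sizeof *b);
    b->h = zend_style_hash(key, strlen(key)); b->arKey = key; b->val = val;
    b->pNext = ht->arBuckets[b->h & ht->nTableMask];           /* push on chain */
    ht->arBuckets[b->h & ht->nTableMask] = b;
    if (ht->pListTail) ht->pListTail->pListNext = b; else ht->pListHead = b;
    ht->pListTail = b;
}
int ht_find(const HashTable *ht, const char *key, long *out)   /* 1 if found */
{
    unsigned long h = zend_style_hash(key, strlen(key));
    Bucket *b;
    for (b = ht->arBuckets[h & ht->nTableMask]; b; b = b->pNext)
        if (b->h == h && strcmp(b->arKey, key) == 0) { *out = b->val; return 1; }
    return 0;
}
int demo(void)  /* "a" and "i" share slot 6 of an 8-slot table; returns 1 if all holds */
{
    HashTable ht; long v;
    ht_init(&ht, 8); ht_add(&ht, "a", 1); ht_add(&ht, "i", 2);
    return (zend_style_hash("a", 1) & 7) == 6 && (zend_style_hash("i", 1) & 7) == 6
        && ht.arBuckets[6]->pNext && ht_find(&ht, "a", &v) && v == 1
        && ht_find(&ht, "i", &v) && v == 2 && !ht_find(&ht, "b", &v)
        && ht.pListHead->val == 1 && ht.pListTail->val == 2;
}
```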

  21. Part IV: Interruption Vulnerabilities

  22. Interruption Vulnerabilities (I)
  • PHP’s internal functions
    • are written as if they were not interruptible
    • but are interruptible by user-space PHP "callbacks"
  • interruption by PHP code can cause
    • unexpected behavior, information leaks, memory corruption
  • vulnerability class first exploited during MOPB
    • e.g. MOPB-27-2007, MOPB-28-2007, MOPB-37-2007
  • no one discloses them
  • no one fixes them
