Reevaluate “low-risk” PHP unserialization vulnerabilities, researcher says

LAS VEGAS — In cybercrime, as in most areas of crime (or business), the more things change, the more they stay the same.

The emergence of Petya/NotPetya and other virulent forms of malware have showcased how the best and most successful black-hat hacks are not entirely new—bad actors simply take older, more established approaches or attack vectors and add a new twist. And so it is with PHP unserialization attacks, as showcased at the Black Hat conference earlier this month by Sam Thomas, director of research for Secarma Ltd, an information security consultancy.

Thomas was able to demonstrate a new exploitation method that makes it easier for cyber-criminals to generate critical deserialization vulnerabilities in the PHP programming language using functions previously considered low-risk. PHP unserialization vulnerabilities, or object injection vulnerabilities as they have also been called, allow hackers to perform different kinds of attacks by supplying malicious inputs to the “unserialize” PHP function. (Serialization is the process of converting data objects into a plain string, and the unserialize function recreates an object back from a string.) This attack vector has been documented since 2009, so the fact that these flaws exist is nothing new.

Indeed, OWASP added PHP deserialization to its Top 10 list, and last year’s massive Equifax breach was reportedly initiated through deserialization.

Given the popularity of PHP (aka PHP: Hypertext Preprocessor), a server-side scripting language that has been around since the mid-1990s, it is not surprising that bad actors have found new ways to exploit this approach. What Thomas of Secarma demonstrated at his Black Hat session, dubbed, “It’s a PHP Unserialization Vulnerability, Jim, But Not as We Know It” (as a shout-out to fellow Star Trek-loving cybersecurity experts), is that cyber-criminals can use low-risk functions against Phar archives to start a deserialization attack withoutrequiring the use of unserialize() function in a wide range of scenarios. Phar files, an archive format in PHP, stores metadata in a serialized format, which gets unserialized whenever a file operation function—such as fopen, file_exists, file_get_contents—tries to access the archive file.

“This is true for both direct file operations…and indirect operations such as those that occur during external entity processing within XML,” Thomas said during his presentation. He also issued a white paper during Black Hat that detailed how this particular variant of the PHP unserialization attack can be used on WordPress sites to exert full control over a web server. All the attacker needs do is upload a valid ‘Phar’ archive containing a malicious payload object onto the target’s local file system and make the file operation function access it.

This vulnerability can even be exploited using a basic JPEG image, originally a Phar archive converted into valid JPEG by changing its first 100 bytes, according to Thomas.

“The way certain thumbnail functionality within an application works enables an attacker with the privileges to upload and modify media items to gain sufficient control of the parameter used in a ‘file_exists’ call to cause unserialization to occur,” Thomas said.“A remote authenticated attacker with the ability to create [or] edit posts can upload a malicious image and execute arbitrary PHP code on vulnerable systems.”

Thomas highlighted that the unserialization is exposed to “a lot of vulnerabilities that might have previously been considered quite low-risk.”

“Issues which they might have thought [were] fixed with a configuration change or had been considered quite minor previously, might need to be reevaluated in the light of the attacks I demonstrated,” he said.

More from Black Hat 2018

  • Hack mobile point-of-sale systems? Researchers count the ways
  • Take-aways from Black Hat USA 2018
  • Talking phishing campaigns with @PhishingAI’s Jeremy Richards
  • Vegas hotel room checks raise privacy, safety concerns at Def Con, Black Hat

Mozilla sets termination date for Firefox’s legacy add-ons

Mozilla this week laid out the roadmap for ending Firefox support for all old-school add-ons, telling users that the end of those legacy extensions would come in just two weeks.

“Mozilla will stop supporting Firefox Extended Support Release (ESR) 52, the final release that is compatible with legacy add-ons, on September 5, 2018,” wrote Caitlin Neiman, add-on developer community manager, in an August 21 post to a company blog.

Firefox ESR is the version designed for enterprises and other users who want a more static browser; Mozilla upgrades ESR about once a year, as opposed to the every-six-week standard feature update tempo. Firefox ESR 52, destined to fall off the support list in two weeks, was first issued in March 2017. Its replacement, Firefox ESR 60, debuted in May of this year. Since that latter date, Mozilla has been regularly updating both ESR versions to give customers time to migrate from version 52 to version 60.

Because Firefox ESR 52 is the final version that supported legacy add-ons, Mozilla will also soon scrub extensions from its online market. “We will start the process of disabling legacy add-on versions on addons.mozilla.org (AMO) in September,” Neiman said. As of September 6, no new legacy add-ons will be accepted to the store; all such add-ons will be disabled in early October. “Once this happens, users will no longer be able to find your extension on AMO,” Neiman warned developers.

Mozilla has taken a long time to get to this place.

Three years ago, Mozilla outlined substantial changes to Firefox’s add-on ecosystem, including a plan to introduce a new API (application programming interface) that was designed to let developers port Google Chrome extensions to Firefox. By late 2017, Mozilla was ready to bar legacy add-ons from running in Firefox, a move made November 14 with the release of Firefox 57, a.k.a. “Quantum.”

As add-on developers have redesigned their works using the WebExtensions API, instances of Firefox still harboring the legacy — and thus unsupported — versions have been automatically updated to the newer add-on format. That will happen for Firefox ESR 52 users as well. “Once a new version is submitted to AMO, users who have installed the legacy version will automatically receive the update,” Neiman said.

Firefox has been on a five-month skid in user share, according to metrics vendor Net Applications. Firefox’s July global share, for example, was 9.7%, a two-year low that signaled the possibility of even bigger trouble ahead. Last month, Computerworld forecast that if Firefox continued declining on its 12-month average, the browser would fall under 9% by November and below 8% by March 2019.

What’s new in Microsoft Visual Studio for Mac

Microsoft has released Visual Studio for Mac Version 7.6, focused on reliability, particularly in code editing.

Improvements also have been made in performance and support for Azure cloud functions. New templates enable publishing of a function to Azure. But Microsoft emphasized code editing with the Version 7.6 release.

Improvements in the code editing include:

  • JavaScript syntax highlighting has been improved.
  • IntelliSense has been improved for developers using the F# language, with the resolution of an issue in which “.” could not be used for autocompletion.
  • An IntelliSense problem was fixed in which red squiggles persisted even when there were no errors,
  • A fix was made to an issue in which Quick Fix items were not being displayed if source analysis was disabled.
  • A situation where tooltips would not disappear was fixed.

For the IDE, Microsoft improved tag-based classification for C#, reusing Visual Studio for Windows code. This is expected to improve typing performance in the editor. Also, to speed up NuGet restore on solution loads, no-op restore of NuGet packages is supported during opening of a solution. Startup time has been improved in the IDE and memory consumption reduced.

For Azure Functions, providing event-driven compute services on demand in a serverless fashion, Version 7.6 has templates for configuring access rights, connection strings, and other binding properties. The upgrade also lets developers publish functions to the Azure Portal. Developers can right-click on project name and choose Publish > Publish to Azure.