state of the art post exploitation in hardened php
play

State of the Art Post Exploitation in Hardened PHP Environments - PowerPoint PPT Presentation

Aug 24, 2023 •91 likes •716 views

http://www.sektioneins.de State of the Art Post Exploitation in Hardened PHP Environments Stefan Esser <stefan.esser@sektioneins.de> Who am I? Stefan Esser from Cologne/Germany Information Security since 1998 PHP Core

  1. http://www.sektioneins.de State of the Art Post Exploitation in Hardened PHP Environments Stefan Esser <stefan.esser@sektioneins.de>

  2. Who am I? Stefan Esser • from Cologne/Germany • Information Security since 1998 • PHP Core Developer since 2001 • Month of PHP Bugs & Suhosin • Head of Research & Development at SektionEins GmbH Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 2

  3. Part I Introduction Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 3

  4. Introduction (I) • PHP applications are often vulnerable to remote PHP code execution • File/URL Inclusion vulnerabilities • PHP file upload • Injection into eval() , create_function(), preg_replace() • Injection into call_user_func() parameters • executed PHP code can do whatever it wants on insecure web servers Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 4

  5. Introduction (II) • post exploitation is a lot harder when the PHP environment is hardened • more and more PHP environments are hardened by default • executed PHP code is very limited in possibilities • taking control over a hardened server is a challenge Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 5

  6. What the talk is about... • intro of common protections (on web servers) • intro of a special kind of local PHP vulnerabilities • how to exploit two such 0 day vulnerabilities in a portable/stable way • using info leak and memory corruption to • disable several protections directly from within PHP • execute arbitrary machine code (a.k.a. launch kernel exploits) Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 6

  7. Part II Common Protections in Hardened PHP Environments Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 7

  8. Types of protections... • protections against remote attacks <- already failed • limit possibilities of PHP code • limit possibilities of PHP interpreter • hardening against buffer overflow/memory corruption exploits • limit possibility to load arbitrary code • non writable filesystems Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 8

  9. Where to find protections... • in PHP itself • in Suhosin (-patch/-extension) • in webserver • in c-library • in compiler / linker • in filesystem • in kernel / kernel-security-extensions Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 9

  10. PHP‘s internal protections (I) • safe_mode • disables access to several configuration settings • shell command execution only in safe_exec_dir • white- and blacklist of environment variables • limits access to files / directories with the UID of the script • ... • open_basedir • limits access to files / directories inside defined basedir(s) Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 10

  11. PHP‘s internal protections (II) • disable_function / disable_classes • removes functions/classes from function/class table (processwide) • dl() hardening • dl() function can be disabled by enable_dl • dl() is limited to extension_dir • dl() is limited to the cgi/cli/embed and other non ZTS SAPI Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 11

  12. PHP‘s internal protections (III) • memory manager in PHP < 5.2.0 • request memory allocator is a wrapper around malloc() • free memory is kept in a doubly linked list • memory manager in PHP >= 5.2.0 • new memory manager request memory blocks via malloc() / mmap() /... and does managing itself • „safe unlink“ like features • canaries when compiled as debug version Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 12

  13. Suhosin-Patch‘s PHP protections (I) • memory manager hardening • safe_unlink for all PHP versions >= 4.3.10 • 3 canaries (before metadata, before buffer, after buffer) • HashTable and llist destructor protection • protects against overwritten destructor function pointer • only destructors defined in calls to zend_hash_init() / zend_llist_init() are allowed • script is aborted if an unknown destructor is encountered Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 13

  14. Suhosin-Extension‘s PHP protections (II) • suhosin.executor.func.whitelist / suhosin.executor.func.blacklist • similar to disable_function but not processwide • functions NOT removed from function list, just forbidden on call • suhosin.executor.eval.whitelist / suhosin.executor.eval.blacklist • separate white- and blacklist that only affects eval()‘d code • other suhosin features only protect against remote attacks Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 14

  15. c-library / compiler / linker protections • stack variable reordering / canary protection • RELRO • memory manager hardening • pointer obfuscation Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 15

  16. Kernel level protections • non executable ( NX ) stack, heap, ... • address space layout randomization ( ASLR ) • mprotect() hardening • no-exec mounts • (mod_)apparmor, systrace, selinux, grsecurity Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 16

  17. Part III Internals of PHP Variables Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 17

  18. PHP Variables PHP 5 typedef union _zvalue_value { • PHP variables are stored in structures long lval; /* long value */ called ZVAL double dval; /* double value */ struct { char *val; • ZVAL differences in PHP 4 and PHP 5 int len; } str; HashTable *ht; /* hash table value */ • element order zend_object_value obj; } zvalue_value; • 16 bit vs. 32 bit refcount struct _zval_struct { /* Variable information */ zvalue_value value; /* value */ • object handling different zend_uint refcount; zend_uchar type; /* active type */ • zend_uchar is_ref; Possible variable types are }; #define IS_NULL 0 #define IS_LONG 1 PHP 4 #define IS_DOUBLE 2 #define IS_BOOL* 3 struct _zval_struct { #define IS_ARRAY 4 /* Variable information */ zvalue_value value; /* value */ #define IS_OBJECT 5 zend_uchar type; /* active type */ #define IS_STRING* 6 zend_uchar is_ref; #define IS_RESOURCE 7 zend_ushort refcount; }; * in PHP < 5.1.0 IS_BOOL and IS_STRING are switched Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 18

  19. PHP Arrays typedef struct _hashtable { uint nTableSize; uint nTableMask; uint nNumOfElements; ulong nNextFreeElement; • PHP arrays are stored in a HashTable struct Bucket *pInternalPointer; Bucket *pListHead; • Bucket *pListTail; HashTable can store elements by Bucket **arBuckets; dtor_func_t pDestructor; • numerical index zend_bool persistent; unsigned char nApplyCount; • string - hash functions are variants of DJB hash function zend_bool bApplyProtection; } HashTable; • Auto-growing bucket space typedef struct bucket { • ulong h; Bucket collisions are kept in double linked list uint nKeyLength; void *pData; • Additional double linked list of all elements void *pDataPtr; struct bucket *pListNext; • Elements: *ZVAL - Destructor: ZVAL_PTR_DTOR struct bucket *pListLast; struct bucket *pNext; struct bucket *pLast; char arKey[1]; } Bucket; Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 19

  20. PHP Arrays - The big picture global list HashTable collision list arBuckets 0 bucket_1 bucket_5 1 ZVAL_1 ZVAL_4 2 3 ZVAL_2 4 bucket_2 5 bucket_4 ZVAL_5 6 7 bucket_3 ZVAL_3 Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 20

  21. Part IV Interruption Vulnerabilities Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 21

  22. Interruption Vulnerabilities (I) • PHP‘s internal functions • are written as if not interruptible • but are interruptible by user space PHP “callbacks“ • Interruption by PHP code can cause • unexpected behavior, information leaks, memory corruption • Vulnerability class first exploited during MOPB • e.g. MOPB-27-2007, MOPB-28-2007, MOPB-37-2007 • no one discloses them • no one fixes them Stefan Esser • State of the Art Post Exploitation in Hardened PHP Environments • July 2009 • 22

Recommend

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented Exploitation ! Techniques ! Demo ! Mac OS X x86_64 ! Conclusion ! Morris Worm (November 1988) ! Exploited a stack buffer overflow in BSD in.fingerd on VAX

1.02k views • 80 slides
through the exploitation of nonlinear post-buckling behavior Ariel Ibarra Pino Fifth deal.II

through the exploitation of nonlinear post-buckling behavior Ariel Ibarra Pino Fifth deal.II

UNIVERSITY OF MINNESOTA Aerospace Engineering and Mechanics COLLEGE OF SIENCE AND ENGINEERING Design of switchable many-state architectured materials through the exploitation of nonlinear post-buckling behavior Ariel Ibarra Pino Fifth deal.II

407 views • 3 slides
Post Exploitation Operations with Cloud Synchronization Services Jake Williams

Post Exploitation Operations with Cloud Synchronization Services Jake Williams

Post Exploitation Operations with Cloud Synchronization Services Jake Williams jwilliams@csr-group.com @MalwareJake Agenda The problem (cloud backup/synchronization) The solution (DropSmack) Next steps Insecure Authentication

1.1k views • 55 slides
CLOUD POST EXPLOITATION Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud &amp;

CLOUD POST EXPLOITATION Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud &amp;

CLOUD POST EXPLOITATION Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud &amp; Enterprise Red T eam ake Aways Azure Overview Key T Cloud Pivots Trends and Countermeasures 2 eam Red Team Success Culture Collective Growth

1.31k views • 27 slides
The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots GreHacks Gabriel Ryan (solstice) net user author /domain Gabriel Ryan Researcher @ Gotham Digital Science Worlds best Red

1.89k views • 125 slides
Post Exploitation Bliss: Meterpreter for iPhone Charlie MIller Vincenzo Iozzo Independent

Post Exploitation Bliss: Meterpreter for iPhone Charlie MIller Vincenzo Iozzo Independent

Post Exploitation Bliss: Meterpreter for iPhone Charlie MIller Vincenzo Iozzo Independent Security Evaluators Zynamics &amp; Secure Network cmiller@securityevaluators.com vincenzo.iozzo@zynamics.com Who we are Charlie First to hack the

885 views • 73 slides
Post-Crisis State Transformation: Rethinking the Foundations of the State Linkping, 1-5 May

Post-Crisis State Transformation: Rethinking the Foundations of the State Linkping, 1-5 May

International Conference Post-Crisis State Transformation: Rethinking the Foundations of the State Linkping, 1-5 May 2009 Background Consensus is growing that the use of the Western model of the Nation State in post crisis contexts poses

119 views • 11 slides
Cyber@UC Meeting 49 Systems Exploitation: Sniffing, Man in the Middle, etc If Youre New!

Cyber@UC Meeting 49 Systems Exploitation: Sniffing, Man in the Middle, etc If Youre New!

Cyber@UC Meeting 49 Systems Exploitation: Sniffing, Man in the Middle, etc If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general) Feel free to get involved with one of our committees:

464 views • 21 slides
Cyber@UC Meeting 50 Systems Exploitation with Metasploit If Youre New! Join our Slack:

Cyber@UC Meeting 50 Systems Exploitation with Metasploit If Youre New! Join our Slack:

Cyber@UC Meeting 50 Systems Exploitation with Metasploit If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general) Feel free to get involved with one of our committees: Content Finance

382 views • 20 slides
Micro-spectroscopic investigations of the Al and S speciation in hardened cement paste 1 ,R.

Micro-spectroscopic investigations of the Al and S speciation in hardened cement paste 1 ,R.

Nuclear Energy and Safety Research Department Laboratory for Waste Management PAUL SCHERRER INSTITUT Micro-spectroscopic investigations of the Al and S speciation in hardened cement paste 1 ,R. Dhn 1 , B. Lothenbach 2 , M. Vespa 1 E.

646 views • 52 slides
Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki

Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki

Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki 2013-06-06 Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses &amp; Mitigation Techniques

899 views • 51 slides
Implemen'ng a ver'cally hardened DNP3 control stack Sven M.

Implemen'ng a ver'cally hardened DNP3 control stack Sven M.

Implemen'ng a ver'cally hardened DNP3 control stack Sven M. Hallberg, Sergey Bratus, Adam Crain, Meredith L. Pa&lt;erson,

886 views • 49 slides
Finding a Needle in the Haystack of Hardened Interconnect Patterns S. Nikoli, G. Zgheib*, and

Finding a Needle in the Haystack of Hardened Interconnect Patterns S. Nikoli, G. Zgheib*, and

Finding a Needle in the Haystack of Hardened Interconnect Patterns S. Nikoli, G. Zgheib*, and P. Ienne FPL19, Barcelona, 09.09.2019 cole Polytechnique Fdrale de Lausanne *Intel Corporation Why harden connections? 2 crossbar LUT LUT

626 views • 44 slides
AN APPLICATION OF THE HARDENED FLOATING-POINT CORES ON HIL SIMULATIONS Elas Todorovich,

AN APPLICATION OF THE HARDENED FLOATING-POINT CORES ON HIL SIMULATIONS Elas Todorovich,

AN APPLICATION OF THE HARDENED FLOATING-POINT CORES ON HIL SIMULATIONS Elas Todorovich, Alberto Snchez, ngel de Castro SPL 2019 - Buenos Aires 2 Power converter Design Verification Thousands of directed and random tests are

360 views • 9 slides
An Introduction to Elder Abuse for Professionals: Financial Exploitation NCEA Financial

An Introduction to Elder Abuse for Professionals: Financial Exploitation NCEA Financial

An Introduction to Elder Abuse for Professionals: Financial Exploitation NCEA Financial Exploitation 1 Learning Objectives At the end of this presentation, you will be able to: Define and describe financial exploitation Identify

386 views • 34 slides
Cyber@UC Meeting 90 MBE: Basic Binary Exploitation If Youre New! Join our Slack:

Cyber@UC Meeting 90 MBE: Basic Binary Exploitation If Youre New! Join our Slack:

Cyber@UC Meeting 90 MBE: Basic Binary Exploitation If Youre New! Join our Slack: cyberatuc.slack.com Check out our website: cyberatuc.org Organization Resources on our Wiki: wiki.cyberatuc.org SIGN IN! (Slackbot will post

442 views • 14 slides
Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security Prashant Anantharaman, Dartmouth College pa@cs.dartmouth.edu http://cs.dartmouth.edu/~pa CREDC Industry Workshop March 27-29, 2017 Funded by the U.S.

583 views • 36 slides
Radiation Hardened Op-amp Design for 1 Mrad TID Euntae Cho a , Gyuseong Cho b , Inyong Kwon a a

Radiation Hardened Op-amp Design for 1 Mrad TID Euntae Cho a , Gyuseong Cho b , Inyong Kwon a a

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Radiation Hardened Op-amp Design for 1 Mrad TID Euntae Cho a , Gyuseong Cho b , Inyong Kwon a a Korea Atomic Energy Research Institute b Korea Advanced Institute of

412 views • 3 slides
Radiation Hardened Technology for Remote Maintenance Chuck Britton, PhD. David Holcomb, PhD.

Radiation Hardened Technology for Remote Maintenance Chuck Britton, PhD. David Holcomb, PhD.

Radiation Hardened Technology for Remote Maintenance Chuck Britton, PhD. David Holcomb, PhD. Nance Ericson, PhD. Presented at the 2018 Molten Salt Reactor Workshop Oak Ridge, Tn October, 2018 ORNL is managed by UT-Battelle, LLC for the US

506 views • 17 slides
SEU-Hardened Energy Recovery Pipelined Interconnects for On-Chip Networks A. Ejlali*, B. M.

SEU-Hardened Energy Recovery Pipelined Interconnects for On-Chip Networks A. Ejlali*, B. M.

SEU-Hardened Energy Recovery Pipelined Interconnects for On-Chip Networks A. Ejlali*, B. M. Al-Hashimi Electronics and Comp. Science * Computer Engineering Dept. University of Southampton Sharif University of Technology Southampton, UK

440 views • 23 slides
exploitation initiatives Monday, 10 December 2018 Biowaste treatment and exploitation SYMBIOSIS

exploitation initiatives Monday, 10 December 2018 Biowaste treatment and exploitation SYMBIOSIS

CluBE and biowaste exploitation initiatives Monday, 10 December 2018 Biowaste treatment and exploitation SYMBIOSIS Sensitization Event Nikolaos Ntavos Cluster Manager n.ntavos@clube.gr Cluster of Bioenergy &amp; Environment Formally

632 views • 37 slides
Effect of co-existing ions on lead leaching behaviour from hardened cement paste Takumi Nishiwaki

Effect of co-existing ions on lead leaching behaviour from hardened cement paste Takumi Nishiwaki

4th International Conference on Rehabilitation and Maintenance in Civil Engineering Best Western Premier Hotel, Solo Baru, July,11 12 2018 Effect of co-existing ions on lead leaching behaviour from hardened cement paste Takumi Nishiwaki

259 views • 22 slides
StarlingX Hardened Managed Kubernetes Platform for the Edge BRENT ROWSELL STARLINGX TSC

StarlingX Hardened Managed Kubernetes Platform for the Edge BRENT ROWSELL STARLINGX TSC

StarlingX Hardened Managed Kubernetes Platform for the Edge BRENT ROWSELL STARLINGX TSC MEMBER GREG WAINES STARLINGX CORE BART WENSLEY STARLINGX CORE STARLINGX.IO Agenda Architecture Overview Deployment Models Day 1/Day

225 views • 19 slides
WiFi Exploitation: How passive interception leads to active exploitation SecTor Canada Solomon

WiFi Exploitation: How passive interception leads to active exploitation SecTor Canada Solomon

WiFi Exploitation: How passive interception leads to active exploitation SecTor Canada Solomon Sonya @Carpenter1010 The problem always seems to become more tractable when presented with the solution Solomon Sonya @Carpenter1010 What to

680 views • 63 slides

More recommend