PHP Worms: Santy / Perl.PhpInclude - ModSecurity
PHP Worms
对newbb 1.0/2.0有影响
PHP Worms: Santy / Perl.PhpInclude - ModSecurity
PHP Blog: Dynamically Typed
Dec 27th, 2004 @ 9:55 AM MST
Looks like someone’s finally got nasty, in writing code which targets potential mistakes people often make with PHP. Although you may be on holiday, recommend giving these some thought at least and, if in doubt, do what Christian as done and take it offline until you’ve got time to deal with it.
Santy
Hopefully you’ve already picked this up but if you’re using phpBB, you should to upgrade to 2.0.11 (see the announcement).
The reason? The Santy Worm. This one even made the BBC’s website (ironically, probably the first time for PHP or a PHP app).
There’s been some confusion surrounding Santy, such as this announcement, which suggests the worm exploits a vulnerability in PHP itself. Derick cleared this up here - phpBB was also exposed to a problem with PHP’s unserialize() function (fixed in the latest PHP release) but this was not what the worm uses. Ilia discusses the unserialize() vulns here.
The most considered and up-to-date information I’ve found so far is available here. There’s now more than one version of the worm out there and the latest, Santy.e, also being called the Perl.PhpInclude.Worm (it’s apparently not related to Santy).
Perl.PhpInclude
The Perl.PhpInclude.Worm seems to exploit a common potential vulnerability / mistake, which I described (last April 1st) here. Make sure you read this: 4. Remote Files and take this very seriously.
Should be possible to knock up a shell script to scan a filesystem for code that could potentially contain such issues, grepping for include statements (and similar) which contain PHP variables. Out of time for today but will try tomorrow (unless someone gets there first).
ModSecurity
Been pondering a blog / discussion on ModSecurity for a while now. This makes me think it’s time to get a move on. I owe it’s author Ivan some emails - ModSecurity came up at OSCOM.4. This is just some quick notes…
First I highly recommend that both web hosting companies and developers of projects like phpBB that look at ModSecurity. Ivan has already blogged what may a filter for Santy here.
Some key things about ModSecurity (referring here to the C version, not the Java version);
- It’s an Apache module
- It filters incoming requests first, before Apache does anything else with them (such as hand off to PHP)
- It’s rules-based and rules can contain regular expressions (among other things)
- You can have it perform very fine grained filtering (e.g. filtering a single GET variable called ‘highlight’)
- Configuration can be made in httpd.conf and .htaccess files
- It can work in something like a “permit all / deny some” or “deny all / permit some” modes, similar to other Apache rules
- It really is the simplest thing you can possibly do
- There’s a tutorial by Ivan on O’Reilly here
Potentially hosts can use ModSecurity to screen all requests for likely exploits such as Javascript XSS and things like the Santy worm (permit all / deny some) . Developers like the phpBB team could also publish “valid request signatures” for their applications - everything they regard as valid input (deny all / permit some).
1/4/2005 @ 10:44 am
From http://php.net
A Note on Security in PHP
[31-Dec-2004] PHP is a powerful and flexible tool. This power and flexibility comes from PHP being a very thin framework sitting on top of dozens of distinct 3rd-party libraries. Each of these libraries have their own unique input data characteristics. Data that may be safe to pass to one library may not be safe to pass to another.
A recent Web Worm known as NeverEverSanity exposed a mistake in the input validation in the popular phpBB message board application. Their highlighting code didn’t account for double-urlencoded input correctly. Without proper input validation of untrusted user data combined with any of the PHP calls that can execute code or write to the filesystem you create a potential security problem. Despite some confusion regarding the timing of some unrelated PHP security fixes and the NeverEverSanity worm, the worm didn’t actually have anything to do with a security problem in PHP.
When we talk about security in a web application we really have two classes. Remote and Local. Every remote exploit can be avoided with very careful input validation. If you are writing an application that asks for a user’s name and age, check and make sure you are only getting characters you would expect. Also make sure you are not getting too much data that might overflow your backend data storage or whatever manipulation functions you may be passing this data to. A variation of the remote exploit is the XSS or cross-site scripting problem where one user enters some javascript that the next user then views.
For Local exploits we mostly hear about open_basedir or safemode problems on shared virtual hosts. These two features are there as a convenience to system administrators and should in no way be thought of as a complete security framework. With all the 3rd-party libraries you can hook into PHP and all the creative ways you can trick these libraries into accessing files, it is impossible to guarantee security with these directives. The Oracle and Curl extensions both have ways to go through the library and read a local file, for example. Short of modifying these 3rd-party libraries, which would be difficult for the closed-source Oracle library, there really isn’t much PHP can do about this.
When you have PHP by itself with only a small set of extensions safemode and open_basedir are generally enough to frustrate the average bad guy, but for critical security situations you should be using OS-level security by running multiple web servers each as their own user id and ideally in separate jailed/chroot’ed filesystems. Better yet, use completely separate physical servers. If you share a server with someone you don’t trust you need to realize that you will never achieve airtight security.
1/20/2005 @ 5:07 pm
As an application security professional I’ve always been frustrated, as I’m sure many of you have been, with the lack of understanding of application security among IT professionals. Many think that solving application security issues only requires an IPS/IDS, VA and patching. Only a few out there really understand the depth of the problem as presented in the OWASP top 10.
The Santy worm is a turning point in this respect. As Santy and hpInclude its successor, are application layer attacks (”PHP injection” and “command injection” respectively) they stretch signature based technology to its limits and require signatures that are easy to evade and are prone to generate false positives.
Just think how many different ways the Santy attack vector used as a snort signature < <<'&highlight=%2527%252Esystem('>>> can be modified to evade an IDS (manually or automatically).
“PhpInclude” is even more interesting as it does not address a specific vulnerability but tries to exploit a known flawed technique used to write PHP code. It tries to change arbitrary parameters of a PHP script to a command injection string, expecting that in some cases these parameters will be used in a PHP include statement. It is probably the first worm to exploit a OWASP top 10 security problem and not a specific voluntarily.
The “phpInclude” attack vector is varying but has the general form < <>>. A signature based system may look for the signatures such as erl mdor getbut they are way too short and simplistic to evade false positives.
“Santy” and “phpInclude” emphasize the need for real application security measurements such as code review, application layer scanning and real time application layer security.
An interesting solution for real time protection is application layer signatures. Such signatures predict better application layer attacks. To do so they have to be contextual (i.e. confined to field values), normalized and correlated to other attack indicators such as abnormal behavior or multiple signature match during the session’s requests and responses.
While mod_security is a real time application security solution Mod_security is not different from IPS solutions in this case since unlike networks which are (relatively) simple and static, applications are complex and dynamic. A real time application security solution has to provide some sort of a dynamic policy that adapts automatically to the application. Otherwise security configuration will have to be performed constantly during the application life cycle.
In other words - for you as a security expert with application knowledge it is a great solution. For an organization it is impractical.