转载

joomla /libraries/joomla/session/session.php 反序列化截断畸形字符串导致对象注入漏洞

catalog

 1. 漏洞描述 2. PHP SESSION持久化 3. PHP 序列化/反序列化内核实现 4. 漏洞代码分析 5. POC构造技巧 6. 防御方案

1. 漏洞描述

Joomla在处理SESSION序列化数据的时候，对序列化格式未进行严格规范，导致攻击者可以构造畸形HTTP包，实现对象注入

Relevant Link:

 https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html http://www.freebuf.com/vuls/89599.html

2. PHP SESSION持久化

0x1: Session简介

会话支持在 PHP 中是在并发访问时由一个方法来保存某些数据.从而使你能够构建更多的定制程序从而提高你的 web 网站的吸引力.

一个访问者访问你的 web 网站将被分配一个唯一的 id, 就是所谓的会话 id. 这个 id 可以存储在用户端的一个 cookie 中，也可以通过 URL 进行传递.

会话支持允许你将请求中的数据保存在超全局数组$_SESSION中. 当一个访问者访问你的网站，PHP 将自动检查(如果 session.auto_start 被设置为 1）或者在你要求下检查(明确通过 session_start() 或者隐式通过 session_register()) 当前会话 id 是否是先前发送的请求创建. 如果是这种情况，那么先前保存的环境将被重建.

$_SESSION (和所有已注册得变量) 将被 PHP 使用内置的序列化方法在请求完成时进行序列化.序列化方法可以通过 session.serialize_handler 这个 PHP 配置选项中来设置一个指定的方法.注册的变量未定义将被标记为未定义.在并发访问时,这些变量不会被会话模块定义除非用户后来定义了它们.

0x2: The SessionHandler class

SessionHandler is a special class that can be used to expose the current internal PHP session save handler by inheritance. There are seven methods which wrap the seven internal session save handler callbacks

 1. open 2. close 3. read 4. write 5. destroy 6. gc 7. create_sid

By default, this class will wrap whatever internal save handler is set as defined by the session.save_handler configuration directive which is usually files by default. Other internal session save handlers are provided by PHP extensions such as SQLite (as sqlite), Memcache (as memcache), and Memcached (as memcached).

 <?php     echo ini_get('session.save_handler'); ?>

When a plain instance of SessionHandler is set as the save handler using session_set_save_handler() it will wrap the current save handlers. A class extending from SessionHandler allows you to override the methods or intercept or filter them by calls the parent class methods which ultimately wrap the interal PHP session handlers.

This allows you, for example, to intercept the read and write methods to encrypt/decrypt the session data and then pass the result to and from the parent class. Alternatively one might chose to entirely override a method like the garbage collection callback gc.

Because the SessionHandler wraps the current internal save handler methods, the above example of encryption can be applied to any internal save handler without having to know the internals of the handlers.

 <?php  /**   * decrypt AES 256   *   * @param data $edata   * @param string $password   * @return decrypted data   */ function decrypt($edata, $password) {     $data = base64_decode($edata);     $salt = substr($data, 0, 16);     $ct = substr($data, 16);      $rounds = 3; // depends on key length     $data00 = $password.$salt;     $hash = array();     $hash[0] = hash('sha256', $data00, true);     $result = $hash[0];     for ($i = 1; $i < $rounds; $i++) {         $hash[$i] = hash('sha256', $hash[$i - 1].$data00, true);         $result .= $hash[$i];     }     $key = substr($result, 0, 32);     $iv  = substr($result, 32,16);      return openssl_decrypt($ct, 'AES-256-CBC', $key, true, $iv);   }  /**  * crypt AES 256  *  * @param data $data  * @param string $password  * @return base64 encrypted data  */ function encrypt($data, $password) {     // Set a random salt     $salt = openssl_random_pseudo_bytes(16);      $salted = '';     $dx = '';     // Salt the key(32) and iv(16) = 48     while (strlen($salted) < 48) {       $dx = hash('sha256', $dx.$password.$salt, true);       $salted .= $dx;     }      $key = substr($salted, 0, 32);     $iv  = substr($salted, 32,16);      $encrypted_data = openssl_encrypt($data, 'AES-256-CBC', $key, true, $iv);     return base64_encode($salt . $encrypted_data); }  class EncryptedSessionHandler extends SessionHandler {     private $key;      public function __construct($key)     {         $this->key = $key;     }      public function read($id)     {         $data = parent::read($id);          var_dump($data);          if (!$data) {             return "";         } else {             return decrypt($data, $this->key);         }     }      public function write($id, $data)     {         $data = encrypt($data, $this->key);          return parent::write($id, $data);     } }  // we'll intercept the native 'files' handler, but will equally work // with other internal native handlers like 'sqlite', 'memcache' or 'memcached' // which are provided by PHP extensions. ini_set('session.save_handler', 'files');  $key = 'secret_string'; $handler = new EncryptedSessionHandler($key); session_set_save_handler($handler, true); session_start();  $_SESSION['OP'] = "HE;L"; var_dump($_SESSION); ?>

这里需要明白的是，PHP的SESSION持久化和serialize序列化是两个完全独立的东西，SESSION化(包括自定义SESSION化方案)本质上只是定义了一套算法，用于将超全局变量$_SESSION中的值本地持久化到第三方存储中(例如磁盘文件)而序列化本质上是一种编码转换方式，因为序列化的设计初衷就是为了网络传输、持久化存储，因为序列化的这个特性，序列化被默认用在了PHP的SESSION本地化中，综上，PHP的SESSION本地化流程是

 //session存储 1. PHP对$_SESSION中值进行serialize进行序列化，返回$result 2. PHP调用用户自定义的write函数对$result进行自定义算法处理 3. 持久化存储 //$_SESSION['OP'] = HE;L -> OP|s:4:"HE;L"; -> T1B8czo0OiJIRTtMIjs=  //session加载 1. 从持久化中读取字符串，$input 2. PHP调用用户自定义的read函数对$input进行算法处理 3. 在取$_SESSION值的时候，PHP自动对上一步结果进行反序列化处理 //T1B8czo0OiJIRTtMIjs -> OP|s:4:"HE;L"; -> $_SESSION['OP'] = HE;L

Relevant Link:

 http://php.net/manual/zh/intro.session.php http://php.net/manual/zh/class.sessionhandler.php http://drops.wooyun.org/tips/3909 http://bobao.360.cn/learning/detail/2499.html http://weibo.com/p/1001603920354568452417 http://php.net/manual/zh/function.session-set-save-handler.php

3. PHP 序列化/反序列化内核实现

/php-src-master/ext/session/session.c

 #define PS_DELIMITER '|' #define PS_UNDEF_MARKER '!'  PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ {     const char *p, *q;     const char *endptr = val + vallen;     zval current;     int has_value;     int namelen;     zend_string *name;     php_unserialize_data_t var_hash;      PHP_VAR_UNSERIALIZE_INIT(var_hash);      p = val;      while (p < endptr)      {         zval *tmp;         q = p;         //搜索序列化的定界符"|"的位置         while (*q != PS_DELIMITER)          {             //逐字符搜索到序列化字符串结尾             if (++q >= endptr) goto break_outer_loop;         }         //PS_UNDEF_MARKER = '!'         if (p[0] == PS_UNDEF_MARKER)          {             p++;             has_value = 0;         }          else          {             has_value = 1;         }          //p代表从本次搜索的开始位置，q -p即代表"|"之前的键名         namelen = q - p;         //获取键名         name = zend_string_init(p, namelen, 0);         q++;          if ((tmp = zend_hash_find(&EG(symbol_table), name)))          {             if ((Z_TYPE_P(tmp) == IS_ARRAY && Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars))              {                 goto skip;             }         }          if (has_value)          {             ZVAL_UNDEF(¤t);             //调用php_var_unserialize进行key-value解析             if (php_var_unserialize(¤t, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash))              {                 zval *zv = php_set_session_var(name, ¤t, &var_hash);                 var_replace(&var_hash, ¤t, zv);             }              else              {                 zval_ptr_dtor(¤t);             }         }         PS_ADD_VARL(name); skip:         zend_string_release(name);          p = q;     } break_outer_loop:      PHP_VAR_UNSERIALIZE_DESTROY(var_hash);      return SUCCESS; } /* }}} */

继续跟进php_var_unserialize函数，我们关注关键代码逻辑/php-src-master/ext/standard/var_unserializer.c

 /* 指针依次移动反序列化数据，当解析到如下数据的时候: 130:"_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";} len = parse_uiv(start + 2);通过parase_uiv获取130这个值给len  */ len2 = len = parse_uiv(start + 2); /* maxlen = max - YYCURSOR; 获取当前指针以后数据的长度  */ maxlen = max - YYCURSOR; if (maxlen < len || len == 0)  {     *p = start + 2;     return 0; }  //这样，此时if判断成功，进入内部语句，使得反序列化失败返回0，而我们的指针p指向上一次解析的结尾 php_var_unserialize返回0，  if (php_var_unserialize(¤t, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC))  {      php_set_session_var(name, namelen, current, &var_hash  TSRMLS_CC);  }  zval_ptr_dtor(¤t);  efree(name);  p = q;  注销当前变量，p = q;进入下一个循环，继续寻找"|"，这个时候会把我们注入的test|当成一个key值

总结一下这个漏洞的利用成因

 1. joomla使用自定义的SESSION持久化方案将SESSION数据保存到Mysql数据库中 2. joomla会将HTTP数据包中的HTTP_USER_AGENT、HTTP_X_FORWARDED_FOR保存到SESSION超全局变量中，并进行持久化 3. 攻击者在包含HTTP_USER_AGENT的攻击包中使用了2个关键性因素     1) "|"(key-value分隔符): }__test|O:21:"JData     2) 截断字符: }__test|O:21:"JData...ð(%F0%9D%8C%86) 4. 攻击者在二次回访的时候，joomla的$browser = $this->get('session.client.browser');会从数据库中读取SESSION数据，并尝试进行反序列化 5. ð(%F0%9D%8C%86)被会Mysql识别为截断字符，即当攻击者的HTTP包中包含这种字符，会导致之后的内容遭到截断 6. 因为截断字符的关系，导致PHP内核在解析session.client.forwarded后面字符串的时候，因为长度Check不一致，导致php_var_unserialize提前退出，返回false 7. PHP在上一次php_var_unserialize失败的时候，会从之前的指针位置继续开始下一轮key-value尝试 8. 在下一轮key-value尝试中，PHP内核将攻击者注入的"|"当成了分隔符，进行key-value解析，导致对象注入

0x1: 非Joomla场景复现

为了模拟出同样的畸形字符串解析问题，我们来构造如下代码

 <?php class Example {    var $var = '';    function __destruct()    {       eval($this->var);    } }  session_start(1); ini_set('session.save_handler', 'files');   $_SESSION['prefix'] = 'hello'; $_SESSION['pyaload'] = '_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}'; $_SESSION['after'] = 'alibaba'; var_dump($_SESSION);  ?>

访问后，我们手工修复磁盘上的SESSOIN持久化文件，主动触发PHP的畸形解析

 /* 1. 删除原本phpinfo();";}后面的双引号，以及之后的所有内容，模拟Mysql的特殊字符截断 2. 修改pyaload|s:..之后的长度为130，远超过原本的70，使之满足长度不符合的条件 */ prefix|s:5:"hello";pyaload|s:130:"_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}

Relevant Link:

 https://github.com/php/php-src/blob/PHP-5.4.5/ext/session/session.c

4. 漏洞代码分析

/Joomla_3.4.5_to_3.4.6-Stable-Patch_Package/libraries/joomla/session/session.php

 // Record proxy forwarded for in the session in case we need it later         if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))         {             //将HTTP数据包中的HTTP_X_FORWARDED_FOR保存到全局SESSION中             $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);         }          // Check for client address         if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']))         {             $ip = $this->get('session.client.address');              if ($ip === null)             {                 $this->set('session.client.address', $_SERVER['REMOTE_ADDR']);             }             elseif ($_SERVER['REMOTE_ADDR'] !== $ip)             {                 $this->_state = 'error';                  return false;             }         }          // Check for clients browser         if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))         {              $browser = $this->get('session.client.browser');              if ($browser === null)             {                 //将HTTP数据包中的HTTP_X_FORWARDED_FOR保存到全局SESSION中                 $this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);             }             elseif ($_SERVER['HTTP_USER_AGENT'] !== $browser)             {                 // @todo remove code: $this->_state = 'error';                 // @todo remove code: return false;             }         }

攻击者发送的畸形HTTP数据包的数据，会被joomla保存到全局SESSION中，Session默认初始化是在所有代码执行之前，然而joomla使用自定义存储session机制，替换了php自带的存储方式使用session_set_save_handler自定义了session存储函数/Joomla_3.4.5/libraries/joomla/session/storage.php

 public function register() {     // Use this object as the session handler     session_set_save_handler(     array($this, 'open'), array($this, 'close'), array($this, 'read'), array($this, 'write'), array($this, 'destroy'), array($this, 'gc')     ); }

Relevant Link:

 http://zone.wooyun.org/content/24440 http://zone.wooyun.org/content/24444 http://drops.wooyun.org/papers/11330

5. POC构造技巧

 http://drops.wooyun.org/papers/11330

6. 防御方案

 1. /Joomla/configuration.php class JConfig  {     ..     public $session_handler = 'files'; }  2. 升级PHP >= 5.6.13 从PHP 5.6.13开始，如果第一个变量解析错误，直接销毁整个session   3. joomla CMS代码修复 https://github.com/joomla/joomla-cms/releases/download/3.4.6/Joomla_3.4.5_to_3.4.6-Stable-Patch_Package.tar.gz /Joomla_3.4.5_to_3.4.6-Stable-Patch_Package/libraries/joomla/session/session.php 1. 去除HTTP_USER_AGENT的接收 2. 使用filter_var验证HTTP_X_FORWARDED_FOR是否符合IP格式，防御通过这个字段的注入攻击 // Check for client address if (in_array('fix_adress', $this->_security)         && isset($_SERVER['REMOTE_ADDR'])         && filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP) !== false) {     $ip = $this->get('session.client.address');      if ($ip === null)     {         $this->set('session.client.address', $_SERVER['REMOTE_ADDR']);     }     elseif ($_SERVER['REMOTE_ADDR'] !== $ip)     {         $this->_state = 'error';          return false;     } }    // Record proxy forwarded for in the session in case we need it later if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) !== false) {      $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']); }