Last weekend, I gave a talk with blotus and bui at BerlinSides about a nice project called Snuffleupagus.
Since you can get the (redacted) slides here, I won't repeat their content, except for the most prominent features:
We're killing the following bug classes:
- Unserialize-based code execution
- Cookie-stealing XSS
- Weak entropy generation via `rand` and `mt_rand`
- External Entities (XXE)
- Overly permissive `chmod`
- `mail`-related RCE
We're making persistence and exploitation harder
By allowing the following filters on function execution, by explicit value or regexp:
- Complete path of the filename
- Hash of the filename
- Name of the function
- Return value of the function
- Any parameter of the function, even in nested arrays
- The name of the namespace the function belongs to
- The name of the class the function (yes, methods are functions in php) belongs to
- Log and/or dump the request if a rule matched, allowing you to harvest free vulnerabilities
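As an added illustration (not from the talk, and not the project's own rule set), here is a rule file exercising those filters; it assumes the rule syntax of the later public release, which may differ from the alpha, and the PHP parameter names and paths in it are assumptions.

```ini
# Illustrative Snuffleupagus rules (assumed syntax of the public release).
# Loaded from php.ini with:  sp.configuration_file=/etc/php/snuffleupagus.rules

# Filter on the name of the function: refuse shell execution outright.
sp.disable_function.function("system").drop();

# Filter on a parameter, by exact value: ini_get('open_basedir') is almost
# only called by code probing a restricted environment (param name assumed).
sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();

# Filter on a parameter, by regexp: is_callable() used to enumerate sinks.
sp.disable_function.function("is_callable").param("name").value_r("^(system|exec|shell_exec|passthru)$").drop();

# Filter on the return value: mysql_query() returning FALSE in production is
# the usual signature of a query broken by an injection attempt.
sp.disable_function.function("mysql_query").ret("FALSE").drop();

# Filter on the complete path of the calling file: only the vetted mailer
# script may call mail(); everything else is dropped (path is an assumption).
sp.disable_function.function("mail").filename("/var/www/app/lib/mailer.php").allow();
sp.disable_function.function("mail").drop();

# Filter on the hash of the calling file, for a script that may be moved
# but whose content must not change (placeholder hash, not a real value).
sp.disable_function.function("file_put_contents").hash("<sha256-of-vetted-script>").allow();
sp.disable_function.function("file_put_contents").filename_r("/uploads/").drop();

# Dump the whole request to disk when a rule matches, then drop it: this is
# where the "free vulnerabilities" come from.
sp.disable_function.function("unserialize").param("str").value_r("^O:[0-9]+:").dump("/var/log/php-sp/").drop();
```

The `allow()` rule must precede the matching `drop()` rule, since rules are evaluated in order and the first match wins.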
We also provide various hardening measures
Either natively as an option, or in the set of default rules:
- Forbidding execution of writeable files
- Calling a program upon script upload to take the decision to quarantine it or not
- Detection of suspicious calls, like `ini_get('open_basedir')` or `is_callable("system")`
- Detection of `mysql_query` errors
We have more mitigations and bug-class slaughter planned (sloppy comparisons, SQLi, …), and odds are that we'll publish a paper along with the project.
We're planning to open-source it in a couple of weeks, feel free to shoot us an email at the address mentioned in the slides (or to idle on #websec) if you want to be part of the alpha.
About BerlinSides, as usual, the talks were mostly interesting and varied: an introduction to the HardenedBSD project, exploitation of hardware older than me, partial-emulation-assisted fuzzing of embedded devices (by someone from the tasteless CTF team), functional programming (with a pen on a real overhead projector), interesting reflections on type safety, … and the mandatory talk about how broken the IoT is.
Kudos to aluc for organizing it every year.