Secarma Labs specialist
discovered a way to use the PHP bug related to data deserialization against sites running WordPress CMS and not only.
In fact, the problem lies not in the most popular CMS and affects not only WordPress, but any PHP-based applications and libraries that work with data coming from users. The bug is related to how PHP converts PHP objects to strings and vice versa. This process is called serialization and deserialization and is used in all programming languages to move data between different services, servers and applications.
The problems of serialization and deserialization in PHP have been known for a long time. For the first time spoke about this information security expert Stefan Essar back in 2009, and in subsequent years this the topic was developed by other specialists. As a result, new methods of compromising servers working with PHP applications were described.
Now another method of exploiting the problem in a new way was presented at the Black Hat and BSides conferences by the aforementioned Secarma Labs expert Sam Thomas. The explorer way allows you to use the deserialization process to execute arbitrary code in the application and on the server.
The essence of the method is that the attacker must be able to deliver (upload) malicious data to the server. This will allow you to launch a chain of operations starting with the phar:// stream, which will lead to the execution of the malicious code.
Full presentation of the expert on BSides, with all the details can be seen below.
During the presentation of his report, Thomas gave examples of using the problem against CMS WordPress and Typo3 , as well as the TCPDF library built into CMS Contao. Since the most popular of these examples is WordPress, let's take a closer look at it. WordPress Compromises
In WordPress, a PHP deserialization issue affects the processing of thumbnails (thumbnail) . In fact, this means that in order to carry out an attack, an attacker will only need to upload a malicious image to the server. The expert explains that different versions of the CMS will require different payloads: one for WordPress up to version 4.9 and one for newer versions.
In WordPress and TCPDF, the vulnerability has not yet been fixed, but the researcher reported that Typo3 developers have already fixed the bug by releasing updated versions 7.6.30, 8.7.17 on July 12, 2018 and 9.3. It took them a little over a month to release the patch.