Exploiting server-side bugs is a jackpot for hackers. Users tend to keep their data in one big pot – the server. This allows attackers to focus on one target instead of individual users, making it possible for them to achieve greater results. This approach has been extremely profitable for attackers with various goals ranging from credential theft to cyber espionage. They manage to hack servers time and again by exploiting numerous vulnerabilities in server-side scripting languages.
The most popular web server-side scripting language in use today is PHP, with over 80% of websites using it, according to Web Technology Surveys. Many secure coding practices are used when developing in PHP to eliminate different classes of vulnerabilities. However, secure coding can’t mitigate flaws in the language itself. PHP is written in C, exposing it to vulnerabilities that are common in projects written in such a low-level language. One such class is memory-corruption vulnerabilities, and specifically use-after-free vulnerabilities.
The language has gone through some major changes to improve efficiency and security, and a new version was released in December 2015 – the hailed PHP-7. This version’s internals are so different from PHP-5 that previous exploitation techniques are irrelevant.
However, even this language has flaws. The Check Point Research Team demonstrates an exploit of PHP-7, using an unserialize vulnerability, in its new report Exploiting PHP-7 unserialize: Teaching a New Dog Old Tricks. In our research, we explain how this vulnerability can be exploited by using re-usable exploit primitives for PHP-7 unserialize vulnerabilities, which are general enough to be applied to all vulnerabilities found in the unserialize mechanism.
An attacker using this exploit can gain full control over the environment executing PHP, allowing them to execute arbitrary code. Check Point notified the PHP security team and MITRE about this potential risk, and provided the information required to mitigate the exploit. It is important to note that currently there is no known vulnerability in PHP-7, meaning users are not at risk.
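The attack surface the report targets is untrusted input reaching unserialize(). The following is an added illustration in PHP, not code from the Check Point report or from PHP itself: the risky pattern beside two narrower alternatives. The function names, the cookie format and the sample data are constructed for this example; the `allowed_classes` option is a real parameter of unserialize() available since PHP 7.0.

```php
<?php
// Added example (not from the Check Point report). Function names, the
// cookie layout and the sample values below are constructed for illustration.

// 1. Risky: whatever the client sends is handed to unserialize(), so the
//    full parser and every class with __wakeup()/__destruct() are reachable.
function loadPrefsUnsafe(string $cookieValue)
{
    return unserialize($cookieValue);          // untrusted bytes -> full parser
}

// 2. Narrower: allowed_classes => false (PHP 7.0+) refuses to instantiate
//    objects, which cuts off gadget chains through magic methods. The parser
//    itself still runs on attacker-controlled bytes, so this is a surface
//    reduction, not a fix for bugs inside unserialize().
function loadPrefsRestricted(string $cookieValue): array
{
    $prefs = @unserialize($cookieValue, ['allowed_classes' => false]);
    // Objects come back as __PHP_Incomplete_Class, so anything that is not a
    // plain array is discarded.
    return is_array($prefs) ? $prefs : [];
}

// 3. Preferred: keep untrusted data out of unserialize() entirely. JSON has
//    no class or object semantics, and an HMAC lets the server reject anything
//    it did not issue before any parsing happens.
const PREFS_KEY = 'replace-with-a-random-server-secret'; // placeholder, not a real key

function issuePrefs(array $prefs): string
{
    $payload = json_encode($prefs);
    $mac = hash_hmac('sha256', $payload, PREFS_KEY);
    return base64_encode($payload) . '.' . $mac;
}

function loadPrefsJson(string $cookieValue): array
{
    list($b64, $mac) = array_pad(explode('.', $cookieValue, 2), 2, '');
    $payload = base64_decode($b64, true);
    if ($payload === false
        || !hash_equals(hash_hmac('sha256', $payload, PREFS_KEY), $mac)) {
        return [];                             // tampered or unknown: never parsed
    }
    $prefs = json_decode($payload, true, 8);   // arrays only, bounded depth
    return is_array($prefs) ? $prefs : [];
}

// Constructed sample input: a serialized object rather than the array the
// application expects.
$sample = 'O:8:"stdClass":1:{s:5:"theme";s:4:"dark";}';
var_dump(loadPrefsUnsafe($sample));          // an object is instantiated
var_dump(loadPrefsRestricted($sample));      // instantiation refused, input dropped
$issued = issuePrefs(['theme' => 'dark']);
var_dump(loadPrefsJson($issued));            // accepted: MAC matches
var_dump(loadPrefsJson($issued . 'x'));      // rejected: MAC mismatch
```

The third pattern is the one that actually removes the serializer from the attack surface: a parser bug of the kind the report describes can only be reached if attacker bytes are parsed, and with JSON plus an HMAC check they never are. The `allowed_classes` restriction is worth applying to legacy code that cannot drop unserialize() yet, but, as the post notes about language-level flaws, it does not protect against memory-corruption bugs in the parser itself.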
Check Point users are protected from any potential PHP-7 vulnerabilities by the Check Point Intrusion Prevention System (IPS) software blade. Please visit our website for more information on the Check Point IPS Software Blade.