Speaking at POC 2009

September 24th, 2009 by Stefan Esser

This year I will return to Power of Community in Seoul and present a session about state of the art exploitation of PHP applications and servers. Unlike my Syscan and Blackhat talk I will also demonstrate how to find unusual code execution vulnerabilities and how to tunnel attacks through web application firewalls.

Session: Shocking News in PHP Exploitation

Remote code execution vulnerabilities in modern PHP applications have become more difficult to find and exploit due to better education of developers and the wide adoption of Suhosin, web application firewalls and other PHP environment hardening. For example, the class of remote file inclusion vulnerabilities is practically dead in modern PHP installations.

This talk will demonstrate how a well known class of PHP application vulnerabilities that is widely believed to be a DoS vulnerability only can result in arbitrary PHP code being executed. Furthermore it will be demonstrated how attacks on PHP applications can be tunneled through web application firewalls like mod_security with ease, bypassing the whole rule engine. And last but not least we will take a look at the recently introduced protections against interruption vulnerabilities in PHP and how it is still possible to perform the post exploitation tricks presented at Syscan and Blackhat.

See you in Seoul between 5th and 6th November.

See you in Seoul on the 5th and 6th of November!

CGNSec September 2009

September 21st, 2009 by Stefan Esser

I just wanted to announce that this Wednesday (23rd of September 2009) at 19:30 there will be the next CGNSec meetup in Cologne/Germany. The meeting takes place at Hallmackenreuther, Brüsseler Platz 9, 50674 Köln (Google Maps).

Everyone working in the field of information security is invited to attend. If you are attending for the first time it is best to send me an email beforehand to ensure that you find us. Otherwise search for the table that has the most fun.

Suhosin Patch 0.9.8 for PHP 5.3.0 *BETA* - Please Test

August 13th, 2009 by Stefan Esser

Several weeks have passed since the release of PHP 5.3.0 and I haven’t released a stable Suhosin Patch for PHP 5.3.0 yet. The reason for this was that I was away from my development machine with a half ready new generation of Suhosin Patch waiting to be fixed.

With PHP 5.3.0 the need for a realpath() protection is gone, because PHP 5.3.0 has a far better implementation by default now. Therefore the code for the realpath() protection was completely removed from Suhosin 0.9.8. Another problem people often ran into was that Suhosin’s memory manager canary protection alerted them of memory corruptions that did no visible harm to PHP installations without the Suhosin Patch. Because of this I decided to add support for environment variables that are evaluated when PHP starts and allow configuring how Suhosin Patch works. To protect the settings they are stored in a memory page that is set to read-only after it has been initialized.

The following environment variables are currently supported:

  • SUHOSIN_MM_USE_CANARY_PROTECTION
    • default: 1
    • Set to 0 to disable canary protection. A copy of the MM will be used that does not have canaries. This is nearly the same as the MM of vanilla PHP.
  • SUHOSIN_MM_DESTROY_FREE_MEMORY
    • default: 0
    • Set to 1 to enable free memory destruction. Every piece of free memory will be overwritten. This makes debugging e.g. use-after-free memory corruption bugs easier without using a debug PHP.
  • SUHOSIN_MM_IGNORE_CANARY_VIOLATION
    • default: 0
    • Setting this to 1 stops Suhosin from aborting the process when it detects canary violations. The violations will be logged and the canary restored. It is strongly recommended to NOT use this feature. But it is more secure to use this feature than to disable Suhosin completely, which happened in the past when people saw canary violation error messages.
  • SUHOSIN_HT_IGNORE_INVALID_DESTRUCTOR
    • default: 0
    • Setting this to 1 stops Suhosin from aborting the process when it detects an invalid Hashtable destructor. It is strongly recommended to NOT use this feature.
  • SUHOSIN_LL_IGNORE_INVALID_DESTRUCTOR
    • default: 0
    • Setting this to 1 stops Suhosin from aborting the process when it detects an invalid LinkedList destructor. It is strongly recommended to NOT use this feature.

Because the new features of Suhosin Patch contain new code and some hacks, I am releasing the BETA version of the new Suhosin Patch to the public and hope people will test it on different OS/CPU/… combinations and mail me the results at <stefan.esser@sektioneins.de>.

The patch can be downloaded here.

State of the Art Post Exploitation in Hardened PHP Environments

August 12th, 2009 by Stefan Esser

I am finally back in Germany after several weeks in foreign countries like Singapore, Taiwan and the USA. In all three countries I gave a presentation titled “State of the Art Post Exploitation in Hardened PHP Environments” that discusses a certain flaw in the design of the Zend Engine that allows the development of very stable local exploits against PHP. Within the presentation two (no longer) 0 day exploits are discussed and it is demonstrated how they can be used to get arbitrary read and write access to the memory of PHP, which enables a PHP script to break out of some of the common protections you will see on hardened PHP installations. Find below the slides and the whitepaper sent to Blackhat.


Dutch PHP Conference: The Slides

June 16th, 2009 by Stefan Esser

At this year’s Dutch PHP Conference I presented a PHP Security Crash Course for beginners and a session about secure programming with the Zend Framework. You can download all the slides from here.

PHP Security Crash Course for beginners

Secure Programming with the Zend Framework

Enjoy the slides and shoot any questions or improvement ideas my way…

Speaking at Blackhat Briefings 2009 in Las Vegas

June 7th, 2009 by Stefan Esser

Three weeks after I present my research about advanced post exploitation in hardened PHP environments at SyScan in Singapore and Taipei, I will present a similar session at this year’s Blackhat Briefings 2009 in Las Vegas. The session will be a little bit different from the one at SyScan because I will have a few more minutes to present. If you want to see some PHP memory corruption voodoo in action and cannot attend SyScan you should come to Las Vegas.

Session: State of the Art Post Exploitation in Hardened PHP Environments

When an attacker manages to execute arbitrary PHP code in a web application he nowadays often ends up in hardened PHP environments that not only make use of PHP’s internal protections like safemode, openbasedir or disable_functions but also make use of Suhosin and operating system, filesystem or libc level security mechanisms like ASLR, NX, hardened memory managers or unix file permissions.

In such a situation taking over the server becomes a challenge and requires PHP shellcode that is able to use local PHP exploits to get around these protections. This talk will show the problems arising from the different protection mechanisms for PHP shellcode, will give an insight into the internal memory structures of PHP that are required to write stable local exploits and will demonstrate how a special class of vulnerabilities in PHP that also exists in standard functions enables PHP shellcode to get around most of these protections.

See you in Las Vegas on the 29th and 30th.

European Parliament Election 2009

June 7th, 2009 by Stefan Esser

Today is the European Parliament election 2009 in Germany and around 11:55 I went to the St. Nikolaus elementary school here in Cologne to vote. For me it was the first time voting in this district and therefore I was happy that several other people were heading in the same direction, which allowed me to just follow them.

Once in the building there were lots of signs directing you to the room. And then something happened that makes you really wonder about the strength of our system. I gave the letter that contains the invitation to vote (Wahlbenachrichtigung) to the girl sitting behind the desk and she started looking me up in their book.

After she found me I was allowed to vote. They did not check my ID or my passport.

So in my district you can obviously vote for others just by stealing their letter of invitation…

Speaking at SyScan 2009 Singapore and Taipei

April 28th, 2009 by Stefan Esser

I will present a session at this year’s SyScan 2009 in Singapore and also in Taipei. The session is about my research into advanced post exploitation in hardened PHP environments. If you want to see some PHP memory corruption voodoo you should see it.

Session: State of the Art Post Exploitation in Hardened PHP Environments

When an attacker manages to execute arbitrary PHP code in a web application he nowadays often ends up in hardened PHP environments that not only make use of PHP’s internal protections like safemode, openbasedir or disable_functions but also make use of Suhosin and operating system, filesystem or libc level security mechanisms like ASLR, NX, hardened memory managers or unix file permissions.

In such a situation taking over the server becomes a challenge and requires PHP shellcode that is able to use local PHP exploits to get around these protections. This talk will show the problems arising from the different protection mechanisms for PHP shellcode, will give an insight into the internal memory structures of PHP that are required to write stable local exploits and will demonstrate how a special class of vulnerabilities in PHP that also exists in standard functions enables PHP shellcode to get around most of these protections.

See you in Singapore between 2nd and 3rd July and in Taipei between 7th and 8th July.

Speaking at Dutch PHP Conference 2009

April 28th, 2009 by Stefan Esser

I will present a session and a workshop at this year’s Dutch PHP Conference 2009 in Amsterdam. The session is about writing secure PHP applications with the Zend Framework and the workshop is a PHP security crash course for beginners. Don’t expect any magic. If you want to see PHP voodoo you need to attend SyScan Singapore 2009.

Workshop: PHP Security Crash Course

This workshop is meant for PHP programmers who know the basics of PHP but have little or no insight into the security problems they have to deal with when developing web applications. During the workshop the most important subjects of web application security will be introduced, which are:

  • Input filtering
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • SQL Injection
  • Session Management
  • PHP Code Inclusion and Evaluation

Every subject will be introduced from the attacker’s and the programmer’s point of view, because for an effective defense it is vital to understand the tricks of the offense.

Session: Secure Programming with the Zend Framework

More and more PHP developers are using the Zend Framework when developing new applications. Because of guidelines and features of the framework the process to develop secure PHP applications changes.

This session will introduce which features of ZF help to develop secure applications, how they are used and what security problems you still have to solve on your own.

See you in Amsterdam between 11th and 13th June.

Speaking at International PHP Conference 2009 Spring Edition

April 28th, 2009 by Stefan Esser

I will present two sessions at this year’s International PHP Conference 2009 - Spring Edition in Berlin about Bytekit and writing secure PHP applications with the Zend Framework.

Session: Bytekit - An open source toolset to work with PHP bytecode

Bytekit is a PHP extension that allows PHP applications to directly read PHP bytecode. It comes with a bytecode disassembler and also provides control flow information that allows drawing control flow graphs.

In this session all of Bytekit’s features will be introduced and several smaller examples will be presented that show how some security problems can be detected with it in source code.

Bytekit will become open source during the conference.

Session: Secure Programming with the Zend Framework

More and more PHP developers are using the Zend Framework when developing new applications. Because of guidelines and features of the framework the process to develop secure PHP applications changes.

This session will introduce which features of ZF help to develop secure applications, how they are used and what security problems you still have to solve on your own.

See you in Berlin between 25th and 27th May.