Tuesday, July 9, 2019

Insecure Deserialization in PHP


Hi guys, this blog is all about Insecure Deserialization, the vulnerability ranked number 8 (A8) in the OWASP Top 10 list of 2017. In this blog we will understand the basic concepts of serialization and deserialization and how insecure deserialization can lead to remote code execution. A simple demo of exploiting this vulnerability is also shown.


To understand the vulnerability, we need to understand the concepts of serialization and deserialization. 


What is Serialization?

Serialization is the process of converting an object or data structure into a specific format (usually a byte stream) so that it can be stored in a file or in memory, or sent over a network. The main objective of serialization is to save the state of an object so that it can be rebuilt later.


What is Deserialization?

Deserialization is the reverse of serialization: it takes serialized data coming from a file, stream or network socket and converts it back into an object.


What is Insecure Deserialization?

Insecure Deserialization occurs when the web server accepts serialized objects from untrusted sources, or accepts serialized data without any checks on its origin or integrity. Attacker-controlled data is then passed through the deserialization process, and the objects it creates can be used to execute code, bypass authentication or abuse the logic behind the application.


PHP uses two functions: serialize() to serialize an object and unserialize() to convert the serialized data back into an object. unserialize() instantiates whatever class the input names, and magic methods such as __wakeup() and __destruct() on that object then run automatically, which is why feeding it attacker-controlled input is dangerous. In this demo, we will create our own vulnerable server that calls PHP's unserialize() on user input.


Visit the following GitHub link for the vulnerable code.


Steps to Setup and Exploit Vulnerable Server


Step 1: Host the Deserialization.php file on the web server and run it as shown in Exhibit 1.


Exhibit 1


Step 2: After Step 1 executes, a file “logs.txt” is created on the server, as shown in Exhibit 2.


Exhibit 2


Exhibit 3 shows that the server calls unserialize() and that the data being unserialized is taken directly from the “data” request parameter.


Exhibit 3


Step 3: The data sent to the server will be unserialized, so the data the attacker sends must be in serialized format. To do this, write an exploit that simply serializes the object you want to send, as shown in Exhibit 4. The code below converts the given data into serialized form which, when unserialized on the target server, creates a file named “test.php” containing the PHP code <?php system($_GET["hack"]); ?>.


Exhibit 4


Step 4: Run the “exploit.php” code in the attacker’s browser to obtain the serialized data, as shown in Exhibit 5.

Exhibit 5


Step 5: Copy the serialized data and send it to the target web server in the “data” parameter, as shown in Exhibit 6. The serialized string contains characters such as ;, " and {, so URL-encode it when placing it in the query string.

Exhibit 6


Step 6: Exhibit 7 shows that the “test.php” file has been created on the target web server.


Exhibit 7


Step 7: Navigate to test.php and pass the command you want to execute in the “hack” parameter, as shown in Exhibit 8.

Exhibit 8



Bingo!!!!! 


Avoid Insecure Deserialization


To avoid Insecure Deserialization vulnerabilities -
  • Do not accept serialized data from an untrusted source; where possible carry state in a data-only format such as JSON instead of serialized objects
  • Implement integrity checks (an HMAC or digital signature) and verify them before deserializing anything
  • In PHP specifically, pass ['allowed_classes' => false] (or an explicit list of safe classes) to unserialize() so that untrusted input cannot instantiate arbitrary classes and trigger their magic methods
  • Monitor and log deserialization activity and failures
  • Encrypt serialized data in transit and at rest; note that encryption alone is not an integrity check, so combine it with a signature
  • Run the deserialization process in an isolated environment with limited privileges
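The integrity-check and allow-list items in practice, as an added example in PHP that is not part of the original post: sign the data with an HMAC before it leaves the server and verify it before parsing, carry the state as JSON rather than PHP objects, and, if unserialize() really cannot be removed, use its allowed_classes option so that no class is ever instantiated from input. SECRET_KEY and the function names are assumptions.

```php
<?php
// Added example, not from the post. SECRET_KEY is a placeholder; in real code
// load it from configuration or a secrets store, never hard-code it.
const SECRET_KEY = 'replace-with-a-random-32-byte-secret';

// Emit state as signed JSON: plain data, no classes, no magic methods.
function sealData(array $state): string
{
    $body = json_encode($state, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $body, SECRET_KEY);   // 64 hex chars, never contains '|'
    return base64_encode($mac . '|' . $body);
}

// Verify the MAC before parsing; anything the server did not sign is rejected.
function openData(string $blob): ?array
{
    $decoded = base64_decode($blob, true);
    if ($decoded === false || strpos($decoded, '|') === false) {
        error_log('openData: malformed blob rejected');
        return null;
    }
    [$mac, $body] = explode('|', $decoded, 2);
    $expected = hash_hmac('sha256', $body, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {                 // constant-time comparison
        error_log('openData: bad MAC, input rejected');  // log the failure, then refuse
        return null;
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Last resort when unserialize() must stay: allowed_classes => false turns every
// O:...: token into __PHP_Incomplete_Class, so no __wakeup()/__destruct() can run.
function unserializeDataOnly(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Demo with constructed inputs.
$blob = sealData(['user' => 'alice', 'role' => 'viewer']);
var_dump(openData($blob));                                   // array(2) { "user", "role" }

$forged = base64_encode(str_repeat('a', 64) . '|{"role":"admin"}');
var_dump(openData($forged));                                 // NULL: MAC does not verify

$gadget = 'O:6:"Logger":1:{s:7:"logFile";s:8:"test.php";}';
var_dump(get_class(unserializeDataOnly($gadget)));          // "__PHP_Incomplete_Class"
```

The MAC is checked with hash_equals() before json_decode() ever sees the body, so a tampered or forged blob is rejected without being parsed. The allowed_classes fallback only neutralises object instantiation; it does not make unserialize() on untrusted input a good idea, and the JSON path is the one to prefer.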