Pierluigi Paganini September 12, 2013

Imperva security researchers observed Web attacks involving PHP SuperGlobal variables are gaining popularity within the hacking community.

Security researchers sounded the alarm for the possible abuse of PHP SuperGlobal variables by attackers, it is very frequent to read on PHP application that are hacked cyber cybercriminals. Security experts from Imperva sustains that PHP applications are vulnerable due the exploitation of vulnerabilities introduced by a set of nine variable used by programmers and named PHP SuperGlobal variables. In May Imperva collected data related cyber attacks against PHP application, the company used honeypots and data directly provided by its customers. The majority of the attacks (55%) manipulated SuperGlobal variables with specifically formed requests, more than 3,000 requests coming from 27 IP addresses and directed against 24 Web applications. According the investigation PHP SuperGlobal variables could be exploited by hackers to run malicious code, conduct remote file inclusion and bypass intrusion detection mechanisms. Imperva issued a report “Hacker Intelligence Initiative, Monthly Trend Report #17” on the flaw explaining that it could be exploited to compromise servers hosting the PHP application for fraudulent activities.

“Web attacks involving PHP “SuperGlobal” parameters are also gaining popularity within the hacking community. They incorporate multiple security problems into an advanced web threat that can break application logic, compromise servers, and may result in fraudulent transactions and data theft.”

The reports revealed that 80,6% of websites host some PHP code meanwhile ASP.NET code was found only on 19% of sites, Imperva focused the analysis on two specific vulnerabilities:

• CVE-2011-2505 – This vulnerability is related to the authentication process of PhPMyAdmin (PMA) and it is exploited for the modification of the _SESSION SuperGlobal variable;
• CVE-2010-3065 – This vulnerability enables the injection of arbitrary code strings into a serialized session.

Over the course of a month, Imperva researches witnessed ~144 attacks per application, on 24 applications monitored, that contained attack vectors related to PHP SuperGlobal variables.

“The attacks appeared in the form of request burst floods–we have seen peaks of over 20 hits per minute, reaching up to 90 hits per minute, on a single application. One of the attack sources was a compromised server belonging to an Italian bank”

Very worrying is the simplicity of conducting these attacks using automatic tools, Imperva reports highlight the fact that popular scanners such as Nessus and Nikto are able to identify the vulnerabilities in a reconnaissance phase. Alarming also the availability on the black market for Exploit code on a popular Russian hacker forum. The report issued by Imperva revealed that the exploitation of the two vulnerabilities could allow hackers to remote arbitrary code execution on a server running an instance of PhPMyAdmin.

“The attacker can combine the two separate vulnerabilities, the former letting the attacker inject a value into the session, and the latter allowing the attacker to create arbitrary string to inject a maliciously crafted PMA_config object into the serialized session.”

The researchers also identify one particular campaign lasted five months that targeted sites in a number of critical industries, including financial services. Some attacks sent requests with specific characteristics from the same addresses simultaneously, this circumstance makes plausible the use the same automated tool for the offensives. In various cases researchers from Imperva also noted that attackers have operated to maintain the control of victims over the time injecting code to elude detection mechanisms by security software. The hackers misusing the _REQUEST SuperGlobal variable are able to change the parameters’ names which can enable them to bypass an existing defense system such as an IDS. The attacks monitored by Imperva and tactics adopted by the attackers evidence the necessity to take PHP code up to date, in particular on third-party applications that in many cases are exploited by hackers to gain controls of the final target.

“Attackers are able to capture this complex attack scenario in a single script that can be used by a botnet operator without exceptional skills,” “The script can be automatically distributed to compromised servers and executed autonomously to gain control or further servers.” states the report.

Security community cannot ignore that hacking community is becoming more sophisticated, a simple scripts could be exploited to hack an entire architecture, the report remark against sophisticated multi-step attack it is necessary the adoption of a multi-layered application security solution.