simulation of built-in php features · 9/4/2017  · 7)file inclusion 8)file upload 9)file write...

Simulation of Built-in PHP Features for Precise Static Code Analysis Johannes Dahse and Thorsten Holz Ruhr-University Bochum NDSS ’14, 23-26 February 2014, San Diego, CA, USA


Post on 13-Aug-2020


Page 1

Simulation of Built-in PHP Features for Precise Static Code Analysis

Johannes Dahse and Thorsten Holz, Ruhr-University Bochum

NDSS ’14, 23-26 February 2014, San Diego, CA, USA

Page 2

PHP is everywhere.

CVE entries (2013)

http://www.coelho.net/php_cve.html

Server-side programming languages

http://php.net/usage.php

1. Introduction2. Implementation3. Evaluation4. Conclusion

Page 3


Page 4

Target: Taint-style Vulnerabilities

● SQL injection (source $_GET['id'] flows to the sensitive sink mysql_query):

<?php
$id = $_GET['id'];
$sql = "SELECT data FROM users WHERE id = '$id' ";
mysql_query($sql);
?>

● Cross-Site Scripting (source $_GET['name'] flows to the sensitive sink print):

<?php
$name = $_GET['name'];
$html = "<h1>Hello $name</h1>";
print($html);
?>


Page 5


PHP Built-in Features

● 228+ extensions
● 5700+ built-in functions: sinks, sanitization, data flow
● 10+ superglobal variables: $GLOBALS, $_FILES, $_SERVER ...
● Settings: magic_quotes_gpc, register_globals

Page 6

Our Approach

● Static code analysis for PHP applications
● Precise simulation of built-in features is the key
  to detect taint-style vulnerabilities
  (to accept your paper on your own)


Page 7

Source: http://rewalls.com

2. Implementation


Pages 8-19: Precise Simulation (one slide, built up step by step)

<?php
$uri = trim($_SERVER['PHP_SELF']);
$uri = urldecode($uri);
$url = 'http://rub.de/' . htmlentities($uri);
$html = "<a href='$url' >back</a>";
print($html);
?>

Example request: http://rub.de/index.php/payload

1. taintable sources
   ● $_FILES[]['name']
   ● $_FILES[]['tmp_name']
   ● $_SERVER['PHP_SELF']
   ● $_SERVER['REMOTE_ADDR']
   $_SERVER['PHP_SELF'] is marked as tainted source S1 (Path ../Traversal, e.g. http://rub.de/index.php/../../../../)

2. data flow
   ● Format string
   ● Regular expressions

3. encoding
   ● Encoding stack
   ● Interaction with sanitization

4. sanitization
   ● Sanitization tags
   ● Context-sensitive
   After htmlentities(), S1 carries the sanitization tags "XSS <> Element" and "XSS DQ" Attribute"

5. sinks
   ● Parameter
   ● Vulnerability type

6. markup context
   <a href='http://rub.de/S1' >back</a>
   → XSS Single-Quoted ' Attribute (a context neither attached tag covers)
   → ' onclick='alert(document.cookie)

● 952 built-in functions
● 20 vulnerability types
● 45 markup contexts
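The six simulation steps above, as an added toy illustration in Python (not the authors' RIPS implementation): a value carries a taint flag and a set of sanitization tags, built-ins add or drop tags, and the sink derives the markup context of the tainted value and checks for the tag that context needs. The tag vocabulary, the MARK placeholder and all function names are this example's own assumptions.

```python
from dataclasses import dataclass, field

MARK = "\x00S1\x00"  # stands in for the tainted source S1 inside string literals

@dataclass
class Val:
    text: str                               # literal text, MARK where taint flows in
    tainted: bool = False
    tags: set = field(default_factory=set)  # sanitization tags attached so far

def source():                # 1. taintable source, e.g. $_SERVER['PHP_SELF']
    return Val(MARK, True)
def trim(v):                 # 2. data flow: trim() neither decodes nor sanitizes
    return Val(v.text, v.tainted, set(v.tags))
def urldecode(v):            # 3. encoding: decoding after sanitization can bring
    return Val(v.text, v.tainted, set())   # dangerous characters back, so drop tags

def htmlentities(v, ent_quotes=False):     # 4. context-sensitive sanitization tags
    tags = {"XSS_ELEMENT", "XSS_DQ_ATTR"}  # default flags encode < > & and "
    if ent_quotes:                         # only ENT_QUOTES also encodes '
        tags.add("XSS_SQ_ATTR")
    return Val(v.text, v.tainted, v.tags | tags)

def concat(*parts):          # a tag survives only if every tainted part carries it
    tainted = [p for p in parts if p.tainted]
    tags = set.intersection(*(p.tags for p in tainted)) if tainted else set()
    return Val("".join(p.text for p in parts), bool(tainted), tags)

def markup_context(html):    # 6. markup context of MARK, from the text before it
    state, quote = "text", None
    for ch in html[: html.index(MARK)]:
        if quote:
            quote = None if ch == quote else quote
        elif ch == "<":
            state = "tag"
        elif ch == ">":
            state = "text"
        elif state == "tag" and ch in "'\"":
            quote = ch
    if quote:
        return "XSS_SQ_ATTR" if quote == "'" else "XSS_DQ_ATTR"
    return "XSS_ELEMENT" if state == "text" else "XSS_UNQUOTED_ATTR"

def print_sink(v):           # 5. sink: report the context whose tag is missing
    if not v.tainted:
        return None
    needed = markup_context(v.text)
    return None if needed in v.tags else f"XSS in {needed} context"

def slide_example(ent_quotes=False):  # the slide's program, single-quoted href
    uri = htmlentities(urldecode(trim(source())), ent_quotes)
    url = concat(Val("http://rub.de/"), uri)
    return print_sink(concat(Val("<a href='"), url, Val("' >back</a>")))

def decode_after_sanitize():          # encoding stack: urldecode() after htmlentities()
    name = urldecode(htmlentities(source()))
    return print_sink(concat(Val("<h1>Hello "), name, Val("</h1>")))
```

slide_example() reports the single-quoted attribute finding from the slide, while slide_example(ent_quotes=True) and a double-quoted href are reported clean; decode_after_sanitize() shows why the encoding stack has to be tracked across sanitization.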

Page 20

Source: http://rewalls.com

3. Evaluation


Page 21

Software
● HotCRP 2.60
● MyBB 1.6.10
● OsCommerce 2.3.3
● phpBB2 2.0.23
● phpBB3 3.0.11


[Bar chart: lines of code (LOC) of HotCRP, MyBB, osCommerce, phpBB2 and phpBB3; x-axis 0 to 200000 LOC]

Page 22

Vulnerability Detection
● 73 true positives (72%)
● 29 false positives (28%)
  19 FP in OsCommerce; root cause: path-sensitivity
● 10 false negatives (24%) of 42 CVE entries
  8 FN in MyBB; root cause: OOP


[Chart: the 73 true positives by vulnerability type: Cross-Site Scripting, SQL Injection, File Write, Path Traversal, Variable Tampering, CRLF Injection; counts shown 48, 11, 8, 3, 2, 1]

Page 23

Software in Related Work
● Criteria
  Available
  Follow-up version exists
  Patch-only
● Our results
  31 new vulnerabilities detected
  0 false positives
  Precise simulation pays off


Software: MyBloggie 2.1.4, NewsPro 1.1.5

[Bar chart: LOC of MyBloggie and NewsPro next to phpBB3, phpBB2, osCommerce, MyBB and HotCRP; x-axis 0 to 200000 LOC]

Page 24

Vulnerability Example
● Blind SQL injection in HotCRP 2.60
● Fixed in version 2.61
● HotCRP stores credentials in plaintext


Page 25

Page 26

Source: http://rewalls.com

4. Conclusion


Page 27

Conclusion
● New approach to PHP static code analysis
  20 vulnerability types, 45 markup contexts
  900+ built-in features simulated
● 73 new vulnerabilities, 28% false positives
  Current vulnerabilities are based on complex PHP features
  Modeling these features precisely is crucial and was missed by previous work
● Future work
  Path-sensitivity
  OOP


Page 28

Questions [email protected]


Page 29

Thank you! Enjoy the conference.

Page 30

Backup Slides

Page 31

Built-in Function Coverage
● Every 13th line of code calls a built-in function
● Static point of view
  ● 970 unique calls, 70% covered
  ● 37 651 total calls, 89% covered
● Remaining calls are less relevant
  ● Do not influence our analysis results


[Pie chart: 89% of built-in function calls covered, 11% ignored]

Page 32

Target: Taint-style Vulnerabilities

● SQL injection (source $_GET['id'], sanitization mysql_real_escape_string, sensitive sink mysql_query):

<?php
$id = mysql_real_escape_string($_GET['id']);
$sql = "SELECT data FROM users WHERE id = $id ";
mysql_query($sql);
?>

● Cross-Site Scripting (source $_GET['name'], sanitization htmlentities, sensitive sink print):

<?php
$name = htmlentities($_GET['name']);
$html = "<h1>Hello $name</h1>";
print($html);
?>

Page 33

Path-sensitive sanitization

Page 34

Supported vulnerability types

1) Code Execution
2) Command Execution
3) Connect Injection
4) Cross-Site Scripting
5) Denial of Service
6) Env. Manipulation
7) File Inclusion
8) File Upload
9) File Write
10) HTTP Resp. Splitting
11) LDAP Injection
12) Open Redirect
13) Path Traversal
14) Reflection Injection
15) Session Fixation
16) SQL Injection
17) Unserialize
18) Variable Tampering
19) XML/XXE Injection
20) XPath Injection

Page 35

Evaluation results

Page 36

SQL Injection in phpBB2

admin_styles.php?style=rips&install_to=_GET&0[style_name]=rips&0[template_name)VALUES('sqli','sqli')-- -]=1