Alibaba Cloud Discovers the Latest ThinkPHP v5 Vulnerability

By Yong Chen

The exploitation of software vulnerabilities is one of the initial steps of a cyber-attack. In engineering schools, they teach you that fixing a defect in the implementation stage costs 6.5 times more than fixing it in the design stage [1]. Applying this principle to ‘cybersecurity school’, we can say that blocking an attack at the vulnerability stage is a dozen times cheaper than stopping it after a device is compromised by an exploit.

In this blog post we present an analysis of a recently detected vulnerability in the ThinkPHP framework, which exposed 10% of all websites using it to remote takeover. The post provides a detailed explanation of actual code used by an attacker in an attempt to exploit this vulnerability, as well as precise recommendations on how to protect against it (hint: apply the official fix! otherwise, get help from Alibaba Cloud’s Threat Detection Service).

Yohai Einav

Principal Security Researcher, SIL

Background

ThinkPHP is a popular PHP object-oriented MVC framework used by many e-commerce, financial and online gaming websites. The framework provides support for UTF-8, plugins, role-based access control (RBAC), a template engine and multiple databases. A recent vulnerability in ThinkPHP v5, detected by Alibaba Cloud, allowed attackers to remotely execute commands on systems running the framework and inflict extensive damage.

Although an official fix for this critical vulnerability was released on December 10th, 2018, Alibaba Cloud Threat Detection Service (TDS), formerly known as Situational Awareness Service (SAS), has continued to detect attacks exploiting the vulnerability after the fix. To ensure that even cloud users who do not update their systems in a timely manner are protected, Alibaba Cloud TDS offers an Attack Alarm service, which uses its web application firewall (WAF) to block exploitation attempts as they are detected and so protect all customers.

The following provides a comprehensive analysis of the vulnerability’s context, logic and behavior, along with a real-life case analysis.

Vulnerability Analysis

The ThinkPHP v5 framework does not sufficiently validate controller names, which allows an attacker to construct a specific request for which routing enforcement is bypassed. As a result, the attacker can run code remotely and gain server permissions.

Versions Affected by the Vulnerability

ThinkPHP v5.0 versions earlier than 5.0.23

ThinkPHP v5.1 versions earlier than 5.1.31

How the Vulnerability Works

Comparing the code against the official fix released by ThinkPHP, we analyzed /thinkphp/library/think/Route.php, where ThinkPHP dispatches route parsing.

[Screenshot: route parsing code in /thinkphp/library/think/Route.php]

The “parseUrlPath” function calls the path function and parses the routing information in “pathinfo”. Inside this function the URL is split on slashes (/) without any filtering being applied.

Searching for “pathinfo”, we find that /thinkphp/library/think/Request.php defines the “pathinfo” function, which obtains the routing string from the URL.

[Screenshot: the pathinfo function in /thinkphp/library/think/Request.php]

An attacker controls this value through “$_GET”: “var_pathinfo” names the query parameter that carries the routing string, and it is “s”, so the routing string used for command injection is supplied in the “s” parameter.

We also analyzed the route scheduling code in app.php, which reads the controller name from the “controller” variable, instantiates the controller, and dispatches to the controller method.

[Screenshot: route scheduling code in app.php]

In /thinkphp/library/think/Loader.php, the controller function calls “parseModuleAndClass” to parse “$name” and instantiate “$class”. When “$name” contains a backslash (\), which is tested with “strpos($name, '\\')”, the name is treated as a fully qualified class and method rather than as a controller inside the module namespace. An attacker can therefore make the framework instantiate an arbitrary namespaced class and call a method of their choosing, ending in a call to “call_user_func_array”.

[Screenshots: parseModuleAndClass and controller instantiation in /thinkphp/library/think/Loader.php]
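As an added example (not code from the original post or from ThinkPHP), the following Python reconstructs the routing logic described above from the defender's side: it recovers the routing string from the “s” parameter or the path, splits it on slashes as parseUrlPath does, and flags controller segments that contain a backslash or otherwise fail a strict name allowlist, run over constructed access-log lines. The log lines, the \Vendor\SomeClass placeholder and the allowlist regex are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Controller-name allowlist (assumption, modelled on the check the fixed
# releases add; the exact framework regex is not quoted on this page).
CONTROLLER_NAME = re.compile(r"^[A-Za-z](\w|\.)*$")
# Combined-format access log: only the request target is needed.
LOG_LINE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d"')

# Constructed sample traffic, not real logs. \Vendor\SomeClass stands in for
# any namespaced class an attacker might name; line 3 is the same, %5C-encoded.
SAMPLE_LOG = r"""203.0.113.5 - - [11/Dec/2018:08:01:02 +0000] "GET /index.php?s=index/user/profile HTTP/1.1" 200 512
203.0.113.7 - - [11/Dec/2018:08:01:09 +0000] "GET /index.php?s=index/\Vendor\SomeClass/method HTTP/1.1" 200 77
203.0.113.9 - - [11/Dec/2018:08:02:30 +0000] "GET /index.php?s=index/%5CVendor%5CSomeClass/method HTTP/1.1" 200 77
203.0.113.11 - - [11/Dec/2018:08:03:00 +0000] "GET /index.php/index/order/list HTTP/1.1" 200 2048"""

def routing_string(request_target):
    """pathinfo as ThinkPHP sees it: the 's' query parameter (the default
    var_pathinfo) wins, otherwise the path after index.php."""
    parts = urlsplit(request_target)
    s = parse_qs(parts.query, keep_blank_values=True).get("s")
    if s:
        return s[0]  # parse_qs already percent-decodes, so %5C becomes '\'
    _, _, tail = unquote(parts.path).partition("index.php")
    return tail.strip("/")

def parse_route(pathinfo):
    """Split module/controller/action on '/', as parseUrlPath does, unfiltered."""
    segs = [seg for seg in pathinfo.split("/") if seg]
    return tuple((segs + ["", "", ""])[:3])

def is_suspicious_controller(controller):
    """A backslash makes the loader treat the segment as a fully qualified
    class outside the module namespace; anything else the allowlist rejects
    is flagged too, since that is what a patched router would refuse."""
    if "\\" in controller:
        return True
    return bool(controller) and not CONTROLLER_NAME.match(controller)

def flag_log(text):
    """(line_number, controller) for every request that fails the name check."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.search(line)
        if m:
            _, controller, _ = parse_route(routing_string(m.group(1)))
            if is_suspicious_controller(controller):
                hits.append((n, controller))
    return hits
```

Running flag_log(SAMPLE_LOG) reports lines 2 and 3 only; the percent-encoded variant is caught because the routing string is decoded the same way the framework decodes it before splitting.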

Vulnerability Reproduction

We reproduced the issue on ThinkPHP v5.0.22, which also contains the remote code execution vulnerability. The following figure shows that we can run the “ls” command on a vulnerable host to list all files in the directory:

[Screenshot: output of the ls command on the vulnerable ThinkPHP v5.0.22 host]

Real-Life Case of a Vulnerability Attack

As of December 11, 2018, Alibaba Cloud Threat Detection Service (TDS) had found the vulnerability being exploited in many ways, mostly to plant web shells, “a script that can be uploaded to a web server to enable remote administration of the machine” (https://www.us-cert.gov/ncas/alerts/TA15-314A).

The following summarizes the web shell delivery methods observed and singles out the most popular ones:

1. Exploit the vulnerability to remotely run download commands.

Example:

The following screenshot shows the functions list of this webshell:

[Screenshot: function list of the downloaded webshell]

2. Download the webshell remotely by using the file_get_contents and file_put_contents functions.

Example:

The following screenshot shows the functions of the webshell:

[Screenshot: functions of the webshell]

3. Write a one-line webshell by using the file_put_contents function.

Example:

Vulnerability’s Impact and Attack Trends

Our analysis found that about 10% of all websites using ThinkPHP worldwide were exposed to this vulnerability. Alibaba Cloud TDS saw a sharp increase in the number of attacked websites from December 4, 2018 to December 11, 2018.

[Graph: number of attacked websites, December 4 to December 11, 2018]

The graph above shows the sharp increase in the number of attacked websites, indicating that the vulnerability was exploited automatically and at large scale soon after being disclosed.

Based on the team’s previous experience with vulnerability exploitation, we believe that this vulnerability may be exploited in a variety of additional ways. We therefore recommend that all enterprises upgrade their ThinkPHP framework to the latest version as soon as possible to protect their websites against attacks and prevent their servers from being compromised.

Security Recommendations

Alibaba Cloud security experts remind you that ThinkPHP v5.0.23 and v5.1.31 are the fixed versions, and recommend upgrading your ThinkPHP framework to the latest version as soon as possible to fix the vulnerability. If you have not yet upgraded your ThinkPHP framework, subscribe to Alibaba Cloud Threat Detection Service (TDS) and Web Application Firewall (WAF) to defend against attacks in the meantime.

For more information about this vulnerability, see https://blog.thinkphp.cn/869075.

Reference

[1] https://www.researchgate.net/figure/IBM-System-Science-Institute-Relative-Cost-of-Fixing-Defects_fig1_255965523

Reference: https://www.alibabacloud.com/blog/alibaba-cloud-discovers-the-latest-thinkphp-v5-vulnerability_594307?spm=a2c41.12450928.0.0
