Dismissed PHP flaw shown to pose code execution risk

debug_backtrace reloaded

A PHP bug initially dismissed as posing no security threat could potentially enable code execution outside the sandbox in shared-server environments, a new exploit has revealed.

Discovered in the popular website language nearly two years ago, the vulnerability can allow attackers to execute arbitrary code by bypassing restrictions implemented using PHP’s disable_functions.

The initial bug report, posted on PHP’s public bug tracker in March 2018, had suggested that the flaw would simply cause the program to crash.

But in a post published on GitHub yesterday (January 30), researcher mm0r1 (who did not give their real name) said their exploit could “trick [the debug_backtrace() function] into returning a reference to a variable that has been destroyed, causing a use-after-free vulnerability.”

Share and enjoy

Shared hosting, which allows multiple websites to share a single server, offers a cost-effective alternative to dedicated servers but is generally seen as less secure amid the rise of cloud services.

A PHP user said on the bug report thread that “this bug needs to be fixed ASAP”, claiming that “people are already exploiting it in the wild”.

However, a PHP employee (‘Stas’) then downplayed the flaw’s ramifications: “I see that the specific code can trigger UAF [use-after-free vulnerabilities], but there's no security issue there, it's just a regular crash.”

This view was apparently rejected by the PHP security team since a patch landed the very next day (January 31).

Pending the patch’s public release, shared hosting vendors could “use disable_functions to disable debug_backtrace(),” according to PHP user Maarten de Boer (who goes by the handle cursingcucumber), writing on a Reddit thread discussing the exploit.

While the exploit is apparently effective against all versions of PHP between 7.0 to 7.4, vendors using versions older than 7.4 might need to first update to the current latest version since “it appears to be harder to blacklist the getTrace method of the Exception class for PHP < 7.4,” de Boer said.

mm0r1, who developed the exploit, said the proof of concept “was tested on various PHP builds for Debian/Ubuntu/CentOS/FreeBSD with cli/fpm/apache2 server APIs and found to work reliably.”

PHP’s disable_functions was also bypassed in a similar way by a hack using an imap_open exploit in November 2018.

OWASP has issued recommendations, echoed in the PHP advice from many hosting providers, that such risky PHP functions should be disabled unless required.

The Daily Swig has invited the PHP security team and researcher who developed the exploit to comment further.

YOU MIGHT ALSO LIKE CacheOut vulnerability hype comes under fire