PHP 8.1.0-Dev Backdoor

Ams._.Ghimire, Mar 12, 2024

Exploiting 8.1.0-Dev RCE

Background

On March 28, 2021, the PHP 8.1.0-dev development version shipped with a hidden backdoor that allows remote code execution (RCE). The malicious code was promptly detected and removed.

The Malicious Commits

The backdoor was inserted into the PHP source code repository through two fraudulent commits. These commits, attributed to PHP creator Rasmus Lerdorf and maintainer Nikita Popov, appeared to be minor typo corrections at first glance.

However, closer inspection showed that the code added at line 370 called the zend_eval_string function: if the value of the (misspelled) User-Agentt HTTP header began with the string zerodium, the remainder of the header value was evaluated as PHP code on the server.
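The trigger condition described above (a `User-Agentt` header whose value starts with `zerodium`) is simple enough to detect at a reverse proxy or from a full-header traffic capture. The following Python script is an added example, not code from the original post or from the PHP project: it parses raw HTTP/1.x requests from a constructed sample capture, flags any request whose `User-Agentt` value begins with the trigger as high severity (and reports the text that would have been evaluated), and flags the mere presence of the non-standard header as low severity, since no legitimate client sends it. The sample requests, hostnames and severity labels are constructed for the example.

```python
"""Detect requests that would trigger the PHP 8.1.0-dev 'User-Agentt' backdoor.

Added example (not from the original post). Works on raw HTTP/1.x request
text, e.g. exported from a proxy or packet capture.
"""
from dataclasses import dataclass

TRIGGER = "zerodium"            # prefix the backdoored code checked for
BACKDOOR_HEADER = "user-agentt"  # misspelled header the backdoored code read


@dataclass
class Finding:
    index: int          # position of the request in the capture
    request_line: str   # e.g. "GET / HTTP/1.1"
    severity: str       # "high" when the trigger matches, "low" for the odd header alone
    payload: str        # text after the trigger, i.e. what zend_eval_string would have run


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (request_line, headers).

    Header names are lower-cased so matching is case-insensitive, as HTTP
    header names are; repeated headers are joined with ', '. The body, if
    any, is ignored because the backdoor only looked at the header.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line (e.g. trailing junk); skip it
        key = name.strip().lower()
        value = value.strip()
        headers[key] = value if key not in headers else headers[key] + ", " + value
    return request_line, headers


def classify(headers):
    """Return (severity, payload) for a suspicious header set, or None."""
    value = headers.get(BACKDOOR_HEADER)
    if value is None:
        return None
    if value.startswith(TRIGGER):
        # This is the exact condition the backdoor required before evaluating
        # the rest of the header value as PHP.
        return "high", value[len(TRIGGER):]
    # The header itself is non-standard; no normal client sends it.
    return "low", ""


def scan_capture(raw_requests):
    """Scan a list of raw requests and return the findings in capture order."""
    findings = []
    for i, raw in enumerate(raw_requests):
        request_line, headers = parse_request(raw)
        result = classify(headers)
        if result is not None:
            severity, payload = result
            findings.append(Finding(i, request_line, severity, payload))
    return findings


# Constructed sample capture (not real traffic): one benign request, one that
# carries the trigger, and one that carries the odd header without it.
SAMPLE_CAPTURE = [
    "GET / HTTP/1.1\r\nHost: lab.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: lab.example\r\nUser-Agent: curl/8.0\r\n"
    "User-Agentt: zerodiumphpinfo();\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: lab.example\r\nuser-agentt: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"[{f.severity}] request #{f.index} {f.request_line!r} payload={f.payload!r}")
```

One caveat worth knowing when hunting for this retroactively: the common "combined" access-log format records only the `User-Agent` header, so the `User-Agentt` header never appears in ordinary web-server logs. Detection needs the full header set, which means a reverse proxy, WAF or packet capture in front of the PHP host. The same proxy can drop the `User-Agentt` header outright as a stopgap, but the real remedy is to rebuild from a clean checkout that does not contain the malicious commits.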

Exploitation

Now that we understand the background of the vulnerability, let's attempt to exploit a vulnerable application built on that particular version. For demonstration purposes, I will be targeting a lab on TryHackMe named Agent T.

First, let's load the target page and see which technologies and services the website uses. Wappalyzer is used to identify the technology running on the website.

We can now confirm that the website is running the vulnerable version. So, let's explore how this version can be exploited to achieve Remote Code Execution (RCE) on the machine. Let's inspect the requests sent from the browser.

Initially, the browser requests the root page. Since the pushed commit created a sink that takes a command from the User-Agentt header when its value starts with zerodium, let's add a User-Agentt header and frame a command prefixed with the string zerodium.

Payload: User-Agentt: zerodiumsystem("ls");

As expected, the command was executed on the server's end. Let's make a persistent shell. For this purpose, I will be using flast101's Python script.

Let’s run the script.

Next, let’s try to delete a file.

Lastly, let’s reload the page and inspect what it displays.

Here, the server cannot serve the page because it has been deleted; the page is gone. This is how the controversial PHP 8.1.0-dev 'User-Agentt' backdoor, a remote code execution flaw, could be exploited.

This short post discussed the controversial and dangerous PHP 8.1.0-dev backdoor (RCE), highlighting how widely such open-source platforms are used in our projects. An incident like this emphasizes the critical need for continuous monitoring and prompt security practices to address such vulnerabilities effectively.
