PHP Serialization

Object serialization has always been a tricky subject. Using serialization as a design pattern can always lead to catastrophic consequences such as remote code execution when user input isn't properly validated.

In the past we have released an article covering several PHP serialization related 0-day vulnerabilities and how those were effectively mitigated using those "PHP object serialization injection attempt" signatures: https://devcentral.f5.com/articles/php-7-unserialize-mechanism-0-days-24588

Recently Released CVEs

In the past week we've witnessed several more PHP serialization vulnerabilities (CVE-2017-12932, CVE-2017-12933, CVE-2017-12934), which are not covered by our existing signatures. By inspecting proof-of-concept code related to these vulnerabilities, techniques targeting additional attack surfaces are becoming apparent:

  1. Not only PHP serialized object presents a threat, but a PHP serialized array as well.
  2. A malformed serialized object presents a threat.

The malformed data leads PHP into unexpected behavior such as "heap use after free" and "buffer over-read". As of now, there is no public exploit that demonstrates direct connection to remote code execution using this technique.

Mitigation Using ASM

An Attack Signature Update containing signatures designed to mitigate these vulnerabilities has already been released. The relevant signatures are:

  • 200004268 - PHP array serialization injection attempt (Parameter)
  • 200004269 - PHP array serialization injection attempt (Header)
  • 200004270 - PHP array serialization injection attempt (URI)
  • 200004271 - PHP short object serialization injection attempt (Parameter)
  • 200004272 - PHP short object serialization injection attempt (Header)
  • 200004273 - PHP short object serialization injection attempt (URI)

The following images demonstrate how ASM blocks those exploits: