Let’s play a game: what is the deadly bug here?

  • Published 25 Jan 2018
  • This short php code contains a critical vulnerability. In this video I will explain in detail what I think while analysing it.
    Original source of challenge: www.securify.nl/en/blog/SFY20...
    Link to tweet: / 951499972582703104
    #CodeAudit #WebSecurity

COMMENTS • 665

  • @ColinRichardson 6 years ago +1184

    Note to self.. Check types of incoming information, not just that it exists.

    • @96shahab 6 years ago +32

      Note to self.. Do that too

    • @donwald3436 6 years ago +14

      That is called type checking, where have you heard of this before?

    • @-eurosplitsofficalclanchan6057 6 years ago +4

      Just real escape sting chill

    • @donwald3436 6 years ago +1

      「ᗴᔕ」- EuroSplits Offical Clan Channel
      real escape 2 mysql i, couldn't even get escaping right after two attempts.

    • @MatthijsvanDuin 6 years ago +32

      Only in PHP though, since no other language would be stupid enough to implicitly decode HTTP POST variables into structured data types, thereby burdening all programmers by having to type-check incoming POST variables. :P

  • @dunste123 3 years ago +104

    Fun fact: in PHP 8 these warnings for incorrect types passed to functions kill the script with an error instead

    • @edgeeffect 2 years ago +4

      AT LAST! I've waited through 5 major versions of PHP for them to get rid of this truly awful excuse for an error system.

    • @TheStiepen 2 years ago +19

      Ah that's why so much PHP code isn't compatible with PHP 8 :D

    • @sebastiangudino9377 1 year ago +3

      @TheStiepen That's also why PHP 8 is actually a useful programming language where you don't have to worry about this type of thing

  • @MichaelButlerC 6 years ago +376

    this is why every production php application should hard crash on warnings

    • @inx1819 5 years ago +10

      try{...} catch (...) {echo "Error!"}; ???????????

    • @rogercruz1547 5 years ago +20

      @inx1819 Warnings don't throw exceptions...
      You would have to make a plugin/extension of some sorts or call an output checking function after every potentially dangerous call.
      Or checking for null on those hmacs...

    • @SpareSomeChange8080 5 years ago +7

      @rogercruz1547 Easy to get this set up with set_error_handler and having that handler throw an ErrorException based on what error number is triggered.

    • @edgeeffect 2 years ago +1

      Speaking as a PHP developer of many many years.... warnings are a CURSE! ........ PHP is a curse
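The hardening this thread describes, as an added example that is not code from the video or the challenge: set_error_handler() turns PHP warnings into exceptions, every POST field is checked to be a non-empty string before any crypto call, and the tag is compared with hash_equals(). The field names host, nonce and hmac follow the comments' description of the challenge; the helper names, the sha256 choice and the constructed secret are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge code: turn every PHP warning/notice into an
// exception so a "wrong type" warning can no longer be silently ignored.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Hypothetical helper: return the field only if it is a plain, bounded string.
// Arrays (field[]=x), missing values and empty strings are rejected before any
// crypto function sees them.
function requireString(array $input, string $key, int $maxLen = 256): string
{
    if (!isset($input[$key]) || !is_string($input[$key])) {
        throw new InvalidArgumentException("field '$key' must be a string");
    }
    $value = $input[$key];
    if ($value === '' || strlen($value) > $maxLen) {
        throw new InvalidArgumentException("field '$key' has invalid length");
    }
    return $value;
}

// Hypothetical handler: hash_hmac() is only ever called with strings, its result
// is checked to be a non-empty string, and the comparison uses hash_equals()
// instead of "!==" so it does not stop at the first differing byte.
function verifySignedRequest(array $post, string $secret): string
{
    if ($secret === '') {
        throw new RuntimeException('HMAC secret is not configured');
    }
    $host  = requireString($post, 'host');
    $nonce = requireString($post, 'nonce');
    $tag   = requireString($post, 'hmac', 128);

    $expected = hash_hmac('sha256', $nonce . $host, $secret);
    if (!is_string($expected) || $expected === '') {
        throw new RuntimeException('hash_hmac failed');
    }
    if (!hash_equals($expected, $tag)) {
        throw new RuntimeException('bad signature');
    }
    return $host;
}

// Constructed demo run; a real handler would read $_POST and getenv('SECRET').
$secret = 'constructed-demo-secret';
$good = ['host' => 'example.com', 'nonce' => 'abc123'];
$good['hmac'] = hash_hmac('sha256', $good['nonce'] . $good['host'], $secret);

$cases = [
    'valid request'  => $good,
    'array as nonce' => ['host' => 'example.com', 'nonce' => ['x'], 'hmac' => 'deadbeef'],
    'missing hmac'   => ['host' => 'example.com', 'nonce' => 'abc123'],
];
foreach ($cases as $label => $post) {
    try {
        printf("%-15s -> accepted host %s\n", $label, verifySignedRequest($post, $secret));
    } catch (Throwable $e) {
        printf("%-15s -> rejected: %s\n", $label, $e->getMessage());
    }
}
```

Only the first case is accepted; the array and the missing field are rejected by requireString() before hash_hmac() runs, so the NULL-returns-NULL comparison the video walks through cannot occur.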

  • @ZeroUm_ 5 years ago +53

    "Let's craft a cryptographic function which is very likely to be used in security contexts, and let's not fail when unexpected things are passed to us. What could go wrong." I'm livid.

  • @toddkfisher 6 years ago +1925

    The deadly bug is PHP itself.

    • @logs 6 years ago +40

      Your face seems to be a bigger bug.

    • @MarcoMorelos 6 years ago +47

      Every time I hear of PHP I hear about all these attacks and insecurities. It makes me nervous

    • @logs 6 years ago +45

      Meh, that's bullshit. PHP is the most used web language.
      Even Facebook is made with PHP.

    • @camwhite1697 6 years ago +16

      MusicAddiction Although Facebook uses their own modified version of PHP, it is the same. Much of their backend servers are implemented in C++ anyways

    • @logs 6 years ago +15

      I think FB is using HHVM aka "Facebook HipHop" or so. But yeah their servers could possibly be C++, but the fact that Facebook's main preferable programming language was PHP proves all these "PHP sucks" commenters wrong.

  • @JonathanGray89 6 years ago +415

    That HMAC function definitely should have just thrown an error. It is incumbent on the programmer to know all possible states of a given algorithm, but if you look at the documentation null isn't even listed as a possible return value for hash_hmac. The fact that it's a cryptographic function, I almost have to wonder if that was put there intentionally. This definitely shows the importance of proper user-input sanitization.

    • @BonBaisers 5 years ago +65

      Exactly, this function should throw exception for any parameter being null because doing so makes no sense at all. That does not give a good impression on PHP.

    • @apuherra8864 5 years ago +40

      The fact that the null output on wrong input type is undocumented in official PHP docs is just terrible. Also, not erroring out when giving inputs of wrong type is not something PHP crypto functions are famous of. A good programmer must always check the types of inputs and also preferably the output type before continuing to keep the code safe.

    • @BonBaisers 5 years ago +3

      @apuherra8864 I get this and agree with you. But when you make a lib you can't expect people to read the source code (if available) and understand what flaws the code you have written can introduce in their code. As a software architect, I always ensure my teams' code follows the Design by Contract (DbC) principles. In this case, and it's a good one, hash_hmac should check preconditions and postconditions (arg types should be strings, not empty, and the result should not be a predictable result such as a hashed \0 string or empty hashed managed string, etc...). These 2 or 3 lines of code could save systems from vulnerabilities and save the purpose of the dev using your lib trying to secure their systems or APIs. I often read or reverse engineer dotnet framework code and I'm always happy to check that they follow the DbC pattern.

    • @apuherra8864 5 years ago +5

      @BonBaisers I mostly agree, but you _should_ change your "should" mindset to "must" in many places as per RFC 2119. Keeping "shoulds" when designing and not erroring out all the way back to where the error came from on unintended circumstances just allows these hash_hmac types of bugs (or _may_ I say, undocumented features) to happen.

    • @Selur91 5 years ago +2

      # Never trust parameters from the scary internet, only allow the white list through.

  • @maxwellsmart3156 3 years ago +6

    I originally thought the "deadly bug" was the use of PHP.

  • @BlackJacketWasp 5 years ago +5

    Thanks for the super detailed walkthrough. I love how you concisely laid out your thought process and the various ideas you had or the checks to do, whether they worked or not for this instance.

  • @akineko9073 6 years ago +3

    this is the fourth vid i have watched by you and i have to say, you're a real mvp.
    I am interested very much in the stuff you cover on your channel, but not enough to really get into it or to justify dropping other hobbies for it.
    Thank you for more or less staying at the same level of needed knowledge for the most part. great content, keep it up ^^

  • @jpersson8718 3 years ago +8

    "Stupid brain, so unreliable"
    Story of my life....

  • @rajkhattar2830 6 years ago

    Man you are doing an amazing job at these kinds of videos! Really enjoyed this one! Keep making similar kinds of videos. Getting into the nooks and crannies of things is what I always wanted!

  • @ItsLogic 4 years ago +15

    I watched this video first a year ago, and now I am watching it again. I understand so much more but don’t feel like I could even get close to solving it. December 2020 I will come back and see what I think then.

    • @Omar-wm9kz 3 years ago

      am waiting for ur comment and i will come in december 2021 cuz itz my first time here.

    • @ZoMbiE4CoBRA 2 months ago +1

      so what happened? did you get close to solving it after 4 years?

    • @abdirahmann 2 months ago +2

      @ZoMbiE4CoBRA you actually reminded him 🤣🤣🤣

  • @aspektx 6 years ago +4

    I can't code, but you explain well enough that I'm actually beginning to understand bits and pieces and patterns.

  • @dtaPacman 6 years ago +1

    Thank you! As someone trying to teach themselves code, your explanations were really informative.

  • @automata8973 6 years ago +5

    This video after long time reminded me of what amount fun we can have. Thanks for the great video.

  • @martolomiuu 6 years ago +1

    Thanks to the subtitles i can understand all, ty liveoverflow

  • @TaiKahar 6 years ago +1

    Nice videos. I enjoy them (even though I already know a lot of the stuff). Your way of thinking matches a lot of how I think when looking at code.

  • @LKD70 5 years ago +5

    I started with Php when I was a young teen... Misplacing the argument/parameters in methods is far too easy and common. Php is a language of inconsistencies, always important to triple check for that sort of thing.

  • @seanpianka1818 6 years ago

    This is absolutely awesome. Thank you for making this.

  • @triularity 6 years ago +10

    You left out the Environment Elephant in the code room issue. On unixy servers that have multiple users, it is often easy to see the environment variable values of another user's processes. So if anyone else on that server can see your secret, they could possibly do more damage than just what that one script has access to. This is a known security issue that has popped up at times over the decades.
    In hardened OSs, users may be blocked from seeing the process of other users (and thus their environment), but that shouldn't be assumed in web code.

  • @roger109z 4 years ago +4

    I honestly had no idea you could pass an array like that

  • @windowsforvista 6 years ago +1

    This was such a good video! Please make more like this. You've earned a loyal subscriber :)

  • @Otakutaru 6 years ago +89

    So... The vulnerability was actually 2 dumb and exploitable vulnerabilities... That hash_hmac function gives a WARNING when fed an array and returns a NULL?? also... the secret can be NULL... (facepalm). What gives? What is the benefit of having a NULL secret? Please, let me know, I'm puzzled.

    • @JakeN482 6 years ago +5

      Maybe it inherited the old minute man nuke doctrine's 00000000 input? Or more seriously it might be a feature for the unit testing framework of the hmac implementation, and it's got hard coded outputs that return sooner than when a secret exists. I doubt oracle has such a unit testing framework for php though, it's one of the buggiest and least consistent languages out there. The most likely scenario is that it just doesn't care if the input is null, and processes it as if it were 0.

    • @1e1001 6 years ago

      It's so that the secret is predictable, so the last if statement would not run and stop the program

    • @Otakutaru 6 years ago +4

      RedMikePumpkin Yeah, I got it. I was asking about what were the developers thinking when they coded the function.

    • @rogercruz1547 5 years ago +10

      @Otakutaru The core php devs, thinking while coding? That's a new one

    • @LiEnby 4 years ago

      NULL == 0 so the secret is really just 0, which makes sense to work.

  • @Zzznmop 6 years ago +2

    Thanks for another awesome video!! This channel gets me pumped to capture some flags :D

  • @shreyas_._ 6 years ago

    Every single video on this channel is amazing and 100% informative. .....
    I love this channel....

  • @BunniBuu 6 years ago +1

    I don't know anything about coding and UA-cam recommended this video. I have no idea what was talked about in this video but keep it up, good stuff.

  • @juliavanderkris5156 5 years ago

    Awesome video! Really made me understand better how to approach something like this.

  • @Warmonger1178 5 years ago +10

    I’m surprised you didn’t at least mention the timing unsafe hash comparison. PHP has a built in hash_equals() function to mitigate...

  • @azazmir9340 5 years ago

    more of these challenges please

  • @Entropy67 11 months ago

    Great video, i got to the same part as you at the end but i couldn't figure out what kind of input would change the type, and I got lazy and just watched the video instead

  • @Hyperverse 5 years ago

    I've watched a few of your videos now and this is the first time I really understood what you were saying. I learned about Hashing algorithms in my SEC+ class. I just wanted to share my happiness for knowing like 80% of what you were saying.

  • @JohnOmbagi 5 years ago +1

    I love how you explain it. :D

  • @user-pj3uv6re7s 6 years ago +1

    Uncovering the deadly bug was truly exciting !

  • @MuhammadMuhaddis 5 years ago

    Your logics are amazing!

  • @Calmerism 3 years ago +1

    watching php bugs is just like watching wheels turn. It never ends.

  • @sentinalprime8838 3 years ago

    Amazing video man i have been learning a lot in this lock down this is all because of you and John Thanks a lot for making videos and spreading knowledge amazing work . Lots of respect to all those who share knowledge.....

  • @honkatatonka 6 years ago +150

    This is the first time I understand why people dislike PHP ... cheesus. EDIT: is this hash_hmac part of the core lib or some 3rd party screw up?

    • @LiveOverflow 6 years ago +65

      part of core php.net/manual/en/function.hash-hmac.php

    • @DeusEx3 6 years ago +66

      honkatatonka I was thinking the same thing. Wow. I even checked the docs and they didn't mention returning null sometimes. I'm shocked in the nerdiest of ways...

    • @jarrodp5410 5 years ago +3

      honkatatonka wow this is a new type of language

    • @Dragiux 5 years ago +7

      @DeusEx3 www.php.net/manual/en/function.hash-hmac.php#122657 remember to read comments. PHP documentation is notoriously incomplete.

  • @sametaylak2698 6 years ago +1

    Pretty good. Thank you for sharing your knowledge

  • @ltstaffel5323 6 years ago

    Love this kind of video and would like to see more like it!

  • @WrenchIO 10 months ago

    learned a lot , thanks for your video

  • @melihcelik9797 5 years ago +2

    Very good explanation, but as a habit I always check if a variable is null if the function may return null. That is a great example of how it can have effects on live servers, not very visible at the beginning, but if someone covers it your data and privacy are gone.
    Oh, also your money too.

  • @EmmanuelIbikunle 6 years ago +3

    Great video ... thanks man for sharing

  • @renakunisaki 5 years ago

    PHP is always so full of surprises!

  • @aaronknobloch2332 6 years ago +2

    I really liked this video topic and format. Thanks!

  • @Videonauth 5 years ago +16

    On top of what you found, the last line itself is a deadly bug. Passing data directly into exec opens a door for all kinds of injections.

    • @AnPham-uz3td 4 years ago +2

      That last line is so obvious that anyone can see. I think the problem was meant for you to find the non-trivial bug, the last line only for getting the content of flag file on the machine (if it was in CTF).

  • @KamiKagutsuchi 6 years ago +387

    It's php, that's your deadly bug right there.

    • @G4MR1 6 years ago +30

      oh boi if you think that's bad, go look up "Heartbleed" which was written in C. Doesn't really matter the language, most common errors in programming are almost always caused by human error.

    • @Jacksonbanan 6 years ago +4

      KamiKagutsuchi I thought the same thing haha

    • @honkatatonka 6 years ago +20

      Come on, C is so barebones. But having such a loose unintuitive API as hash_hmac is just bad

    • @simivb 6 years ago +4

      Well this particular error is caused by weak typing and not compiling. You can of course make horrible mistakes in any language, but those two things really don't help you in preventing mistakes.

    • @dreamyrhodes 6 years ago +12

      honkatatonka true. hash_hmac is just bad in this case. It should never return NULL where you expect it to get a hash. Input type violation should result in a fatal error, not a warning.

  • @gabrielkwiecinskiantunes8950 6 years ago

    I subscribed instantly after the logo animation.

  • @user-bw3fm4cd6y 6 years ago +12

    thumbs up for using redstar os. ;)

  • @marcelocarmeiro 6 years ago

    Excellent explanation. You deserve my subscribe.

  • @metalpachuramon 6 years ago

    This was nice, I thought that too, but only when I ran out of options

  • @metaorior 6 years ago

    Love your channel !!
    keep up :p

  • @XuanbinLor 5 years ago

    Very insightful

  • @madisonhanberry6019 6 years ago

    I'm loving these educational videos! Do you know any good resources for getting started with digital CTF?

  • @PedroMAMoura 6 years ago

    Always great!

  • @secureitmania 4 years ago

    Bro I am missing your videos 😭😭.. keep upload this type of videos

  • @roguesecurity 6 years ago

    Another awesome video. Thanks

  • @tw11tube 4 years ago

    I expected a completely different approach to that challenge when I reviewed the code in the beginning. I guessed that the challenge description contains an example invocation of that PHP script *without* the optional nonce, so you know the HMAC for one specific safe string like "www.google.com". In that case, you could input the safe string as nonce, and the new nonce-specific secret will be the public HMAC for the safe string, which enables you to calculate the HMAC for any input you want.

  • @MayankSharma 6 years ago

    Awesome!!! Thanks for sharing.

  • @frootube5662 4 years ago +1

    why does youtube not recommend people like you... why do i have to search so hard!!!

  • @sucrose 6 years ago

    Thanks for the tips!

  • @kken8766 4 years ago

    thx for making videos like this.

  • @AlSupertramp0 6 years ago +98

    Also, timing attack on "!==" might be possible.

    • @abdilahrf 6 years ago +8

      how ?

    • @Fs3i 6 years ago +124

      Abdillah Muhamad String-Equals stops as soon as a difference is found. So (simplified) you put in a hmac beginning with an 'a' and measure the time the script takes to run, then you do it with a 'b', 'c',
      .. - for one input the string-comparison will take slightly longer because it has to check the second letter as well. That will be your first letter.
      Even if you try every start-character 1000x times, it would still only take (256 / 4 = 64'000) requests to the server, which is easily feasible within minutes.
      In reality it's a bit harder because string-equals usually checks more than one character at a time.
      And if you want to defend against it: look up constant time string equality checks.

    • @SweetHyunho 6 years ago +25

      Fly - Thanks, I learned something useful today.

    • @macccu 6 years ago +47

      sorry but this sounds like bs. You would need PERFECTLY SAME network and server conditions on EVERY request to even have a chance at measuring execution time. I don't even think you could measure the difference between php reaching the second or third char

    • @theapexsurvivor9538 6 years ago +5

      macccu well, you can measure it against your server ping, so then you don't need the same conditions because you have a standard measurement.
      And you could just submit more detailed variables, ie have the first 3 digits vary and then you should have a slight difference in the vicinity of the correct string, so you have your first 2 digits, rinse and repeat to get the rest.
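The early-exit behaviour Fs3i describes above, and the hash_equals() mitigation Warmonger1178 mentions earlier in the thread, as an added example that is not code from the video or the challenge: both comparisons are instrumented to count how many bytes they touch before returning, which makes the data-dependent work of a plain "!==" style loop visible without any timing measurement. The function names and the constructed tag and secret are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge code: a byte-by-byte comparison that stops at
// the first mismatch (the behaviour of "!==" on strings, simplified), with a
// counter of how many bytes were compared.
function earlyExitEquals(string $known, string $given, int &$steps): bool
{
    $steps = 0;
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    for ($i = 0; $i < strlen($known); $i++) {
        $steps++;
        if ($known[$i] !== $given[$i]) {
            return false;   // work done depends on where the first wrong byte is
        }
    }
    return true;
}

// Same check, but the loop always covers the full length and folds every
// difference into one accumulator, so the step count does not depend on the
// input. hash_equals() is the built-in that does this; use it in real code.
function constantTimeEquals(string $known, string $given, int &$steps): bool
{
    $steps = 0;
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($known); $i++) {
        $steps++;
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// Hypothetical helper: copy of $tag with exactly one wrong hex digit at $pos,
// so the first mismatch is at a known position.
function wrongAt(string $tag, int $pos): string
{
    $tag[$pos] = ($tag[$pos] === '0') ? '1' : '0';
    return $tag;
}

// Constructed values: a 64-hex-char HMAC tag and guesses wrong at different
// positions. Only the early-exit version reveals how far each guess got.
$tag = hash_hmac('sha256', 'constructed-message', 'constructed-secret');
$guesses = [
    'wrong at byte 0'  => wrongAt($tag, 0),
    'wrong at byte 8'  => wrongAt($tag, 8),
    'wrong at byte 32' => wrongAt($tag, 32),
    'fully correct'    => $tag,
];
$a = $b = 0;
printf("%-17s %-12s %-12s\n", 'guess', 'early-exit', 'constant');
foreach ($guesses as $label => $guess) {
    earlyExitEquals($tag, $guess, $a);
    constantTimeEquals($tag, $guess, $b);
    printf("%-17s %-12d %-12d\n", $label, $a, $b);
}
var_dump(hash_equals($tag, wrongAt($tag, 0)));   // bool(false), in constant time
```

The early-exit column reads 1, 9, 33 and 64 while the constant-time column reads 64 for every guess; that per-byte difference in work is what a remote timing measurement has to resolve, and what hash_equals() removes.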

  • @ericspeidel7593 5 years ago

    Interesting analysis, thanks!

  • @sigithermawan277 3 years ago

    it's so simple sir
    and i like you

  • @inferno3853 4 years ago +1

    before watching: does it have to do with the exec? and couldn't you basically use the post value as a way to run code through it? (i never really looked at php, i have little to zero knowledge what the code does but i can assume)
    edit: ah nvm

  • @marimuthumanoj7206 4 years ago

    This is such a great video

  • @Davimejor 6 years ago

    amazing man! really good content!

  • @brianzhou1806 6 years ago

    Great content, keep it up!

  • @bjornroesbeke 6 years ago +1

    Great thinking. In the end it's all so obvious!
    There must be so many vulnerabilities in my code...

    • @rogercruz1547 5 years ago

      I'm worried I have a framework written in this thing... and I'm not sure the hmac bullshittery is documented in the phpsadness page

  • @sleaf6 6 years ago

    how did i not know about this channel until now?!

  • @KunalSaini97 4 years ago +1

    Literally every word went above my head.....
    Still watched the whole video xD

  • @dcrasch 5 years ago

    Awesome! What do you use to annotate your videos?

  • @djthomasx 5 years ago

    Awesome video!

  • @KaleshwarVhKaleshwarVh 3 years ago

    Beautiful.

  • @TheSam1902 6 years ago

    Thanks TIL you can pass an array as a POST value, nice

  • @padmakumarnxt 4 years ago

    Great video. Keep it coming.

  • @d1rtyharry378 4 years ago

    Damn that! When I first saw this I couldn't understand shit. But today I saw it again and now that I understand it, I wanna explore more. Thanks man! You inspire me to keep going

  • @madanugraha8587 5 years ago

    omg this channel is so great ! ! ! !

  • @shefalikumari3513 3 years ago

    Wonderful

  • @x0r1k 5 years ago

    the biggest bug is that input for the exec was not escaped at all

  • @TheGrimravager 4 years ago +1

    I watched this video when it came out.
    2 years later I am a php developer and I watched it again. It felt completely different :)

    • @Omar-wm9kz 3 years ago

      why and how?

    • @TheGrimravager 3 years ago

      @Omar-wm9kz I learned how php works and have worked with it on a daily basis; that makes you pick up things almost instantly where otherwise you wouldn't even consider them

  • @salimal-badi7063 6 years ago

    Brilliant, great man ✌️

  • @thepvporg 5 years ago

    There is no salting value to generate a value to test against the hash issued, no filter_var on the input and no whitelisting, and the exec function can be exploited.

  • @ajxbjj 6 years ago

    Arrays was my first thought :)

  • @yiannissiantos127 6 years ago +5

    Most PHP frameworks turn warnings/notices/errors into exceptions so that will mitigate these sort of issues.

  • @liammaclennan1402 5 years ago

    Would a vulnerability in the code only allow an XSS and SQL attack or are there other attacks that can be executed?

  • @sliyarohmodus5749 5 years ago

    The host parameter is not sanitized. An attacker can pass extra commands to the exec function and cause them to be executed at the same privilege level as the php script.

  • @vukkulvar9769 6 years ago +6

    Another possibility is PHP is configured so all errors are fatal. If PHP does not have an error handler, it usually displays them with the scope variables. That would expose the value of $secret, allowing you to forge any signature for future requests.

    • @MaakaSakuranbo 6 years ago

      Huh? Usually when PHP errors for me it just goes 500, not showing any data. If there's any data shown it's in the error.log, which of course someone from outside shouldn't be able to access.

    • @vukkulvar9769 6 years ago

      It's a PHP configuration. Some people forget "development" mode that'll format the errors and exceptions into an HTML response

    • @BikingWIthPanda 6 years ago

      display_errors = On

  • @snowdaysrule 5 years ago

    I actually got as far as determining that the goal here would be to set a value for nonce that would allow you to compute the hmac that made the !== statement true, but I'm not a programmer so wasn't able to determine on my own what to set the nonce to. I was really big into studying the security of the xbox 360 and learning how all the exploits worked so that definitely helped me out here.

  • @MidnightSt 6 years ago +1

    9:47 i had to get here and get reminded that you can to client-side php arrays, and then... i bet that if you supply an empty array, isset == true, but then output of the hash functions is either predictable, or a predictable gibberish (for example it spits out null or false or something like that), making all the rest of the checks "pass" == get skipped, basically

  • @UnwovenSleeve 6 years ago

    I understood none of that, but have the feeling that I learned something.

  • @royalpie 6 years ago

    I also browse the PHP docs in incognito.

  • @mu11668B 1 year ago

    I clicked only after you mentioned the array input trick. It's not even a thing in languages I usually use. They just throw uncaught exceptions and crash.

  • @89elmonster 6 years ago

    Subbed, good channel 👍

  • @PiesekLeszek90 6 years ago

    You could also make 'host' variable an array (and somehow put code that you want to execute in it) and send 'hmac' as null, right? Someone correct me if I'm wrong.

  • @MrKristian252 6 years ago

    More of this! +1 sub after just 3 minutes in.

  • @IslamIsDanger 3 years ago

    Great!

  • @Ulvis_B 4 years ago

    first seen code thinking about null bug

  • @dagobert6420 5 years ago

    There is one thing I didn't get.. the Post-Variable isn't checked anyway, so in line 10 as an attacker I could simply put " null,null); exec(evilcode); /* " into the Post['nonce'] and it's done anyway? Am I missing something?

  • @windchime9720 6 years ago

    That was awesome!!!