Features ======== Snuffleupagus has a lot of features that can be divided in two main categories: bug-classes killers and virtual-patching. The first category provides primitives to kill various bug families (like arbitrary code execution via ``unserialize`` for example) or raise the cost of exploitation. The second category is a highly configurable system to patch functions in php itself. Bug classes killed or mitigated ------------------------------- ``system`` injections ^^^^^^^^^^^^^^^^^^^^^ The ``system`` function executes an external program and displays the output. It is used to interact with various external tools, like file-format converters. Unfortunately, passing user-controlled parameters to it often leads to arbitrary command execution. When allowing user-supplied data to be passed to this function, use `escapeshellarg()` or `escapeshellcmd()` to ensure that users cannot trick the system into executing arbitrary commands. --- `The PHP documentation about system `_ We're mitigating it by filtering the ``$``, ``|``, ``;``, `````, ``\n`` and ``&`` chars in our default configuration, making it a lot harder for an attacker to inject arbitrary commands. This feature is even more effective when used along with :ref:`readonly_exec `. Examples of related vulnerabilities """"""""""""""""""""""""""""""""""" - `CVE-2013-3630 `__: Authenticated remote code execution in Moodle - `CVE-2014-1610 `__: Unauthenticated remote code execution in DokuWiki - `CVE-2014-4688 `__: Authenticated remote code execution in pfSense - `CVE-2017-7981 `__: Authenticated remote code execution in Tuleap - `CVE-2018-20434 `__: Authenticated remote code execution in LibreNMS - `CVE-2020-5791 `__: Authenticated remote code execution in Nagios XI - `CVE-2020-8813 `__: Unauthenticated remote code execution in Cacti - Every single `modem/router/switch/IoT/… `_. ``mail``-related injections ^^^^^^^^^^^^^^^^^^^^^^^^^^^ This vulnerability has been known `since 2011 `_ and was popularized by `RIPS `_ in 2016. The last flag of the `mail` function can be used to pass various parameters to the underlying binary used to send emails; this can lead to an arbitrary file write, often meaning an arbitrary code execution. The ``additional_parameters`` parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail --- `The PHP documentation about mail `_ We're killing it by preventing any extra options in ``additional_parameters``. This feature is even more effective when used along with :ref:`readonly_exec `. Examples of related vulnerabilities """"""""""""""""""""""""""""""""""" - `CVE-2017-7692 `_: Authenticated remote code execution in SquirrelMail - `CVE-2016-10074 `_: remote code execution in SwiftMailer - `CVE-2016-10033 `_: remote code execution in PHPMailer - `CVE-2016-9920 `_: Unauthenticated remote code execution in Roundcube - `CVE-2019-???? `__: Unauthenticated remote code execution in Horde .. _cookie-encryption-feature: Cookie stealing via XSS ^^^^^^^^^^^^^^^^^^^^^^^ The goto payload for XSS is often to steal cookies. Like *Suhosin*, we are encrypting the cookies with a secret key, an environment variable (usually the IP of the user) and the user's user-agent. This means that an attacker with an XSS won't be able to use the stolen cookie, since he can't spoof the content of the value of the environment variable for the user. Please do read the :ref:`documentation about this feature ` if you're planning to use it. This feature is roughly the same than the `Suhosin one `_. Having a secret server-side key will prevent anyone (even the user) from reading the content of the cookie, reducing the impact of an application storing sensitive data client-side. .. _fileupload-feature: Remote code execution via file-upload ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Some PHP applications allows users to upload content like avatars to a forum. Unfortunately, content validation often isn't implemented properly (if at all), meaning arbitrary file upload often leads to an arbitrary code execution, contrary to the documentation. Not validating which file you operate on may mean that users can *access sensitive information* in other directories. --- `The PHP documentation about file uploads `_ We're killing it, like Suhosin, by automatically calling a script upon file upload, if it returns something else than ``0``, the file will be removed (or stored in a quarantine, for further analysis). We're recommending to use the `vld `_ project inside the script to ensure the file doesn't contain any valid PHP code, with something like this: :: $ php -d vld.execute=0 -d vld.active=1 -d extension=vld.so $file One could also filter on the file extensions, with something like this: :: #!/bin/bash exit $([[ $SP_FILENAME =~ *\.php* ]]) Examples of related vulnerabilities """"""""""""""""""""""""""""""""""" - `CVE-2017-6090 `_: Unauthenticated remote code execution in PhpCollab - `EDB-38407 `_: Authenticated remote code execution in GLPI - `CVE-2013-5576 `_: Authenticated remote code execution in Joomla - `CVE-2019-15813 `__: Authenticated remote code execution in Sentrifugo - `CVE-2019-17132 `__: Authenticated remote code execution in vBulletin - `CVE-2020-10682 `__: Authenticated remote code execution in CMS Made Simple - `EDB-19154 `_: Authenticated remote code execution in qdPM .. _unserialize-feature: Unserialize-related magic ^^^^^^^^^^^^^^^^^^^^^^^^^ PHP is able to *serialize* arbitrary objects, to easily store them. Unfortunately, as demonstrated by `Stefan Esser `__ in his `Shocking News in PHP Exploitation `__ and `Utilizing Code Reuse/ROP in PHP Application Exploits `__ slides, it is often possible to gain arbitrary code execution upon deserialization of user-supplied serialized objects. Do not pass untrusted user input to ``unserialize()`` regardless of the options value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading and a malicious user may be able to exploit this. --- `The PHP documentation about serialize `_ We're killing it by exploiting the fact that PHP will discard any garbage found at the end of a serialized object, allowing us to simply append a `HMAC `_ at the end of strings generated by the ``serialize``, hence guaranteeing that any object deserialized came from the application and wasn't tampered with. We aren't encrypting it, like we do with the cookies, allowing this feature to be disabled (or switch into leaning mode) without the need to invalidate any data. .. warning:: This feature can't be deployed on websites that already stored serialized objects (ie. in database), since they are missing the HMAC and thus will be detected as an attack. If you're in this situation, you should use this feature with the ``simulation`` mode, and switch it off once you don't have any messages in your logs. A nice side-effect of this feature is that it will defeat various memory corruption issues related to the complexity of ``unserialize``'s implementation, and the amount of control if provides to an attacker, like `CVE-2016-9137, CVE-2016-9138 `_, `2016-7124 `_, `CVE-2016-5771 and CVE-2016-5773 `_. A less subtle mitigation can be used to simply prevent the deserialization of objects altogether. Examples of related vulnerabilities """"""""""""""""""""""""""""""""""" - `CVE-2012-5692 `_: Unauthenticated remote code execution in IP.Board - `CVE-2014-1691 `_: Unauthenticated remote code execution in Horde - `CVE-2015-7808 `_: Unauthenticated remote code execution in vBulletin - `CVE-2015-8562 `_: Unauthenticated remote code execution in Joomla - `CVE-2016-4010 `_: Unauthenticated remote code execution in Magento - `CVE-2016-5726 `_: Unauthenticated remote code execution in Simple Machines Forums - `CVE-2016-???? `_: Unauthenticated remote code execution in Observium (leading to remote root) - `CVE-2017-2641 `_: Unauthenticated remote code execution in Moodle - `CVE-2018-17057 `__: Unauthenticated remote code execution in LimeSurvey - `CVE-2018-19274 `__: Authenticated remote code execution in phpBB - `CVE-2019-6340 `__: Unauthenticated remote code execution in Drupal .. _harden-rand-feature: Weak-PRNG via rand/mt_rand ^^^^^^^^^^^^^^^^^^^^^^^^^^ The functions ``rand`` and ``mt_rand`` are often used to generate random numbers used in sensitive context, like password generation, token creation. Unfortunately, as stated in the documentation, the quality of their entropy is low, leading to the generation of guessable values. This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. --- `The PHP documentation about rand `_ We're addressing this issue by replacing every call to ``rand`` and ``mt_rand`` with a call to the ``random_int``, a `CSPRNG `_. It's worth noting that the PHP documentation contains the following warning: ``min`` ``max`` range must be within the range ``getrandmax()``. i.e. ``(max - min) <= getrandmax()``. Otherwise, ``rand()`` may return poor-quality random numbers. --- `The PHP documentation about rand `_ This is of course addressed as well by the ``harden_rand`` feature. Examples of related vulnerabilities """"""""""""""""""""""""""""""""""" - `CVE-2015-5267 `_: Unauthenticated accounts takeover in in Moodle - `CVE-2014-9624 `_: Captcha bypass in MantisBT - `CVE-2014-6412 `_: Unauthenticated account takeover in Wordpress - `CVE-2015-???? `_: Unauthenticated accounts takeover in Concrete5 - `CVE-2013-6386 `_: Unauthenticated accounts takeover in Drupal - `CVE-2010-???? `_: Unauthenticated accounts takeover in MyBB - `CVE-2008-4102 `_: Unauthenticated accounts takeover in Joomla - `CVE-2006-0632 `_: Unauthenticated account takeover in phpBB .. _xxe-feature: XXE ^^^ Despite the documentation saying nothing about this class of vulnerabilities, `XML eXternal Entity `_ (XXE) often leads to arbitrary file reading, `SSRF `_ and sometimes even arbitrary code execution. XML documents can contain a `Document Type Definition `_ (DTD), enabling definition of XML entities. It is possible to define an (external) entity by a URI, that the parser will access and embed its content back into the document for further processing. For example, providing an url like ``file:///etc/passwd`` will read the file's content. Since the file is not valid XML, the application will spit it out in an error message, thus leaking its content. We're killing this class of vulnerabilities by calling the `libxml_disable_entity_loader `_ function with its parameter set to ``true`` at startup, and then *nop'ing* it, so it won't do anything if ever called again. Examples of related vulnerabilities """"""""""""""""""""""""""""""""""" - `CVE-2015-5161 `_: Unauthenticated arbitrary file disclosure on Magento - `CVE-2014-8790 `_: Unauthenticated remote code execution in GetSimple CMS - `CVE-2011-4107 `_: Authenticated local file disclosure in PHPMyAdmin .. _auto-cookie-secure-feature: Cookie stealing via HTTP MITM ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ While it's possible to set the ``secure`` flag on cookies to prevent them from being transmitted over HTTP, and only allow its transmission over HTTPS. Snuffleupagus can automatically set this flag if the client is accessing the website over a secure connection. This behaviour is suggested in the documentation: On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to ``$_SERVER["HTTPS"]``). --- `The PHP documentation about setcookie `_ Exploitation, post-exploitation and general hardening ----------------------------------------------------- .. _virtual-patching-feature: Virtual-patching ^^^^^^^^^^^^^^^^ PHP itself exposes a number of functions that might be considered **dangerous** and that have limited legitimate use cases. ``system()``, ``exec()``, ``dlopen()`` - for example - fall into this category. By default, PHP only allows us to globally disable some functions. However, (ie. ``system()``) they might have legitimate use cases in processes such as self upgrade etc., making it impossible to effectively disable them - at the risk of breaking critical features. Snuffleupagus allows the user to restrict usage of specific functions per file, or per file with a matching (sha256) hash, thus allowing the use of such functions **only** in the intended places. It can also restrict per `CIDR `__, to restrict execution to users on the LAN for example. There are a *lot* of different filters, so make sure to read the :ref:`corresponding documentation `. Furthermore, running the `following script `_ will generate an hash and line-based whitelist of dangerous functions, droping them everywhere else: .. literalinclude:: ../../scripts/generate_rules.php :language: php The intent is to make post-exploitation process (such as backdooring of legitimate code, or RAT usage) a lot harder for the attacker. .. _global-strict-feature: Global strict mode ^^^^^^^^^^^^^^^^^^ By default, PHP will coerce values of the wrong type into the expected one if possible. For example, if a function expecting an integer is given a string, it will be coerced in an integer. PHP7 introduced a **strict mode**, in which variables won't be coerced anymore, and a `TypeError `_ exception will be raised if the types aren't matching. `Scalar type declarations `_ are optional, but you don't have to use them in your code to benefit from them, since every internal function from php has them. This option provides a switch to globally activate this strict mode, helping to uncover vulnerabilities like the classical `strcmp bypass `_ and various other types mismatch. This feature is largely inspired from the `autostrict `_ module from `krakjoe `__. PHP8 already has `this feature `__ for internal functions. .. _sloppy-comparisons-feature: Preventing sloppy comparisons ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The aforementioned :ref:`strict mode ` only works with annotated types and native functions, so it doesn't cover every instances of `type juggling `__ during comparisons. Since comparison between different types in PHP is `notoriously `__ difficult to get right, Snuffleupagus offers a way to **always** use the ``identical`` operator instead of the ``equal`` one (see the `operator section `__ for PHP's documentation for more details), so that values with different types will always be treated as being different. Keep in mind that this feature will not only affect the ``==`` operator, but also the `in_array `__, `array_search `__ and `array_keys `__ functions. PHP8 is implementing `a subset `__ of this feature. .. _readonly-exec-feature: Preventing execution of writable PHP files ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If an attacker manages to upload an arbitrary file or to modify an existing one, odds are that (thanks to the default `umask `_) this file is writable by the PHP process. Snuffleupagus can prevent the execution of this kind of file. A good practice would be to use a different user to run PHP than for administrating the website, and using this feature to lock this up. .. _stream-wrapper-whitelist-feature: Whitelist of stream-wrappers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Php comes with a `lot of different `__ `stream wrapper `__, and most of them are enabled by default. The only way to tighten a bit this exposition surface is to use the `allow_url_fopen/allow_url_include `__ configuration options, but it's `not possible `__ to deactivate them on an individual basis. Examples of related vulnerabilities """"""""""""""""""""""""""""""""""" - `RCE via phar:// `__ - `Data exfiltration via stream wrapper `__ - `Inclusion via zip/phar `__ .. _eval-feature: White and blacklist in ``eval`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ While `eval `__ is a dangerous primitive, tricky to use right, with almost no legitimate usage besides templating and building mathematical expressions based on user input, it's broadly (mis)used all around the web. Snuffleupagus provides a white and blacklist mechanism, to explicitly allow and forbid specific function calls from being issued inside ``eval``. While it's heavily recommended to only use the whitelist feature, the blacklist one exists because some sysadmins might want to use it to catch automated script-kiddies attacks, while being confident that doing so won't break a single website. .. _samesite-feature: Protection against cross site request forgery ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Cross-site request forgery, sometimes abbreviated as *CSRF*, is when unauthorised commands are issued from a user that the application trusts. For example, if a user is authenticated on a banking website, an other site might present something like ````, effectively transferring money from the user's account to the attacker one. Snuffleupagus can prevent this (in `supported browsers `__) by setting the `samesite `__ attribute on cookies. Dumping capabilities ^^^^^^^^^^^^^^^^^^^^ It's possible to apply the ``dump()`` filter to any virtual-patching rule, to dump the complete web request, along with the filename and the corresponding line number. By using the *right* set of restrictive rules (or by using the *overly* restrictives ones in ``simulation`` mode), you might be able to gather interesting vulnerabilities used against your website. Dumps are stored in the folder that you pass to the ``dump()`` filter, in files named ``sp_dump.SHA`` with ``SHA`` being the *sha256* of the rule that matched. This approach allows to mitigate denial of services attacks that could fill up your filesystem. Misc low-hanging fruits in the default configuration file ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Snuffleupagus is shipping with a default configuration file, containing various examples and ideas of things that you might want to enable (or not). Available functions recon """"""""""""""""""""""""" Usually after compromising a website the attacker does some recon within its webshell, to check which functions are available to execute arbitrary code. Since it's not uncommon for some web-hosts to disable things like ``system`` or ``passthru``, or to check if mitigations are enabled, like ``open_basedir``. This behaviour can be detected by preventing the execution of functions like ``ini_get`` or ``is_callable`` with *suspicious* parameters. ``chmod`` hardening """"""""""""""""""" Some PHP applications are using broad rights when using the ``chmod`` function, like the infamous ``chmod(777)`` command, effectively making the file writable by everyone. Snuffleupagus is preventing this kind of behaviour by restricting the parameters that can be passed to ``chmod``. Arbitrary file inclusion hardening """""""""""""""""""""""""""""""""" Arbitrary file inclusion is a common vulnerability, that might be detected by preventing the inclusion of anything that doesn't match a strict set of file extensions in calls to ``include`` or ``require``. Enforcing certificate validation when using curl """""""""""""""""""""""""""""""""""""""""""""""" While it might be convenient to disable certificate validation on preproduction or during tests, it's `common `__ to see that people are disabling it on production too. We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and ``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``. *Cheap* error-based SQL injections detection """""""""""""""""""""""""""""""""""""""""""" If a function performing a SQL query returns ``FALSE`` (indicating an error), it might be useful to dump the request for further analysis.