Massive security vulnerability with Autoloaders

[nickl-]

This is huge!!!

Makes XSS and SQLI seem like way too much effort in comparison.

Exploit: PHP include & require exposes the current context to the included file.

i.o.w. you have unrestricted access to $this == (the autoloader instance) from within the include

HOWTO:

Add the following inside a file which will be included by the autoloader

<?php
     echo "<h2>Reflection knows:</h2><pre>",  \ReflectionObject::export($this, true),  "</pre>";

Result:

from using Symfony's UniversalClassLoader, for example, but same goes for any other autoloader as I have not seen one with even the slightest consideration for this vulnerability:

Reflection knows:

<?php
/**
 * UniversalClassLoader implements a "universal" autoloader for PHP 5.3.
 *
 * It is able to load classes that use either:
 *
 *  * The technical interoperability standards for PHP 5.3 namespaces and
 *    class names (https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-0.md);
 *
 *  * The PEAR naming convention for classes (http://pear.php.net/).
 *
 * Classes from a sub-namespace or a sub-hierarchy of PEAR classes can be
 * looked for in a list of locations to ease the vendoring of a sub-set of
 * classes for large projects.
 *
 * Example usage:
 *
 *     $loader = new UniversalClassLoader();
 *
 *     // register classes with namespaces
 *     $loader->registerNamespaces(array(
 *         'Symfony\Component' => __DIR__.'/component',
 *         'Symfony'           => __DIR__.'/framework',
 *         'Sensio'            => array(__DIR__.'/src', __DIR__.'/vendor'),
 *     ));
 *
 *     // register a library using the PEAR naming convention
 *     $loader->registerPrefixes(array(
 *         'Swift_' => __DIR__.'/Swift',
 *     ));
 *
 *
 *     // to enable searching the include path (e.g. for PEAR packages)
 *     $loader->useIncludePath(true);
 *
 *     // activate the autoloader
 *     $loader->register();
 *
 * In this example, if you try to use a class in the Symfony\Component
 * namespace or one of its children (Symfony\Component\Console for instance),
 * the autoloader will first look for the class under the component/
 * directory, and it will then fallback to the framework/ directory if not
 * found before giving up.
 *
 * @author Fabien Potencier 
 *
 * @api
 */
Object of class [  class Symfony\Component\ClassLoader\UniversalClassLoader ] {
  @@ /path/to/src/ClassLoader/UniversalClassLoader.php 61-319

  - Constants [0] {
  }

  - Static properties [0] {
  }

  - Static methods [0] {
  }

  - Properties [5] {
    Property [  private $namespaces ]
    Property [  private $prefixes ]
    Property [  private $namespaceFallbacks ]
    Property [  private $prefixFallbacks ]
    Property [  private $useIncludePath ]
  }

  - Dynamic properties [0] {
  }

  - Methods [17] {
    /**
     * Turns on searching the include for class files. Allows easy loading
     * of installed PEAR packages
     *
     * @param Boolean $useIncludePath
     */
    Method [  public method useIncludePath ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 75 - 78

      - Parameters [1] {
        Parameter #0 [  $useIncludePath ]
      }
    }

    /**
     * Can be used to check if the autoloader uses the include path to check
     * for classes.
     *
     * @return Boolean
     */
    Method [  public method getUseIncludePath ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 86 - 89
    }

    /**
     * Gets the configured namespaces.
     *
     * @return array A hash with namespaces as keys and directories as values
     */
    Method [  public method getNamespaces ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 96 - 99
    }

    /**
     * Gets the configured class prefixes.
     *
     * @return array A hash with class prefixes as keys and directories as values
     */
    Method [  public method getPrefixes ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 106 - 109
    }

    /**
     * Gets the directory(ies) to use as a fallback for namespaces.
     *
     * @return array An array of directories
     */
    Method [  public method getNamespaceFallbacks ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 116 - 119
    }

    /**
     * Gets the directory(ies) to use as a fallback for class prefixes.
     *
     * @return array An array of directories
     */
    Method [  public method getPrefixFallbacks ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 126 - 129
    }

    /**
     * Registers the directory to use as a fallback for namespaces.
     *
     * @param array $dirs An array of directories
     *
     * @api
     */
    Method [  public method registerNamespaceFallbacks ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 138 - 141

      - Parameters [1] {
        Parameter #0 [  array $dirs ]
      }
    }

    /**
     * Registers a directory to use as a fallback for namespaces.
     *
     * @param string $dir A directory
     */
    Method [  public method registerNamespaceFallback ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 148 - 151

      - Parameters [1] {
        Parameter #0 [  $dir ]
      }
    }

    /**
     * Registers directories to use as a fallback for class prefixes.
     *
     * @param array $dirs An array of directories
     *
     * @api
     */
    Method [  public method registerPrefixFallbacks ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 160 - 163

      - Parameters [1] {
        Parameter #0 [  array $dirs ]
      }
    }

    /**
     * Registers a directory to use as a fallback for class prefixes.
     *
     * @param string $dir A directory
     */
    Method [  public method registerPrefixFallback ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 170 - 173

      - Parameters [1] {
        Parameter #0 [  $dir ]
      }
    }

    /**
     * Registers an array of namespaces
     *
     * @param array $namespaces An array of namespaces (namespaces as keys and locations as values)
     *
     * @api
     */
    Method [  public method registerNamespaces ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 182 - 187

      - Parameters [1] {
        Parameter #0 [  array $namespaces ]
      }
    }

    /**
     * Registers a namespace.
     *
     * @param string       $namespace The namespace
     * @param array|string $paths     The location(s) of the namespace
     *
     * @api
     */
    Method [  public method registerNamespace ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 197 - 200

      - Parameters [2] {
        Parameter #0 [  $namespace ]
        Parameter #1 [  $paths ]
      }
    }

    /**
     * Registers an array of classes using the PEAR naming convention.
     *
     * @param array $classes An array of classes (prefixes as keys and locations as values)
     *
     * @api
     */
    Method [  public method registerPrefixes ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 209 - 214

      - Parameters [1] {
        Parameter #0 [  array $classes ]
      }
    }

    /**
     * Registers a set of classes using the PEAR naming convention.
     *
     * @param string       $prefix The classes prefix
     * @param array|string $paths  The location(s) of the classes
     *
     * @api
     */
    Method [  public method registerPrefix ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 224 - 227

      - Parameters [2] {
        Parameter #0 [  $prefix ]
        Parameter #1 [  $paths ]
      }
    }

    /**
     * Registers this instance as an autoloader.
     *
     * @param Boolean $prepend Whether to prepend the autoloader or not
     *
     * @api
     */
    Method [  public method register ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 236 - 239

      - Parameters [1] {
        Parameter #0 [  $prepend = false ]
      }
    }

    /**
     * Loads the given class or interface.
     *
     * @param string $class The name of the class
     */
    Method [  public method loadClass ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 246 - 251

      - Parameters [1] {
        Parameter #0 [  $class ]
      }
    }

    /**
     * Finds the path to the file where the class is defined.
     *
     * @param string $class The name of the class
     *
     * @return string|null The path, if found
     */
    Method [  public method findFile ] {
      @@ /path/to/src/ClassLoader/UniversalClassLoader.php 260 - 318

      - Parameters [1] {
        Parameter #0 [  $class ]
      }
    }
  }
}

So how do you like them apples? With access to the autoloader there's no limit to the evil that can be done from here.

[nickl-]

Another example: Composer\Autoload\ClassLoader

But you catch my drift.

Reflection knows:

<?php
/**
 * ClassLoader implements a PSR-0 class loader
 *
 * See https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-0.md
 *
 *     $loader = new \Composer\Autoload\ClassLoader();
 *
 *     // register classes with namespaces
 *     $loader->add('Symfony\Component', __DIR__.'/component');
 *     $loader->add('Symfony',           __DIR__.'/framework');
 *
 *     // activate the autoloader
 *     $loader->register();
 *
 *     // to enable searching the include path (eg. for PEAR packages)
 *     $loader->setUseIncludePath(true);
 *
 * In this example, if you try to use a class in the Symfony\Component
 * namespace or one of its children (Symfony\Component\Console for instance),
 * the autoloader will first look for the class under the component/
 * directory, and it will then fallback to the framework/ directory if not
 * found before giving up.
 *
 * This class is loosely based on the Symfony UniversalClassLoader.
 *
 * @author Fabien Potencier 
 * @author Jordi Boggiano 
 */
Object of class [  class Composer\Autoload\ClassLoader ] {
  @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 43-205

  - Constants [0] {
  }

  - Static properties [0] {
  }

  - Static methods [0] {
  }

  - Properties [4] {
    Property [  private $prefixes ]
    Property [  private $fallbackDirs ]
    Property [  private $useIncludePath ]
    Property [  private $classMap ]
  }

  - Dynamic properties [0] {
  }

  - Methods [11] {
    Method [  public method getPrefixes ] {
      @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 50 - 53
    }

    Method [  public method getFallbackDirs ] {
      @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 55 - 58
    }

    Method [  public method getClassMap ] {
      @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 60 - 63
    }

    /**
     * @param array $classMap Class to filename map
     */
    Method [  public method addClassMap ] {
      @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 68 - 75

      - Parameters [1] {
        Parameter #0 [  array $classMap ]
      }
    }

    /**
     * Registers a set of classes
     *
     * @param string       $prefix The classes prefix
     * @param array|string $paths  The location(s) of the classes
     */
    Method [  public method add ] {
      @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 83 - 100

      - Parameters [2] {
        Parameter #0 [  $prefix ]
        Parameter #1 [  $paths ]
      }
    }

    /**
     * Turns on searching the include path for class files.
     *
     * @param bool $useIncludePath
     */
    Method [  public method setUseIncludePath ] {
      @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 107 - 110

      - Parameters [1] {
        Parameter #0 [  $useIncludePath ]
      }
    }

    /**
     * Can be used to check if the autoloader uses the include path to check
     * for classes.
     *
     * @return bool
     */
    Method [  public method getUseIncludePath ] {
      @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 118 - 121
    }

    /**
     * Registers this instance as an autoloader.
     *
     * @param bool $prepend Whether to prepend the autoloader or not
     */
    Method [  public method register ] {
      @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 128 - 131

      - Parameters [1] {
        Parameter #0 [  $prepend = false ]
      }
    }

    /**
     * Unregisters this instance as an autoloader.
     */
    Method [  public method unregister ] {
      @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 136 - 139
    }

    /**
     * Loads the given class or interface.
     *
     * @param  string    $class The name of the class
     * @return bool|null True, if loaded
     */
    Method [  public method loadClass ] {
      @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 147 - 154

      - Parameters [1] {
        Parameter #0 [  $class ]
      }
    }

    /**
     * Finds the path to the file where the class is defined.
     *
     * @param string $class The name of the class
     *
     * @return string|null The path, if found
     */
    Method [  public method findFile ] {
      @@ /Users/inspirex/code/flow/work/aRESTedAPI/vendor/composer/ClassLoader.php 163 - 204

      - Parameters [1] {
        Parameter #0 [  $class ]
      }
    }
  }
}

[nickl-]

A Solution:

<?php
            call_user_func(function () use ($file) {
                ob_start();
                require $file;
                ob_end_clean();
            });

This also ensures no source mistakenly outputted by php due to faulty script tags and effectively disables your phissing capabilities which exposed this vulnerability in the first place.

[alganet]

Great job! That was unexpected.

We really need to hide the loader instance with no option to turn this off, but there are ways to code an application that controls the output buffer enough to prevent injections outside the loader (using Respect\Template that would be easy), and those guys would want to turn that off for performance, so I belive the ob_* should be optional. What do you think? @augustohp @henriquemoody

I've imagined three use cases for this exploit: infected componentes being used (someone using a component which was hacked to be evil), remote file inclusion through apache log inclusion or something like this and folder permission problems).

The case 2 and 3 can be avoided with open_basedir and proper folder permissions. We could check this on the Loader instantiation. The case 1 is harder and the hacked component could be even not aware of that (since it's possible to inject malicious code without breaking tests and it's possible that some commit passes without full code review).

Any other use case I haven't considered? We should document those to guide our implementation.

[nickl-]

If you are able to access the classmap there's really no end to the liberties it affords you and all it would take is a strategically placed php file and managing to inject a single class_exists(). This would more than do the trick and allow you lots of room to play as class_exists is expected to fail yet autoloaders do not take this into account and it really only fails after it has had the opportunity to try every option available to it before it happily tries again.

We really need to do some benchmarks although speculating that it would cause a bit of overhead can be imagined. That said I am not too concerned about the performance on the first run and would gladly sacrifice a few cycles towards peace of mind knowing that the cache is based on a secure replication of the current state which reflects the components actually required by the application. It might very well mean that you could create the cache in an offline or DMZ environment and not be exposed to any of these vulnerabilities when in the cloud. Bottom line: rather than spending time on perfecting something that is already broken. But it all boils down to benchmarking which I think should be started post haste as these will be the deciding factors ultimately. Agree?

[nickl-]

If anyone else has access to other autoloaders at hand please post the results here so we can help them get fixed before the word gets out and the script kiddies run wild with it.

I vote we first identify and fix all those affected before we kindle the furnace with brilliant ideas of mischief.

[alganet]

I'm more focused identifying how a user could damage the system when he gets in. Getting inside the autoloader is easy, but that doesn't mean that he will be able to do something. For now, the problem only happens when an unexcpected malicious file is autoloaded, and that can be prevented (with open_basedir, for example). Wondering if it's possible to exploit that in different ways.

[mxrth]

Just out of interest: what is the actual attack vector described in this issue?
I don't see how the autoloader is responsible for securing included scripts or even able to do so.
Just consider the following script being loaded by the autoloader as an example: https://gist.github.com/3289058
The autoloader can do absolutely nothing against an attacker controlled file, or did I miss sth. completely?

[alganet]

@DrAk3 I'm not sure either and I also would like to understand this issue better, and more important, how this exploit differs from any other file inclusion exploit.

It seems that the main difference is that the attacker has access to the autoloader instance from inside and can bypass its visibility declarations, being able to access any private and protected attributes and methods. He can't override methods from that, which makes your gist look harmless, but often autoloaders have some kind of path and cache control which can be changed (since they often rely on protected properties).

Summing it up: fixing this prevents your autoloader from being changed by classes you load, which is something we already expected from any autoloader and now seems to have a rough edge.

From the inside, anything is possible. The attacker could change the autoloader to load a different, hacked Doctrine connection class and steal connection information right from the instance configuration, for example. What I would like to know is how an attacker could in fact trick any system to load the malicious code.

[nickl-]

@DrAk3 how did you manage to get loader to load your attack? For a PSR-0 autoloader it is hardly necessary to specifically make a call to loadfile or include yourself manually, the loader will find you and it is eager to do so.

You may have been mislead by my choice of showing the content definition from ReflectionObject::export($this, true) of the loader as seen in the examples above. Maybe a var_dump($this) or the popular print_r($this) would've gotten the point across better or facilitated a better explanation, we can only hope.

As oppose to your solution/attack where you managed to read the content of the loader source code, after having inbound knowledge of its location and assumed read access privileges granted all you've accomplished is to obtain some reading material for your favourite syntax highlighted pager, but the server is still far from being yours you may be able to run your own copy at will from there but that is about it.

Instead what you see here is the the result from a script file i.e. your attack.php being loaded automagically by the autoloader but where this differs from yours is that we are in the context of tho object instance, we are the autoloader, the reference $this = the autoloader instance currently working/serving the application. We do not care where the source file is located, we do not have to eval or do anything else, we have total control over the loader and share the same privileges it has on the system.

To use your example:

<?php

      /** We don't need an instance of the loader */
     $loader = new TestLoader();
     /** nor do we have to settle for it's publicly exposed interfaces alone */
     $loader->loadFile('attack.php');

     /** Because we are the loader instance itself */
     $this->loadFile('attack.php'); // publicly accessible facility as per 
                                    // previous example but from the $this reference

     /** but also we enjoy complete access to it's resources protected and private as well */
     $this->_private_classmap[] = 'add/mapping/to/this/file.php';
     $this->_log_writer = $my_dev_slash_null_writer;  // ssssshh don't tell anyone

     /** Something you will not be privileged to from your approach */
     file_put_content('for_prying_eyes.only', var_export($this->_current_cache));

I hope you see now why it is MASSIVE! Your system can be compromised and you will never know about it and once I've had these liberties I can easily guarantee my continued presence whether you restart, clear cache, even fixing the vulnerability later will have no effect. This is not something I hope to see happening at all!

@alganet wrote:

What I would like to know is how an attacker could in fact trick any system to load the malicious code.

All I need is to discover one factory that prompts an exception telling me class/type/object not found and the door is open, I would imagine that you can easily inject the script from a remote resource with no need for physical access on the filesystem. I really hope they realize the extend of this vulnerability and start fixing the auto-loaders it would really be a pity if they wait for someone to make an example of one first before they catch a wake-up, too late. =(

I take no responsibility for what happens!!! washing hands