PHP 7 Unserialize Mechanism 0-days

Researchers at Check Point recently uncovered three previously unknown vulnerabilities in the new version of PHP. CVE-2016-7479 and CVE-2016-7480 could allow attackers to take full control of the target server, while CVE-2016-7478 causes a Denial of Service condition that results in a server hang.

These vulnerabilities are triggered as unwanted behaviour when PHP unserializes objects. Such malicious objects might be sent to any PHP application as HTTP parameter, cookie or header values.

 

Mitigation with BIG-IP ASM

BIG-IP ASM customers are already protected against the new 0-days: the attacks are detected and blocked by the existing "Server Side Code Injection" signatures, specifically:

  • "PHP object serialization injection attempt (Parameter)" (200004188)
  • "PHP object serialization injection attempt (Header)" (200004189)
  • "PHP object serialization injection attempt (URI)" (200004190)
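The signatures above look for PHP serialized objects in parameters, headers and the URI. As an added illustration (not F5's signature logic and not code from the original article), the following Python detector flags the `O:` and `C:` object tokens of PHP's serialize() format in those same three locations, including percent-encoded and double-encoded values. The regular expression, the function names and the sample request are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# PHP serialize() emits objects as O:<name length>:"<class>":<property count>:{
# and Serializable objects as C:<name length>:"<class>":<data length>:{
OBJECT_TOKEN = re.compile(r'\b[OC]:\d+:"([^"]+)":\d+:\{')


def decode(value, rounds=3):
    """Percent-decode repeatedly so single and double encoding are both seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_serialized_objects(uri, headers):
    """Return (location, field, class name) for each object token in a request."""
    parts = urlsplit(uri)
    fields = [("URI", "path", parts.path)]
    fields += [("Parameter", k, v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    fields += [("Header", k, v) for k, v in headers.items()]  # includes Cookie
    return [(location, field, match.group(1))
            for location, field, raw in fields
            for match in OBJECT_TOKEN.finditer(decode(raw))]


# Constructed sample request: empty, harmless objects, one double-encoded cookie.
SAMPLE_URI = "/index.php?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D&page=2"
SAMPLE_HEADERS = {
    "User-Agent": "curl/8.0",
    "Cookie": "prefs=a%253A1%253A%257Bi%253A0%253BO%253A12%253A"
              "%2522ExampleClass%2522%253A0%253A%257B%257D%257D",
}

if __name__ == "__main__":
    for hit in find_serialized_objects(SAMPLE_URI, SAMPLE_HEADERS):
        print(hit)
```

Applications that legitimately pass serialized PHP objects in requests will match as well, so a check like this is best run in alerting mode first and tuned per parameter.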

 

The following are examples of blocked attack vectors related to those CVEs, along with the attack signatures they invoked:

 

Figure 1: Denial of Service attack vector (CVE-2016-7478) blocked with Attack Signature (200004188)

 

Figure 2: CVE-2016-7479 proof of concept exploit

 

Figure 3: CVE-2016-7479 POC exploit blocked with Attack Signature (200004188)

 

Figure 4: CVE-2016-7479 "DateInterval" attack vector blocked with Attack Signature (200004188)

Published Dec 29, 2016
Version 1.0