ThinkPHP 6.0.0 - 6.0.1 Arbitrary File Write Vulnerability
ThinkPHP is an open source PHP development framework for agile web application development. The framework is widely adopted worldwide; a quick Shodan search shows more than 40,000 active deployments.
On the 15th of January a new vulnerability in ThinkPHP was disclosed after being patched by the vendor. The vulnerability allows an attacker to write or overwrite arbitrary files on the system. The root cause of the vulnerability is the session management functionality using the user-controlled value of the session cookie as the name of a file saved on the file system. By using directory traversal, an attacker can save the file anywhere on the system. If the content of the file, which depends on the specific application logic, is also controllable, the attacker could write a web shell to the system and access it.
It is important to note that session initiation is not enabled by default and requires a manual change in configuration. The vulnerability affects ThinkPHP versions 6.0.0 - 6.0.1.
The attacker sends a custom PHPSESSID to the server:
Figure 1: A request with user-controlled session cookie
The server handles the request and uses the PHPSESSID cookie value to set the user's session:
Figure 2: Setting the session ID with a user-controlled value
The application verifies that the PHPSESSID value is a 32-byte string; if the condition is met, then the session value is accepted and set:
Figure 3: Verifying the value is a 32-byte string
After establishing the session ID value, while constructing the response, the application saves the session information to a file with the session ID value as its name:
Figures 4 and 5: Writing a file to the system with the value of the session cookie
Figure 6: The file created on the file system
The vendor patched ThinkPHP and added an additional check for the PHPSESSID value allowing only alphanumeric characters, preventing the possibility of directory traversal:
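The following added example (written for this page, not ThinkPHP's own code) puts the two checks side by side: the pre-patch style check that only looks at the length of the session ID, and the post-patch style check that additionally allows only alphanumeric characters. It also shows a path-containment check as a second layer, so a reader can see where a 32-byte value carrying `../` segments would actually land. The session directory and the sample IDs are constructed for the demo.

```python
"""Added example: validating a session id before it becomes a file name.

Shows the length-only check described in the advisory next to the
alphanumeric-only check the vendor added, plus a path-containment check
as defence in depth. Not ThinkPHP's code; the directory and ids are constructed.
"""
import os
import re

# Constructed demo directory; ThinkPHP's real session path is not reproduced here.
SESSION_DIR = "/var/tmp/session_demo"

ALNUM_32 = re.compile(r"[A-Za-z0-9]{32}")


def length_only_check(session_id: str) -> bool:
    """Pre-patch style check as the advisory describes it: any 32-byte value passes."""
    return len(session_id) == 32


def alnum_check(session_id: str) -> bool:
    """Post-patch style check: exactly 32 alphanumeric characters, so no '/' or '.'."""
    return ALNUM_32.fullmatch(session_id) is not None


def session_file_path(session_id: str, base_dir: str = SESSION_DIR) -> str:
    """Return the file the session would be stored in.

    normpath collapses '..' segments, which makes visible where a traversal
    id ends up once the storage layer joins it onto the session directory.
    """
    return os.path.normpath(os.path.join(base_dir, session_id))


def escapes_base(session_id: str, base_dir: str = SESSION_DIR) -> bool:
    """Defence in depth: True when the resolved file is not directly inside base_dir."""
    base = os.path.normpath(base_dir)
    return os.path.dirname(session_file_path(session_id, base)) != base


def safe_session_path(session_id: str, base_dir: str = SESSION_DIR) -> str:
    """Apply the strict character check AND the containment check before returning a path."""
    if not alnum_check(session_id):
        raise ValueError("session id must be 32 alphanumeric characters")
    if escapes_base(session_id, base_dir):
        raise ValueError("session id escapes the session directory")
    return session_file_path(session_id, base_dir)


if __name__ == "__main__":
    # Constructed sample ids: a normal one and a 32-byte value made of '../' segments.
    normal_id = "0123456789abcdef0123456789abcdef"
    traversal_id = "../../../../../../../../../a.txt"
    for sid in (normal_id, traversal_id):
        print(
            f"{sid!r}: length_only={length_only_check(sid)} "
            f"alnum={alnum_check(sid)} escapes={escapes_base(sid)} "
            f"-> {session_file_path(sid)}"
        )
```

Both sample IDs are exactly 32 bytes, so the length-only check accepts both; only the alphanumeric check and the containment check distinguish them. Keeping the containment check even after the character whitelist is in place means a future change to the whitelist cannot silently reopen the file-write path.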
Mitigating the vulnerability with BIG-IP ASM
BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. While exploiting this vulnerability, an attacker will try to send payloads containing directory traversal. The exploitation attempt will be detected by existing attack signatures.
Figure 8: Exploit blocked with Attack Signature (200000190)
Figure 9: Exploit blocked with Attack Signature (200101550)
In addition, if an attacker tries to inject PHP code to be stored in the session file for further exploitation, it will be detected by signatures which can be found in signature sets that include the "Command Execution" and "Server Side Code Injection" attack types or the "PHP" system.
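As an added example (not BIG-IP ASM's signature logic, and not code from this page), the simplified inspector below checks a raw HTTP request for the two indicators the text describes: directory-traversal sequences in the PHPSESSID cookie, and PHP open tags in the query string or body. The sample requests are constructed; the host name and parameter names are placeholders.

```python
"""Added example: flagging the two exploit indicators described in the text.

A minimal stand-in for a WAF rule, not BIG-IP ASM's own signatures:
 - '../' (or its URL-encoded form) inside the PHPSESSID cookie value
 - a PHP open tag inside the request line or body
All requests below are constructed samples.
"""
import re
from typing import Dict, List
from urllib.parse import unquote, unquote_plus

TRAVERSAL = re.compile(r"\.\.[/\\]")
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
SESSION_ID = re.compile(r"[A-Za-z0-9]{32}")


def phpsessid_from_cookie_header(cookie_header: str) -> str:
    """Extract the PHPSESSID value from a Cookie header value ('' if absent)."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "PHPSESSID":
            return value
    return ""


def inspect_request(raw: str) -> List[str]:
    """Return the list of findings for one raw HTTP request (headers + body)."""
    findings: List[str] = []
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0] if lines else ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            # Decode once so '..%2F' is matched the same way as '../'.
            sid = unquote(phpsessid_from_cookie_header(value))
            if TRAVERSAL.search(sid):
                findings.append("directory traversal in PHPSESSID")
            elif sid and not SESSION_ID.fullmatch(sid):
                findings.append("PHPSESSID is not 32 alphanumeric characters")
    # PHP code may arrive in the query string or in a form body; decode before matching.
    if PHP_TAG.search(unquote_plus(request_line)) or PHP_TAG.search(unquote_plus(body)):
        findings.append("PHP open tag in request parameters")
    return findings


# Constructed sample requests (host and parameter names are placeholders).
SAMPLE_REQUESTS: Dict[str, str] = {
    "benign": (
        "GET /index.php HTTP/1.1\r\n"
        "Host: app.example\r\n"
        "Cookie: PHPSESSID=0123456789abcdef0123456789abcdef\r\n\r\n"
    ),
    "traversal_cookie": (
        "GET /index.php HTTP/1.1\r\n"
        "Host: app.example\r\n"
        "Cookie: lang=en; PHPSESSID=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fa.txt\r\n\r\n"
    ),
    "php_in_body": (
        "POST /index.php HTTP/1.1\r\n"
        "Host: app.example\r\n"
        "Cookie: PHPSESSID=0123456789abcdef0123456789abcdef\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "username=%3C%3Fphp+echo+1%3B+%3F%3E"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(f"{label}: {inspect_request(raw) or ['clean']}")
```

The cookie check decodes the value once before matching, because a traversal sequence sent as `..%2F` reaches the application as `../` after the web server decodes it; matching only the literal form would miss the encoded variant. The third finding ("not 32 alphanumeric characters") is broader than a traversal signature and mirrors the vendor's patched validation, so it also catches malformed session IDs that carry no `../` at all.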