on 31-Aug-2017 07:25
Object serialization has always been a tricky subject. Using serialization as a design pattern can always lead to catastrophic consequences such as remote code execution when user input isn't properly validated.
In the past we have released an article covering several PHP serialization related 0-day vulnerabilities and how those were effectively mitigated using those "PHP object serialization injection attempt" signatures: https://devcentral.f5.com/s/articles/php-7-unserialize-mechanism-0-days-24588
In the past week we've witnessed several more PHP serialization vulnerabilities (CVE-2017-12932, CVE-2017-12933, CVE-2017-12934), which are not covered by our existing signatures. By inspecting proof-of-concept code related to these vulnerabilities, techniques targeting additional attack surfaces are becoming apparent:
The malformed data leads PHP into unexpected behavior such as "heap use after free" and "buffer over-read". As of now, there is no public exploit that demonstrates direct connection to remote code execution using this technique.
An Attack Signature Update containing signatures designed to mitigate these vulnerabilities has already been released. The relevant signatures are:
The following images demonstrate how ASM blocks those exploits: