Gal_Goldshtein
F5 Employee

ThinkPHP is an open source PHP development framework for agile web application development. The framework is widely adopted worldwide; a quick Shodan search shows more than 40,000 active deployments.

Recently, an unauthenticated remote code execution vulnerability was discovered in ThinkPHP, and it was quickly adopted by a large number of threat actors who started scanning for vulnerable instances.

The root cause of the vulnerability is the way ThinkPHP parses the requested controller and executes the requested function. The patch committed to the GitHub repository by the maintainers shows that a regular expression validating the supplied controller name was added.

Figure 1: Vulnerability patched by adding a regular expression that validates the supplied controller name

This check was needed because ThinkPHP receives the requested module, controller and function to execute in a single query parameter and splits it using the ‘/’ character as a delimiter.

Figure 2: ThinkPHP splits the received string in order to get the module and controller names

Once ThinkPHP has parsed the controller name and function, it first creates an instance of the supplied controller by using reflection and then executes the requested function.

Figure 3: ThinkPHP creates an instance of the requested controller and executes the requested function

The two publicly disclosed vectors leading to arbitrary command execution both attempt to load a legitimate ThinkPHP class. The two payloads are:

http://thinkphp/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls%20-l

http://thinkphp/public/index.php?s=/index/\think\request/cache&key=ls%20-l|system

The first attack vector attempts to execute the “invokeFunction” method of the ThinkPHP App class, which allows specifying an arbitrary function to execute and passes the required arguments to this function.

Figure 4: invokeFunction method of ThinkPHP App class

The second attack vector attempts to execute the cache function of the ThinkPHP Request class, which splits the supplied value into a function name and a parameter using the ‘|’ character as a delimiter, and then executes that function with its parameter.

Figure 5: cache method of ThinkPHP Request class
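As an added example (not code from this article or from the ThinkPHP project), the following Python script re-creates the routing behaviour described above: it splits the s parameter on ‘/’, applies an allowlist check to the controller segment in the spirit of the patch shown in Figure 1 (the exact upstream pattern is an assumption here), and runs that check over constructed access-log lines so that the two request targets quoted above are flagged while ordinary routes pass.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist for a controller name, modelled on the check the patch added
# (assumption: a plain identifier with no namespace separator; the exact
# pattern used upstream may differ).
CONTROLLER_RE = re.compile(r"^[A-Za-z](\w|\.)*$")

def parse_route(s_param):
    """Split the 's' parameter on '/' as the article describes and return
    (module, controller, action); missing segments are None."""
    parts = [p for p in s_param.split("/") if p]
    parts += [None] * (3 - len(parts))
    return tuple(parts[:3])

def controller_is_valid(controller):
    return controller is not None and CONTROLLER_RE.match(controller) is not None

def check_request(path_and_query):
    """Route a request target and report whether the allowlist rejects its
    controller; returns None when no 's' parameter is present."""
    qs = parse_qs(urlsplit(path_and_query).query, keep_blank_values=True)
    if "s" not in qs:
        return None
    module, controller, action = parse_route(qs["s"][0])
    return {"module": module, "controller": controller, "action": action,
            "rejected": not controller_is_valid(controller)}

# Constructed access-log lines: the first two reuse the request targets
# quoted in the article, the last two are benign traffic.
SAMPLE_LOG = [
    r'10.0.0.5 - - [18/Dec/2018:09:42:01 +0000] "GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls%20-l HTTP/1.1" 200 512',
    r'10.0.0.6 - - [18/Dec/2018:09:42:07 +0000] "GET /public/index.php?s=/index/\think\request/cache&key=ls%20-l|system HTTP/1.1" 200 231',
    r'10.0.0.7 - - [18/Dec/2018:09:42:15 +0000] "GET /public/index.php?s=/index/user/login HTTP/1.1" 200 1024',
    r'10.0.0.8 - - [18/Dec/2018:09:42:20 +0000] "GET /public/index.php HTTP/1.1" 200 2048',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_log(lines):
    """Return (client_ip, controller) for each request whose controller the
    allowlist would reject, i.e. the requests the patched router refuses."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        result = check_request(m.group(1)) if m else None
        if result and result["rejected"]:
            hits.append((line.split(" ", 1)[0], result["controller"]))
    return hits
```

Running scan_log(SAMPLE_LOG) reports the two clients that requested a namespaced class name as the controller, which is exactly what the added regular expression refuses.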

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers running any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt is detected by a dedicated attack signature recently released to mitigate the exploitation attempts described above, which can be found in signature sets that include the “Server Side Code Injection” attack type or the “PHP” system.

Figure 6: Exploitation attempt blocked by signature id 200004481

Advanced WAF customers with a Threat Intelligence subscription are protected by the following Threat Campaigns:

- ThinkPHP Remote Code Execution - HelloThinkPHP

- ThinkPHP Remote Code Execution - curl zz

Last update: 18-Dec-2018 09:42