Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

ThinkPHP 6.0.0 - 6.0.1 Arbitrary File Write Vulnerability

Eli_Kreminchuke
F5 Employee
F5 Employee

on ‎16-Jan-2020 07:37

ThinkPHP is an open source PHP development framework for agile web application development. The framework is vastly adopted worldwide, a quick Shodan search shows more than 40,000 active deployments.


On the 15th of January a new vulnerability in ThinkPHP was disclosed after being patched by the vendor. The vulnerability allows the attacker to write or overwrite arbitrary files in the system. The root cause of the vulnerability is session management functionality using the user-controlled value of the session cookie as the name of a file saved in the file system. By using directory traversal, an attacker can save the file anywhere in the system. If the content of the file, which depends on a specific application logic, is also controllable, the attacker could write a web shell to the system and access it.


It is important to note, that the session initiation is not enabled by default and requires a manual change in configuration. The vulnerability affects ThinkPHP versions 6.0.0 - 6.0.1.


Technical details


The attacker sends a custom PHPSESSID to the server:

0151T000003lUotQAE.PNG

Figure 1: A request with user-controlled session cookie


The server handles the request and uses the PHPSESSID cookie value to set the user's session:

0151T000003lUouQAE.PNG

Figure 2: Setting the session ID with a user-controlled value


The application verifies that the PHPSESSID value is a 32-byte string, if the condition is met than the session value is accepted and set:

0151T000003lUoyQAE.PNG

Figure 3: Verifying the value is a 32-byte string


After establishing the session ID value, while constructing the response, the application saves the session information to a file with the session ID value as its name:

0151T000003lUp3QAE.PNG


0151T000003lUpIQAU.PNG

Figure 4, 5: Writing a file to the system with the value of the session cookie


0151T000003lUpNQAU.PNG

Figure 6: The file created on the file system


The vendor patched ThinkPHP and added an additional check for the PHPSESSID value allowing only alphanumeric characters, preventing the possibility of directory traversal: 


0151T000003lUpSQAU.PNG


Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. While exploiting this vulnerability attacker will try to send payloads containing directory traversal. The exploitation attempt will be detected by existing attack signatures.

0151T000003lUpXQAU.PNG

Figure 8: Exploit blocked with Attack Signature (200000190)

0151T000003lUpcQAE.PNG

Figure 9: Exploit blocked with Attack Signature (200101550)


In addition, if the attacker will try to inject PHP code to stored in the session file for further exploitation, it will be detected by signatures which can be found in signature sets that include "Command Execution" and "Server Side Code Injection" attack types or "PHP" system.

Labels:
0 Kudos
Version history
Last update:
‎16-Jan-2020 07:37
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC