Reevaluate “low-risk” PHP unserialization vulnerabilities, researcher says

LAS VEGAS — In cybercrime, as in most areas of crime (or business), the more things change, the more they stay the same.

The emergence of Petya/NotPetya and other virulent forms of malware has showcased how the best and most successful black-hat hacks are not entirely new: bad actors simply take older, more established approaches or attack vectors and add a new twist. And so it is with PHP unserialization attacks, as showcased at the Black Hat conference earlier this month by Sam Thomas, director of research for Secarma Ltd, an information security consultancy.

Thomas was able to demonstrate a new exploitation method that makes it easier for cyber-criminals to generate critical deserialization vulnerabilities in the PHP programming language using functions previously considered low-risk. PHP unserialization vulnerabilities, or object injection vulnerabilities as they have also been called, allow hackers to perform different kinds of attacks by supplying malicious inputs to the “unserialize” PHP function. (Serialization is the process of converting data objects into a plain string, and the unserialize function recreates an object back from a string.) This attack vector has been documented since 2009, so the fact that these flaws exist is nothing new.
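The classic pattern the paragraph describes, shown as an added PHP example that is not code from the article, from Secarma or from Thomas's talk: the `CacheEntry` class, the two handler functions and the input string are constructed for illustration, and the block covers the long-documented `unserialize()` path rather than the new exploitation method Thomas presented.

```php
<?php
// A class with a magic method is the kind of "gadget" unserialize() can revive.
class CacheEntry {
    public $path;
    public static $wakeups = 0;

    // __wakeup runs automatically when unserialize() rebuilds this object,
    // so whoever controls the serialized string decides whether it executes.
    public function __wakeup() {
        self::$wakeups++;
    }
}

// Vulnerable: untrusted input goes straight into unserialize(), which
// instantiates whatever class the string names and fires its magic methods.
function loadSessionVulnerable(string $untrusted) {
    return unserialize($untrusted);
}

// Hardened: 'allowed_classes' => false (PHP 7.0+) forbids instantiating any
// class; objects come back as __PHP_Incomplete_Class and no magic method runs.
function loadSessionHardened(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Constructed input: a serialized CacheEntry, the kind of string a client could
// place in a cookie or form field where the application expects plain data.
$input = serialize(new CacheEntry());

$obj = loadSessionVulnerable($input);
printf("vulnerable handler: class=%s, __wakeup calls=%d\n",
       get_class($obj), CacheEntry::$wakeups);

$obj = loadSessionHardened($input);
printf("hardened handler:   class=%s, __wakeup calls=%d\n",
       get_class($obj), CacheEntry::$wakeups);

// For plain data the safer choice is a format that never creates application
// objects at all, such as JSON decoded to an associative array.
$data = json_decode('{"user":"alice"}', true, 512, JSON_THROW_ON_ERROR);
var_dump(is_array($data));
```

Running the script shows the `__wakeup` counter advance only for the vulnerable handler; the hardened one returns an incomplete-class placeholder for the same input.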

Indeed, OWASP added PHP deserialization to its Top 10 list, and last year’s massive Equifax breach was reportedly initiated through deserialization.