Posted on April 10, 2021 at 2:10 PM
Recently, a hacking group attacked and compromised the self-managed Git server owned by the maintainers of the PHP programming language. From what is known, the attack is classified as a software supply chain attack: the attackers compromised the server and inserted a backdoor into the source code.
The PHP maintainers managed to avert the attack, which took place on March 28th, 2021. The server hosted the Git repository for a new version of PHP that is still in development.
Several PHP contributors inspected the code after the attack and found that a number of changes had been made to it.
What were the hackers hoping to achieve?
The hackers’ true goal is not known, but so far it appears that they targeted any server that uses PHP ZLib compression when sending data. The large majority of servers use this functionality on almost all transmitted content, except for content such as images and archives that is already compressed.
After analyzing the attack, researchers believe that the goal was to turn PHP into a remote web shell, which attackers would be able to use to execute pretty much any command later down the road, with no authentication required. Essentially, they would have the same privileges as the server that is running PHP.
The backdoor would be triggered whenever an incoming request contained the trigger word ‘zerodium’. When that condition was met, PHP would execute the code carried in the User-Agent request header, as the experts who analyzed it explained.
Also worth noting is that the header looks very similar to the regular User-Agent header that PHP reads to check the properties of the browser.
So, as long as the trigger word was present, the server would treat the rest of the request header as a command and execute it with the server’s privileges, whatever that command was. Attackers could therefore run any command they wanted without needing any further privileges.
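The mechanism described above leaves one obvious trace for defenders: the trigger word has to travel in a request header, and web servers normally log the User-Agent value. The following script is an added example, not code from the article or from the PHP project. It parses constructed access-log lines in the common "combined" format and flags every request whose User-Agent contains the trigger word; the sample lines, IP addresses and the placeholder after the trigger word are all constructed, and the case-insensitive match is a detection choice rather than a claim about how the backdoor itself compared the string.

```python
import re

# Constructed sample lines in the "combined" access log format used by Apache and
# Nginx; not real traffic. The final quoted field is the User-Agent header.
# Trigger-bearing lines carry a labelled placeholder, not a working payload.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [28/Mar/2021:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "zerodium<constructed-placeholder>"
198.51.100.4 - - [28/Mar/2021:10:02:11 +0000] "POST /login.php HTTP/1.1" 302 - "-" "curl/7.68.0"
198.51.100.4 - - [28/Mar/2021:10:02:40 +0000] "GET /img/logo.png HTTP/1.1" 200 8192 "-" "ZeroDium <constructed-placeholder>"
malformed line that does not match the log format
"""

# Field layout of the combined log format: client, identd, user, [timestamp],
# "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Trigger word described in the article.
TRIGGER = "zerodium"


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trigger_ua(user_agent: str) -> bool:
    """True if the User-Agent value contains the trigger word.

    The match is case-insensitive on purpose: a detector should err on the side
    of flagging, and no legitimate browser User-Agent contains this word.
    """
    return TRIGGER in user_agent.lower()


def find_trigger_requests(log_text: str):
    """Scan a whole log and return (ip, timestamp, request, user_agent) for every hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        if is_trigger_ua(rec["ua"]):
            hits.append((rec["ip"], rec["ts"], rec["req"], rec["ua"]))
    return hits


if __name__ == "__main__":
    for ip, ts, req, ua in find_trigger_requests(SAMPLE_LOG):
        print(f"ALERT {ts} {ip} {req!r} user-agent={ua!r}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; lines that do not match the combined format are skipped rather than aborting the scan, and the hits it returns carry the client address and timestamp a responder needs to pivot on.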
Zerodium itself is a company that works as a vulnerability broker: it purchases zero-day vulnerabilities and resells them to government agencies. The company firmly denied having anything to do with this attack. Its CEO, Chaouki Bekrar, went as far as to accuse the researchers of installing the backdoor themselves in order to sell it, and of disclosing the flaw only after they could not find a buyer.
However, given the lifetime of the backdoor, the accusation does not make much sense.
The malicious commits were made under the names of the PHP project’s author, Rasmus Lerdorf, and of Nikita Popov.
The consequences of the attack
According to Nikita Popov, a major PHP contributor working at JetBrains, the team has not yet managed to establish how the intrusion occurred. The leading explanation is that the git.php.net server itself was compromised; this is considered far more likely than a compromise of an individual Git account.
Regardless of how the attackers got in, the team said that maintaining its own Git infrastructure was an unnecessary security risk. It therefore decided to discontinue the server and make the repositories hosted on GitHub the canonical copies for future releases, since the copy on the server had been compromised.
Contributors now need to be members of the PHP organization on GitHub and have two-factor authentication (2FA) enabled, which makes it a much safer place to work on and hold copies of the PHP source.
On top of that, Popov said there are plans to review the PHP codebase beyond just the malicious commits. The public was also invited to review the code and raise the alarm on anything suspicious.
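Because the malicious commits were pushed under the names of two maintainers, a review of the history has to look at more than author names. The script below is an added example, not the PHP team’s tooling and not something the article describes: it assumes the reviewer has exported history with `git log --format='%H%x09%an%x09%ae%x09%G?%x09%s'` (the `%G?` placeholder is git’s signature-status code) and that commits from a protected set of authors are expected to carry a good signature. The commit hashes, e-mail addresses and subjects are constructed, and the author-name set is an assumption for the example.

```python
from dataclasses import dataclass
from typing import List

# Constructed output (not the real PHP history) of:
#   git log --format='%H%x09%an%x09%ae%x09%G?%x09%s'
# %G? is git's signature-status code: G = good signature, N = no signature,
# B = bad signature, E = signature could not be checked, among others.
SAMPLE_GIT_LOG = """\
0123456789abcdef0123456789abcdef01234567\tRasmus Lerdorf\trasmus@example.org\tG\tUpdate NEWS
89abcdef0123456789abcdef0123456789abcdef\tRasmus Lerdorf\trasmus@example.org\tN\tFix typo
fedcba9876543210fedcba9876543210fedcba98\tNikita Popov\tnikic@example.org\tN\tFix typo
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef\tSome Contributor\tdev@example.net\tN\tImprove docs
"""

# Assumed for this example: authors whose commits must carry a good signature,
# because their names are the ones an attacker would be most likely to borrow.
PROTECTED_AUTHORS = {"Rasmus Lerdorf", "Nikita Popov"}


@dataclass
class Commit:
    sha: str
    author: str
    email: str
    sig_status: str
    subject: str


def parse_git_log(text: str) -> List[Commit]:
    """Parse tab-separated git log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The subject may itself contain tabs, so split into at most 5 fields.
        parts = line.split("\t", 4)
        if len(parts) != 5:
            raise ValueError(f"unexpected git log line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def flag_unverified_commits(commits: List[Commit]) -> List[Commit]:
    """Return commits that claim a protected author but lack a good signature.

    A name-only match is exactly what an impersonated commit looks like; the
    signature status is the part an attacker without the private key cannot forge.
    """
    return [c for c in commits if c.author in PROTECTED_AUTHORS and c.sig_status != "G"]


if __name__ == "__main__":
    for c in flag_unverified_commits(parse_git_log(SAMPLE_GIT_LOG)):
        print(f"REVIEW {c.sha[:12]} {c.author} <{c.email}> sig={c.sig_status} {c.subject!r}")
```

The check only has value once the maintainers’ public keys are available to the reviewer’s git installation, since `%G?` reports `E` or `U` rather than `G` for keys it cannot fully verify; a history audit should treat anything other than `G` for a protected author as something to inspect by hand.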
The PHP team also runs a home-grown privilege management system, which it named Karma, on its own Git server. There was, however, no evidence that Karma was used to compromise the servers in any way.
It is also worth noting that this was not the first time the Git server was compromised. Back in 2019, the team had to temporarily shut down the server after discovering that an unknown attacker had replaced the official PEAR (PHP Extension and Application Repository) package manager with a malicious copy. Since PHP currently powers approximately 80% of all websites in the world, a successful supply chain attack could have catastrophic consequences.
Fortunately, it is highly unlikely that the compromise affected PHP users in the wild. As far as the team can tell, the attackers may simply have done this to prove that they could.