So I started a new part-time position this week and today was my first day - remote, ofcourse. I’m supposed to be a Malware Analyst - analyzing malwares and creating reports. It’s a new role for me since most of my experience has been in development, but I have always wanted to give core Security roles a try so I’m looking forward to this.
But anyways, point being - while researching today, I came across this hack that occurred in March earlier this year:
Attackers spoofed 2 commits to the official PHP Repo - supposedly as “typo fixes” (which as we can see, clearly were not).
These added lines looked for a new USER_AGENTT header in a request and executed whatever came after the string zerodium, as PHP code.
I actually didn’t come across this news directly. I found some delibrately malicious programs during my research that had a very similar code in Python. They create a new endpoint via Flask and intercepted the USER_AGENTT header’s value to any request made.
I was a bit confused when I first came across this exploit. Being the noob I am, I got hung up on the fact that they only ran
the string as code when zerodium was present as a prefix. “Is there someone/some organization by the name of ‘Zerodium’ that gets to control what is executed?” I thought I was onto something big for a second.
And then I Googled and realised it was an actual thing that had occurred in the past. What’s more, “Zerodium” was indeed the name of a company that bought exploits/bugs for large sums of money. However, they didn’t have anything to do with this - it was merely a troll from the attackers to use their name, claiming to have sold it to them.
I wanted to mess around with it a bit so I replicated the Python implementation in another file, fired up the Flask server and sent some requests via Postman to see it in action. And sure enough:
I suppose this is quite straightforward and something like this is not likely to happen so easily. Only reason this was even possible was because PHP’s git server got compromised. The actual saunce behind the whole attack probably lies there. The maintainers did switch completely to GitHub shortly after where organizational access and other security measures would prevent something like this from happening in the future.
In anycase, I thought this was something cool + it’s my first time doing this kind of research so I guess I was just a bit excited :P
Well anyways, till next time.
