Hello and welcome to the Thursday, September 8, 2020 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today I wrote up a quick wall on a belief scan I spotted against our own Internet Storm Center website that attempted to detect deserilization vulnerabilities.

Now, probably no secret that our website is running PHP.

So does PHP have deseralsation issues?

Sure, it may, any object-oriented language can be used to create code that's subject to deseralization vulnerabilities.

So it is not a Java or dot-net-only vulnerability.

That's, of course, where we most often talk about deserilization vulnerabilities.

But any object-oriented language where you are instantiating, basically arbitrary objects

without taking the necessary care, are susceptible to deseralization vulnerabilities.

All it takes is really a gadget, as they call it, an object that can be used to execute arbitrary

code as it is instantiated. In this particular case, they used a well-known gadget for

PHP, the Guzzle HTTP object. This is a simple HTTP client, a little bit sort of an abstraction

of a curl, which sort of comes

built in with PHP and has been well documented in how to use it in order to exploit

deseralization vulnerabilities. Like I said, this was a vulnerability scan, so it only attempted to exploit

or execute PHP info,

which of course would basically just deliver some details about the PHP configuration on the

system if we were vulnerable, which we weren't. And if you're following Brad's Malware

Analysis Diaries, you probably remember him talking about

malware that's part of the TA 505 group.

It's a very prolific crimeware family, and the write-ups that Brad usually produces are talking

...