Blog

Debugging With Redis MONITOR

Published: October 12, 2017

Today I learned about the Redis MONITOR command. Running it is basically like tail -f-ing Redis…it prints every command issued against the Redis instance, kind of like varnishncsa.

Per the docs…

MONITOR is a debugging command that streams back every command processed by the Redis server

https://redis.io/commands/monitor

Preventing Pages From Being Overwritten By Directories When Using wget -r

Published: September 29, 2017

When you invoke wget with the -r flag it will attempt to clone an entire website…a handy feature. However, by default you can end up with some pages being overwritten by directories.

Here, we’ll investigate the problem in more detail and lay out a solution.

Preserving The Hash And Query String With Jekyll Redirects

Published: September 21, 2017


If you’re running Jekyll on GitHub pages and looking to set up redirects, there’s a good chance you stumbled upon jekyll-redirect-from. It’s a nice little tool for creating redirects, simply by declaring them in a page’s front matter. However, if you create a redirect using jekyll-redirect-from, there’s an issue that you might be concerned about…it does not preserve the query string or hash from the original request URL when redirecting the user.

There’s an issue in the repo about this which, at the time of writing, has been open for nearly a year. There’s also a PR to fix it. However, in the interest of keeping jekyll-redirect-from simple and lightweight, it seems unlikely that this will be fixed.

Fortunately, I’ve found a workaround that allows redirects on GitHub pages and preserves the query string and hash.

Java Serialized Object Detection

Published: September 12, 2017


I’m currently working on a tool that, among other things, attempts to detect if a string represents a serialized Java object.

I spent a while trying to find the best means for doing this and ultimately found the answer to my question in the slides for a talk titled “Deserialize My Shorts Or How I learned to Start Worrying and Hate Java Object Deserialization” by Christopher Frohoff.

Using CVE-2016-4010's POP Chain In Magento 1

Published: September 10, 2017

CVE-2016-4010 is an object injection vulnerability whereby an attacker can trick Magento into unserializing user-controlled input.

Additionally, its author identified a POP chain that allows arbitrary file write. The chain, which was discovered in the Magento 2 code base, works like this…

1. Credis_Client::__destruct

Trick Magento into unserializing an instance of Credis_Client. __destruct is automatically called on the instance as a result of unserialization.

2. Magento\Sales\Model\Order\Payment\Transaction::close()

Credis_Client calls close on its protected redis property, for which an instance of Magento\Sales\Model\Order\Payment\Transaction is injected.

3. Magento\Framework\Simplexml\Config\Cache\File::save

Magento\Sales\Model\Order\Payment\Transaction calls save on its _resource property, for which an instance of Magento\Framework\Simplexml\Config\Cache\File is injected.

4. file_put_contents

Magento\Framework\Simplexml\Config\Cache\File::save will call file_put_contents using stat_file_name and components. Those properties can also be injected allowing complete control over both the contents and the location of the file (including filename).

A pretty nasty sequence of events…

I decided to do a little investigation into the feasibility of using this POP chain against Magento 1. Here I’ll share my findings…

PHP Property Type Hints For Security

Published: September 5, 2017

Recently I’ve been spending a lot of time experimenting with PHP unserialize object injection vulnerabilities. Frequently, exploits against these types of vulnerabilities involve chaining together multiple objects to call unexpected methods on unexpected properties. This technique is known as creating a POP (property oriented programming) chain. Here are a few examples of how that plays out in PHP world…

In fact, there’s even a new project on GitHub called phpggc which is building a list of generic POP chains (“gadgets”), similar to ysoserial in the Java world.