Hunting for PHPUnit Installed via Composer

Published: 2021-11-30
Last Updated: 2021-11-30 14:04:18 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

One rather persistent pattern in our honeypot logs is attacks against older PHPUnit flaws. These attacks appear to exploit CVE-2017-9841, a simple remote code execution vulnerability [1]. Back in 2019, Imperva called it "one of the most exploitable CVEs of 2019", and even now, attacks keep coming in [2]. After tuning one of our honeypots to be more sensitive to these attacks, we saw one to two thousand attacks against the honeypot a day (the honeypot covers multiple IP addresses).

Number of attacks/day exploiting CVE-2017-9841

So why is a four-year-old vulnerability still so popular? Looking at the exploited URLs, one pattern emerged is the inclusion of WordPress plugins and other addons that administrators may install via composer. The most common URLs are:

/sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/wp-content/plugins/cloudflare/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/wp-content/plugins/mm-plugin/inc/vendors/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
...

One issue may be that administrators installing these plugins and extensions may not be aware that they will install and enable PHPUnit as they install the respective extension. A typical composer.json file used to install the extension will include an extension like

"require-dev": {
    "phpunit/phpunit": "^6.2.2"
},

The example above includes version 6.2.2 or later of PHPUnit if the respective module is installed with the "dev" option (composer install --dev). Luckily, only PHPUnit before 5.6.3 or 4.8.27 is vulnerable. I took a quick look at the respective composer.json files, and none of the current files requires such an old version (if it is still available). But I guess, given the heavy scanning for this vulnerability, there may still be sufficient numbers of vulnerable systems around.

This is also more of a "composer" vs. a WordPress problem. While WordPress remains a favorite target of attackers due to its popularity, composer like many similar technologies (npm, pip...) obscures some of the dependencies installed automatically and makes inventorying dependencies more difficult. As a   quick test, you could run this command:

find . -name 'composer.json' -exec egrep -H phpunit {} \;

to find all composer.json files that include a reference to PHPUnit

[1] https://nvd.nist.gov/vuln/detail/CVE-2017-9841
[2] https://www.imperva.com/blog/the-resurrection-of-phpunit-rce-vulnerability/

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

0 comment(s)
ISC Stormcast For Tuesday, November 30th, 2021 https://isc.sans.edu/podcastdetail.html?id=7774

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives