It's a PHP Unserialization Vulnerability Jim, but Not as We Know It

Conference:  BlackHat USA 2018



The presentation discusses the vulnerability of PHP stream wrappers and the potential for attackers to exploit them to gain control of data. The speaker focuses on the far stream wrapper and the far archive file format, and provides examples of how attackers can use this vulnerability to execute arbitrary code.
  • PHP stream wrappers are a feature that can cause complex functionality to kick in from any file operation
  • The far stream wrapper is a type of archive file format that can be exploited by attackers to execute arbitrary code
  • The speaker provides examples of how attackers can use far planting to get a far archive onto a target and use PHP GGC to encapsulate payloads in the far file format
  • Real-world case studies are presented to illustrate the potential impact of this vulnerability
  • The speaker briefly discusses how to defend against this issue
The speaker provides an example of how this vulnerability can be exploited in WordPress through a legacy functionality for dealing with thumbnails. By partially controlling the value of a variable called thumb file, attackers can execute arbitrary code by triggering a function defined by a property of an array iterator class. Despite the fact that the system being attacked is Linux-based, attackers can set the value of the variable to look like a Windows path in order to exploit this vulnerability.


Recent years have seen the emergence of PHP unserialization vulnerabilities as a viable route to remote code execution or other malicious outcomes. The presentation will start with a brief refresher on the issue as it has previously been understood before introducing new research which shows how unserialization can be induced when other types of vulnerability occur, including some that would previously have been considered low impact. The presentation will include demos of long lived and previously unidentified RCE exploits against some of the most widely deployed open source PHP web applications and libraries.