LIFARS, a SecurityScorecard company

Official PHP Git Repository Was Compromised

Do you remember the SolarWinds supply chain compromise, which was revealed in December 2020? A similar issue now affects PHP, the server-side programming language that powers over 79% of the websites on the Internet.

What Happened?

On March 28th, 2021, two commits to the PHP source code turned out to be anything but ordinary. They contained a backdoor that would execute if the HTTP_USER_AGENTT string started with ‘zerodium’. This change could be misused by attackers to achieve remote code execution. The true ‘authors’ of the commits tried to disguise them, pretending that the commits merely corrected a typo.

Figure 1: Malicious commit signed off as R. Lerdorf.

Affected commits:

Soon after community members started to wonder what this ’new feature’ was supposed to do, the PHP maintainers published an announcement.

Nikita Popov stated that two malicious commits had been pushed to the php-src repository under the names of Rasmus Lerdorf and himself. The investigation is ongoing, and the PHP maintainers are reviewing their repositories for any tampering beyond the two referenced commits. It is not yet known how it happened, but according to the published announcement, everything points towards a compromise of the git.php.net server rather than a compromise of an individual Git account.

In a prompt response to the incident, Nikita Popov announced that the project will discontinue using git.php.net, as maintaining their own Git infrastructure is an unnecessary security risk. The GitHub repositories will become canonical instead. This means that PHP contributors will now need to be members of the PHP organization on GitHub, and enabling MFA is required for any prospective member.

Ultimately, the malicious commits were identified and reverted.

The code change could be misused to achieve RCE (Remote Code Execution). Line 370 executes PHP code taken from the User-Agent HTTP header if the string starts with ‘zerodium’. The variable ‘enc’ is set on line 366 and contains whatever was submitted in the HTTP_USER_AGENTT header.
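As an added example (not code from the LIFARS post or from the PHP project), the following Python scans captured HTTP requests for the trigger condition described above. It maps header names to their CGI/$_SERVER form, so the header PHP exposes as HTTP_USER_AGENTT is found regardless of the case the client used, while the ordinary User-Agent header is left alone. The sample requests are constructed for illustration.

```python
from typing import Iterable, Dict, List

# CGI variable name PHP exposes for the backdoor's trigger header (from the announcement).
TRIGGER_VAR = "HTTP_USER_AGENTT"
# The backdoor fires when the header value starts with this string; match it exactly
# to keep false positives low.
TRIGGER_PREFIX = "zerodium"


def cgi_var_name(header_name: str) -> str:
    """Map an HTTP header name to its CGI/$_SERVER variable name (upper-case, '-' -> '_')."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def parse_request_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into {CGI_NAME: value}."""
    lines = raw_request.replace("\r\n", "\n").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:            # skip the request line
        if not line.strip():
            break                     # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                  # malformed header line, ignore it
        headers[cgi_var_name(name)] = value.strip()
    return headers


def is_backdoor_trigger(raw_request: str) -> bool:
    """True if this request would satisfy the backdoor condition (HTTP_USER_AGENTT starts with 'zerodium')."""
    value = parse_request_headers(raw_request).get(TRIGGER_VAR, "")
    return value.startswith(TRIGGER_PREFIX)


def scan_requests(requests: Iterable[str]) -> List[int]:
    """Return the indices of requests that match the trigger condition, for alerting."""
    return [i for i, req in enumerate(requests) if is_backdoor_trigger(req)]


# Constructed sample traffic (not real captures): only requests 1 and 2 carry the trigger header.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: zerodium-constructed-test-value\r\n\r\n",
    "POST /api HTTP/1.1\r\nHost: example.test\r\nuser-agentt: zerodium-constructed-test-value\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: zerodium-research-bot\r\n\r\n",
]

if __name__ == "__main__":
    print("flagged request indices:", scan_requests(SAMPLE_REQUESTS))  # → [1, 2]
```

The same check can be applied to a web server or WAF log as long as the log format records the extra User-Agentt header, which the default combined log format does not.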

Figure 2: Details of the backdoor code's functionality, with observations discussed by contributors.

Recommendations

We recommend performing the following activities:

References

Changes to Git commit workflow