Attacker updates PHP source code to include backdoor
Third-party risk management, application security, breach notification
Open-Source Project Team Says Change Could Be the Work of a White Hat or a Script Kiddie
Mathew J. Schwartz (euroinfosec)
March 29, 2021
An attacker added a backdoor to the source code repository of PHP, the widely used open source server-side scripting language, the project's developers have warned.
In an alert on Sunday, PHP contributor Nikita Popov said attackers appear to have infiltrated the project's self-hosted Git server. Git is a widely used open source version control system.
An attacker made two "malicious commits," Popov said in the security alert. A commit is a change recorded in a project's source code repository, from which it is carried into subsequent builds and releases.
Market research firm Web Technology Surveys reports that about 79% of all websites whose server-side language it can determine use PHP.
The backdoor appears to have been first spotted by PHP developers, including Michael Voříšek, who were reviewing a code change described as fixing a typo. What they found instead was that if an attacker sent a website running the backdoored PHP build an HTTP request carrying a header value that began with the string "zerodium", the rest of that value would be executed as PHP code, giving the attacker arbitrary code execution on the server.
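The trigger described above can be turned into a simple log or traffic check. The following is an added example, not code from the PHP project or from this article. It assumes the publicly analyzed behaviour of the backdoor: the malicious code read the value of a misspelled request header, User-Agentt, and if that value contained "zerodium" it evaluated the value after its first 8 bytes as PHP. The checker inspects every header value rather than only User-Agentt, since a detection rule should not depend on which header a particular build happened to read. The sample requests are constructed for this example and use a harmless payload.

```python
"""Flag HTTP requests that would have triggered the 2021 PHP git backdoor.

Added example (not the PHP project's code). Assumption: the backdoor
looked for the substring "zerodium" in a request header value (the
misspelled User-Agentt header) and evaluated value[8:] as PHP.
"""
from typing import Dict, List, Optional, Tuple

TRIGGER = "zerodium"
PAYLOAD_OFFSET = len(TRIGGER)  # the backdoor skipped the first 8 bytes of the value


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (request line, headers).

    Header names are lower-cased so look-ups are case-insensitive;
    a repeated header keeps its last value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line; ignore
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def find_trigger(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (header name, would-be payload) for the first header whose
    value contains the trigger string, or None if no header matches."""
    for name, value in headers.items():
        if TRIGGER in value:
            # Mirror the backdoor: everything after the first 8 bytes of
            # the value is what would have been handed to the PHP evaluator.
            return name, value[PAYLOAD_OFFSET:]
    return None


def scan_requests(raw_requests: List[str]) -> List[dict]:
    """Scan raw requests and return one finding per request that would
    have reached the backdoor's eval."""
    findings = []
    for raw in raw_requests:
        request_line, headers = parse_request(raw)
        hit = find_trigger(headers)
        if hit is not None:
            header, payload = hit
            findings.append({"request": request_line, "header": header, "payload": payload})
    return findings


# Constructed sample traffic for this example; not real captured requests.
SAMPLE_REQUESTS = [
    # Ordinary request: no trigger anywhere.
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    # Trigger in the misspelled header the backdoored build actually read.
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: zerodiumphpinfo();\r\n\r\n",
    # Trigger in a different header: still worth alerting on.
    "POST /login.php HTTP/1.1\r\nHost: example.test\r\nX-Forwarded-For: zerodiumecho 1;\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {finding['request']!r}: header {finding['header']} "
              f"would evaluate {finding['payload']!r}")
```

On a real deployment the same test would run over access logs or a WAF's header capture; the important point is that the trigger is an ordinary-looking header value, so nothing in the request line or path gives it away.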
Malicious addition excised
On Monday morning, the code was rolled back to a previous version that did not contain the backdoor. It is not yet known whether anyone working with pre-release code downloaded the backdoored version and deployed it to public websites. The latest stable release, PHP 8.0.3, was published on March 4, well before the malicious commits were made on Sunday, so it is not affected.
Popov, who is also a PHP-focused software developer at JetBrains, says one malicious commit was made under his name and another under the name of PHP creator Rasmus Lerdorf.
The two say they did not make those commits, and Popov notes that key members of the project team are investigating. "We don't know exactly how it happened yet, but everything points to a compromise of the git.php.net server (rather than a compromise of an individual git account)," he says.
“While the investigation is still ongoing, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will shut down the git.php.net server,” he adds. “Instead, repositories on GitHub, which were previously just mirrors, will become canonical. This means that changes must go directly to GitHub rather than git.php.net.”
Popov issued the alert after conferring with other team members in the PHP discussion group on Stack Overflow.
“I think this is an invaluable opportunity to shut down git.php.net and declare the github repository canonical,” he posted.
"Yeah, burn it with fire, having our own git servers complicates it, it's a waste of time all over the place," PHP contributor Joe Watkins said in response. "The facts are, we [expletive] suck at keeping things safe, and should pass the baton to the pros."
Popov notes that “previously write access to repositories was handled by our local karma system,” while now anyone who wants to contribute code will have to register with PHP’s GitHub organization. “Joining the organization requires the activation of 2FA,” he says, meaning anyone who tries to push code will have to use multi-factor authentication to validate their identity.
Zerodium Named in Backdoor
Confusion persists as to what the attacker could have tried to accomplish.
The fake commits reference Zerodium, a Washington-based security company that specializes in buying and selling zero-day vulnerabilities and exploits.
A comment embedded in the malicious code claims that a PHP zero-day flaw was sold to Zerodium in 2017, as noted by Mikko Hypponen, chief research officer at Finnish security firm F-Secure.
"REMOVETHIS: sold to Zerodium, mid 2017" #PHP
Mikko Hypponen (@mikko), March 29, 2021
In other words, whoever added the code doesn’t seem to have tried to be stealthy.
“It’s weird, because it’s so… totally obvious,” said a participant in PHP’s Stack Overflow discussion board. “It was the ‘REMOVETHIS: sold to Zerodium, mid 2017’ that confused / worried me. What was sold in 2017?”
"Well, I think it could have been a poorly delivered whitehat, tbqh," replied Sara Golemon, a PHP project developer who served as the release manager for the 7.2 and 8.0 branches of PHP, referring to a white hat hacker trying to do good. "Or a totally inept skript-kiddie. Hard to say sometimes."
“It doesn’t matter that we don’t know how we won, every win counts,” said Watkins.
But Chaouki Bekrar, CEO of Zerodium, suggests that one or more attackers had failed to find a zero-day broker who wanted to buy the underlying bug or exploit, “so they burned it for fun.”
"Well done to the troll who put 'Zerodium' in today's compromised PHP commits. Obviously, we have nothing to do with it.
Probably the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this shit, so they burned it for fun."
Chaouki Bekrar (@cBekrar), March 29, 2021
The malicious additions to the PHP source code had been removed by Monday morning, and Popov says a more in-depth review of the PHP source code is underway. "We are reviewing the repositories for any corruption beyond the two referenced commits," he says. "Please contact [email protected] if you notice anything."
This story has been updated with comments from Zerodium CEO Chaouki Bekrar.