The maintainers of the PHP programming language averted a software supply chain attack after unknown threat actors compromised the project's self-managed Git server and inserted a backdoor into the PHP source code.
The malicious commits were pushed on March 28, 2021 to the Git repository of a still-in-development version of PHP.
The changes did not go unnoticed: PHP contributors Markus Staab, Jake Birchall, and Michael Voříšek spotted them during post-commit code review, and the commits were reverted before they reached any release.
Supply chain attack targeted the zlib extension, would have turned PHP into a remote web shell
The backdoor was planted in PHP's zlib extension, so it would have affected any server that uses PHP's zlib output compression when sending responses. Many servers enable this compression for most content other than images and archives, which are already size optimized.
Had it shipped, the backdoor would have turned PHP into a remote web shell through which the attackers could execute arbitrary commands without authentication, running with the same privileges as the web server process that hosts PHP.
The backdoor is triggered early in request handling by checking whether the request carries a "User-Agentt" header containing the word "zerodium". If it does, PHP evaluates the rest of that header value as PHP code.
The header name closely resembles the standard "User-Agent" request header, which browsers send to identify themselves, so the extra lookup is easy to overlook in a code review.
The remainder of the header value would thus be run as code on the PHP server with the web server's privileges, letting the attackers execute any command they chose without needing credentials or further privilege escalation.
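To make the trigger concrete, the following detector is an added example written for this article (it is not code from the PHP project or from the article's author). It parses raw HTTP requests, flags any that carry a "User-Agentt" header containing "zerodium", and returns the text that would have been handed to PHP's eval, while ignoring the trigger word when it appears only in the legitimate User-Agent header. It assumes the code to run directly follows the trigger word, and that the input is a full request capture (a WAF audit log or reverse-proxy header dump), since ordinary access logs record only User-Agent and would never show the lookalike header. The sample requests are constructed, not captured traffic.

```python
"""Flag HTTP requests that would have fired the PHP "User-Agentt" backdoor.

Added example for this article; not code from the PHP project. Assumes the
PHP code to evaluate immediately follows the trigger word in the header
value, and that the input is a raw request capture rather than an access log.
"""
from typing import Dict, List, Optional, Tuple

TRIGGER = b"zerodium"
# PHP exposes request headers as $_SERVER['HTTP_<NAME>'] with the name
# upper-cased and '-' replaced by '_', so "User-Agentt" and "user-agentt"
# both become HTTP_USER_AGENTT; match case-insensitively to mirror that.
BACKDOOR_HEADER = b"user-agentt"


def parse_headers(raw_request: bytes) -> Dict[bytes, bytes]:
    """Return the header block of a raw HTTP/1.x request as a lower-cased dict.

    Only the first occurrence of a repeated header is kept, which is enough
    for this check; the request line and body are ignored.
    """
    head, _sep, _body = raw_request.partition(b"\r\n\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        key = name.strip().lower()
        if colon and key not in headers:
            headers[key] = value.strip()
    return headers


def backdoor_payload(raw_request: bytes) -> Optional[bytes]:
    """Return the PHP code the backdoor would have evaluated, or None.

    Mirrors the trigger described in the article: the lookalike User-Agentt
    header must be present and must contain "zerodium". The word appearing
    in the legitimate User-Agent header is deliberately not enough.
    """
    value = parse_headers(raw_request).get(BACKDOOR_HEADER)
    if value is None:
        return None
    idx = value.find(TRIGGER)
    if idx < 0:
        return None
    # Assumption: the code to evaluate is whatever follows the trigger word.
    return value[idx + len(TRIGGER):].strip()


def scan(requests: List[bytes]) -> List[Tuple[int, bytes]]:
    """Run backdoor_payload over a batch; return (index, payload) per hit."""
    hits: List[Tuple[int, bytes]] = []
    for i, req in enumerate(requests):
        payload = backdoor_payload(req)
        if payload is not None:
            hits.append((i, payload))
    return hits


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS: List[bytes] = [
    # 0: ordinary browser request
    b"GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept-Encoding: gzip\r\n\r\n",
    # 1: trigger word in the real User-Agent header only -> not the backdoor
    b"GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n"
    b"User-Agent: zerodium-scanner/1.0\r\nAccept-Encoding: gzip\r\n\r\n",
    # 2: lookalike header present but without the trigger word -> harmless
    b"GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n"
    b"User-Agentt: curl/7.0\r\nAccept-Encoding: gzip\r\n\r\n",
    # 3: lookalike header, trigger word, PHP code after it -> web shell
    b"GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept-Encoding: gzip\r\n"
    b"user-agentt: zerodiumsystem('id');\r\n\r\n",
]


if __name__ == "__main__":
    for index, code in scan(SAMPLE_REQUESTS):
        print(f"request {index}: backdoor trigger, would eval {code!r}")
```

Only request 3 is reported; requests 1 and 2 show why matching on the word alone, or on the header alone, would produce false positives. Because the backdoor read the header from PHP's own request globals, the check belongs wherever you can see complete request headers, such as a WAF, a reverse proxy configured to log all headers, or a packet capture.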
Zerodium, the company named in the trigger string, is an exploit broker that buys zero-day vulnerabilities and sells them to government customers. It denied any involvement in the PHP Git server compromise.
Zerodium CEO Chaouki Bekrar suggested instead that the researchers who introduced the backdoor had tried to sell it and, having found no buyers, burned it by disclosing it. The accusation is hard to square with how short-lived the backdoor was: it was caught in post-commit review before it reached any release.
The malicious commits were pushed under the names of Rasmus Lerdorf, the author of PHP, and Nikita Popov, a major PHP contributor working at JetBrains. The attackers described the commits as intended to fix typo on…