What the f*ck is a Snuffleupagus?
Ever wonder what happened to PHP Suhosin?
We all remember the great days of the Suhosin patch and extension for PHP: the language that runs so much of the web finally got some much-needed core security, meaning more hosts could sleep at night knowing their users were not totally exposing them at the application level. I will go through the basic premise again for those who missed it the first time round.
The patch
First, Suhosin 'patches' the core PHP engine, letting it fix low-level vulnerabilities such as buffer overflows. This led some *nix distros to ship their PHP with the patch already applied, and web hosting panels adopted it too.
Here is a list of some of the patch benefits taken from their own site:
- Protects the internal memory manager against buffer overflows with Canary and SafeUnlink Protection
- Protects Destructors of Zend Hash-tables
- Protects Destructors of Zend Linked-Lists
- Protects the PHP core and extensions against format string vulnerabilities
- Protects against errors in certain libc realpath() implementations
The extension
The extension has a lot more to it. It not only protects the core PHP implementation; the key part is how it protects applications, because so many widely used PHP projects, such as CMSs like WordPress, Joomla (let's face it, Joomla was terrible for security!) and Drupal, were racking up a seriously impressive number of security vulnerabilities, from the trivial to the "just let yourself in, sir" kind.
Suhosin let you enable or disable rules and rulesets, much like a firewall, to allow or block suspicious or unsafe function calls, operations, ini_set changes and so on, so that you could tune the security of any code running in your PHP environment regardless of website or user.
This was especially useful when a major, widely exploited vulnerability surfaced: you could update your Suhosin rules to block the attack temporarily until all your users got round to updating their software or patching their own code. This was a godsend for shared hosting companies.
Here are some of the major features listed for the extension:
- Transparent Cookie Encryption
- Protects against different kinds of (Remote-)Include Vulnerabilities
- Disallows Remote URL inclusion (optional: black-/whitelisting)
- Disallows inclusion of uploaded files
- Optionally stops directory traversal attacks
- Allows disabling the preg_replace() /e modifier
- Allows disabling eval()
- Protects against infinite recursion through a configurable maximum execution depth
- Supports per Virtual Host / Directory configurable function black- and whitelists
- Supports a separated function black- and whitelist for evaluated code
- Protects against HTTP Response Splitting Vulnerabilities
- Protects against scripts manipulating the memory_limit
- Protects PHP's superglobals against extract() and import_request_vars()
- Adds protection against newline attacks to mail()
- Adds protection against 0 attack on preg_replace()
That's just some of the main options and protections Suhosin offers.
The problem?
Now you're wondering why I am telling you about something that has been around for so long; that brings us, finally, to the problem.
Suhosin does not properly support PHP7. You might be about to comment with the link to the Suhosin PHP7 development repo, so I'll do that for you: https://github.com/sektioneins/suhosin7
You will notice that nothing has been updated in ‘3 years’ and the notice at the beginning reads:
WARNING: THIS SOFTWARE IS PRE-ALPHA SOFTWARE. DO NOT ATTEMPT TO RUN IN PRODUCTION
Suhosin's development seems to have stalled for a long time, leaving hosts and admins who want to use it stuck offering only PHP5 installations. This is becoming a bigger problem now that PHP has released 7.3: adoption of the many new features is widening the backwards-compatibility gap. CMS giants are now starting the haul to full PHP7, and gradual typing is becoming popular rather than shunned.
I did some research and read forum posts where certain popular pieces of software have lost actual numbers of users because they are still limited to PHP5 because of Suhosin.
The solution: A Snuffle-what-amus?
Snuffleupagus might just be the rescue you're after from these dark, exploitable times.
Snuffleupagus is a PHP7+ module designed to drastically raise the cost of attacks against websites. This is achieved by killing entire bug classes and providing a powerful virtual-patching system, allowing the administrator to fix specific vulnerabilities without having to touch the PHP code.
Snuffleupagus is rapidly becoming the Suhosin for PHP7. It supports PHP up to 7.3, has fairly active development and works in production environments. It works purely as an extension, so there is no need to patch your PHP core.
It provides decent documentation on its uses, its limitations and how to write the configuration file for your exact needs, using an intuitive PHP-style configuration format that allows easy virtual-patching of functions. This gives you the same environment-wide fixing of application-level attacks.
Here are some example lines from the default config file they provide:
# Harden the PRNG
sp.harden_random.enable();
# Disable XXE
sp.disable_xxe.enable();
# Harden the `chmod` function
sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
# Prevent various `mail`-related vulnerabilities
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
# Since it's now burned, we might as well mitigate it publicly
sp.disable_function.function("putenv").param("setting").value_r("LD_").drop();
As you can see, it lets you change the behaviour of functions at runtime and enable or disable their use based on multiple properties at call time. It also fixes various attack vectors, such as hardening unserialize() with HMAC verification and encrypting cookies to stop cookie hijacking.
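To show how a ruleset of your own fits together, here is an added example of a Snuffleupagus configuration written for this post; it is not the project's shipped default config. The file path, the cookie name and the secret-key value are placeholder assumptions, and the rules are evaluated in order, so an allow rule for a specific script goes before the general drop:

```text
# Secret used by the HMAC and cookie-encryption features
# (assumed placeholder: generate your own long random value)
sp.global.secret_key("REPLACE_WITH_A_LONG_RANDOM_HEX_STRING");

# Sign serialized data so that tampered payloads are rejected
# before unserialize() builds objects from them
sp.unserialize_hmac.enable();

# Encrypt the session cookie so a stolen value cannot simply be
# replayed from another client (cookie name is an assumption)
sp.cookie.name("PHPSESSID").encrypt();

# Virtual patch: only one admin script (assumed path) may call system();
# every other call site is dropped. The allow rule must come first.
sp.disable_function.function("system").filename("/var/www/html/admin/tools.php").allow();
sp.disable_function.function("system").drop();

# Stage a new rule in simulation mode first: matches are logged, not
# enforced, so you can check for false positives before changing
# simulation() to drop()
sp.disable_function.function("file_get_contents").param("filename").value_r("^(https?|ftp|php|data)://").simulation();
```

Point PHP at the file with the sp.configuration_file ini setting as the documentation describes, and watch the PHP error log for the simulated rule before promoting it to drop().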
If this hasn't sold you on using Snuffleupagus yet, I am sure PHP7 will eventually force you away from Suhosin, a project that never seems to reach updated compatibility. Just in case, I will leave the installation quick-start instructions here:
git clone https://github.com/nbs-system/snuffleupagus
cd snuffleupagus/src
phpize
./configure --enable-snuffleupagus
make
make install
Make sure to read the full documentation & test your rulesets properly before deploying in a production environment!
A special thanks goes out to Suhosin and Snuffleupagus for helping keep PHP a safer engine for many admins for years :)