Request #49712 create_function designed for unwanted obfuscation
Submitted: 2009-09-29 15:20 UTC Modified: 2010-12-16 10:11 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: list2009 at lunch dot za dot net Assigned: jani (profile)
Status: Closed Package: *General Issues
PHP Version: 5.2.11 OS: any
Private report: No CVE-ID: None
 [2009-09-29 15:20 UTC] list2009 at lunch dot za dot net
Description:
------------
Unlike eval(), create_function can be called by reference.  It provides
an excellent hook for php obfuscation that is difficult to detect in an
automated way.  

I would like to define a list of functions that can NOT be called by
reference, and this function is first in my list, closely followed by
the other functions in this snippet, system(), ob_flush(), etc.  

Obfuscated code is one thing - obfuscated code that looks innocent is
another.

Reproduce code:
---------------
---
From manual page: function.create-function#Description
---
Note that this code does not contain a single string for a scanner. Only a PHP interpreter can determine that this is obfuscated code that calls str_rot13 and base64_decode and runs the base64-encoded code.
<?php
$v="_"; $v.="rot"; $v.=14-1; $v="str$v";
$w=$v("onfr64_qrpbqr");
$x=$w('Y3JlYXRlX2Z1bmN0aW9u');
$y=$w('ZWNobyAiVSBSIHB3bmRcbiI7Cg==');
$z=$x('',$y);
$z();


Expected result:
----------------
Fatal error: Call to undefined function create_function()
or
Fatal error: function create_function cannot be called by reference.


Actual result:
--------------
U R pwnd
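
As an added example (not code from this report or from PHP itself), one way a defender can catch the pattern the submitter says no string scanner can see: run PHP's own tokenizer over the source and flag every variable that is directly followed by "(", i.e. a call whose target is only known at run time. The sample input is the report's own reproduce snippet.

```php
<?php
// Added example, not from the bug report or from PHP itself: a token-level
// check for calls made through a variable ($z(), $x('', $y)), which is the
// pattern the submitter says a plain string scanner cannot see.

function find_dynamic_calls(string $source): array
{
    $hits = [];
    $tokens = token_get_all($source);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_VARIABLE) {
            continue;
        }
        // Skip whitespace and comments between the variable and what follows it.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j])
            && in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $j++;
        }
        // A variable directly followed by "(" is a call whose target is decided
        // at run time; the callee name never appears in the source as a string.
        if ($j < $n && $tokens[$j] === '(') {
            $hits[] = ['line' => $tok[2], 'callee' => $tok[1]];
        }
    }
    return $hits;
}

// Sample input: the report's own reproduce snippet, embedded as a string.
$sample = <<<'PHP'
<?php
$v="_"; $v.="rot"; $v.=14-1; $v="str$v";
$w=$v("onfr64_qrpbqr");
$x=$w('Y3JlYXRlX2Z1bmN0aW9u');
$y=$w('ZWNobyAiVSBSIHB3bmRcbiI7Cg==');
$z=$x('',$y);
$z();
PHP;

foreach (find_dynamic_calls($sample) as $hit) {
    printf("line %d: call through variable %s\n", $hit['line'], $hit['callee']);
}
```

Legitimate callbacks (`$cb()`) are flagged too, so this is a triage signal to review, not a rule to block on; `disable_functions`, as noted in the maintainer's reply below, is what actually stops the call at run time.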

 [2010-12-14 17:28 UTC] jani@php.net
-Status: Open +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: jani
 [2010-12-14 17:28 UTC] jani@php.net
With 5.3.4:

# php -d disable_functions=create_function t.php

Warning: create_function() has been disabled for security reasons in /home/jani/t.php on line 6
 [2010-12-15 07:01 UTC] list2009 at lunch dot za dot net
disable_functions simply disables a function.  This is not what I need: I needed to disable calling the function by reference, i.e. $moo="create_function"; $moo(); but not simple create_function().  preg_replace can be used instead of eval and create_function, but preg_replace cannot be disabled in most production environments.  With calling by reference, it provides a ready path to obfuscated PHP injection - with code that looks like a mathematical calculation.  If I'm wasting my time here, maybe I should rather write the ultimate PHP obfuscator with some watermark, and see how long it goes before I detect that watermark in code hiding c99shell shell or V64.worm.php.2011 on my own systems...
 [2010-12-16 10:11 UTC] jani@php.net
Then you need to look at Suhosin, which provides things like disabling the 'e' modifier for preg_replace(): http://www.hardened-php.net/index.html
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Jul 27 20:00:02 2025 UTC