Request #49712 create_function designed for unwanted obfuscation
Submitted: 2009-09-29 15:20 UTC Modified: 2010-12-16 10:11 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: list2009 at lunch dot za dot net Assigned: jani (profile)
Status: Closed Package: *General Issues
PHP Version: 5.2.11 OS: any
Private report: No CVE-ID: None
 [2009-09-29 15:20 UTC] list2009 at lunch dot za dot net
Description:
------------
Unlike eval(), create_function can be called by reference.  It provides
an excellent hook for php obfuscation that is difficult to detect in an
automated way.  

I would like to define a list of functions that can NOT be called by
reference, and this function is first in my list, closely followed by
the other functions in this snippet, system(), ob_flush(), etc.  

Obfuscated code is one thing - obfuscated code that looks innocent is
another.

Reproduce code:
---------------
---
From manual page: function.create-function#Description
---
Note that this code does not contain a single string for a scanner.  Only a php interpreter can determine that this is obfuscated code, and calls str_rot13, base64_decode and runs the base64 encoded code.
<?php
$v="_"; $v.="rot"; $v.=14-1; $v="str$v";
$w=$v("onfr64_qrpbqr");
$x=$w('Y3JlYXRlX2Z1bmN0aW9u');
$y=$w('ZWNobyAiVSBSIHB3bmRcbiI7Cg==');
$z=$x('',$y);
$z();


Expected result:
----------------
Fatal error: Call to undefined function create_function()
or
Fatal error: function create_function cannot be called by reference.


Actual result:
--------------
U R pwnd
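As an added example (not part of the bug report or of PHP itself), here is a small Python scan for the indirect-call syntax the report describes: it flags any variable used as a callee and any such variable whose value is assembled at runtime, which is exactly what a scanner keyed on function-name strings misses. The sample input is the reproduce code above; the regexes are a heuristic written for this example.

```python
import re
from typing import List, Tuple

# Constructed sample input: the reproduce code quoted in the bug report.
SAMPLE = r'''<?php
$v="_"; $v.="rot"; $v.=14-1; $v="str$v";
$w=$v("onfr64_qrpbqr");
$x=$w('Y3JlYXRlX2Z1bmN0aW9u');
$y=$w('ZWNobyAiVSBSIHB3bmRcbiI7Cg==');
$z=$x('',$y);
$z();
'''

# A variable used as a callee: `$name(` not preceded by `->` or `::`,
# so ordinary method calls such as $obj->run() are not reported.
VARIABLE_CALL = re.compile(r'(?<![\w$>:])\$(\w+)\s*\(')

# A variable whose value is assembled piecewise (`$name .=`) or derived
# from another variable call (`$name = $other(`).
BUILT_UP = re.compile(r'\$(\w+)\s*(?:\.=|=\s*\$\w+\s*\()')


def find_variable_calls(src: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable) for every call made through a variable."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for m in VARIABLE_CALL.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


def find_built_callees(src: str) -> List[str]:
    """Variables that are both assembled at runtime and later used as callees.

    A name in this set is a strong review candidate: its callee is decided
    only when the script runs, so no literal function name exists to match.
    """
    built = {m.group(1) for m in BUILT_UP.finditer(src)}
    called = {name for _, name in find_variable_calls(src)}
    return sorted(built & called)


if __name__ == "__main__":
    for lineno, name in find_variable_calls(SAMPLE):
        print(f"line {lineno}: call through ${name}")
    print("runtime-built callees:", ", ".join(find_built_callees(SAMPLE)))
```

Run against the sample it reports five indirect calls and four variables (v, w, x, z) whose callee is only knowable at runtime; the same scan over a normal code base yields few hits, which keeps it usable for triage.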

 [2010-12-14 17:28 UTC] jani@php.net
-Status: Open +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: jani
 [2010-12-14 17:28 UTC] jani@php.net
With 5.3.4:

# php -d disable_functions=create_function t.php

Warning: create_function() has been disabled for security reasons in /home/jani/t.php on line 6
 [2010-12-15 07:01 UTC] list2009 at lunch dot za dot net
disable_functions simply disables a function.  This is not what I need: I needed to disable calling the function by reference, i.e. $moo="create_function"; $moo(); but not simple create_function().  preg_replace can be used instead of eval and create_function, but preg_replace cannot be disabled in most production environments.  With calling by reference, it provides a ready path to obfuscated php injection - with code that looks like a mathematical calculation.  If I'm wasting my time here, maybe I should rather write the ultimate php obfuscator with some watermark, and see how long it goes before I detect that watermark in code hiding c99shell shell or V64.worm.php.2011 on my own systems...
 [2010-12-16 10:11 UTC] jani@php.net
Then you need to look at Suhosin which provides such things like disabling the 'e' modifier for preg_replace(): http://www.hardened-php.net/index.html
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Jul 27 20:00:02 2025 UTC