Malicious Git repository commits for PHP signed off by attackers under names of known developers and maintainers infect victims with a remote code execution backdoor.
On February 28, bad actors made two malicious commits to the php-src Git repository maintained by the PHP team on their git.php.net server. The threat actors had signed these commits as if these had been made by Rasmus Lerdorf and Nikita Popov, a PHP author and legitimate PHP contributor.
PHP is the server-side programming language that powers nearly 80% of the websites on the Internet.
The attackers published a mysterious change upstream in the malicious commits. They commented they did a minor typographical correction to “fix typo.”
Having taken a closer look at the added line 370 where zend_eval_string function is called, the researchers found the added line plants a backdoor that allows Remote Code Execution on a website running the infected version of PHP.
A developer Michael Voříšek was the first to point out the malicious commit.
“This line executes PHP code from within the useragent HTTP header, if the string starts with ‘zerodium’,” said PHP developer Jake Birchall.
In an email exchange with BleepingComputer, PHP maintainer Nikita Popov told:
“The first commit was found a couple hours after it was made, as part of routine post-commit code review. The changes were rather obviously malicious and reverted right away,” Popov told BleepingComputer.
The commits were signed off as coming from Rasmus Lerdorf and Nikita Popov. On Git, it is possible to sign-off a commit under someone else’s name and then upload the forged commit to the remote Git server.
Ina an official announcement, PHP maintainers said this issue stemmed from the compromised git.php.net server, and not from a compromise of an individual Git account.
As a precaution, PHP maintainers migrated the official PHP source code repository to GitHub.
“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical,” announced Popov.
Developers interested in contributing to the PHP project now need to join PHP organization on GitHub. The instructions are provided in the PHP’s security announcement.
PHP mountaineers assured that code with malicious commits had been distributed:
“The changes were on the development branch for PHP 8.1, which is due to release at the end of the year,” Popov further told BleepingComputer.
