Web-App Remote Code Execution Via Scripting Engines.

Rahul Sasi(fb1h2s)

Who am I ?

• Rahul Sasi (fb1h2s)• Security Researcher @ • Member Garage4Hackers.

Garage 4 HackersInformation Security professionals from Fortune 500, Security research and Consulting firms from all across the world.

•Security Firms•Consulting Firms•Research Firms•Law Enforcements

http://www.Garage4Hackers.com

I

• Defensive Security , sort of an investment or many considers it waste of money.

• Offensive Security(Hacking) is Money Making Business.

Why Offensive Security?

Web-App Remote Code Execution Via Scripting Engines.

What is the Difference between a Web App Pen-tester and a Paid Hacker with

Malicious Intend ?

Web App-Pen tester is paid and given One week to find all the vulnerabilities in the Application.

Hacker is paid with no time constrains to find just one vulnerability to get

into the system.

Attacking Web Applications via Scripting Engines .

Agenda

• Apache PHP Architecture .• Web App Exploitation• Local PHP Vulnerabilities.• Source Code Auditing.• Memory Corruptions . [ROP Chains]• Remote PHP Vulnerabilities • File formats and Remote Exploitation.

Common Web Test

• Manipulates Input and check for responses from the app.

• Exploiting Scripting Engines.

Digging Deep for Treasure.

Exploiting Scripting Engines

• PHP• ASPX (.NET)• Python• Perl• Etc..

PHP Architecture

PHP + Apache Security Architecture

for

Attacking PHP Engines

• For Privilege Escalation • Code Execution in Protected Environments • Bypassing Security Restrictions

PHP Local Exploits

Attacking PHP EnginesLocal Attacks

• History of PHP Exploits Used in the WildPHP Symlink ExploitPHP Nginx Exploit

• 0days

PHP Windows COM 0-day

PHP Symlink Exploit

• Privilege Escalation • IF pak.com and IN.com are on the same

server. Used Widely

• Demo

0-days (Win)• 0-day Markets. Huge 10,000 USD• PHP Dom 0-day on Windows

• The Vulnerable Function

• Com_event_sink()

• ROP Chains

Php Com_event_sink()

The Bug

Code Execution (ROP ing)• The general idea is to use the already existing

pieces of code and redirect the flow of the application.

• Add the desired Shellcode and jump to it.

Code Execution

• Get an Interactive Shell on the System.

Remote Exploits

Attacking PHP :Remote Exploits:

• History Of Bugs:

CVE-ID: 2012-0057, Arbitrary file creation via libxslt. CVE-2012-2329 (Apache Request Header)CVE-2012-1823,CVE-2012-2311 ( php-cgi bug “=“ )

• 0-days PHP GD bugs.

php-cgi bug “=“ CVE-2012-1823

• The BugIndex.php?-s Will show the source, we can inject PHP

command line arguments to the compiler.The attack.http://www.badguys.com/index.php-s

CVE-2012-2311 php-cgi bug “=“

Demo

PHP GD Bugs

PHP GD

• Image processing Algorithms .

• Takes input (images) and output processed image

• Could trigger memory corruption via Input images and trigger code execution.

Detecting them .

• An Example of Our Exploration .

• Processed Images insert Meta tags , which informs about the PHP functions used.

• “CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 75”

• We Analyzed the Source code of GD engine and figured out the exact function used.

• Fuzzed using our GD Fuzzer , made a reliable exploit. 0-day

0-days in GD Engine.

Demo

Thanks

• http://www.twitter.com/fb1h2s• http://www.garage4hacers.com