среда, 9 декабря 2015 г.

One more useful PHP class for unserialize() bugs

In a hurry to share PHP common class for deserialization vulnerabilities.
It's FileCookieJar class of Guzzle project.

Look at its destructor https://github.com/guzzle/guzzle/blob/master/src/Cookie/FileCookieJar.php#L37-L61:
<?
    public function __destruct()
    {
        $this->save($this->filename);
    }
    /**
     * Saves the cookies to a file.
     *
     * @param string $filename File to save
     * @throws \RuntimeException if the file cannot be found or created
     */
    public function save($filename)
    {
        $json = [];
        foreach ($this as $cookie) {
            /** @var SetCookie $cookie */
            if (CookieJar::shouldPersist($cookie, $this->storeSessionCookies)) {
                $json[] = $cookie->toArray();
            }
        }
        if (false === file_put_contents($filename, json_encode($json))) {
            throw new \RuntimeException("Unable to save file {$filename}");
        }
    }
?>
Who can construct valid exploit without hints? ;)
It's easy.

пятница, 6 ноября 2015 г.

Increases the power of PAM steal module.

A year ago we released our PAM steal module.
It's easiest and safest way to steal passwords and local privilege escalation.

Basically it catch passwords from sudo/su and local services which used PAM.
But not SSH daemon by default.
The fact that it uses the challenge-response authentication scheme. In this case password will be used to generate response (hash) on client side. And will not be going to server.

To fix this "issue" you can edit sshd.conf to disable
ChallengeResponseAuthentication
    Specifies whether challenge-response authentication is allowed
    (e.g. via PAM or though authentication styles supported in
    login.conf(5)) The default is ``yes''.
https://www.freebsd.org/cgi/man.cgi?query=sshd_config&sektion=5

That's all. Now all passwords from SSH will be logged as well as $su typed passwords.
NOTICE! Please, use key-based auth anytime and sudo!