18
PHP-CGI Argument Injection (CVE-2012-1823) Stuart Gregg
| Date post: | 14-Apr-2017 |
| Category: |
Documents |
| Upload: | stuart-gregg |
| View: | 264 times |
| Download: | 0 times |
PHP-CGI Argument Injection
(CVE-2012-1823)
Stuart Gregg
Table of Contents
Introduction ........................................................................................................... 1.0
Vulnerability ........................................................................................................... 2.0
Exploit & Attack Software ..................................................................................... 2.1
Anatomy of Attack................................................................................................. 3.0
Information Gathering .......................................................................................... 3.1
Exploitation .......................................................................................................... 3.2
Post exploitation ................................................................................................... 3.3
Actions for maintaining access and covering tracks ............................................. 3.4
Recommendations for Preventing an Attack ...................................................... 4.0
Related Software ................................................................................................... 5.0
Critical Reflection .................................................................................................. 6.0
Conclusions ........................................................................................................... 7.0
References ............................................................................................................ 8.0
1.0 - Introduction
This report will cover all the stages of an attack on a vulnerable piece of software.
The report will go into technical depth and show all aspects of the attack from the
information gathering stage right through to covering your tracks and maintaining
access.
The attack software that will be used in this report is the Metasploit framework. This
can be found preinstalled within Kali Linux, a version of Linux preloaded with a wide
range of tools. “Metasploit Framework, the Metasploit Project's best-known creation,
is a software platform for developing, testing, and executing exploits. It can be used
to create security testing tools and exploit modules and also as a penetration testing
system. It was originally created as a portable network tool in 2003 by HD Moore.”
(Rouse, 2011)
The vulnerability that will be looked at sits within the PHP execution engine. The
vulnerability allows the attacker to execute arbitrary PHP code on the server. This
vulnerability relies on the server being configured to redirect PHP files to PHP CGI.
This is configured within the php.ini file. The vulnerability works when the web server
runs in a CGI environment. Common Gateway Interface (CGI) is a method used by a
lot of developers as a way to dynamically generate content on webpages and
applications. This works by the PHP interpreter using the CGI mode (PHP CGI). The
model for this is the web server will input a PHP file (normally already on the
webserver) and the output will be HTML code (this usually displays on the browser)
(Cid, 2012). Simply putting ‘?-s’ (“show source”) at the end of an URL you are
looking at can reveal if it’s vulnerable and produces the PHP source code (see fig 1),
an example of this; http://localhost/index.php?-s
(Fig 1 – Example source code with the ‘?-s’ vulnerability)
2.0 - Vulnerability
PHP is the most dominate server side language used within the majority of web
applications today (see fig 2). This among many other factors demands a lot of
enquiry into the security and vulnerability of the language.
(Fig 2 – Statistics showing PHP as the most used online programming language)
The vulnerability researched within this report is a programming mistake which
allows the attackers to see the PHP source code and even achieve code execution.
Remote code execution is gained in this instance by the attacked using the ‘-d’
option (this allows the manipulation of PHP and the security settings) this will then
bypass any security checks and allow the attacker to place PHP command line
options in the query string (Shulman, 2014).
This vulnerability can only be seen if the PHP is being used in a CGI based
environment which usually includes an Apache mod_cgid. Once the attackers knows
that the victim’s set up they can pass multiple command line switches including -s, -d
and even -c, this then gets processed by the php-cgi binary which in result can
reveal source code or allow arbitrary code execution (Cid, 2012) .
This vulnerability has been rated CVSS v2 base score of 7.5 (HIGH) with and impact
score of 6.4.
This vulnerability exists due to developers modifying php.ini files to allow their sites
to run through a CGI wrapper. The vulnerability exists in all earlier PHP versions
including 5.2.0/17 - 5.3.0/13 and 5.4.0/2 but before 5.4.3. This vulnerability can only
been exploited if the PHP files are configured as a CGI script.
This vulnerability could allow the follow;
1. Modify database and retrieve password information
2. Locate files on the server – including download and edit files
3. DoS – Denial of service attack
4. Execute code on the server
The category this vulnerability sits in is a command injection (see fig 3). Command
injection enables the attacker execution of arbitrary commands. This usually is
possible through a vulnerable application which does not validate input/output
options to an extent that it should. This happens by the attacker adding code
injection between the client and the server. The server which normally allows the
query from the client also allows the additional commands from the attacker. Which
have not been properly filtered. Resulting in the retrieval of additional information
from the server.
(Fig 3 – Example code injection illustration)
2.1 - Exploit & Attack Software
The attack software used to exploit the vulnerability is Metasploit. The Metasploit
framework is used by many people, including penetration testers. It contains a huge
database of exploits, payloads and much more. The framework allows for very little
set up and simply requires the attackers to choose the exploit, set the parameters
and exploit. The framework will then do all the work for you, including setting up a
shell for your code execution (Goodin, 2012). The Metasploit framework will be used
as it has the exploit preloaded into the framework. The exploit is a Ruby file and all
that is needed is a few parameters to be set and the vulnerability is ready to be
exploited.
The vulnerability itself has a multiple of different avenues it can be exploited;
1. The most used and well-known attack vector is code disclosure with the ‘?-s’.
If the webserver is vulnerable this will reveal the source code. The source
code will then be displayed in the client’s browser. The code will be PHP code
stored on the server.
2. DoS attack. This can be executed with the ‘?-T+1000’. This will then request
the webpage as many times as you have stated. Be aware with this attack as
it will render your browser in an unusable state when the attack is happening.
3. Remote code execution ‘/?-d%20allow_url_include%3DOn+-
d%20auto_prepend_file%3dhttp’ this can be seen on line 14 on fig 4. This
then allows the attacker to place code execution on the server. This is the
biggest vulnerability, as this allows the attacker to gain information from the
server or edit anything on the server with the correct read/write permissions.
The vulnerability is within the PHP set up. When the webserver or application is set
up in CGI environment the attacker is able to exploit the vulnerability where the
query string cannot handle the absence of an = (equals sign) character. This then
allows the attacker execute command line code within the string. Once this is sent to
the server the command line code is also sent and executed. This then allows the
attacker unauthorised options on the server. A quick and easy way to exploit this
vulnerability is using attack software such as Metasploit, where the exploit is
preconfigured. All the attacker needs to do is set the remote host to attack the
payload and let the script scan the host, see if vulnerable and then use the exploit to
gain root access to the server. Once the attacker has this ability they can send any
commands they wish. They can even edit, delete or move any files they wish; they
have the same privileges as the server’s admin.
(Fig 4 – PHP-CGI exploit code)
3.0 - Anatomy of Attack
3.1 - Information Gathering
In this stage the report will talk about how the attacker is able to gain information
about the victim’s machine in order to deem them vulnerable and then in case launch
an attack. First off the attacker will check the broadcast length on their network and
identify their own IP address. This will then allow the attacker to see the IP address
range they need to scan. Within Kali Linux this can be done with the command
‘ifconfig’ (see fig 5)
Looking at fig 5 the attacker can identify the network address range of 255. This can
be seen by looking at the Bcast: 172.16.29.255 the last digits show the range the
network is broadcasting on, therefore the attacker knows the range to scan. Within
this the attacker can also identify their own local IP address 172.16.29.129
Now the attacker knows the network range, a ping sweep can be performed to see
what hosts are alive. This can be done with a tool within Kali Linux called nmap.
Using the command ‘nmap -sn 172.16.29.0-255’ will tell nmap to ping sweep the IP
range and list live hosts within the range of 0-255. The -sn command will do this
scan without listing any ports that are open this can be done at a later stage (see fig
6).
(Fig 6 – nmap ping sweep command)
(Fig 5 – ifconfig command in Kali Linux)
Now the attacker had identified the live hosts, they can start to dig deeper and see
what ports are open. This also can be done within Kali Linux using nmap. The
command ‘nmap -sS 172.16.29.130’ will scan the chosen host and list any open
services. The -sS indicates that you are performing TCP SYN scan, this type of scan
does not perform a full TCP connection and is classed as unobtrusive and stealthy.
This is performed by sending a SYN packet and waiting for a SYN/ACK (response)
this then indicates the port it alive and listening. If you were to receive a RST (reset)
this then indicates the port is inactive. The type of scan does not open a full TCP
connection (see fig 7) (Lyon, 2012).
Now the attacker knows the IP
address range, the victims IP
address and the services running
on the host. The next stage will be
to find the current operating system
running on the victim’s machine.
This can be done running the
command ‘nmap -O
172.16.29.130’ with the -O stating
you wish to see the OS information
(see fig 8).
With this information the attacker now knows the OS version the machine is running
on. As can be seen the machine is running Linux 2.6.9 – 2.6.33. Another test the
hacker can do is type the victims IP address into a web browser to see if the
machine is hosting anything, this could detect if the machine is a web server.
By doing this the
attacker can now see the
server is hosting
webpages (see fig 10)
and start to plan an
attack. Using another
Kali Linux tool amap the
attacker can see what
applications and
versions are being run.
(Fig 7 – nmap TCP SYN scan)
(Fig 9 – amap scan)
(Fig 8 – nmap OS scan)
Using the command ‘amap -bqv 172.16.29.130 80’ while the 80 on the end of the
command states the port you wish to see (see fig 9).
As you can see within the output, the application used is Apache 2.2.8 (Ubuntu)
DAV/2. The attacker can also see the
version of PHP 5.2.4 being used.
Another way the attacker could find
this information out is by using a tool
within Kali Linux called netcat. This
tool uses TCP/UDP protocol to read
data across network connections. The
command required is ‘nc
172.16.29.130 80’ and then ‘HEAD /
HTTP/1.0’ (see fig 11).
Now the attack knows the IP address, the open ports, the operating system software
and the application services being used. Once all this is known the attacker can pick
a vulnerability which exploits the current set up of the victim. Knowing that the server
is running on Apache and a vulnerable version of PHP the attacker can start to plan
the vulnerability they are going to use. In this case a PHP-CGI vulnerability is the
choice. One way to see if the server is vulnerable to this exploit is by using the ‘?-s’
(see fig 12).
(Fig 11 – netcat scan)
(Fig 10 – Victim’s hosted home webpage)
(Fig 12 – Vulnerability showing source code)
3.2 - Exploitation
The attack software Metasploit will be used for launching the exploit against the
vulnerability. Now the attacker has identified all the possible attack vectors, the next
stage will be picking an exploit and using it. Looking into vulnerability databases
such as Security Focus (see fig 13) you can see if an exploit you wish to use
matches with the victim’s current setup. This website also provides example attack
codes and solutions for the fix. This is not needed as Metasploit has the exploit
preloaded.
First you need to open the Metasploit framework; to
do this the command is ‘msfconsole’ (see fig 14).
Once the console is open you can search for the specific exploit you wish to use.
Metasploit has a huge database full of exploit and payloads for an attacker to use.
Once you have found the relevant exploit that will work on the victim’s current set up
use the command ‘use exploit/multi/http/php_cgi_arg_injection’ and that exploit
will be loaded.
Once you have selected your exploit the attacker will then need to set the victims IP
address as the remote host within Metasploit. The RHOST is the remote host you
wish the exploit to connect on. This is the victims IP address. The LHOST is the local
IP address and should automatically be set as your own IP address. If not you will
need to set this.
Next stage will be selecting a payload to use. In this case we are using payload
php/meterpreter/blind_tcp. This will set up a blind TCP connection to the victim’s
machine (see fig 15).
(Fig 14 – Metasploit framework) (Fig 13 – Security Focus database)
(Fig 15 – Payload loaded within Metasploit)
3.3 - Post exploitation
Once the exploit has finished there are many additional things they can do. The
attacker can edit the web pages that have been hosted. This is possible by using
standard Linux editing commands. Metasploit will make a temporary copy of the file
you wish to edit. Once you have finished making alterations to the file you can simply
use the writequit command to save the new version to the server. The command ‘ls’
will list all the current directory contents (see fig 16).
Looking at the directory listing we can see the hosted webpage ‘index.php’ (see fig
17) the command ‘edit index.php’ will allow the attacker to make any alterations to
the document (see fig 18).
(Fig 16 – ls command)
(Fig 17 – Victim’s home page before attack)
Now the attacker has made the changes to the document the command ‘:wq’ will
then write the new changes to the document and quit out of the editor. The changes
will now be hosted on the server (see fig 19). The attacker can also edit any links
within the home page to direct to another website of their choice. This could be
dangerous if the visitor to the webpage trusts the site and links and is unaware of the
changes made to the document.
(Fig 18 – Linux file editor)
(Fig 19 – Victim’s home page after attack)
Another post exploitation attack that can be performed is creating new directories.
The attacker as the ability to not only create new directories but to upload files into
them directories (see fig 20). This therefore could trick the admin of the server into
thinking it is a genuine file and even execute it. This could include a backdoor into
the server for future access.
The attacker can also download any files that resides on the server. This could be
dangerous if there are files that contain user’s passwords or any other valuable
information (see fig 21).
(Fig 20 – Creating directories and uploading files into them)
(Fig 21 – Downloading files from the victim’s server)
3.4 - Actions for maintaining access and covering tracks
Covering your tracks once you have made an attack is just as important as the initial
information gathering. If the attacker wants any chance to exploit the victim again
you need to ensure any trails you left behind are removed or overwritten. One way to
do this is by removing any files left on the victim’s machine that could suggest a
possible attack has happened. The command “shred” can write over a file to delete
any trace of an attack (see fig 22).
The attacker could also change the process they are using to another one to
maintain access. Using the command ‘getpid’ will show the current process you are
using. The attacker can then use ‘ps’ to load all current running processes and use
the migrate function to switch to another process.
The attacker could also use the following;
1. Persistent Backdoors – After the attacker has successfully completed an
exploit on a vulnerable they will want a way to get back into the system on a
later date. This is particularly useful if the vulnerability has been fixed by the
victim, having another way into the system will ensure the attacker can keep
gaining information while the victim is unaware. The attacker can use already
made backdoors or even create their own using the Metasploit framework and
simply upload this to the victim’s machine.
2. Clear event logs – On Linux system the event logs are stored under the
directory /var/log/messages. Once you have located the event history logs
you need to open these up in a text editor and delete all the entries, or if you
have more time and probably the better option would be to delete only the
entries that apply to the actions you have done on the system.
(Fig 22 – Shred command on victim’s machine)
4.0 - Recommendations for Preventing the Attack
Since this vulnerability has been made public there has been a multiple of patches
released by PHP to try and solve this issue. The main attack avenue was to use the
query string to directly input commands to the server. In fig 23 shows a patch from
PHP which has a small wrapper which strips any argument that tries to invocate the
php-cgi when called as a CGI handler. Looking at fig 23 on line 31 you can see the
start of the wrapper which only passes to the next function on line 40 if meets the
new patch requirements. The function that starts on line 40 will then show relevant
information about the server and software.
The main way to preventing attacks of this kind is ensuring you are keeping you
programs up to date with the latest patches. In particular this kind of attack relies on
the fact that the victims does not properly validate input or output queries.
Training developers on this issues is a massive factor to help resolve and reduce
possible attacks. The more training that has been given on this the less likely
attackers are going to find exploits in the code in the first place.
(Fig 23 – PHP wrapper fix for php-cgi argument vulnerability)
5.0 - Related Software
The attack software used within this report is the Metasploit framework. The
framework consists of a huge database of ruby scripts which are used to launch
attacks against vulnerable systems. The software can be used to launch any exploit
which is loaded within the database. The framework also has the ability to upload
custom made scripts and launch them against vulnerable systems. Armitage is a
GUI version to Metasploit. Armitage is very easy to use and eliminates the need to
work on a CLI. Any input within Armitage is translated into a command the Metasploit
framework understands.
6.0 - Critical Reflection
Overall the underlying deficiency within this vulnerability is developers not fully
testing for all the different vectors the language can be manipulated. The
vulnerability simply comes from the developer not understanding the possible ways
an attacker can retrieve information they should not be allowed. The information the
attacker can retrieve is only possible due to the data that is inputted and outputted
has not been fully sanitized and therefore leaks information. This then allows for
commands to be directly injected into the query without proper validation.
Any business or organisation who have this set up and may be vulnerable should
update and fix with the latest patches available from PHP. Any information stored on
servers that have this vulnerability can be seen by an attacker and even downloaded
or edited. The attacker also has the ability to deface your hosted webpages and
cause a DoS attack. These all can be extremely damaging to your organisations
image and may lead to a loss in business.
To solve this more training and education needs to be provided for anyone using the
language and this setup. The more training around security and vulnerabilities will
then give developers a greater understanding of the attacks that may happen and
resolutions to fight against them.
7.0 - Conclusion
To conclude this report showed all the stages of an attack on a vulnerable system. It
showed how information is gathered and used to gear up for an attack. It
demonstrated in both images and illustration the loading of an exploit within the
Metasploit framework and how to use your previously gained information about the
victims IP address and current set up to your advantage to launch an exploit.
The report also talks about a multiple of different attack vectors for the same
vulnerability, giving the attacker a wide range of attack vectors so they are not just
limited to just one. Along with the attack the report also demonstrates how to cover
your tracks once the exploit has happened and how to maintain access while you’re
in the victims system.
The report shows a multiple of different options you can use while in the post
exploitation phase including the uploading of files to the victim’s server which could
involve a backdoor for future access.
The report also talks about how a victim can fight against possible attacks and what
the necessary steps are including the PHP patch source code.
8.0 - References
Margaret Rouse. (2011). Metasploit Project - Metasploit Framework. Available:
http://searchsecurity.techtarget.in/definition/Metasploit-Project-Metasploit-
Framework. Last accessed 1st April 2015.
Daniel Cid. (2012). PHP-CGI Vulnerability Exploited in the Wild. Available:
http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html. Last
accessed 1st April 2015.
Amichai Shulman. (2014). Threat Advisory: PHP-CGI At Your Command. Available:
http://blog.imperva.com/2014/03/threat-advisory-php-cgi-at-your-command.html. Last
accessed 1st April 2015.
Christopher Kunz. (2012). NEW PHP-CGI EXPLOIT: CVE-2012-1823, POC
EXPLOIT. Available: http://www.php-security.net/archives/9-New-PHP-CGI-exploit-
CVE-2012-1823,-PoC-exploit.html. Last accessed 2nd April 2015.
Michael Orlando. (2013). Vulnerability Note VU#520827. Available:
https://www.kb.cert.org/vuls/id/520827. Last accessed 2nd April 2015.
OWASP. (2104). Command Injection. Available:
https://www.owasp.org/index.php/Command_injection. Last accessed 2nd April
2015.
Dan Goodin . (2012). Attackers target unpatched PHP bug allowing malicious code
execution. Available: http://arstechnica.com/business/2012/05/attackers-target-
unpatched-php-bug-allowing-malicious-code-execution/. Last accessed 2nd April
2015.
Imperva, (2014), Fig 1. Available at:
http://a7.typepad.com/6a017ee8761ce7970d01a73d94402f970d-pi Last accessed
2nd April 2015
Wikibon, (2011), Fig 2. Available at: http://www.veracode.com/security/ldap-injection
Last accessed 2nd April 2015
Gordon Lyon. (2010). Port Scanning Techniques. Available:
http://nmap.org/book/man-port-scanning-techniques.html. Last accessed 7th April
2015.
