web-app remote code execution via scripting engines
DESCRIPTION
Web-App Remote Code Execution Via Scripting Engines by Rahul Sasi at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
TRANSCRIPT
Slide 1
Web-App Remote Code Execution Via Scripting Engines.
Rahul Sasi(fb1h2s)
Slide 2
Who am I?
• Rahul Sasi (fb1h2s)
• Security Researcher @
• Member, Garage4Hackers
Slide 3
Garage 4 Hackers
Information security professionals from Fortune 500 companies, security research firms and consulting firms from all across the world.
• Security firms
• Consulting firms
• Research firms
• Law enforcement
http://www.Garage4Hackers.com
Slide 4
Slide 5
• Defensive security is treated as an investment, or by many as a waste of money.
• Offensive security (hacking) is a money-making business.
Slide 6
Why Offensive Security?
Slide 7
Web-App Remote Code Execution Via Scripting Engines.
Slide 8
What is the difference between a web app pen-tester and a paid hacker with malicious intent?
Slide 9
A web app pen-tester is paid and given one week to find all the vulnerabilities in the application.
A hacker is paid with no time constraints to find just one vulnerability to get into the system.
Slide 10
Attacking Web Applications via Scripting Engines .
Slide 11
Agenda
• Apache PHP architecture
• Web app exploitation
• Local PHP vulnerabilities
• Source code auditing
• Memory corruptions [ROP chains]
• Remote PHP vulnerabilities
• File formats and remote exploitation
Slide 12
Common Web Test
• Manipulate input and check the application's responses.
• Exploiting scripting engines.
Slide 13
Slide 14
Digging Deep for Treasure.
Exploiting Scripting Engines
• PHP
• ASPX (.NET)
• Python
• Perl
• Etc.
Slide 15
PHP Architecture
Slide 16
PHP + Apache Security Architecture
Slide 17
Attacking PHP Engines
• For privilege escalation
• Code execution in protected environments
• Bypassing security restrictions
Slide 18
PHP Local Exploits
Slide 19
Attacking PHP Engines: Local Attacks
• History of PHP exploits used in the wild:
PHP Symlink Exploit
PHP Nginx Exploit
• 0-days:
PHP Windows COM 0-day
Slide 20
PHP Symlink Exploit
• Privilege escalation on shared hosting.
• If pak.com and IN.com are hosted on the same server, a symlink created from one account's web root reaches the other site's files (its configuration, for example) through the shared web server process. Widely used.
• Demo
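The symlink trick above in runnable form, as an added example that is not part of the talk: it builds a throwaway two-account layout in a temp directory (constructed, nothing real), shows a naive file read following a link out of the web root into the neighbouring account's config file, and a confined read that resolves the real path first, the kind of check that PHP's open_basedir and Apache's SymLinksIfOwnerMatch approximate. Directory names, file names and contents are all made up for the demo.

```python
import os
import tempfile


def build_fixture():
    """Build a throwaway shared-hosting layout (constructed demo data, nothing real):

        base/webroot/            document root of the attacker-controlled account
        base/webroot/index.html  the attacker's own page
        base/victim/config.php   another customer's file on the same server
        base/webroot/cfg.txt     symlink -> ../victim/config.php

    Returns (webroot, victim_dir).
    """
    base = tempfile.mkdtemp(prefix="symlink-demo-")
    webroot = os.path.join(base, "webroot")
    victim = os.path.join(base, "victim")
    os.makedirs(webroot)
    os.makedirs(victim)
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<h1>attacker site</h1>\n")
    with open(os.path.join(victim, "config.php"), "w") as f:
        f.write("<?php $db_pass = 'constructed-secret'; ?>\n")
    # A relative link is exactly what a hosted account can create with PHP's symlink().
    os.symlink(os.path.join("..", "victim", "config.php"),
               os.path.join(webroot, "cfg.txt"))
    return webroot, victim


def serve_naive(webroot, name):
    """Read a file under webroot the way a server with FollowSymLinks and a single
    shared www-data user does: open() follows the link, so the victim's data comes back."""
    with open(os.path.join(webroot, name), "rb") as f:
        return f.read()


def serve_confined(webroot, name):
    """Resolve symlinks and '..' first, then refuse anything whose real path is not
    inside the real document root (the open_basedir style of check)."""
    root = os.path.realpath(webroot)
    real = os.path.realpath(os.path.join(webroot, name))
    if os.path.commonpath([root, real]) != root:
        raise PermissionError(f"{name!r} resolves to {real}, outside {root}")
    with open(real, "rb") as f:
        return f.read()


def demo():
    """Run both readers against the fixture and return what each produced
    (None where the confined reader refused the request)."""
    webroot, _ = build_fixture()
    results = {"naive:cfg.txt": serve_naive(webroot, "cfg.txt")}
    for name in ("cfg.txt", "../victim/config.php", "index.html"):
        try:
            results["confined:" + name] = serve_confined(webroot, name)
        except PermissionError:
            results["confined:" + name] = None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32} -> {value!r}")
```

In the real attack the link is created from the attacker's account with PHP's own symlink() and the target is then fetched as a plain .txt URL; the lesson is the same either way: a path check that does not resolve symlinks confines nothing. On the server side the equivalents are Apache `Options -FollowSymLinks` / `SymLinksIfOwnerMatch`, PHP `open_basedir`, and per-account process isolation (suPHP, php-fpm pools), since one shared web-server user is what lets the read succeed.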
Slide 21
0-days (Win)
• 0-day markets. Huge: 10,000 USD
• PHP COM 0-day on Windows
• The vulnerable function: com_event_sink()
• ROP chains
Slide 22
PHP com_event_sink()
Slide 23
The Bug
Slide 24
Code Execution (ROPing)
• The general idea is to reuse pieces of code already present in the process (gadgets) and redirect the flow of the application through them.
• Add the desired shellcode and jump to it.
Slide 25
Code Execution
• Get an Interactive Shell on the System.
Slide 26
Remote Exploits
Slide 27
Attacking PHP: Remote Exploits
• History of bugs:
CVE-2012-0057: arbitrary file creation via libxslt
CVE-2012-2329: Apache request header bug
CVE-2012-1823, CVE-2012-2311: php-cgi bug ("=")
• 0-days: PHP GD bugs
Slide 28
php-cgi bug "=" (CVE-2012-1823)
• The bug: index.php?-s will show the source. A query string with no "=" in it is handed to php-cgi as command-line arguments, so we can inject PHP interpreter options.
• The attack: http://www.badguys.com/index.php?-s
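What the "=" rule does to a query string, as an added example that is not from the talk: the first function emulates the CGI convention php-cgi honoured before the fix (a QUERY_STRING without a literal "=" is split on "+" and each URL-decoded piece becomes an argument), the rest flags requests that would have reached the interpreter as options and runs that check over a few constructed access-log lines. The slide shows only `-s`; the `-d allow_url_include=1 -d auto_prepend_file=php://input` line is the widely reported code-execution variant of the same bug, included here to show why a percent-encoded "=" matters. Log lines, IPs and timestamps are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for the detector below (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2012:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 4021
203.0.113.7 - - [04/May/2012:10:00:05 +0000] "GET /index.php?-s HTTP/1.1" 200 1873
203.0.113.7 - - [04/May/2012:10:00:09 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 62
198.51.100.2 - - [04/May/2012:10:01:00 +0000] "GET /index.php?id%3d5 HTTP/1.1" 200 4021
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def cgi_argv_from_query(query_string):
    """Emulate the CGI convention php-cgi honoured before the fix: when QUERY_STRING
    has no literal '=', it is split on '+' and each piece, URL-decoded, becomes a
    command-line argument of the interpreter. A percent-encoded '=' (%3d) does not
    count as one, which is how option values such as allow_url_include=1 get through."""
    if query_string == "" or "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+") if part]


def injected_options(query_string):
    """Interpreter options an attacker would be smuggling in through the query string."""
    return [arg for arg in cgi_argv_from_query(query_string) if arg.startswith("-")]


def is_php_cgi_argument_injection(query_string):
    return bool(injected_options(query_string))


def scan_access_log(text):
    """Return (client_ip, path, injected options) for every request whose query
    string would have reached php-cgi as command-line arguments."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        opts = injected_options(query)
        if opts:
            hits.append((m["ip"], path, opts))
    return hits


if __name__ == "__main__":
    for ip, path, opts in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path} injects {' '.join(opts)}")
```

The fourth sample line is the one to note: `id%3d5` has no literal "=" so it too is passed as an argument, but since it does not start with "-" it is harmless, while the `-d` line turns the same rule into code execution by making PHP prepend the request body to the script.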
Slide 29
CVE-2012-2311: php-cgi bug "="
Slide 30
Demo
Slide 31
PHP GD Bugs
Slide 32
PHP GD
• Image processing library (algorithms).
• Takes input images and outputs processed images.
• Malformed input images can trigger memory corruption in it, leading to code execution.
Slide 33
Detecting them
• An example of our exploration.
• Processed images carry a metadata comment that reveals the library, and hence the PHP functions, used:
• "CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 75"
Slide 34
• We analyzed the source code of the GD engine and figured out the exact function used.
• Fuzzed it with our GD fuzzer and built a reliable exploit: a 0-day.
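The fingerprinting step above in code, as an added example that is not from the talk: a small JPEG segment walker that pulls out COM (0xFFFE) comment segments, which is where gd-jpeg writes its CREATOR string, and matches that string to tell you whether an upload endpoint re-encodes images with GD, with which IJG libjpeg version and at what quality, before you point a fuzzer at it. The sample JPEGs are constructed inline (a valid segment table with no image data), and the walker rejects truncated or bad-length segments, the kind of input a GD fuzzer generates, rather than reading past the buffer.

```python
import re
import struct

# Matches the comment gd-jpeg writes into every JPEG it encodes.
GD_COMMENT_RE = re.compile(
    rb"CREATOR: gd-jpeg v(?P<gd>[\w.]+) \(using IJG JPEG v(?P<ijg>\d+)\), quality = (?P<q>\d+)"
)


def jpeg_comments(data):
    """Walk the marker segments of a JPEG and return the payloads of all COM
    (0xFFFE) segments. Stops at SOS (entropy-coded data follows, no more segments)
    or EOI, and raises ValueError on a truncated or malformed segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    comments = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                                # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):                        # EOI or SOS: segment table ends
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # stand-alone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"segment 0xFF{marker:02X} at offset {pos} is truncated")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length includes itself
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"segment 0xFF{marker:02X} at offset {pos}: bad length {length}")
        if marker == 0xFE:
            comments.append(data[pos + 4:pos + 2 + length])
        pos += 2 + length
    return comments


def is_malformed(data):
    """True if the segment table cannot be walked safely (the fuzzing edge case)."""
    try:
        jpeg_comments(data)
        return False
    except ValueError:
        return True


def gd_fingerprint(data):
    """Return the GD version, IJG libjpeg version and quality announced by the
    CREATOR comment, or None if the image was not written by gd-jpeg."""
    for comment in jpeg_comments(data):
        m = GD_COMMENT_RE.search(comment)
        if m:
            return {"gd_version": m["gd"].decode(),
                    "ijg_version": int(m["ijg"]),
                    "quality": int(m["q"])}
    return None


def make_sample_jpeg(comment):
    """Constructed minimal JPEG (SOI, APP0/JFIF, COM, EOI) for the demo: a valid
    segment table carrying the given comment, with no image data, so not decodable."""
    def segment(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + segment(0xE0, jfif) + segment(0xFE, comment) + b"\xff\xd9"


# The comment string quoted on the slide, embedded in a constructed JPEG,
# next to a constructed non-GD comment for comparison.
GD_SAMPLE = make_sample_jpeg(b"CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 75")
OTHER_SAMPLE = make_sample_jpeg(b"Constructed comment from some other tool")


if __name__ == "__main__":
    print(gd_fingerprint(GD_SAMPLE))
    print(gd_fingerprint(OTHER_SAMPLE))
    print("truncated sample rejected:", is_malformed(GD_SAMPLE[:-10]))
```

To use it against a real target, upload a known image, download the processed copy and pass its bytes to gd_fingerprint(); a hit tells you the server decodes and re-encodes uploads with GD, which is exactly the code path a malformed input image has to reach.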
Slide 35
0-days in GD Engine.
Slide 36
Demo
Slide 37
Thanks
• http://www.twitter.com/fb1h2s
• http://www.garage4hackers.com