1. Web-App Remote Code Execution Via Scripting Engines. Rahul Sasi (fb1h2s)

2. Who am I?
• Rahul Sasi (fb1h2s)
• Security Researcher @
• Member Garage4Hackers.

3. Garage 4 Hackers
Information Security professionals from Fortune 500, Security research and Consulting firms from all across the world.
• Security Firms
• Consulting Firms
• Research Firms
• Law Enforcement
http://www.Garage4Hackers.com

4. I

5.
• Offensive Security (Hacking) is a money-making business.
• Defensive Security is sort of an investment, or many consider it a waste of money.

6. Why Offensive Security?

7. Web-App Remote Code Execution Via Scripting Engines.

8. What is the difference between a Web App pen-tester and a paid hacker with malicious intent?

9. A Web App pen-tester is paid and given one week to find all the vulnerabilities in the application. A hacker is paid with no time constraints to find just one vulnerability to get into the system.

10. Attacking Web Applications via Scripting Engines.

11. Agenda
• Apache PHP Architecture.
• Web App Exploitation
• Local PHP Vulnerabilities.
• Source Code Auditing.
• Memory Corruptions. [ROP Chains]
• Remote PHP Vulnerabilities
• File formats and Remote Exploitation.

12. Common Web Test
• Manipulates input and checks for responses from the app.
• Exploiting Scripting Engines.

13. Digging Deep for Treasure. Exploiting Scripting Engines
• PHP
• ASPX (.NET)
• Python
• Perl
• Etc.

14. PHP Architecture

15. PHP + Apache Security Architecture for

16. Attacking PHP Engines
• For Privilege Escalation
• Code Execution in Protected Environments
• Bypassing Security Restrictions

17. PHP Local Exploits

18. Attacking PHP Engines: Local Attacks
• History of PHP Exploits Used in the Wild: PHP Symlink Exploit, PHP Nginx Exploit
• 0days: PHP Windows COM 0-day

19. PHP Symlink Exploit
• Privilege Escalation
• IF pak.com and IN.com are on the same server. Used Widely
• Demo

20. 0-days (Win)
• 0-day Markets. Huge 10,000 USD
• PHP Dom 0-day on Windows
• The Vulnerable Function
• Com_event_sink()
• ROP Chains

21. Php Com_event_sink()

22. The Bug

23. Code Execution (ROP ing)
• The general idea is to use the already existing pieces of code and redirect the flow of the application.
• Add the desired Shellcode and jump to it.

24. Code Execution
• Get an Interactive Shell on the System.

25. Remote Exploits

26. Attacking PHP: Remote Exploits
• History Of Bugs: CVE-ID: 2012-0057, Arbitrary file creation via libxslt. CVE-2012-2329 (Apache Request Header). CVE-2012-1823, CVE-2012-2311 (php-cgi bug "=")
• 0-days PHP GD bugs.

27. php-cgi bug "=" CVE-2012-1823
• The Bug: Index.php?-s will show the source; we can inject PHP command line arguments to the compiler.
• The attack: http://www.badguys.com/index.php-s

28. CVE-2012-2311 php-cgi bug "="

29. Demo

30. PHP GD Bugs

31. PHP GD
• Image processing algorithms.
• Takes input (images) and outputs a processed image.
• Could trigger memory corruption via input images and trigger code execution.

32. Detecting them.
• An Example of Our Exploration.
• Processed images insert meta tags, which inform about the PHP functions used.
• "CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 75"

33.
• We analyzed the source code of the GD engine and figured out the exact function used.
• Fuzzed using our GD Fuzzer, made a reliable exploit. 0-day

34. 0-days in GD Engine.

35. Demo

36. Thanks
• http://www.twitter.com/fb1h2s
• http://www.garage4hacers.com
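
The php-cgi argument injection from slides 27 and 28 (CVE-2012-1823, CVE-2012-2311) leaves a recognisable trace in web-server access logs. The following is an added example, not part of the original slides: it flags requests whose query string has no unencoded "=" and begins with "-" once URL-decoded. The log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Whitespace and control characters (0x00-0x20) stripped before the '-' check.
LEADING_JUNK = "".join(map(chr, range(33)))

def is_cgi_arg_injection(target: str) -> bool:
    """True when a CGI server would hand the query string to php-cgi as argv."""
    path, sep, query = target.partition("?")
    if not sep or not query:
        return False
    # RFC 3875 section 4.4: only a query with no unencoded '=' becomes
    # command-line arguments, so ordinary key=value requests are ignored.
    if "=" in query:
        return False
    # Decode and drop leading whitespace so that "%2ds" and "+-s" are caught too.
    decoded = unquote(query.replace("+", " ")).lstrip(LEADING_JUNK)
    return decoded.startswith("-")

def scan(lines):
    """Return (line_number, request_target) for every suspicious log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_cgi_arg_injection(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample log lines (addresses from a documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.11 - - [04/May/2012:10:00:02 +0000] "GET /index.php?id=-1 HTTP/1.1" 200 812',
    '192.0.2.12 - - [04/May/2012:10:00:03 +0000] "GET /index.php?%2ds HTTP/1.1" 200 5120',
    '192.0.2.13 - - [04/May/2012:10:00:04 +0000] "GET /search.php?q=php+-s HTTP/1.1" 200 900',
    '192.0.2.14 - - [04/May/2012:10:00:05 +0000] "GET /index.php?+-s HTTP/1.1" 200 5120',
    '192.0.2.15 - - [04/May/2012:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for n, target in scan(SAMPLE_LOG):
        print(f"line {n}: possible php-cgi argument injection: {target}")
```

A hit only shows that the request had the shape of the attack; whether it reached a php-cgi binary depends on how the server invokes PHP.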