FUSE: Finding File Upload Bugs via Penetration Testing (presentation slides; Taekjin Lee et al.)



SLIDE 1

FUSE: Finding File Upload Bugs via Penetration Testing

Taekjin Lee, Seongil Wi, Suyoung Lee, Sooel Son (KAIST)

SLIDE 2

Upload Functionality

  • Sharing user-provided content has become a de facto standard feature of modern web applications

SLIDE 3

File Uploading Procedure

[Figure: User A sends an upload request for NDSS.png (HTTP(S) POST) to the web server, where an extractor applies content-filtering checks (disable uploading specified file types) before the PHP interpreter and web application store the file.]

SLIDE 4

File Uploading Procedure

[Figure: User A uploads NDSS.png as on the previous slide; the web server's extractor runs the content-filtering checks and the file is stored. User B then accesses and downloads it at https://wsplab.com/NDSS.png.]

SLIDE 5

Disable Uploading Malicious Files

[Figure: an attacker sends an upload request for webshell.php, containing `<?php system('ls'); ?>`; the web server's extractor runs the content-filtering checks and discards webshell.php before it reaches the PHP interpreter and web application.]

SLIDE 6

Content-filtering Checks

The content-filtering check, in PHP (the slide's own code; the rest of the blacklist is elided on the slide, and ext(), move() and message() are the slide's placeholder helpers):

```php
<?php
// Blacklist-based check: reject a few known-dangerous extensions,
// move anything else into the upload directory.
$black_list = array('js', 'php', 'html' /* ... */);
if (!in_array(ext($file_name), $black_list)) {
    move($file_name, $upload_path);
} else {
    message('Error: forbidden file type');
}
?>
```

[Figure: the PHP interpreter runs this check on webshell.php (`<?php system('ls'); ?>`) and answers "Error: forbidden file type".]

SLIDE 7

File Upload Vulnerabilities - Server Side

[Figure: the attacker's upload request for webshell.php (`<?php system('ls'); ?>`) reaches the web server's extractor and content-filtering checks. What happens if the file is stored instead of discarded?]

Potential code execution: Unrestricted File Upload (UFU)

SLIDE 8

File Upload Vulnerabilities - Server Side

[Figure: webshell.php (`<?php system('ls'); ?>`) has passed the content-filtering checks and is stored by the web application (potential code execution: Unrestricted File Upload, UFU). The attacker then accesses https://wsplab.com/webshell.php.]

Arbitrary code execution via a URL: Unrestricted Executable File Upload (UEFU)

SLIDE 9

File Upload Vulnerabilities - Client Side

[Figure: the attacker's upload request for xss.html (`<html><script>alert('xss');</script></html>`) passes the content-filtering checks and is stored (Unrestricted File Upload, UFU); a victim then accesses https://wsplab.com/xss.html.]

Arbitrary code execution via a URL: Unrestricted Executable File Upload (UEFU)

SLIDE 10

How to Find UEFU Vulnerabilities?

[Figure: the attacker's upload request carrying an executable file has to get past the web server's extractor and content-filtering checks.]

#1: Bypassing application-specific checks

SLIDE 11

How to Find UEFU Vulnerabilities?

[Figure: as on the previous slide, plus a victim accessing the stored executable at https://wsplab.com/Executable.]

#1: Bypassing application-specific checks
#2: Preserving the execution semantic

SLIDE 12

#2: Preserving the Execution Semantic

[Figure: the attacker renames webshell.php to webshell.foo (php → foo), keeping the content `<?php system('ls'); ?>`, and the upload request passes the content-filtering checks.]

#1: Bypassing application-specific checks

SLIDE 13

#2: Preserving the Execution Semantic

[Figure: webshell.foo (`<?php system('ls'); ?>`) is stored (potential code execution), and the attacker accesses https://wsplab.com/webshell.foo.]

#1: Bypassing application-specific checks
#2: Preserving the execution semantic: a web server does not execute webshell.foo (not a PHP-style extension)

SLIDE 14

Summary

[Figure: the attacker's upload request carrying an executable file passes the web server's extractor and content-filtering checks; a victim accesses it at https://wsplab.com/Executable.]

#1: Bypassing application-specific checks
#2: Preserving the execution semantic

SLIDE 15

Previous Studies

  • Static analysis
    − Pixy, Oakland ’06
    − Merlin, PLDI ’09
  • Dynamic analysis
    − Saner, Oakland ’08
    − Riding out DOMsday, NDSS ’18
  • Symbolic execution
    − NAVEX, USENIX ’18
    − SAFERPHP, PLAS ’11

Few studies have addressed finding U(E)FU vulnerabilities!

SLIDE 16

How do we address all these challenges?

SLIDE 17

We propose FUSE

SLIDE 18

Our Approach

[Figure: FUSE sends an initial upload request to the web server; the extractor's content-filtering checks reject it.]

SLIDE 19

Our Approach - Mutate Upload Request

[Figure: after the initial request is rejected, FUSE sends a mutated upload request; one that passes the content-filtering checks reveals a UEFU vulnerability.]

SLIDE 20

Our Approach

[Figure: FUSE sends an initial upload request; an executable that passes the content-filtering checks is reachable by a victim at https://wsplab.com/Executable.]

#1: Bypassing application-specific checks
#2: Preserving the execution semantic

Investigate root causes of U(E)FU bugs
Analyze web servers and browsers

SLIDE 21

Our Approach

[Figure: as on the previous slide.]

Investigate root causes of U(E)FU bugs
Analyze web servers and browsers

SLIDE 22

Mutate Upload Request

[Figure: FUSE mutates the initial upload request.]

Investigate root causes of U(E)FU bugs
Analyze web servers and browsers
Design 13 mutation operations

SLIDE 23

Our Goal: Finding U(E)FU Bugs

[Figure: FUSE components: Mutator → Mutated upload request → Uploader]

SLIDE 24

Our Goal: Finding U(E)FU Bugs

[Figure: FUSE components: Mutator → Mutated upload request → Uploader → Upload information → Validator → UFU and UEFU vulnerabilities]

SLIDE 25

Upload Request

[Figure: FUSE sends an upload request, consisting of a filename, a content-type and content, to the web server.]

SLIDE 26

Upload Request

Upload request for xss.html:
  filename: xss.html
  content-type: text/html
  content: <html><script>alert('xss');</script></html>

SLIDE 27

Mutation Objectives

Content-filtering checks. Five objectives trigger common mistakes in implementing these checks:

```
if (finfo_file(content) not in expected_type) reject(file);
if (ext(file_name) not in expected_ext)       reject(file);
if (expected_keyword in content)              reject(file);
if (content_type not in expected_type)        reject(file);
accept(file)
```

Upload request: filename xss.html; content-type text/html; content <html><script>alert('xss');</script></html>

SLIDE 28

Mutation Objectives #1: Exploiting the absence of content-filtering checks

Content-filtering checks:

```
if (finfo_file(content) == 'text/html') reject(file);
if (ext(file_name) == 'php')            reject(file);
if ('<?php' in content)                 reject(file);
if (content_type == 'text/html')        reject(file);
accept(file)
```

No mutation. Upload request: filename xss.html; content-type text/html; content <html><script>alert('xss');</script></html>

SLIDE 29

Mutation Objectives #2: Causing incorrect type inferences based on content

Content-filtering checks: as on slide 28.

M1: Prepending a resource header. A PNG header (\x89\x50\x4e\x47\x0d\x0a\x1a...) is prepended to the content, so finfo_file() infers 'image/png'.

Upload request: filename xss.html; content-type text/html; content \x89\x50\x4e\x47\x0d\x0a\x1a... <html><script>alert('xss');</script></html>

SLIDE 30

Mutation Objectives #3: Exploiting incomplete blacklist based on extension

Content-filtering checks: as on slide 28.

M4: Changing a file extension. webshell.php becomes webshell.php5, so ext(file_name) is 'php5' and the check for 'php' does not match.

Upload request: filename webshell.php → webshell.php5; content-type application/x-php; content <?php system('ls'); ?>

SLIDE 31

Mutation Objectives #4: Bypassing keyword checks based on content

Content-filtering checks: as on slide 28.

M5: Replace PHP tags with short tags. '<?php' becomes '<?', so the keyword check for '<?php' does not match.

Upload request: filename webshell.php; content-type application/x-php; content <?php system('ls'); ?> → <? system('ls'); ?>

SLIDE 32

Mutation Objectives #5: Bypassing filtering logic based on content-type

Content-filtering checks: as on slide 28.

M3: Changing the content-type of an upload request. text/html becomes 'image/png'.

Upload request: filename xss.html; content-type text/html → image/png; content <html><script>alert('xss');</script></html>

SLIDE 33

Combinations of Mutation Operations

Content-filtering checks: as on slide 28.

M1: Prepending a resource header + M3: Changing the content-type of an upload request. The PNG header makes finfo_file() infer 'image/png', and the content-type field is set to 'image/png' as well.

Upload request: filename xss.html; content-type text/html → image/png; content \x89\x50\x4e\x47\x0d\x0a\x1a... <html><script>alert('xss');</script></html>
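The five mutation objectives on slides 27 to 33 all hit the same defect: every check is an exact-match blacklist on a field the client controls. The Python below is an added example, not code from the FUSE slides or the FUSE repository. It models the slide-28 checks as `weak_filter`, writes a hardened allowlist check as `hardened_filter`, and runs both against requests transformed by the slides' operations M1, M3, M4, M5 and M11 (plus the slide-6 idea of an extension list). `sniff` is a deliberately small stand-in for PHP's `finfo_file()`, and the allowlist, the sample requests and all helper names are constructed for the example.

```python
"""Added example: the slide-28 content-filtering checks (weak_filter) next to
an allowlist check (hardened_filter), both exercised with the mutation
operations M1, M3, M4, M5 and M11 described on the slides.
Not FUSE's code; sniff() is a constructed stand-in for PHP's finfo_file()."""
import secrets
from dataclasses import dataclass, replace

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # the \x89\x50\x4e\x47\x0d\x0a\x1a... header of slide 29
JPEG_MAGIC = b"\xff\xd8\xff"


@dataclass(frozen=True)
class UploadRequest:
    """The three fields of an upload request named on slide 25."""
    filename: str
    content_type: str
    content: bytes


def sniff(content: bytes) -> str:
    """Simplified model of finfo_file(): magic bytes win, then leading text."""
    if content.startswith(PNG_MAGIC):
        return "image/png"
    if content.startswith(JPEG_MAGIC):
        return "image/jpeg"
    head = content[:512].lstrip().lower()
    if head.startswith(b"<?"):                     # '<?php' and the short tag '<?'
        return "application/x-php"
    if head.startswith((b"<html", b"<!doctype html")):
        return "text/html"
    return "application/octet-stream"


def ext(filename: str) -> str:
    """Extension after the last dot, as the slide's ext() helper implies."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""


def weak_filter(req: UploadRequest) -> bool:
    """Slide 28 transcribed: four exact-match blacklist checks, then accept."""
    if sniff(req.content) == "text/html":
        return False
    if ext(req.filename) == "php":
        return False
    if b"<?php" in req.content:
        return False
    if req.content_type == "text/html":
        return False
    return True


# Allowlist: extension -> (MIME type the server will serve, required magic bytes)
ALLOWED = {"png": ("image/png", PNG_MAGIC),
           "jpg": ("image/jpeg", JPEG_MAGIC),
           "jpeg": ("image/jpeg", JPEG_MAGIC)}


def hardened_filter(req: UploadRequest):
    """Allowlist on the lower-cased final extension, magic bytes must match it,
    the client's Content-Type is ignored, and the stored name is server-chosen.
    Returns (stored_name, mime_to_serve) or None when the upload is rejected."""
    e = ext(req.filename).lower()
    if e not in ALLOWED:
        return None
    mime, magic = ALLOWED[e]
    if not req.content.startswith(magic) or sniff(req.content) != mime:
        return None
    return f"{secrets.token_hex(16)}.{e}", mime


# The slides' mutation operations, as regression vectors for a filter.
def m1_prepend_header(req, magic=PNG_MAGIC):       # M1: prepend a resource header
    return replace(req, content=magic + req.content)

def m3_change_content_type(req, ct="image/png"):   # M3: change the content-type
    return replace(req, content_type=ct)

def m4_change_extension(req, new_ext="php5"):      # M4: change the file extension
    return replace(req, filename=req.filename.rsplit(".", 1)[0] + "." + new_ext)

def m5_short_tags(req):                            # M5: '<?php' -> '<?'
    return replace(req, content=req.content.replace(b"<?php", b"<?"))

def m11_uppercase_extension(req):                  # M11: extension to upper case
    stem, e = req.filename.rsplit(".", 1)
    return replace(req, filename=f"{stem}.{e.upper()}")


# Constructed seeds mirroring the slides' example files.
SEED_PHP = UploadRequest("webshell.php", "application/x-php", b"<?php system('ls'); ?>")
SEED_HTML = UploadRequest("xss.html", "text/html", b"<html><script>alert('xss');</script></html>")
GENUINE_PNG = UploadRequest("photo.png", "image/png", PNG_MAGIC + b"\x00\x00\x00\rIHDR")

VECTORS = {
    "seed php": SEED_PHP,
    "M4 php5": m4_change_extension(SEED_PHP),
    "M4+M5 php5 short tag": m5_short_tags(m4_change_extension(SEED_PHP)),
    "M11+M5 uppercase": m5_short_tags(m11_uppercase_extension(SEED_PHP)),
    "seed html": SEED_HTML,
    "M1+M3 png header": m3_change_content_type(m1_prepend_header(SEED_HTML)),
    "genuine png": GENUINE_PNG,
}


def evaluate() -> dict:
    """For every vector: (accepted by weak_filter, accepted by hardened_filter)."""
    return {name: (weak_filter(r), hardened_filter(r) is not None)
            for name, r in VECTORS.items()}


if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name:22s} weak={'ACCEPT' if weak else 'reject':6s} "
              f"hardened={'ACCEPT' if hard else 'reject'}")
```

Running it shows the slide-28 checks accepting the php5 + short-tag request, the upper-cased extension and the PNG-prefixed HTML, while the allowlist accepts only the genuine PNG. The allowlist only narrows what gets stored; the second half of the defence is the execution-semantic side from slide 13: serve the stored file under its allowlisted MIME type with `X-Content-Type-Options: nosniff`, so a PNG-prefixed HTML file stored as .png is rendered as a broken image rather than a page, and keep the PHP-style extension list in step with the server's actual handler configuration rather than a hand-written blacklist.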

SLIDE 34

More in the Paper

  • M2: Inserting a seed into metadata
  • M6: Converting HTML into EML
  • M7: Removing a file extension
  • M8: Converting a file in SVG
  • M9: Prepending an HTML comment
  • M10: Changing a file extension to an arbitrary string
  • M11: Converting a file extension to uppercase
  • M12: Prepending a file extension
  • M13: Appending a resource header


SLIDE 35

Evaluation

[Figure: FUSE components: Mutator → Mutated upload request → Uploader → Upload information → Validator → UFU and UEFU vulnerabilities]

SLIDE 36

Experimental Setup

  • 33 popular PHP web applications
  • Web server: Apache 2.4
  • PHP engine: PHP 5.6, 7.0, 7.1

Applications: WordPress, Joomla, Concrete5, OsCommerce2, Monstra, Drupal, ZenCart, Bludit, Textpattern, CMSMadeSimple, Pagekit, Backdrop, CMSimple, Composr, OctoberCMS, phpBB3, Elgg, Microweber, XE, SilverStripe, ECCube3, GetSimpleCMS, DotPlant2, MyBB, HotCRP, Subrion, SymphonyCMS, AnchorCMS, WeBid, Collabtive, X2engine, ClipperCMS, Codiad

SLIDE 37

Real-World UEFU Finding

  • Found 30 UEFU vulnerabilities in 23 applications with 176 distinct upload requests
    − WordPress, Concrete5, OsCommerce2, ZenCart, …
  • Reported all the vulnerabilities
    − 15 CVEs from 9 applications
  • 8 bugs have been patched
  • 5 bugs are being patched

SLIDE 38

Case Study - Microweber

Content-filtering checks:

```
if (finfo_file(content) == 'application/x-php') reject(file);
if (ext(file_name) == 'php')                    reject(file);
if ('<?php' in content)                         reject(file);
if (content_type == 'text/html')                reject(file);
accept(file)
```

M13: Appending a resource header + M4: Changing a file extension. The 8-byte header of a JPG file (\xff\xd8\xff\xee\x00\x10JF) is appended to the content, so finfo_file() reports 'application/octet-stream' rather than 'application/x-php', and the extension is changed to 'pht'.

Upload request: filename webshell.php → webshell.pht; content-type application/x-php; content <?php system('ls'); ?> → <?php system('ls'); ?> \xff\xd8\xff\xee\x00\x10JF

SLIDE 39

vs. State-of-the-Art

  • Fuxploider: open-source upload vulnerability scanning tool
  • UploadScanner: an extension for Burp Suite Pro, a commercial platform for web application security testing
  • Ran on the same benchmarks and counted vulnerabilities

Vulnerability (Seed)   FUSE   Fuxploider   UploadScanner
UEFU (PHP)             12     7            5
UEFU (HTML)            23     N/A          14
UFU (JS)               26     N/A          21

SLIDE 40

Why did FUSE find more bugs than the others?

Vulnerability (Seed)   FUSE   Fuxploider   UploadScanner
UEFU (PHP)             12     7            5
UEFU (HTML)            23     N/A          14
UFU (JS)               26     N/A          21

  • Better extension coverage (pht, php7, …)
  • Better mutation operation coverage
    − M9: Prepending an HTML comment
    − M13: Appending a resource header
    − Combination: M4+M13
  • Implementation issues
    − Retrieving URLs

SLIDE 41

Vulnerability Causes

Causes     Description                                           UFU + UEFU bugs found
#1         Exploiting the absence of checks                      27
#2         Causing incorrect type inferences based on content    5
#3         Exploiting incomplete blacklist based on extension    35
#4         Bypassing keyword checks based on content             6
#5         Bypassing checks based on content-type                5
#2+#3      Combined operation                                    6
#2+#3+#4   Combined operation                                    1

Inferring upload file types based on user-provided extensions opens a door for further attacks.

SLIDE 42

Limitation

  • There may exist other mutation operations that we didn’t consider
  • Manually examined the execution constraints of browsers and PHP interpreters

SLIDE 43

Conclusion

  • Propose FUSE, a penetration testing tool designed to find U(E)FU vulnerabilities
  • Present 13 operations that mutate upload requests to bypass content-filtering checks while remaining executable in target execution environments
  • Found 30 UEFU vulnerabilities, including 15 CVEs, from 33 PHP applications

SLIDE 44

Open Science


https://github.com/WSP-LAB/FUSE

SLIDE 45

Questions?

SLIDE 46

Previous Work: UChecker, DSN ’2019

[Figure: the attacker's upload request carrying executable PHP meets the web server's extractor and content-filtering checks; UChecker analyzes the checks by conducting symbolic execution.]

SLIDE 47

Previous Work: UChecker, DSN ’2019

[Figure: as on the previous slide.]

#1: Bypassing application-specific checks
#2: Preserving the execution semantic
Reachability constraint; extension constraint

SLIDE 48

Challenges in UChecker

[Figure: as on the previous slides.]

Reachability constraint and extension constraint: require deep understanding; limited search space

Found only 3 bugs from 9,160 WordPress plugins

SLIDE 49

Seed Files

  • We selected these file types because they are directly involved in code executions (CEs) or potential code executions (PCEs) in Web execution environments.

SLIDE 50

Why XHTML Seed File?

  • More structural
  • Stricter grammar, so the mutation is different
  • Its MIME type differs from that of HTML

SLIDE 51

vs. State-of-the-Art

  • First attempt to find UEFU vulnerabilities by leveraging penetration testing
  • Baseline for further research
  • More comprehensive mutation operations
    − M5: Replacing PHP tags with short tags
    − M7: Removing a file extension
    − M9: Prepending an HTML comment
    − M10: Changing a file extension to an arbitrary string
    − M13: Appending a resource header
  • Comprehensive combination of mutation operations
  • File monitoring system

SLIDE 52

vs. Symbolic Execution

  • Modeling the relationships of the symbols for various PHP built-in functions is different
  • Hard to pinpoint the reachable sink from the source
  • Path explosion
  • Penetration testing is more efficient

SLIDE 53

Admin Required

  • Among the 30 UEFU vulnerabilities, 14 bugs required an administrator-level privilege for their exploitation
  • Web hosting administrators often separate application administrators from host management
  • CSRF…

SLIDE 54

Execution Constraints

  • We manually analyzed the source code of Chrome 74, Firefox 68, eight different versions of Apache mod_php modules, and PHP 5.6 interpreter engines

SLIDE 55

Execution Constraints

  • A PHP interpreter executes a PHP file that contains the PHP start tag (i.e., <?php or <?)
  • An Apache mod_php module requires an executable PHP file to have one of the seven PHP-style file extensions (e.g., php3, phar) for its execution via direct URL invocations
  • In the Chrome and Firefox browsers, we also identified that an executable HTML file must start with pre-defined start tags within its first 512 bytes, with subsequent valid HTML code
  • An executable XHTML file shares the same constraints as the HTML case but requires the presence of xmlns tags
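The four constraints on this slide can be turned into a server-side check that classifies stored content by whether one of these execution environments would run it, independent of the client-supplied Content-Type, and that reproduces the UFU-versus-UEFU distinction of slides 7, 8 and 13 in code. The Python below is an added example, not the analysis code of the FUSE project. `PHP_STYLE_EXTENSIONS` holds only the extensions named on these slides and is an assumption about the real Apache `mod_php` handler configuration (the slide says there are seven), `HTML_START_TAGS` is a constructed stand-in for the browsers' pre-defined start tags, and the sample files are constructed.

```python
"""Added example (not FUSE project code): the execution constraints on this
slide as a check that classifies stored content by whether a PHP interpreter,
Apache mod_php or a browser would execute it, whatever the client claimed."""
import re

# Assumption: only the PHP-style extensions named on these slides. The slide
# says mod_php accepts seven; the authoritative list is the server's own
# handler configuration (e.g. Apache's FilesMatch for the PHP handler).
PHP_STYLE_EXTENSIONS = {"php", "php3", "php5", "php7", "phar", "pht"}

# Constructed stand-in for the browsers' pre-defined HTML start tags.
HTML_START_TAGS = (b"<!doctype", b"<html", b"<head", b"<body", b"<script",
                   b"<iframe", b"<svg", b"<!--")
SNIFF_WINDOW = 512                 # the slide: start tag within the first 512 bytes

# '<?php', '<?=' or a bare '<?' followed by whitespace (the short tag).
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=|\s)")


def final_extension(filename: str) -> str:
    """The part after the last dot, lower-cased; '' when there is none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def contains_php_start_tag(content: bytes) -> bool:
    """Constraint 1: a PHP interpreter executes any file containing a start tag."""
    return PHP_OPEN_TAG.search(content) is not None


def has_html_start_tag(content: bytes) -> bool:
    """Constraint 3: after optional leading whitespace, one of the start tags
    must open the file within its first 512 bytes."""
    window = content[:SNIFF_WINDOW].lstrip().lower()
    return window.startswith(HTML_START_TAGS)


def looks_xhtml(content: bytes) -> bool:
    """Constraint 4: the HTML constraints plus an xmlns declaration."""
    return has_html_start_tag(content) and b"xmlns" in content[:SNIFF_WINDOW].lower()


def classify_php(filename: str, content: bytes):
    """Slides 7, 8 and 13 in code: PHP code under a PHP-style extension is
    UEFU (mod_php runs it on a direct URL request); under any other extension
    it is only UFU (stored, but webshell.foo is not executed). None when the
    content has no PHP start tag at all."""
    if not contains_php_start_tag(content):
        return None
    return "UEFU" if final_extension(filename) in PHP_STYLE_EXTENSIONS else "UFU"


def execution_risks(filename: str, content: bytes) -> set:
    """Every constraint the stored file would satisfy; an empty set means none."""
    risks = set()
    php = classify_php(filename, content)
    if php:
        risks.add("php-" + php.lower())
    if has_html_start_tag(content):
        risks.add("html")
    if looks_xhtml(content):
        risks.add("xhtml")
    return risks


def safe_to_store(filename: str, content: bytes) -> bool:
    """Policy for an upload handler: refuse anything that satisfies a constraint."""
    return not execution_risks(filename, content)


# Constructed samples mirroring the files on the slides.
WEBSHELL = b"<?php system('ls'); ?>"
SHORT_TAG = b"<? system('ls'); ?>"
XSS_HTML = b"  <html><script>alert('xss');</script></html>"
XSS_XHTML = b'<html xmlns="http://www.w3.org/1999/xhtml"><script>alert("xss");</script></html>'
PNG_FILE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    for name, content in [("webshell.php", WEBSHELL), ("webshell.foo", WEBSHELL),
                          ("webshell.pht", SHORT_TAG), ("page.png", XSS_XHTML),
                          ("photo.png", PNG_FILE)]:
        print(f"{name:14s} risks={sorted(execution_risks(name, content))} "
              f"safe={safe_to_store(name, content)}")
```

The check is content-first on purpose: `webshell.foo` is reported as UFU even though mod_php would not run it, because a later rename, a second vulnerability or a different handler configuration can turn stored PHP into executable PHP. The HTML result is likewise independent of the file name, since which Content-Type the server attaches on download, not the name the client sent, decides whether a browser treats the bytes as a page.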

SLIDE 56

SLIDE 57

Chain Length


SLIDE 58

CVEs


SLIDE 59

Mutation Conflicts

  • For a given operation (M1), we defined a conflicting mutation (M2) as when
    1. both M1 and M2 revise the same portion of a mutation vector, or
    2. M1 combined with M2 causes a CE failure, thus rendering M2 unnecessary.

SLIDE 60

SLIDE 61

How the Validator Works

  • 1. Check uploading
  • 2. Extract URL
    − Common prefix of URLs
    − Upload response and summary webpage
    − File monitor
  • 3. Validate bugs
    − PHP: string checking
    − HTML, JS, XHTML: check whether the Content-Type header in the response is among our selection of 10 MIME types
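Steps 2 and 3 of the validator can be reproduced offline on captured responses. The Python below is an added example, not the FUSE validator's code: step 2 appears as the common-prefix heuristic over known upload URLs, and step 3 as the PHP string check and the Content-Type check. The marker seed, the raw responses and the list of executable MIME types (the slide counts 10 but does not name them) are all constructed for the example. For a defender the same functions double as a deployment check that files fetched back from the upload directory arrive with a non-executable Content-Type.

```python
"""Added example (not the FUSE validator's code): steps 2 and 3 of the slide
applied to constructed data. URL extraction uses the common prefix of known
upload URLs; validation reads a raw HTTP response and decides whether the
uploaded file was executed (PHP) or served with an executable type (HTML/JS)."""
import os

# Assumption: the slide says the validator uses 10 MIME types but does not
# list them; these are constructed examples of types a browser executes.
EXECUTABLE_MIME_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/javascript", "application/javascript", "application/x-javascript",
}

# Constructed PHP seed: prints a marker so "string checking" has a string to find.
PHP_MARKER = "fuse-marker-7f3a"
PHP_SEED = f"<?php echo '{PHP_MARKER}'; ?>"


def common_url_prefix(urls) -> str:
    """Step 2: the directory shared by previously observed upload URLs."""
    prefix = os.path.commonprefix(list(urls))
    return prefix[: prefix.rfind("/") + 1]


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def served_content_type(headers: dict) -> str:
    """Media type without parameters: 'text/html; charset=UTF-8' -> 'text/html'."""
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()


def validate_php(raw: bytes) -> str:
    """Step 3, PHP seed: string checking. The source text in the body means the
    file was served verbatim (stored, not run: UFU only); the marker without the
    source means the interpreter executed it (UEFU). The source is tested first
    because the unexecuted seed contains the marker as well."""
    status, _, body = parse_response(raw)
    if status != 200:
        return "not-reachable"
    text = body.decode("utf-8", "replace")
    if "<?php" in text or ("<?" in text and "?>" in text):
        return "UFU"
    if PHP_MARKER in text:
        return "UEFU"
    return "not-executed"


def validate_html(raw: bytes) -> str:
    """Step 3, HTML/JS/XHTML seeds: executable only if served with 200 and an
    executable Content-Type; anything else is a stored but inert upload (UFU)."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return "not-reachable"
    if served_content_type(headers) in EXECUTABLE_MIME_TYPES:
        return "UEFU"
    return "UFU" if body else "not-executed"


# Constructed responses standing in for what the uploader would fetch back.
EXECUTED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n" + PHP_MARKER.encode()
VERBATIM = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + PHP_SEED.encode()
MISSING = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>Not Found</h1>"
HTML_AS_HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><script>alert('xss');</script></html>"
HTML_AS_IMAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nX-Content-Type-Options: nosniff\r\n\r\n"
                 b"<html><script>alert('xss');</script></html>")

if __name__ == "__main__":
    print(common_url_prefix(["https://wsplab.com/uploads/a.png", "https://wsplab.com/uploads/b.jpg"]))
    for label, raw in [("executed", EXECUTED), ("verbatim", VERBATIM), ("missing", MISSING)]:
        print(f"php  {label:9s} -> {validate_php(raw)}")
    for label, raw in [("as html", HTML_AS_HTML), ("as image", HTML_AS_IMAGE)]:
        print(f"html {label:9s} -> {validate_html(raw)}")
```

The last sample is the configuration a defender wants to see: the stored HTML comes back with an explicit non-executable Content-Type and `X-Content-Type-Options: nosniff`, so `validate_html` reports UFU rather than UEFU, which is exactly the difference between a file the browser renders as a page and one it refuses to interpret.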