Web-App Remote Code Execution Via Scripting Engines by Rahul Sasi at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html

1. Web-App Remote Code Execution
Via Scripting Engines.
Rahul Sasi(fb1h2s)

2. Who am I ?
• Rahul Sasi (fb1h2s)
• Security Researcher @
• Member Garage4Hackers.

3. Garage 4 Hackers
Information Security
professionals from
Fortune 500, Security
research and Consulting
firms from all across the
world.
•Security Firms
•Consulting Firms
•Research Firms
•Law Enforcements
http://www.Garage4Hackers.com

4. I

5. • Offensive Security(Hacking) is Money Making
Business.
• Defensive Security , sort of an investment or
many considers it waste of money.

6. Why Offensive Security?

7. Web-App Remote Code Execution
Via Scripting Engines.

8. What is the Difference between a Web
App Pen-tester and a Paid Hacker with
Malicious Intend ?

9. Web App-Pen tester is paid and given
One week to find all the vulnerabilities
in the Application.
Hacker is paid with no time constrains
to find just one vulnerability to get into
the system.

10. Attacking Web Applications via
Scripting Engines .

11. Agenda
• Apache PHP Architecture .
• Web App Exploitation
• Local PHP Vulnerabilities.
• Source Code Auditing.
• Memory Corruptions . [ROP Chains]
• Remote PHP Vulnerabilities
• File formats and Remote Exploitation.

12. Common Web Test
• Manipulates Input and check for responses
from the app.
• Exploiting Scripting Engines.

14. Digging Deep for Treasure.
Exploiting Scripting Engines
• PHP
• ASPX (.NET)
• Python
• Perl
• Etc..

15. PHP Architecture

16. PHP + Apache Security Architecture
for

17. Attacking PHP Engines
• For Privilege Escalation
• Code Execution in Protected Environments
• Bypassing Security Restrictions

18. PHP Local Exploits

19. Attacking PHP Engines
Local Attacks
• History of PHP Exploits Used in the Wild
PHP Symlink Exploit
PHP Nginx Exploit
• 0days
 PHP Windows COM 0-day

20. PHP Symlink Exploit
• Privilege Escalation
• IF pak.com and IN.com are on the same
server.
Used Widely
• Demo

21. 0-days (Win)
• 0-day Markets.
 Huge 10,000 USD
• PHP Dom 0-day on Windows
• The Vulnerable Function
• Com_event_sink()
• ROP Chains

22. Php Com_event_sink()

23. The Bug

24. Code Execution (ROP ing)
• The general idea is to use the already existing
pieces of code and redirect the flow of the
application.
• Add the desired Shellcode and jump to it.

25. Code Execution
• Get an Interactive Shell on the System.

26. Remote Exploits

27. Attacking PHP :
Remote Exploits:
• History Of Bugs:
 CVE-ID: 2012-0057, Arbitrary file creation via libxslt.
 CVE-2012-2329 (Apache Request Header)
CVE-2012-1823,CVE-2012-2311 ( php-cgi bug “=“ )
• 0-days
 PHP GD bugs.

28. php-cgi bug “=“ CVE-2012-1823
• The Bug
Index.php?-s
 Will show the source, we can inject PHP
command line arguments to the compiler.
The attack.
http://www.badguys.com/index.php-s

29. CVE-2012-2311 php-cgi bug “=“

30. Demo

31. PHP GD Bugs

32. PHP GD
• Image processing Algorithms .
• Takes input (images) and output processed
image
• Could trigger memory corruption via Input
images and trigger code execution.

33. Detecting them .
• An Example of Our Exploration .
• Processed Images insert Meta tags , which
informs about the PHP functions used.
• “CREATOR: gd-jpeg v1.0 (using IJG JPEG v80),
quality = 75”

34. • We Analyzed the Source code of GD engine
and figured out the exact function used.
• Fuzzed using our GD Fuzzer , made a reliable
exploit. 0-day

35. 0-days in GD Engine.

36. Demo

37. Thanks
• http://www.twitter.com/fb1h2s
• http://www.garage4hacers.com