
Re: Hack attempt



On Fri 23/07/2004 at 04:04, Alex Derkach wrote:
> Not really an exploit IMO. It is a feature in PHP which you should 
> disable if you don't use it. (Edit php.ini OR httpd.conf and add a 
> disable_functions directive).

IMHO, if the exploit is quite simple, it points out strong issues
regarding this webserver's configuration:

. Web application is poorly developed
	. technique shows direct usage of user input and no validation
	  (baaad)
  This is a common web app vulnerability. User input must never be
  trusted and must be validated in any case.

. PHP is not configured properly:
	. technique shows the fopen URL wrapper set to 1 (baaaad)
	. successful command execution shows safe_mode deactivated
  PHP safe_mode allows one to put restrictions on stuff like file
  inclusion from scripts, command execution, uploading, etc.

. Webserver host is poorly filtered
	. actions show the intruder is able to download stuff from the
	  Internet, then probably bind a shell, launch eggdrop and so on
  The host should be restricted to only the connections it is supposed
  to receive and initiate, no more. This can prevent an intruder from
  performing a complete intrusion. In this case, proper network
  filtering could have prevented the host from including a distant URL...

> You shouldn't be too worried, the 'hacker' can't get access to
> anything that the web server user doesn't have access to, but don't
> take any chances either. (a simple rm -rf can wipe you out and leave
> you wishing you had backups)

I disagree. Considering the fact that there are a lot of kernel local
root exploits around, there's not much to do to get a root shell if the
server has strong availability restrictions that could have refrained
the admin from upgrading the kernel. Not to mention vulnerable third
party applications... The intruder's actions have to be verified in
order to validate the fact that he couldn't get further privileges.

Anyway, to my mind, this webserver should be completely wiped,
reinstalled and reconfigured properly from a clean system base,
implementing strong restrictions for web apps and correct filtering of
network connections. A good start for a secure PHP installation can be:

	http://www.linuxsecurity.com/feature_stories/feature_story-117.html

There are a lot of papers on web app security around.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
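The pattern the reply describes (user input passed straight to include() while the fopen URL wrapper is on), beside a hardened version that maps input to a fixed allowlist, plus a runtime check of the php.ini settings named in the thread. This is an added example, not code from the thread; the page names, the `pages/` directory and the function names are hypothetical.

```php
<?php
// BEFORE: the flaw the thread describes. With allow_url_fopen=1 the
// "page" parameter can name a remote URL and PHP will fetch and run it.
function load_page_unsafe(string $page): void
{
    include $page; // user input used directly, no validation
}

// AFTER: user input never reaches include(); it only selects an entry
// from a fixed allowlist (hypothetical page names).
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolve_page(string $page): ?string
{
    // Unknown or malformed names (URLs, "../", etc.) map to null.
    return ALLOWED_PAGES[$page] ?? null;
}

function load_page_safe(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/pages/' . $file; // fixed directory, known file
}

// Runtime audit of the directives the thread calls out. safe_mode is
// not checked: it was removed in PHP 5.4, so ini_get() returns false.
function audit_php_config(): array
{
    $findings = [];
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_fopen=1: include()/fopen() accept remote URLs';
    }
    if (trim((string) ini_get('disable_functions')) === '') {
        $findings[] = 'disable_functions is empty: exec/system/passthru callable';
    }
    return $findings;
}

// Usage: load_page_safe($_GET['page'] ?? 'home');
// Expected fix in php.ini: allow_url_fopen = Off and, for example,
// disable_functions = exec,passthru,shell_exec,system,popen,proc_open
```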