Tuesday, 22 May 2012

CMS exploits


A path to experience

CMS exploit development has been running rampant around places like exploit-db for ages. I took to doing a few of my own with positive results a few months back. But why is it so popular? And is it really worth doing?

CMS sploiting for fun '; -- and profit

Content Management Systems (CMS), are used to make developing and running web sites simple. They come fully loaded with useful tools and db plugins, giving a quick, professional look. No wonder they are used in their droves to produce many of the web sites we visit. There are many to choose from and range from the strictly amateur to the professional/expensive.
Exploit development has been a serious past-time for the following reasons:
    - Many of them are open source
    - They can be set up offline, speeding up/legalising the hacking process
    - They are used in real life, so the results of finding vulns are more rewarding

CMSs are therefore a cheap, easy way to get into web exploit development and source code review. No wonder juniors everywhere are using them to cut their teeth on web app pen testing and exploit development.

But surely they have been done to death. Is it still worth it? Are their vulnerabilities out there?

CMS 2012

Certainly finding straight SQL injection on the home page is only going to be the case if you're looking at an old, poorly maintained or infrequently used CMS. Not really rewarding and unless you are just starting out, not very educational. You therefore have two options:
 #1 - Find low risk vulns (reflected XSS, CSRF)
 #2 - Dive into source code

I'm not going to talk about #1 aside from the fact that I'm not a fan. Instead I wanted to run through a better CMS analysis method. I'm afraid you will need to look at the source. This may take the fun out of it for most, but if you want to find a worthwhile vuln that is actually respectable, then you need to broaden your game.
    1. Start by grepping
        You need to know key functions that will give you the big wins. Things like exec(), sql_query() and fopen() are gold. If you can find these in the files, then you have a starting point.
    2. Find out their variables
        Do they take variables? If so start following the breadcrumbs. There are some basic tools for this but they aren't particularly good and may lead to false negatives. In any case, this is a learning process so take the time to do it by hand, at least at first. Are they in functions or classes? Are these functions or classes called anywhere?
    3. Edit the script to make life easier
        The joy of offline analysis is that you can change the code. Add in a few extra echos to help follow through the code as it gets executed. It won't be like that in the end, but then you will have the exploit ready and no longer need them.

That's really it. I wanted to write this because there is so much good development in the CMS community and they're getting stronger and stronger for it. It's also infinitely more rewarding to get code execution from a CMS that is really out there and being used. Far better than dull little unrealistic test sites. Just be ethical with your disclosure!

Wednesday, 9 May 2012

CSRF - improving the basic attack

CSRF is a low risk vuln for script kiddies

I think Cross site request forgery (CSRF, which I've always been alone in calling see-surf) gets a pretty bad rap, not least because script kiddies are flooding exploitdb with boring CSRF attacks against CMSs that no-one uses. But let's not write off CSRF as a bland client-side attack just because people are using it poorly. CSRF actually has very viable and useful applications that takes a little longer to create, but the results are totally worth it.

It all revolves around how we are trusted when we log in. Normally this means C-surfers go looking for all the functions that doesn't require creds or authentication to complete. Most half decent apps will therefore check and protect against this. But quite often they make a mistake.

A better surf

Lets take an example:
 Joe's email web portal allows users to log in and then allows passwords to be changed. Fearful of CSRFing, they make the user include their old password in the request. Solved! But of course the user is who they say they are, so don't limit them on retries when they get the password wrong....

Yep. We can run dictionary attacks through CSRF.

So is this so great? It's a little slow (maybe a couple of minutes to run through a decent dictionary and ultimately still limited to having people visit your site that have to be logged in to the site you want to hit to be vulnerable. So yes it's still a limited client side attack, but it's one that works on some pretty popular apps.
Just load a dictionary into a JavaScript array and run it in a loop. JavaScript can handle GET and POST.

The only problem is that it's blind. We could change 50 people's passwords with this attack, but how do we know it's worked, and to whom?

Consequences....did it work?

Obviously this is easy if there's other attack vectors, like XSS but then if you've got cross site, then you hardly need CSRFing. The important point here is that other lower vulns can be used alongside this one to build a more valid attack vector.

Enumeration of usernames allows trying the altered password against the list. As you're only trying one password on each account, it shouldn't cause a lockout.

CSRFing multiple points can make the attack victims more visible. Changing a profile value may be pretty lame by itself, but if it is done along side the password change, it would become a flag to compromised accounts.