Abusing?PHP?Sockets For?Fun?And?Profit

2013 年 2 月 14 日4040

? ?

Abusing?PHP?Sockets

For?Fun?And?Profit

Rodrigo?Marcos

rodrigo.marcos@secforce.co.uk

www.secfoce.co.uk

OWASP?April?2008

? ?

Agenda

鈼 Introduction

鈼 Windows?Sockets?Reuse

鈼 Apache?Web?Server

鈼 PHP?Socket?Library

鈼 Vectors?of?Attack

鈼 Demo

鈼 Conclusions

? ?

Introduction

鈼 Lot's?of?research?on?Apache

鈼 Lot's?of?research?on?PHP?applications

鈼 This?talk?will?focus?on?PHP?functionality?from?an?

offensive?point?of?view

鈼 Interesting?vectors?of?attack?re-using?Windows?

sockets

? ?

Windows?Socket?Reuse

鈼 The?SO_REUSEADDR?socket?option?allows?a?

socket?to?forcibly?bind?to?a?port?in?use?by?

another?socket

鈼 The?behaviour?is?non-deterministic?when?used?

on?the?same?interface

鈼 However,?we?can?take?advance?of?Windows?

interface?precedence:?Local?interface?precede?

0.0.0.0?and?makes?the?attack?reliable

? ?

Windows?Socket?Reuse

鈼 Windows?Sockets?introduced?the?

SO_EXCLUSIVEADDRUSE?socket?option?and?

recommends?its?use?on?server?applications

http://http://www.zjjv.com///en-us/library/ms740621(VS.85).aspx

鈼 Enhanced?socket?security?was?added?with?the?

release?of?Windows?Server?2003?and?makes?

sockets?not?in?a?shareable?state?by?default

? ?

Windows?Socket?Reuse

? ?

Apache?Web?Server

鈼 Apache?threads?by?default?run?as:?

鈥 www-data/httpd/apache?on?*nix?systems?(low?priv)

鈥 SYSTEM?on?Microsoft?Windows?systems

鈼 By?default?listens?on?0.0.0.0

鈼 It?is?not?compiled?with?SO_EXCLUSIVEADDRUSE?

? ?

Apache?Web?Server

鈼 httpd-2.2.8/server/listen.c

? ?

PHP?Socket?Library

鈼 Low-level?interface

鈼 Powerful?implementation,?based?on?BSD?

sockets

鈼 Provides?server?and?client?functionality

鈼 Provides?higher?level?functions?(but?we?are?not?

interested?on?those?in?this?talk)

? ?

PHP?Socket?Reuse

鈼 $sock?=?socket_create(AF_INET,?SOCK_STREAM,?SOL_TCP)

鈼 socket_set_option($sock,?SOL_SOCKET,?SO_REUSEADDR,?1)

鈼 socket_bind($sock,?$address,?$port)?

? ?

PHP?Socket?Reuse?(before)

? ?

PHP?Socket?Reuse?(after)

? ?

Vectors?Of?Attack

鈼 Total?control?of?clients

鈼 We?can?send?arbitrary?response

鈥 Denial?of?service

鈥 Defacement

鈥 Bind?to?shell

鈥 Man-in-the-middle

...any?other?ideas?

? ?

PHP?shell?attack

? ?

PHP?Man-in-the-middle?attack

? ?

DEMO

? ?

Conclusions

鈼 PHP?provides?a?powerful?socket?library

鈼 Sockets?can?be?misused?to?perform?neat?

attacks

鈼 However,?this?attack?is?not?that?realistic?as?

administration?rights?and?execution?of?PHP?

code?are?needed

? ?

Thanks

Rodrigo?Marcos

rodrigo.marcos@secforce.co.uk

www.secforce.co.uk

0 0