Re: Hack attempt

From: Cedric Blancher (blancher_at_cartel-securite.fr)
Date: 07/24/04

  • Next message: Douglas Kong: "RE: Hack attempt"
    To: aderkach@spymac.com
    Date: Sat, 24 Jul 2004 08:54:50 +0200
    
    

    On Fri 23/07/2004 at 04:04, Alex Derkach wrote:
    > Not really an exploit IMO. It is a feature in PHP which you should
    > disable if you don't use it. (Edit php.ini OR httpd.conf and add a
    > disable_functions directive).

    IMHO, if the exploit is quite simple, it points out strong issues
    regarding this web server configuration:

    . Web application is poorly developed
            . technique shows direct usage of user input and no validation
              (baaad)
      This is a common web app vulnerability. User input must never be
      trusted and must be validated in any case.

    . PHP is not configured properly:
            . technique shows fopen URL wrapper set to 1 (baaaad)
            . successful command execution shows safe_mode deactivated
      PHP safe_mode allows one to put restrictions on stuff like file
      including from scripts, command execution, uploading, etc.

    . Web server host is poorly filtered
            . actions show intruder is able to download stuff from the
              Internet, then probably bind a shell, launch eggdrop and so on
      The host should be restricted to the only connections it is supposed
      to receive and initiate, no more. This can prevent an intruder from
      performing a complete intrusion. In this case, proper network filtering
      could have prevented the host from including a distant URL...

    > You shouldn't be too worried, the 'hacker' can't get access to
    > anything that the web server user doesn't have access to, but don't
    > take any chances either. (a simple rm -rf can wipe you out and leave
    > you wishing you had backups)

    I disagree. Considering the fact there's a lot of kernel local root
    exploits around, there's not much to do to get a root shell if the
    server has strong availability restrictions that could have refrained
    the admin from upgrading the kernel. Not mentioning vulnerable third
    party applications... Intruder actions have to be verified in order to
    validate the fact he couldn't get further privileges.

    Anyway, to my mind, this web server should be completely wiped away,
    reinstalled and reconfigured properly from a clean system base
    implementing strong restrictions for web apps and correct network
    connection filtering. A good start for a secure PHP installation can be:

            http://www.linuxsecurity.com/feature_stories/feature_story-117.html

    There are a lot of papers on web app security around.

    -- 
    http://www.netexit.com/~sid/
    PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
    >> Hi! I'm your friendly neighbourhood signature virus.
    >> Copy me to your signature file and help me spread!
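The post names three php.ini weaknesses (the fopen URL wrapper enabled, safe_mode off, and no disable_functions) that together let a file-inclusion bug turn into command execution. The following audit script is an added example, not code from the thread or from any of its participants; both ini fragments are constructed, and the list of execution functions is my own choice of what a hardened disable_functions should cover.

```python
# Audit a php.ini fragment for the three weaknesses discussed in the post:
# allow_url_fopen enabled, safe_mode disabled, and command-execution
# functions not listed in disable_functions.

# Constructed fragment reproducing the weak configuration the intrusion relied on.
WEAK_INI = """
[PHP]
allow_url_fopen = On       ; lets include()/fopen() pull remote URLs
safe_mode = Off
disable_functions =
"""

# Constructed hardened counterpart using the same PHP 4/5-era directives.
HARDENED_INI = """
[PHP]
allow_url_fopen = Off
safe_mode = On
disable_functions = exec,passthru,shell_exec,system,popen,proc_open
"""

# Command-execution functions that should be disabled on a web server that
# never needs to spawn processes (assumed set; extend it for your own site).
EXEC_FUNCS = {"exec", "passthru", "shell_exec", "system", "popen", "proc_open"}


def parse_ini(text):
    """Minimal php.ini reader: lowercased directive -> value, ignoring ';' comments and [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def _is_on(value):
    # PHP accepts several spellings for a boolean directive.
    return value.strip().lower() in {"1", "on", "true", "yes"}


def audit_php_ini(text):
    """Return a list of findings; an empty list means all three checks pass."""
    s = parse_ini(text)
    findings = []
    if _is_on(s.get("allow_url_fopen", "1")):   # PHP defaulted this to On
        findings.append("allow_url_fopen is On: include/fopen can fetch remote URLs")
    if not _is_on(s.get("safe_mode", "0")):
        findings.append("safe_mode is Off: no restriction on includes, exec or uploads")
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    still_enabled = sorted(EXEC_FUNCS - disabled)
    if still_enabled:
        findings.append("command execution still enabled: " + ", ".join(still_enabled))
    return findings
```

safe_mode was removed in PHP 5.4, so on modern PHP the second check is moot and the isolation it was meant to give has to come from open_basedir, per-vhost users and OS-level controls instead.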
    
