Tools Overview

When it comes to information security, there is no shortage of tools for the job. It can easily be overwhelming when you are just starting off, and one important thing to try to avoid is decision paralysis. While some tools are certainly more effective than others, it can be a good idea to simply find one for what you want to do and stick with it for long enough to learn how to use it. This way you have ONE solution to a problem, even if it’s not always the best solution. As you gain more experience and learn what each tool is actually doing, you will naturally begin to switch your tools out for ones that work better for you.


0-Day: File Upload Vulnerability in MachForm v13 by Appnitro Software

This was originally discovered in version 12, during an incident response where this vulnerability was used to gain the initial foothold. When a file is uploaded, the filename is modified to include the element ID and a random token; however, both of these pieces of information come from the client, as seen in the Burp screenshot below. This allowed the new filename to be discovered. The file does have to be accessible to the client via the browser for them to get code execution, which was the case in this incident. This issue can be mitigated by ensuring uploaded files are not accessible to clients, or by using the whitelist configuration instead of the blacklist.

This was reported to the developers on November 27th, 2019. The development team was very responsive, and began working with me to understand the issue and get a fix out as soon as possible.

SUMMARY

The latest version of MachForm, v13, contains a null-byte file upload vulnerability in its upload form element which allows file-type restrictions to be bypassed when it is configured with a blacklist. This allows PHP files to be uploaded that the server will execute when they are requested, and this has been seen actively exploited in the wild. It works because Apache parses the filename only up to the first null byte (0x00), which it treats as the terminating character of the value. MachForm behaves differently: it splits the filename on the dot (.) and examines the last element of the resulting array. This means two different file extensions can be presented, one to MachForm to satisfy its allowed types, and another to Apache specifying how to execute the file.
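To make the mismatch concrete, here is an added Python example (not MachForm's code) that reproduces the last-dot-segment check described above next to a hardened version that validates the name the server will actually store; the blacklist and whitelist contents are assumed.

```python
"""Null-byte extension bypass: vulnerable check vs. hardened check.

Added example; the vulnerable logic is a reconstruction from the write-up's
description, and BLACKLIST / WHITELIST contents are assumed, not MachForm's.
"""

BLACKLIST = {"php", "phtml", "php5", "phar"}      # assumed blacklist contents
WHITELIST = {"jpg", "jpeg", "png", "gif", "pdf"}  # assumed whitelist contents


def vulnerable_extension_allowed(filename: str) -> bool:
    """Behaviour the write-up describes: split on '.' and inspect only the
    last element. For 'x.php\\x00JPG' that element is 'php\\x00jpg', which is
    not on the blacklist, so the upload passes."""
    ext = filename.split(".")[-1].lower()
    return ext not in BLACKLIST


def effective_name(filename: str) -> str:
    """What a NUL-terminated consumer (C filesystem API, Apache) sees: the
    bytes up to the first 0x00, i.e. 'x.php' for 'x.php\\x00JPG'."""
    return filename.split("\x00", 1)[0]


def hardened_extension_allowed(filename: str) -> bool:
    """Reject control bytes and path separators outright, then whitelist the
    final extension and refuse any earlier component that is executable
    (Apache's mod_mime can map 'a.php.jpg' to PHP via AddHandler)."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False  # NUL and other control bytes never belong in a filename
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or a bare dotfile
    exts = parts[1:]
    if exts[-1] not in WHITELIST:
        return False  # only explicitly allowed types may be stored
    return not any(e in BLACKLIST for e in exts[:-1])


if __name__ == "__main__":
    sample = "YYYY_TEST_PHP_CODE_EXECUTION.php\x00JPG"  # constructed sample
    print("vulnerable check allows:", vulnerable_extension_allowed(sample))
    print("stored as:", effective_name(sample))
    print("hardened check allows:", hardened_extension_allowed(sample))
```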

PROOF OF CONCEPT

When configured to use file type blacklisting, the default list includes “.php” files. With this rule in place it should be impossible to upload a PHP file and have it executed. When no attempt is made to bypass this rule, our PHP files are correctly blocked from being uploaded. However, using easily accessible tools like the Burp Suite web proxy, we can modify the requests our browser sends before they reach the server. We can test this by attempting to upload and execute the following file:

Setup

Open Burp Suite and configure your browser’s proxy settings to use 127.0.0.1:8080 for all protocols in order to route your web traffic through Burp:

By default, Burp will have intercept turned on, so once you set your proxy settings your browser will appear to hang on web requests. In Burp, go to the Proxy tab, then the Intercept tab, and click the “Intercept is on” button to turn it off for now:

Exploitation

In your browser, navigate to the form with file upload functionality so that some traffic to your target is in Burp’s memory. Next, click on the Target tab in Burp, find your target’s URL or IP address in the left-hand panel and right-click on it. Select “Add to Scope”, then “Yes” on the resulting popup stating it will stop capturing traffic for targets not in scope. This will make it easier to focus on only what we need. Now fill out any required fields in your form and attach a file named similar to our test file, YYYY_TEST_PHP_CODE_EXECUTION.php.XJPG, where the X is after the second dot (.) and the letters after the X reflect an extension that is allowed to be uploaded to your form.

Submit the form and look in Burp’s Intercept tab to see the request that you are about to send. It should look similar to the below:

We want to replace the X in our filename with a null byte. To do this, we switch to the Hex tab within the Intercept tab to see the request in hexadecimal format. Scroll down until you see the filename on the right side. What we’re looking to do is find the hexadecimal value that corresponds to the X (0x58) and replace it with a null byte (0x00):

After modifying the request as seen below and then turning intercept off by clicking the “Intercept is on” button at the top, the modified request is sent to the server, where the file is successfully uploaded:

We can then navigate to this file in our browser, and if it gets executed in the context of PHP we should see the PHP information page describing many details about the underlying system:

Conclusion

The largest threat this presents is in the case where the uploaded file is directly accessible by the malicious party. This allows for code execution in the context of the web server’s user by uploading a PHP shell script and requesting the corresponding page. With shell access, this can lead to compromise of the application’s database and eventually the entire server if any privilege escalation vulnerabilities exist. In many cases the files may not be directly accessible, but restricting the file type is still desirable.
