
Automated vulnerability scanning and exploitation

Dennis Pellikaan Thijs Houtenbos

University of Amsterdam, System and Network Engineering

October 22, 2013

Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 1 / 40

Introduction

Open Source scripts
Shared on the internet, can be used by anyone
Lots of attention for large projects (Wordpress, Joomla, etc)
What about the rest?

System overview

A completely automated system that takes source code as input and outputs a list of vulnerable servers.

Sourceforge

Github

System parts

Collect a large number of projects
Analyse code for possible vulnerabilities
Exploit the findings in a local environment to confirm
Search installations of the project online
Validate the found installation matches the project

Collect projects

Two sources
Sourceforge
GitHub

Focus on PHP scripts
Automated download and extraction

Collect projects

Collected projects

Analyse code

SQL Injection
mysql_query ("SELECT * FROM users WHERE id='$_GET[id]'");

File Inclusion
require $_POST["lang_install"].".php";

Command Injection
exec ($_GET['com'], $result);

Regular Expressions
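The deck shows the three sink patterns (mysql_query, require/include, exec) and says the code is analysed with regular expressions. The block below is an added example of that pre-filter, written for this page rather than taken from the authors' tool: it runs the per-class regexes over a constructed PHP snippet (SAMPLE_PHP, not a real project), counts findings per category, and also derives the allinurl search operator that the search step later uses from a GET-reachable sink. The sink and superglobal lists are my assumptions; the regexes work line by line and do not follow data flow, which is why the pipeline confirms findings dynamically instead of trusting them.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed PHP sample (not from the deck or any real project). It contains the
# three sink patterns the analysis step looks for, plus an escaped query and a
# constant include that must not be flagged.
SAMPLE_PHP = r'''<?php
$id = mysql_real_escape_string($_GET['id']);
mysql_query("SELECT * FROM users WHERE id='$_GET[id]'");
mysql_query("SELECT * FROM users WHERE id='$id'");
require $_POST["lang_install"].".php";
exec($_GET['com'], $result);
include 'header.php';
'''

# Request superglobals: anything read from these is attacker-controlled.
TAINT = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["

# One regex per vulnerability class: a known sink whose argument list contains a
# request superglobal on the same line. There is no data-flow tracking, so a
# value copied into a local variable first is missed (false negative); that is
# the trade-off of a regex pre-filter, and the reason findings are confirmed
# dynamically afterwards.
SINK_PATTERNS = {
    "sql_injection":     re.compile(r"\b(?:mysql_query|mysqli_query)\s*\(.*" + TAINT),
    "file_inclusion":    re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*" + TAINT),
    "command_injection": re.compile(r"\b(?:exec|system|passthru|shell_exec|popen)\s*\(.*" + TAINT),
}


def scan_php(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, line_text) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, pattern in SINK_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, category, line.strip()))
                break  # one category per line is enough for the pre-filter
    return findings


def count_by_category(findings) -> Dict[str, int]:
    """The per-category totals behind a 'vulnerability categories' chart."""
    return dict(Counter(category for _, category, _ in findings))


# Matches $_GET['name'], $_GET["name"] and the unquoted $_GET[name] form.
GET_PARAM = re.compile(r"""\$_GET\s*\[\s*["']?(\w+)["']?\s*\]""")


def allinurl_dork(filename: str, line: str) -> Optional[str]:
    """Build the Google allinurl operator for a GET-reachable sink, e.g.
    page.php with $_GET['page_id'] -> allinurl:"/page.php?page_id=".
    POST-only sinks leave no trace in the URL, so they get no dork."""
    m = GET_PARAM.search(line)
    return f'allinurl:"/{filename}?{m.group(1)}="' if m else None


if __name__ == "__main__":
    for lineno, category, text in scan_php(SAMPLE_PHP):
        print(f"{lineno:>3} {category:<18} {text}")
        print("    ", allinurl_dork("sample.php", text))
```

Running it flags lines 3, 5 and 6 of the sample and leaves the escaped query and the constant include alone; only the two GET-based findings yield an allinurl operator.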

Analyse projects

Vulnerable projects

Analyse projects

Vulnerability categories

Exploit vulnerabilities

SQL Injection
mysql_query ("SELECT * FROM users WHERE id='$_GET[id]'");

File Inclusion
require $_POST["lang_install"].".php";

Command Injection
exec ($_GET['com'], $result);

Exploit vulnerabilities

SQL Injection
override_function (mysql_query, log_function);

Script source
mysql_query ("SELECT * FROM users WHERE id='$_GET[id]'");

Executed
log_function ("SELECT * FROM users WHERE id='$_GET[id]'");

Exploit vulnerabilities

File Inclusion
require $_POST["lang_install"].".php";
log_function ($_POST["lang_install"].".php");

Command Injection
exec ($_GET['com'], $result);
log_function ($_GET['com'], $result);

Exploit vulnerabilities

Request the page
http://localhost/myscript/admin.php?id=hacklu

Log function
Write the function arguments to a logfile

Logfile
admin.php:137 mysql_query
SELECT * FROM users WHERE id ='hacklu'

Exploit vulnerabilities

Request the page
http://localhost/myscript/admin.php?id=hack'lu

Log function
Write the function arguments to a logfile

Logfile
admin.php:137 mysql_query
SELECT * FROM users WHERE id ='hack'lu'
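The two requests above (the plain marker hacklu, then hack'lu with a quote) and the sink logfile are the whole confirmation step: the plain marker shows which sink calls the parameter reaches, and the quoted marker shows whether a quote survives to the SQL text unescaped. The block below is an added example of the decision logic that consumes such a logfile; it is not the authors' code and the PHP hook itself (override_function writing file:line, function and arguments) is not reproduced here. The logfile layout "<file>:<line> <function> <argument>", the sink lists and both sample logs are constructed assumptions. It also handles the case the deck does not show: a quote that arrives escaped (hack\'lu or hack''lu) is not an injection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MARKER = "hacklu"          # first request: does the value reach a sink at all?
QUOTED_MARKER = "hack'lu"  # second request: does a quote survive unescaped?

# Assumed sink lists (the deck names mysql_query, require and exec).
SQL_SINKS = {"mysql_query", "mysqli_query"}
FILE_SINKS = {"require", "require_once", "include", "include_once"}
CMD_SINKS = {"exec", "system", "passthru", "shell_exec"}


@dataclass(frozen=True)
class SinkCall:
    file: str
    line: int
    function: str
    argument: str


# Assumed logfile layout written by the hook: "<file>:<line> <function> <argument>".
LOG_LINE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+)\s+(?P<func>\w+)\s+(?P<arg>.*)$")


def parse_log(text: str) -> List[SinkCall]:
    """Parse one logged sink call per line; unparseable lines are skipped."""
    calls = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if m:
            calls.append(SinkCall(m["file"], int(m["line"]), m["func"], m["arg"]))
    return calls


def classify(call: SinkCall) -> Optional[str]:
    """Vulnerability class for a call logged during the quoted request, or None."""
    arg = call.argument
    if call.function in SQL_SINKS:
        # "hack'lu" is a substring only if the quote arrived intact: backslash
        # escaping (hack\'lu) and quote doubling (hack''lu) both break it.
        return "sql_injection" if QUOTED_MARKER in arg else None
    reached = MARKER in arg or QUOTED_MARKER in arg
    if call.function in FILE_SINKS:
        return "file_inclusion" if reached else None   # our value is part of the included path
    if call.function in CMD_SINKS:
        return "command_injection" if reached else None  # our value is part of the command line
    return None


def confirm(benign_log: str, quoted_log: str) -> List[Tuple[str, int, str]]:
    """Cross the two runs: only sinks the plain marker reached are judged."""
    reached: Set[Tuple[str, int, str]] = {
        (c.file, c.line, c.function) for c in parse_log(benign_log) if MARKER in c.argument
    }
    findings = []
    for c in parse_log(quoted_log):
        if (c.file, c.line, c.function) in reached:
            cls = classify(c)
            if cls:
                findings.append((c.file, c.line, cls))
    return findings


# Constructed logfiles for the two requests (not real hook output).
BENIGN_LOG = """\
admin.php:137 mysql_query SELECT * FROM users WHERE id ='hacklu'
login.php:42 mysql_query SELECT * FROM users WHERE name ='hacklu'
install.php:12 require hacklu.php
cmd.php:9 exec hacklu
index.php:3 mysql_query SELECT 1
"""
QUOTED_LOG = r"""admin.php:137 mysql_query SELECT * FROM users WHERE id ='hack'lu'
login.php:42 mysql_query SELECT * FROM users WHERE name ='hack\'lu'
install.php:12 require hack'lu.php
cmd.php:9 exec hack'lu
index.php:3 mysql_query SELECT 1
"""

if __name__ == "__main__":
    for file, line, cls in confirm(BENIGN_LOG, QUOTED_LOG):
        print(f"{file}:{line} {cls}")
```

On the constructed logs admin.php:137 is confirmed as SQL injection, login.php:42 is rejected because the quote came back escaped, install.php:12 and cmd.php:9 are confirmed as file and command injection, and index.php:3 is ignored because the marker never reached it.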

Exploit vulnerabilities

Confirmation of results

Search

Google Advanced Search Operators

allinurl
page.php: require $_GET['page_id'];
allinurl:"/page.php?page_id="

allintitle
index.php: echo "<title>" . $title . "</title>";
allintitle:"My special script v0.2a"

Search

Rotate between 13 IPv4 addresses
Pause for 8 seconds between each request

20,000 search queries per day
120,000 results with 22,000 queries

Validate search results

Find the project's installation root
Identify six common file types
Compare locally identified files with the remote host
Calculate a score

Validate search results

Installation root: deterministic approach

Google result: http://example.com/user/app/login.php?token=432

Local script                      Remote script
/script/app/admin/login.php       /example.com/user/app/admin/login.php
/script/app/admin/                /example.com/user/app/admin/
/script/app/                      /example.com/user/app/
/script/                          /example.com/user/

Validate search results

Installation root: probabilistic approach

Google result: http://example.com/user/app/guide.html

Local script
/script/a/docs/examples/index.php
/script/b/index.html
/script/index.php
/script/

Validate search results

Common file types

Validate search results

Comparing files

Local file                   Remote file
/script/images/file1.gif     /example.com/user/images/file1.gif
/script/images/logo.png      /example.com/user/images/logo.png
/script/app/js/code.js       /example.com/user/app/js/code.js
/script/contact.html         /example.com/user/contact.html

Validate search results

Text matching

Validate search results

MD5 Hash Matching

md5(Local File) ≠ md5(Remote File)
LocalScore = 0
RemoteScore = 0

md5(Local File) = md5(Remote File)
LocalScore = 100
RemoteScore = 100

Validate search results

Calculating the final score

Score between 0 and 100
Number of identified files is taken into account
LocalScore and the RemoteScore are weighted

$$\mathrm{Score} = \frac{\sum_{i=1}^{N} S_i}{N} + \sum_{i=1}^{N} S_i \cdot \frac{1}{6}$$

$$S_i = \frac{\mathrm{LocalScore}_i + \mathrm{RemoteScore}_i}{4}$$

N = Total number of selected files
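The validation slides describe a procedure: derive the remote installation root from a search result by lining the script's project-relative path up with the URL path, fetch the selected common files at the corresponding remote paths, score each file with the MD5 rule, and combine the S_i with the formula above. The block below is an added example that carries that procedure through end to end; it is not the authors' code. The local unpack directory /script/, the file contents of LOCAL_FILES and REMOTE_FILES (the remote side stands in for the HTTP fetches), and the use of a local script /script/app/login.php for the deck's example URL are constructed assumptions; only the MD5 rule is modelled, not the text matching that yields intermediate LocalScore/RemoteScore values. Note the formula stays within 0..100 only when at most one file per type is selected (N ≤ 6), since each S_i is at most 50.

```python
import hashlib
from typing import Dict, List, Optional
from urllib.parse import urlsplit

LOCAL_ROOT = "/script/"  # assumed: where the collected project was unpacked locally


def installation_root(local_script: str, remote_path: str) -> Optional[str]:
    """Deterministic approach: the script's project-relative path must be a suffix
    of the remote URL path; whatever precedes it is the remote installation root.
    /script/app/admin/login.php vs /user/app/admin/login.php -> /user/"""
    rel = local_script[len(LOCAL_ROOT):].split("/")
    remote = remote_path.lstrip("/").split("/")
    if len(remote) < len(rel) or remote[-len(rel):] != rel:
        return None  # the paths do not line up, so this is not an install of the project
    prefix = "/".join(remote[:-len(rel)])
    return f"/{prefix}/" if prefix else "/"


def root_from_url(url: str, local_script: str) -> Optional[str]:
    """Apply installation_root to a search result URL; the query string is dropped."""
    return installation_root(local_script, urlsplit(url).path)


# Constructed project files (not a real project) and a constructed snapshot of what
# the remote host serves at the matching paths. contact.html was customised by the
# site owner, so its hash differs.
LOCAL_FILES: Dict[str, bytes] = {
    "/script/images/file1.gif": b"GIF89a\x01\x00\x01\x00",
    "/script/images/logo.png":  b"\x89PNG\r\n\x1a\nlogo",
    "/script/app/js/code.js":   b"function init(){return 1;}",
    "/script/contact.html":     b"<html><body>Contact us</body></html>",
}
REMOTE_FILES: Dict[str, bytes] = {
    "/user/images/file1.gif": b"GIF89a\x01\x00\x01\x00",
    "/user/images/logo.png":  b"\x89PNG\r\n\x1a\nlogo",
    "/user/app/js/code.js":   b"function init(){return 1;}",
    "/user/contact.html":     b"<html><body>Contact us (edited)</body></html>",
}


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def file_scores(local_files: Dict[str, bytes], remote_files: Dict[str, bytes], root: str) -> List[float]:
    """One S_i per selected file using the MD5 rule: identical hash gives
    LocalScore = RemoteScore = 100, anything else (including a 404) gives 0,
    so S_i = (LocalScore_i + RemoteScore_i) / 4 is either 50 or 0."""
    scores = []
    for local_path, local_bytes in local_files.items():
        remote_bytes = remote_files.get(root + local_path[len(LOCAL_ROOT):])
        matched = remote_bytes is not None and md5(remote_bytes) == md5(local_bytes)
        local_score = remote_score = 100 if matched else 0
        scores.append((local_score + remote_score) / 4)
    return scores


def final_score(scores: List[float]) -> float:
    """Score = sum(S_i)/N + sum(S_i)/6. The first term is the mean match quality,
    the second rewards having more of the six files identified and matched."""
    n = len(scores)
    if n == 0:
        return 0.0
    total = sum(scores)
    return total / n + total / 6


if __name__ == "__main__":
    root = root_from_url("http://example.com/user/app/login.php?token=432", "/script/app/login.php")
    scores = file_scores(LOCAL_FILES, REMOTE_FILES, root)
    print(root, scores, final_score(scores))
```

With three of four selected files matching, the result is 150/4 + 150/6 = 62.5; six matching files would give 50 + 50 = 100, and a site whose URL path does not contain the script's relative path is rejected before any file is fetched.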

Validate search results

Validated website scores

Results

System overview

Questions

Contact

Contact:
Dennis: [email protected]
Thijs: [email protected]

Paper reference: http://rp.delaat.net/2012-2013/p91/report.pdf
