that hosting has no rights! :lightning: talk by @stuchl4n3k (transcript of slides)
-
that hosting has no rights! :lightning: talk
@stuchl4n3k
slides: https://goo.gl/uessMT
-
b4ckd00r pr0b13m?
HELP! 1337 hAx0rz everywhere!
-
b4ckd00r pr0b13m?
-
file not even +w?
WHAT???
-
what everybody agrees...
UNIX PERMISSIONS FTW
-
what everybody agrees...
UNIX PERMISSIONS FTW
UNLESS… THE SERVER OWNS THE SCRIPT
-
spooky
-
am I the only one?
Improper Filesystem Permissions (IF) vuln. is on the Periodic table after all...
https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities
-
tech support be like…
PID WHAT?
-
let’s explain
- Apache server runs with uid 0
- index.php owner is uid 0
- How do I prevent malicious.php from modifying index.php?
- (you can't: if the server process and the file share a uid, whatever PHP the server runs can rewrite anything that uid owns, whatever the mode bits say)
-
this is simple, right?
- Make Apache run as www-data
- Set the script owner to user-123 and the group to www-data
- (adding user-123 to the www-data group is the wrong direction: that lets user-123 read www-data's files, not www-data read user-123's)
- $ chmod -R u=rwX,g=rX,o= user-123/www
- (files end up 640, directories 750; a plain 740 would drop the group x bit on directories, which Apache needs to traverse them)
-
provider kernel panic
"SORRY"
"NO"
"NOT AN ISSUE"
"OPEN BASEDIR"
"KEEP WEBSITE UPDATED"
"IDGAF"
"DO U EVEN CHMOD, BRO?"
"CAN DO"
"NO, WE DO IT RIGHT"
-
let's automate
hostinfo.php
- assert that $proc_euid == fileowner(__FILE__)
- in 3 more || less reliable ways
- source: https://github.com/stuchl4n3k/php-hostinfo
-
[+] Running PHP 5.6.36-pl0-gentoo (apache2handler) on ...
[~] Let's check some functions first:
[+] Is 'chmod' available? T
[+] Is 'chown' available? T
…
[+] Script permissions: 0664
[+] Open basedir: '/mnt/data/accounts/n/stuchl4n3k/data/...'
[+] Open basedir permissions: 81 0755
…
[~] Starting server process owner detection
[+] Using POSIX functions to compare file and process owner.
[+] Running as: name=user, uid=81, gid=81, dir=/container/home, shell=/bin/bash
[+] Script owner: name=user, uid=81, gid=81, dir=/container/home, shell=/bin/bash
[+] Oh no. This looks bad :( File owner == Process owner
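The check the two slides above describe (process euid vs. fileowner(__FILE__), plus fallbacks for hosts without the posix extension), written out as an added example; this is not the php-hostinfo code and the probe names, messages and the verdict rules are this editor's own. Drop it into a web root as a .php file and open it in a browser, or run it from the CLI. It assumes PHP 5.4+ on a Unix host; only the first probe needs posix.

```php
<?php
// Added example, not php-hostinfo: does the PHP process own, or can it write,
// the script it is executing? Four probes of decreasing precision, so at least
// one works on a locked-down shared hosting.

/**
 * Return probe name => true (process owns / can write $file), false (it cannot),
 * or null (probe unavailable on this host).
 */
function probe_script_owner($file)
{
    $r = array();

    // 1. posix: effective uid of the process vs st_uid of the file. Precise,
    //    but shared hostings frequently build PHP without the posix extension.
    if (function_exists('posix_geteuid')) {
        $owner = fileowner($file);
        $r['posix'] = ($owner === false) ? null : (posix_geteuid() === $owner);
    } else {
        $r['posix'] = null;
    }

    // 2. chmod to the mode the file already has: the kernel allows this only for
    //    the owner or a process with CAP_FOWNER (root). Needs no extension; the
    //    only side effect is a ctime update.
    $mode = fileperms($file);
    $r['chmod'] = ($mode === false) ? null : @chmod($file, $mode & 07777);

    // 3. is_writable: the question that actually matters. It tests the *real*
    //    uid; under suexec / php-fpm real and effective uid are the same.
    $r['writable'] = is_writable($file);

    // 4. user names: get_current_user() is the script owner's name; compare it
    //    with whatever source for the process user name exists.
    $scriptUser = get_current_user();
    $procUser = null;
    if (function_exists('posix_getpwuid') && function_exists('posix_geteuid')) {
        $pw = posix_getpwuid(posix_geteuid());
        if (is_array($pw)) {
            $procUser = $pw['name'];
        }
    } elseif (($u = getenv('USER')) !== false && $u !== '') {
        $procUser = $u;   // set by some CGI/FPM setups, absent under mod_php
    }
    $r['names'] = ($procUser === null) ? null : ($procUser === $scriptUser);

    return $r;
}

/** One-line verdict over the probe results. */
function verdict(array $r)
{
    // Owner differs but chmod still succeeded: the server has CAP_FOWNER, i.e.
    // it runs as root. That is the uid 0 case from the earlier slide, only worse.
    if ($r['posix'] === false && $r['chmod'] === true) {
        return 'BAD: owner differs but chmod succeeded, the server process is root';
    }
    if (in_array(true, $r, true)) {
        return 'BAD: the server process owns or can write this script';
    }
    if (in_array(false, $r, true)) {
        return 'OK: the server process neither owns nor can write this script';
    }
    return 'UNKNOWN: no probe could run on this host';
}

header('Content-Type: text/plain');   // ignored on the CLI
$r = probe_script_owner(__FILE__);
printf("[~] %s, owned by %s, mode %04o\n", __FILE__, get_current_user(), fileperms(__FILE__) & 0777);
foreach ($r as $probe => $v) {
    $flag = ($v === null) ? '?' : ($v ? '+' : '-');
    $text = ($v === null) ? 'n/a' : ($v ? 'same owner / writable' : 'different owner / not writable');
    printf("[%s] %-9s %s\n", $flag, $probe, $text);
}
echo '[!] ', verdict($r), "\n";
```

A hosting that does privilege separation properly (scripts owned by the account user, PHP running as a separate uid that only has group read) returns false on every probe; the output on the slide above corresponds to every probe returning true. Delete the file after running it: it tells an attacker the same thing it tells you.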
-
shared hostings in 2018
-
except some actually do
(a shared hosting < $4/mo)
+ managed/VPS servers naturally (>> $4/mo)
-
TL;DR
- if you run , , , etc. (product logos in the original slide)
- use VPS/managed servers
- know who runs your scripts
- check (add) test results at https://github.com/stuchl4n3k/php-hostinfo
-
thank you good OWASP folks!
enjoy your lunch
exit(0);
@stuchl4n3k
slides: https://goo.gl/uessMT
-
refs:
- PHP Malware Examination by @TimmehWimmy: https://blog.manchestergreyhats.co.uk/2018/11/07/php-malware-examination/
- Httpd privilege separation: https://wiki.apache.org/httpd/PrivilegeSeparation