Automated vulnerability scanning and exploitation

Automated vulnerability scanning and exploitationDennis PellikaanThijs HoutenbosUniversity of AmsterdamSystem and Network EngineeringOctober 22, 2013Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 1 / 40

IntroductionOpen Source scriptsShared on the internet, can be used by anyoneLots of attention for large projects (Wordpress, Joomla, etc)What about the rest?Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 2 / 40

System overviewCompletely automated system which gathers source code as inputand outputs a list of vulnerable servers.Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 3 / 40

SourceforgeDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 4 / 40

GithubDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 5 / 40

GithubDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 6 / 40

System partsCollect a large number of projectsAnalyse code for possible vulnerabilitiesExploit the findings in a local environment to confirmSearch installations of the project onlineValidate the found installation matches the projectDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 7 / 40

Collect projectsTwo sourcesSourceforgeGitHubFocus on PHP scriptsAutomated download and extractionDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 8 / 40

Collect projectsCollected projectsDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 9 / 40

Analyse codeSQL Injectionmysql_query ("SELECT * FROM users WHERE id=’$_GET[id]’");File Inclusionrequire $_POST["lang_install"].".php";Command Injectionexec ($_GET[’com’], $result);Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 10 / 40

Regular ExpressionsDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 11 / 40

Analyse projectsVulnerable projectsDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 12 / 40

Analyse projectsVulnerable projectsDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 13 / 40

Analyse projectsVulnerability categoriesDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 14 / 40

Exploit vulnerabilitiesSQL Injectionmysql_query ("SELECT * FROM users WHERE id=’$_GET[id]’");File Inclusionrequire $_POST["lang_install"].".php";Command Injectionexec ($_GET[’com’], $result);Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 15 / 40

Exploit vulnerabilitiesSQL Injectionoverride_function (mysql_query, log_function);Script sourcesmysql_query ("SELECT * FROM users WHERE id=’$_GET[id]’");Executedlog_function ("SELECT * FROM users WHERE id=’$_GET[id]’");Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 16 / 40

Exploit vulnerabilitiesFile Inclusionrequire $_POST["lang_install"].".php";log_function ($_POST["lang_install"].".php");Command Injectionexec ($_GET[’com’], $result);log_function ($_GET[’com’], $result);Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 17 / 40

Exploit vulnerabilitiesRequest the pagehttp://localhost/myscript/admin.php?id=hackluLog functionWrite the function arguments to a logfileLogfileadmin.php:137 mysql_querySELECT * FROM users WHERE id =’hacklu’Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 18 / 40

Exploit vulnerabilitiesRequest the pagehttp://localhost/myscript/admin.php?id=hack’luLog functionWrite the function arguments to a logfileLogfileadmin.php:137 mysql_querySELECT * FROM users WHERE id =’hack’lu’Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 19 / 40

Exploit vulnerabilitiesConfirmation of resultsDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 20 / 40

SearchDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 21 / 40

SearchGoogle Advanced Search Operatorsallinurlpage.php: require $_GET[’page_id’];allinurl:"/page.php?page_id="allintitleindex.php: echo "" . $title . "";allintitle:"My special script v0.2a"Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 22 / 40

SearchDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 23 / 40

SearchDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 24 / 40

SearchDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 25 / 40

SearchRotate between 13 IPv4 addressesPause for 8 seconds between each request20,000 search queries per day120,000 results with 22,000 queriesDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 26 / 40

Validate search resultsFind the project’s installation rootIdentify six common file typesCompare locally identified files with the remote hostCalculate a scoreDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 27 / 40

Validate search resultsInstallation root: deterministic approachGoogle result: http://example.com/user/app/login.php?token=432Local script/script/app/admin/login.php/script/app/admin//script/app//script/Remote script/example.com/user/app/admin/login.php/example.com/user/app/admin//example.com/user/app//example.com/user/Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 28 / 40

Validate search resultsInstallation root: probabilistic approachGoogle result: http://example.com/user/app/guide.htmlLocal script/script/a/docs/examples/index.php/script/b/index.html/script/index.php/script/Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 29 / 40

Validate search resultsCommon file typesDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 30 / 40

Validate search resultsComparing filesLocal file/script/images/file1.gif/script/images/logo.png/script/app/js/code.js/script/contact.htmlRemote file/example.com/user/images/file1.gif/example.com/user/images/logo.png/example.com/user/app/js/code.js/example.com/user/contact.htmlDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 31 / 40

Validate search resultsText matchingDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 32 / 40

Validate search resultsText matchingDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 33 / 40

Validate search resultsMD5 Hash Matchingmd5(Local File) ≠ md5(Remote File)LocalScore = 0RemoteScore = 0md5(Local File) = md5(Remote File)LocalScore = 100RemoteScore = 100Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 34 / 40

Validate search resultsCalculating the final scoreScore between 0 and 100Number of identified files is taken into accountLocalScore and the RemoteScore are weightedScore =∑ Ni=1 S iN+ ∑ Ni=1 S i ∗ 1 6LocalScore i +RemoteScore i4S i =N = Total number of selected filesDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 35 / 40

Validate search resultsValidated website scoresDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 36 / 40

ResultsDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 37 / 40

System overviewDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 38 / 40

QuestionsDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 39 / 40

ContactContact:Dennis:Thijs:dennis.pellikaan@os3.nlthijs.houtenbos@os3.nlPaper reference:http://rp.delaat.net/2012-2013/p91/report.pdfDennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 40 / 40