(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Drupal Coder Module Remote Code Execution Vulnerability
Drupal Webform Multiple File Upload Module Remote Code Execution Vulnerability
FreeBSD libc Berkley DB Interface Uninitialized Memory Local Information Disclosure Vulnerability

(credit: John Palmer)

As if people didn't already have cause to distrust the security of Juniper products, the networking gear maker just disclosed a vulnerability that allowed attackers to eavesdrop on sensitive communications traveling through customers' virtual private networks.

In an advisory posted Wednesday, Juniper officials said they just fixed a bug in the company's Junos operating system that allowed adversaries to masquerade as trusted parties. The impersonation could be carried out by presenting a forged cryptographic certificate that was signed by the attacker rather than by a trusted certificate authority that normally vets the identity of the credential holder.

"When a peer device presents a self-signed certificate as its end entity certificate with its issuer name matching one of the valid CA certificates enrolled in Junos, the peer certificate validation is skipped and the peer certificate is treated as valid," Wednesday's advisory stated. "This may allow an attacker to generate a specially crafted self-signed certificate and bypass certificate validation."

Read 6 remaining paragraphs | Comments

Lenovo ThinkPad System Management Mode Local Privilege Escalation Vulnerability
[ERPSCAN-16-021] SAP xMII - Reflected XSS vulnerability
[ERPSCAN-16-020] SAP NetWeaver AS JAVA UDDI component - XXE vulnerability
[ERPSCAN-16-019] SAP NetWeaver Enqueue Server - DoS vulnerability
Cross-Site Scripting vulnerability in Google Forms WordPress Plugin
Cross-Site Scripting vulnerability in WP No External Links WordPress Plugin
Cross-Site Scripting vulnerability in Top 10 - Popular posts plugin for WordPress
Cross-Site Scripting vulnerability in Simple Membership WordPress Plugin

[Warning: this diary contains many pictures and may take some time to load on slow links]

Web shellsare not new in the threats landscape. A web shell is a script (written in PHP, ASL, Perl, ... - depending on the available environment) that can be uploaded to a web server to enable remote administration. If web shells are usually installed for good purposes, many of them are installed on compromisedservers. Once in place, the web shell will allow a complete takeover of the victims server but it can also be used to pivot and attack internal systems.

In a recent investigation, I found on a shared platform a compromised website that was delivering phishing pages. I was able to get access to the archive containing the phishing kit but alsoa web shell.It was also installed on the server and the location was easy to guess. The web shell is presenting itself as RC-SHELL">I found reference to it in 2013) but ithas a very low detection rate in VT (4/55) and was uploaded for the first time a few hours before me. Maybe it has been improved or updated?

Modern web shells are very powerful and offer plenty of features to the attacker. Because some pictures are worth a thousand words, I decided to make a tour of the interface to give you more details about modern web shells and to show their power. This web shell is written in PHP and, as usual, access to the web interface is restricted via hardcoded credentials. The login / password hashes are in the source code. A quick search in rainbow tables returned test" />

On top of the screen, you can see details about the host and basic PHP settings like the safe-mode status, available databases support. Then, the single-line menu to access all the features. Lets review them.

The menu Files" />

The menu Search performs file search operations (think about the find Linux command) but you can also search for specific contain inside files (like grep" />

The Upload menu transfers files on the local file system. Files can be uploaded from the local drive (on the attacker" />

The Cmd menuexecutes shell commands on the target (this is really the core feature of a web shell). Commands are executed (with the web server UID rights) and output is returned in the browser:" />

The Eval menu offers the same features as Cmd but executes native PHP code. This is a PHP Shell" />

The FTP" />

The SQL" />

The Mailers menu, as the name" />

The Calc" />

The Tools" />

Finally, the two last menus are used to manage processes on the box ( la top" />

As you can see a modern web shell is a powerful tool. Keep in mind that a web shell will be executed with the rights and permissions of the web server (ex: www-data on a Linux system). To reduce the risks, apply best practices like:

  • Run the web server in a restricted environment (a VM, a Docker container, a chroot() jail).
  • Do NOT allow access to privileged access via commands like sudo.
  • Do NOT give full DBA access to your database, restrict access to required database/tables and allow required SQL commands only.
  • Implement egress filters and restrict communications with the outside world.
  • Protect your web server directories against write operations

Do not hesitate to share your stories about web shells. Did you find one, how, where?

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Drupal DRUPAL-SA-CORE-2016-002 Privilege Escalation and Access Bypass Vulnerabilities
OpenSSH CVE-2016-0778 Heap Based Buffer Overflow Vulnerability
OpenSSH CVE-2016-0777 Information Disclosure Vulnerability
Internet Storm Center Infocon Status