Information Security News
As if people didn't already have cause to distrust the security of Juniper products, the networking gear maker just disclosed a vulnerability that allowed attackers to eavesdrop on sensitive communications traveling through customers' virtual private networks.
In an advisory posted Wednesday, Juniper officials said they just fixed a bug in the company's Junos operating system that allowed adversaries to masquerade as trusted parties. The impersonation could be carried out by presenting a forged cryptographic certificate that was signed by the attacker rather than by a trusted certificate authority that normally vets the identity of the credential holder.
"When a peer device presents a self-signed certificate as its end entity certificate with its issuer name matching one of the valid CA certificates enrolled in Junos, the peer certificate validation is skipped and the peer certificate is treated as valid," Wednesday's advisory stated. "This may allow an attacker to generate a specially crafted self-signed certificate and bypass certificate validation."
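The difference between the flawed check the advisory describes and a correct one, as an added example in Go (not code from the article or from Junos): `naiveAccept` trusts any peer certificate whose issuer name matches an enrolled CA, while `properAccept` builds a chain to that CA and so verifies the signature with the CA's key. The CA name, the peer name and all keys are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert signs tmpl with signer, taking the issuer name from parent, and parses the result.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// buildScenario returns an enrolled CA, a peer cert it issued, and a forged peer cert signed by
// the attacker's own key but naming the CA as its issuer (all constructed test material).
func buildScenario() (ca, good, forged *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, peerKey, attKey := newKey(), newKey(), newKey()
	caName := pkix.Name{CommonName: "Example VPN CA"} // constructed sample name
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: caName, NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vpn-peer"}, NotBefore: nb, NotAfter: na}
	good = mkCert(leaf, ca, &peerKey.PublicKey, caKey)
	// Forgery: the "parent" is a bare template carrying only the CA's name; the attacker's own key signs.
	forged = mkCert(leaf, &x509.Certificate{Subject: caName, IsCA: true, BasicConstraintsValid: true}, &attKey.PublicKey, attKey)
	return ca, good, forged
}
// naiveAccept mirrors the flawed logic: an issuer name matching an enrolled CA is taken as proof.
func naiveAccept(peer, ca *x509.Certificate) bool { return peer.Issuer.String() == ca.Subject.String() }
// properAccept chains to the enrolled CA, which checks the signature with the CA's public key.
func properAccept(peer, ca *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```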
[Warning: this diary contains many pictures and may take some time to load on slow links]
Web shells are not new in the threat landscape. A web shell is a script (written in PHP, ASP, Perl, ... depending on the available environment) that can be uploaded to a web server to enable remote administration. While web shells are sometimes installed for legitimate purposes, many of them are installed on compromised servers. Once in place, the web shell allows a complete takeover of the victim's server, but it can also be used to pivot and attack internal systems.
In a recent investigation, I found on a shared platform a compromised website that was delivering phishing pages. I was able to get access to the archive containing the phishing kit but also a web shell. It was also installed on the server and the location was easy to guess. The web shell presents itself as RC-SHELL (I found a reference to it in 2013) but it has a very low detection rate in VT (4/55) and was uploaded for the first time a few hours before me. Maybe it has been improved or updated?
Modern web shells are very powerful and offer plenty of features to the attacker. Because some pictures are worth a thousand words, I decided to make a tour of the interface to give you more details about modern web shells and to show their power. This web shell is written in PHP and, as usual, access to the web interface is restricted via hardcoded credentials. The login / password hashes are in the source code. A quick search in rainbow tables returned test
At the top of the screen, you can see details about the host and basic PHP settings like the safe-mode status and available database support. Then comes the single-line menu to access all the features. Let's review them.
The Files menu
The Search menu performs file search operations (think of the find Linux command) but you can also search for specific content inside files (like grep)
The Upload menu transfers files to the local file system. Files can be uploaded from the local drive (on the attacker
The Cmd menu executes shell commands on the target (this is really the core feature of a web shell). Commands are executed with the web server's UID rights and the output is returned in the browser:
The Eval menu offers the same features as Cmd but executes native PHP code. This is a PHP shell
The FTP
The SQL
The Mailers menu, as the name
The Calc
The Tools
Finally, the two last menus are used to manage processes on the box (à la top
As you can see, a modern web shell is a powerful tool. Keep in mind that a web shell will be executed with the rights and permissions of the web server (e.g. www-data on a Linux system). To reduce the risks, apply best practices like:
Do not hesitate to share your stories about web shells. Did you find one, how, where?
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant