Using grep to find 0days

April 26th, 2010

If you think that vulnerability research is only for computer geeks or hackers, you are wrong! Simple but effective “grep dorks” are enough to discover dirty pieces of code in, for example, PHP open source software.

Let’s focus on Cacti and use it as our case study, as we recently found its latest vulnerabilities using this technique. The following steps were used to identify and exploit the latest Cacti OS commanding vulnerability found by our research team:

  1. Download Cacti 0.8.7e.
  2. Uncompress Cacti.
  3. Under Cacti’s directory, find operating system function calls such as “system”, “exec”, “shell_exec” or “popen”:
     $ grep -i -r "shell_exec(" *

[Image: Using grep as a security tool to find 0days]

  4. The above command should list some scripts that use the shell_exec PHP function.
  5. Edit one of those, for example “lib/ping.php”, and take a deeper look at it, near the OS call.
  6. The function “ping_icmp” in the “Net_Ping” class uses the shell_exec function without sanitizing the host parameter. Uhmm… interesting!
  7. Let’s see where the ping_icmp function is called and find out whether we can manipulate the hostname parameter in order to do our injection.
  8. Note that in lib/ping.php, line 634, ping_icmp is used inside the “ping” function.
  9. Let’s search where Net_Ping is used and where the ping function is called, and have a real look at the host parameter:
     $ grep -i -r "net_ping" *
  10. OK! The host.php script uses the Net_Ping class; let’s have a deeper look again…
  11. Line 625 in host.php: note that the hostname is used as a parameter, again without sanitizing it.
  12. So, if inside the application you create a device (or host) with the FQDN (without the single quotes) ‘NotARealIPAddress;CMD;’, save it, and then reload any data query, CMD will be executed with the web server’s rights. More information on this can be found in OS Commanding Injection in Cacti.
  13. Eureka! 0day vulnerability found!

This is just an example of how some vulnerabilities might be identified and exploited using simple but effective techniques in real world applications.
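As an added example (not code from the original post or from the Cacti project), here is a slightly more thorough version of the “grep dork” audit above: it lists every PHP OS-execution sink in a source tree and flags the calls whose argument contains a PHP variable, which are the ones a reviewer needs to read by hand. The two PHP files it scans are constructed samples written to a temporary directory; they stand in for a real code base and are not Cacti’s code.

```shell
#!/bin/sh
# Added example: grep-based audit for PHP OS-execution sinks.

# PHP functions that hand a string to the operating system shell.
SINKS='(shell_exec|system|exec|passthru|popen|proc_open)[[:space:]]*\('

# List every sink call in the tree as file:line:code (the grep dork itself).
find_os_sinks() {
    grep -rnE --include='*.php' "$SINKS" "$1" || true
}

# Keep only calls whose argument list contains a PHP variable ($name):
# the command string is built at runtime, so it needs manual review.
find_unsafe_sinks() {
    find_os_sinks "$1" | grep -E "${SINKS}"'[^)]*\$[A-Za-z_]' || true
}

# Number of flagged lines, handy as a summary figure for a whole tree.
count_unsafe_sinks() {
    find_unsafe_sinks "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (hypothetical, not Cacti): one call interpolates
# a variable into the command, the other uses a constant command string.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib"
    cat > "$dir/lib/ping.php" <<'EOF'
<?php
function ping_host($host) {
    return shell_exec("ping -c 1 " . $host);   // variable reaches the shell
}
EOF
    cat > "$dir/lib/version.php" <<'EOF'
<?php
$v = shell_exec('uname -r');                    // constant command string
EOF
    echo "$dir"
}

SAMPLE=$(make_sample_tree)
# Prints the single flagged line: .../lib/ping.php:3:    return shell_exec(...)
find_unsafe_sinks "$SAMPLE"
```

Every hit still has to be traced back to its caller, as the host.php walk above shows; the script only narrows down where to start reading.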

You can also find other techniques to identify web application vulnerabilities, such as using Google’s Code Search. This article and this blog post are worth reading too.

nahuel open source, security