Author: jianxin [80sec]
Email: jianxin#80sec.com
Site: http://www.80sec.com
Date: 2009-3-28
From: http://www.80sec.com/release/webapp-rootkit.txt
[ Directory ]
0x00 Why we had this idea
0x01 The basic idea of a web application backdoor
0x02 Some practical examples
0x03 Takeaways
0x00 Why we had this idea
Without doubt, the web has been the hot spot of recent years. All kinds of services have moved onto the network, and sensitive user information is no longer stored only on the user's own computer but also in the service provider's database. The user no longer spends local resources storing and processing this data; a single terminal is enough to access and use it, and that terminal often needs nothing more than a browser and a little bandwidth. There are many services of this kind. Webmail is a typical example: to send and receive mail and keep in touch with friends or clients, the user only has to open a browser.

What does this change for an attacker? As the web has grown, more and more attacks have come to target it. Early on, a hacker might exploit some vulnerability in a web application and directly take control of the whole application, but as vendors' security awareness and security investment grew, taking over a provider such as Gmail became unrealistic, so naturally more and more attacks moved to the terminal the user uses: once you control the behaviour of the user's terminal, you effectively control all of the user's information. Even if the hacker cannot break into the web server, that is already enough. But it is still not enough, because a single attack usually produces its effect only once. After a successful attack, is there a way to keep monitoring the user whenever they log in to this web application again, or use it again? Is there something like a backdoor that can lie dormant in the application for a long time, hand us the user's application permissions again when we want them, or keep watching the user's behaviour? Breaking into the server is clearly unrealistic, so is there another way to achieve this?
0x01 The basic idea of a web application backdoor
A traditional backdoor lurks inside a compromised system. An application-level backdoor, in order to carry out the functions we specify, likewise has to lurk in some environment and be able to run under certain conditions; some classic Windows trojans, for example, are programs that start when the system boots. If we want to control an application, we also need some code, and that code must be able to run at some point. So where can our backdoor code be stored? Today's applications are complex, users control more and more of them, and whatever the user controls is ultimately stored in the application vendor's database, to be fetched and shown to the user each time it is needed. It is then easy to see that the storage problem is solved: our code can be stored in the application vendor's database, and under certain conditions even a cookie can serve as code storage, as long as the code reaches the logic we want. How, then, can our backdoor code run? Data that is never executed does no harm, so execution is the hard part of a web application backdoor, but it is not impossible. For a web application, the data is ultimately displayed on the user's terminal, and that terminal is the user's browser. If the data is output without security processing, an XSS vulnerability is likely to result, the user's browser executes the JS code, and with that JS code we effectively control the browser.
Web applications have become very complex. Their security handling usually pays attention to data coming from the outside world and may neglect data coming from the application's own database. Take webmail as an example: the usual approach concentrates security attention on mail data sent in by others from outside, while the user's own data, such as email addresses and other personal settings, is treated as something others cannot control and so lacks security filtering. That is exactly what lets our backdoor run. What can the backdoor code then do? As said above, where our code sits decides what it can do and what purposes it can serve. For example, if our code runs on every login to the application, we can always obtain the user's latest login information and use it to log in to the application ourselves; this chance is very small, but it is not zero. Some applications also offer special features, such as a mail forwarding function in webmail, which we can use to implement the backdoor. That is not at all stealthy, though: the user will probably notice our modification in the mailbox settings. If the same page has an XSS vulnerability, we can wipe this setting out of what the user's browser displays and monitor the actions the user submits on that page, fully achieving something like a rootkit. What we can do depends entirely on the application's own logic and the position we exploit.
0x02 Some practical examples
In 2007 we reported to Yahoo a vulnerability in the General Preferences of Yahoo webmail: the filtering of the reply-to address had a problem, so exploit code written there would run when the user logged in, achieving a backdoor that triggered every time the user logged in to Yahoo webmail. The exploit code at the time:
Written into the reply-to address:
a ",aaa:alert(document.cookie),b:"@80sec.com
This fragment appears in the page's JS code on login, and because malicious characters were not filtered strictly, the JS code executes.
That vulnerability has been fixed. Recently a vulnerability in QQ Mail demonstrated the possibility in practice: there is an XSS vulnerability in the General Settings panel of QQ Mail. Security staff would usually ignore a vulnerability like this, because exploiting it requires the user to be already logged in and to carry out the XSS attack against themselves. But once it is turned into a backdoor it becomes very personal: this XSS can modify whatever the user sees in the settings panel and pre-process what the user submits, so the user may never know that someone is changing things behind the scenes, and the things being changed are often very important, such as the mail forwarding address.
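The reply-to case above comes down to a stored preference being pasted into the page's inline JS without encoding. The following is an added example, not code from the article or from any webmail product, showing that sink beside a hardened version (validate the address, then encode for the JS-in-HTML context) and a small check a reviewer can run on the emitted script; all names and the sample value are constructed.

```javascript
// Added example (not from the original article or any real webmail code):
// a stored preference flowing into inline JS, vulnerable and hardened forms.
// All function names and the sample value below are constructed.

// Constructed sample in the spirit of the page's payload: the embedded quotes
// close the JS string literal the application wraps the value in.
const HOSTILE_REPLY_TO = 'a",aaa:alert(document.cookie),b:"@example.com';

// Vulnerable rendering: the stored value is concatenated straight into a JS
// object literal, so quotes inside it break out of the string context.
function renderPrefsVulnerable(replyTo) {
  return '<script>var prefs = {replyTo:"' + replyTo + '"};</script>';
}

// Fix, step 1: a reply-to is a single address, so reject anything else.
// Conservative pattern: local part and domain drawn from a small safe alphabet.
const REPLY_TO_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/;
function isValidReplyTo(value) {
  return typeof value === 'string' && value.length <= 254 && REPLY_TO_RE.test(value);
}

// Fix, step 2: encode for the JS-in-HTML context even after validation.
// JSON.stringify escapes quotes and backslashes; the extra pass turns <, >, &
// and the line terminators U+2028/U+2029 into \uXXXX so neither "</script>"
// nor a stray line break can end the script block early.
function jsStringLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderPrefsHardened(replyTo) {
  if (!isValidReplyTo(replyTo)) {
    throw new Error('reply-to rejected: not a plain address');
  }
  return '<script>var prefs = {replyTo:' + jsStringLiteral(replyTo) + '};</script>';
}

// Review check: count double quotes that are not backslash-escaped in the
// emitted script. One string literal means exactly two; more means the value
// escaped its string context.
function unescapedQuoteCount(js) {
  let count = 0;
  for (let i = 0; i < js.length; i++) {
    if (js[i] === '\\') { i++; continue; }
    if (js[i] === '"') count++;
  }
  return count;
}
```

The same check applied to the vulnerable output reports four quotes, which is the signature of the break-out the article describes.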
0x03 Takeaways
Web applications are becoming ever more complex, and client-side technologies such as JSON, Ajax and Flash mean that the client too has a wide variety of input and output logic, which gives hackers more places to exploit. We prefer to look at a web application as a stand-alone system: data and computation live on a remote server, like traditional hardware resources, while data presentation and interaction happen on the client, like a traditional operating system. Executing arbitrary code in such a system can bring it serious security problems. So when we assess the severity of a vulnerability we must also take the specific application context into account: the same vulnerability executing the same code in different places has different effects, and when considering application security we should also consider data that comes from the user and looks more trustworthy.
The contents of this site are original; when reproducing, please keep the signature and the link! Web application rootkits: <http://www.80sec.com/webapp-rootki.html>