
During my penetration testing, I found a local file inclusion vulnerability. In fact, this vulnerability exists in MailWatch <= 1.0.4, and an exploit for it is on Exploit-DB.

I tried to exploit the operating system (CentOS 6) through this vulnerability using the file /proc/self/environ, but I failed because it returns a blank page when I try to view the contents of /proc/self/environ.

Does anyone have any idea of another way to hack the OS?

user1028
    I think we're going to need some more details, here. A CVE ID and/or link to the exploit you're trying to run might help. Screenshots and/or a CLI log could be useful as well. – Iszi Sep 10 '12 at 19:24
  • Yep. Also, is this a black-box or white-box test? – Polynomial Sep 10 '12 at 19:35
  • CVE-2008-5991; I am trying to do something similar to what is explained on this page: http://basichackingskills.wordpress.com/2012/08/10/uploading-a-shell-to-a-website-through-local-file-inclusion-lfi-to-rce/ – user1028 Sep 10 '12 at 19:37
  • It is a black-box test. As you know, MailWatch is open source, so if I need to see the content of some PHP pages that is OK. One more thing to add: the server I am trying to hack is a mail server using Horde 3.1. I tried to find the sensitive files in Horde, but I am still searching for their default locations ... – user1028 Sep 10 '12 at 19:47
  • Now I do know how to exploit the operating system via LFI. The idea is to inject PHP code into one of the log files, but I am still facing a problem locating the log files. – user1028 Sep 11 '12 at 12:09
  • Logwatch is running on the server, and its log files exist under /var/log/, but how do I get the name of the log file? – user1028 Sep 11 '12 at 12:46
  • You would need to upload code and execute it. You can upload code via a page, through log files, etc.; maybe you can find an exploit example through log files. You would include the log file, and inside of it you would place the PHP code with the `` thing, which would run the exploit. – Andrew Smith Oct 21 '12 at 17:09
  • This is exactly what I did. – user1028 Oct 22 '12 at 19:35

2 Answers


It can be exploited by log file injection. It might be possible to inject into the Apache log files, but these files need root access to open, so it will not be possible to open them via LFI. To solve this problem, we inject into the temporary Apache log files, which exist under one of these paths:

proc/self/fd/12

or

proc/self/fd/14

or

proc/<apache pid>/fd/12

or

proc/<apache pid>/fd/14

Injecting the log file with PHP code enables us to do whatever we want.

user1028
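From the defender's side, the technique in this answer leaves a clear trace in the access log: a traversal string aimed at /proc/self/environ, /proc/<pid>/fd/N or /var/log, and a PHP open tag arriving in a request-controlled field such as the User-Agent. The detector below is an added example, not code from the question, the answers or MailWatch; the log lines and the /page.php?file= endpoint are constructed, and the parser assumes Apache's combined LogFormat.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" access-log lines (not from the page). The
# /page.php?file= endpoint is a stand-in for any include-by-parameter script.
SAMPLE_LOG = r'''
203.0.113.5 - - [10/Sep/2012:19:20:01 +0000] "GET /page.php?file=../../../../proc/self/environ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2012:19:21:07 +0000] "GET /page.php?file=../../../../proc/self/fd/12 HTTP/1.1" 200 8812 "-" "<?php echo 1; ?>"
198.51.100.7 - - [10/Sep/2012:19:22:00 +0000] "GET /page.php?file=%2e%2e%2f%2e%2e%2fvar%2flog%2fhttpd%2faccess_log HTTP/1.1" 200 5 "-" "curl/7.19"
192.0.2.9 - - [10/Sep/2012:19:23:00 +0000] "GET /page.php?file=intro HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

# Combined LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Targets discussed in the thread: the environment and fd table of the web
# server process, and anything under /var/log.
TARGET_RE = re.compile(r'/proc/(?:self|\d+)/(?:environ|fd/\d+)|/var/log/', re.I)
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.I)


def decode(s, rounds=2):
    """URL-decode up to `rounds` times so double-encoded traversal is seen."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def classify(line):
    """Return (client ip, list of indicator names) for one log line.

    An empty list means the line looks clean; ip is None if it did not parse.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None, ['unparsed']
    findings = []
    req = decode(m.group('req'))
    if TRAVERSAL_RE.search(req):
        findings.append('traversal')
    if TARGET_RE.search(req):
        findings.append('proc-or-log-target')
    # The poisoning payload has to land in a logged field, so check every
    # request-controlled column, not just the URL.
    for field in ('req', 'ref', 'ua'):
        if PHP_TAG_RE.search(decode(m.group(field))):
            findings.append('php-tag-in-' + field)
    return m.group('ip'), findings


def scan(text):
    """Map line index -> (ip, findings) for every non-empty line that triggers."""
    hits = {}
    lines = [l for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        ip, findings = classify(line)
        if findings:
            hits[i] = (ip, findings)
    return hits


if __name__ == '__main__':
    for idx, (ip, findings) in sorted(scan(SAMPLE_LOG).items()):
        print(f'line {idx}: {ip} -> {", ".join(findings)}')
```

Two of the sample lines show why the User-Agent and Referer columns matter: the include request itself can look like ordinary traversal, while the PHP tag arrives in a separate request that is only suspicious once the agent string is inspected. Run the same checks against your real LogFormat by adjusting LOG_RE; a line that fails to parse is reported rather than silently dropped.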

Just posting my setup:

  • CentOS 6 generic installation + latest Virtualmin + SELinux; it looks like it's exploitable if it's plain CentOS, or Virtualmin with PHP / suexec.

/var/log/httpd:

-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20120805
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 error_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 error_log-20120930
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 error_log-20121007
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 error_log-20121014
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 error_log-20121021
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_audit.log
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_audit.log-20120930
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_audit.log-20121007
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_audit.log-20121014
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_audit.log-20121021
-rw-r-----. root root system_u:object_r:httpd_log_t:s0 modsec_debug.log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_access_log-20120805
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_access_log-20120812
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_error_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_error_log-20120930
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_error_log-20121007
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_error_log-20121014
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_error_log-20121021
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_request_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_request_log-20120805
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 ssl_request_log-20120812
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 suexec.log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 suexec.log-20120930
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 suexec.log-20121007
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 suexec.log-20121014
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 suexec.log-20121021

PHP runs on suexec:

unconfined_u:system_r:httpd_suexec_t:s0 502 17648 0.0  4.7 314004 23624 ?      Sl   Oct21   0:07 /usr/bin/php-cgi

Vhost logfiles:

-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48  1008958 Oct 24 00:19 blackhatconsulting.co.uk_access_log
-rw-rw----.  1 unconfined_u:object_r:var_log_t:s0 502 48 11592222 Aug  5 03:41 blackhatconsulting.co.uk_access_log-20120805
-rw-rw----.  1 unconfined_u:object_r:var_log_t:s0 502 48  9418101 Aug 12 03:15 blackhatconsulting.co.uk_access_log-20120812
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48   207759 Sep 23 03:21 blackhatconsulting.co.uk_access_log-20120923.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48   176072 Sep 30 03:36 blackhatconsulting.co.uk_access_log-20120930.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48   158753 Oct  7 03:23 blackhatconsulting.co.uk_access_log-20121007.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48   170740 Oct 14 03:49 blackhatconsulting.co.uk_access_log-20121014.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48   199233 Oct 21 03:43 blackhatconsulting.co.uk_access_log-20121021.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48  3972681 Oct 24 00:19 blackhatconsulting.co.uk_error_log
-rw-rw----.  1 unconfined_u:object_r:var_log_t:s0 502 48   715308 Aug  5 03:41 blackhatconsulting.co.uk_error_log-20120805
-rw-rw----.  1 unconfined_u:object_r:var_log_t:s0 502 48 10871995 Aug 12 03:15 blackhatconsulting.co.uk_error_log-20120812
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48    21122 Sep 23 03:21 blackhatconsulting.co.uk_error_log-20120923.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48    18896 Sep 30 03:36 blackhatconsulting.co.uk_error_log-20120930.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48    18423 Oct  7 03:23 blackhatconsulting.co.uk_error_log-20121007.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48    18458 Oct 14 03:49 blackhatconsulting.co.uk_error_log-20121014.gz
-rw-rw----.  1 system_u:object_r:var_log_t:s0   502 48    30181 Oct 21 03:43 blackhatconsulting.co.uk_error_log-20121021.gz

And finally, the PHP process:

lrwx------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 0 -> socket:[331211]
l-wx------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 1 -> /var/log/httpd/error_log
lr-x------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 18 -> pipe:[302590]
l-wx------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 2 -> /var/log/httpd/error_log
l-wx------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 21 -> pipe:[302591]
lrwx------. 1 unconfined_u:system_r:httpd_suexec_t:s0 502 502 64 Oct 24 00:17 4 -> socket:[331227]

And the httpd:

r-x------. 1 root root 64 Oct 24 00:26 0 -> /dev/null
l-wx------. 1 root root 64 Oct 24 00:26 1 -> /dev/null
l-wx------. 1 root root 64 Oct 24 00:26 10 -> pipe:[302583]
l-wx------. 1 root root 64 Oct 24 00:26 11 -> /var/log/virtualmin/blackhatconsulting.co.uk_error_log
l-wx------. 1 root root 64 Oct 24 00:26 12 -> /var/log/httpd/ssl_error_log
l-wx------. 1 root root 64 Oct 24 00:26 13 -> /var/log/httpd/access_log
l-wx------. 1 root root 64 Oct 24 00:26 14 -> /var/log/virtualmin/blackhatconsulting.co.uk_access_log
l-wx------. 1 root root 64 Oct 24 00:26 15 -> /var/log/virtualmin/blackhatconsulting.co.uk_access_log
l-wx------. 1 root root 64 Oct 24 00:26 16 -> /var/log/httpd/ssl_access_log
l-wx------. 1 root root 64 Oct 24 00:26 17 -> /var/log/httpd/ssl_request_log
lr-x------. 1 root root 64 Oct 24 00:26 18 -> pipe:[302590]
l-wx------. 1 root root 64 Oct 24 00:26 19 -> pipe:[302590]
l-wx------. 1 root root 64 Oct 24 00:26 2 -> /var/log/httpd/error_log
lr-x------. 1 root root 64 Oct 24 00:26 20 -> pipe:[302591]
l-wx------. 1 root root 64 Oct 24 00:26 21 -> pipe:[302591]
lr-x------. 1 root root 64 Oct 24 00:26 3 -> /dev/urandom
lrwx------. 1 root root 64 Oct 24 00:26 4 -> socket:[271909]
lrwx------. 1 root root 64 Oct 24 00:26 5 -> socket:[271911]
l-wx------. 1 root root 64 Oct 24 00:26 6 -> /var/log/httpd/modsec_debug.log
l-wx------. 1 root root 64 Oct 24 00:26 7 -> /var/log/httpd/modsec_audit.log
lrwx------. 1 root root 64 Oct 24 00:26 8 -> socket:[271913]
lr-x------. 1 root root 64 Oct 24 00:26 9 -> pipe:[302583]

So without SELinux, using Virtualmin on CentOS, it is possible to access log files from PHP with no issues, as they run under the same uid. However, with SELinux it is not possible, because it prevents reading anything from /var/log by a process invoked from the network. Also, mod_security doesn't allow it either (passing PHP code).

Andrew Smith
  • Just a quick comment - it would have helped me to understand if the last paragraph were at the top - there are about two pages of dumps before I understood what I was looking at. – MCW Oct 24 '12 at 18:48