websecurity@lists.webappsec.org

The Web Security Mailing List

View all threads

Placing shells (backdoors) at web sites

M
MustLive
Thu, Feb 10, 2011 7:39 PM

Hello, participants of the Mailing List.

In my article "Placing shells (backdoors) at web sites"
(http://websecurity.com.ua/4909/), which I published this week, I wrote about
methods of placing shells (backdoors) at web sites, about the differences
between the methods of placing shells, and about protection against them.

There are a few variants of placing shells (as with any other backdoors) at web
sites. The first two variants are known, and the third variant is a new one,
which I created last year, when I found an RCE vulnerability in CMS
WebManager-Pro (http://websecurity.com.ua/4696/). Similar vulnerabilities can
also exist in other web applications.

Shells can be placed at the site:

  1. As separate files.
  2. Included into existent scripts.
  3. Included into database.

In the first case, these can be PHP and other scripts which can execute at the
server, as well as files with other extensions (such as txt and others) whose
code will execute via different vulnerabilities at the site (in the web
applications or in the web server).

In the second case, these can be any existing PHP and other scripts at the web
site, and the code of the shell is included in their code. I.e. the backdoor is
made in existing code.

In the third case, these can be records in the DB, when web applications
execute code (e.g. PHP code) which is located in this record. As can be the
case in CMS WebManager-Pro.

The first two cases concern files in the file system of the server. And the
third case concerns records in the DBMS. And if for the first two cases it's
needed to have rights to write to the file system, then in the third case these
rights aren't needed - it's only needed to write data into the DB. I.e. by
using the third method of placing shells (where it is applicable), it's
possible to bypass this restriction, and also to place the shell more hiddenly ;-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
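The three placements described in the post above, as an added triage example (not code from the original post, and not WebManager-Pro's code): a scanner that looks for a dropped shell file regardless of extension, for a legitimate script that has drifted from a known-good hash and picked up shell indicators, and for database rows carrying shell code in a column the application evaluates as PHP. The web root, the baseline hashes, and the "templates" table with its "body" column are all constructed here and hypothetical; the indicator list is a heuristic, not a proof.

```python
"""
Added example, not code from the original post or from WebManager-Pro: a
triage scanner for the three web-shell placements the post describes.

  1. A separate dropped file (possibly with a non-PHP extension).
  2. Shell code injected into an existing script (caught as hash drift
     from a known-good baseline, plus shell indicators in the content).
  3. Executable code stored in a database record that the application
     later passes to eval() or include. Legitimate records also contain
     PHP here, so the scan keys on shell indicators, not on PHP itself.

All inputs are constructed inline. File names, the "templates" table and
its "body" column, and the baseline hashes are hypothetical.
"""
import hashlib
import re
import sqlite3

# Indicators commonly found in PHP web shells. A heuristic: obfuscated
# shells can evade it and legitimate code can trip it, so hits are leads
# for manual review, not proof of compromise.
SHELL_PATTERNS = [
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    re.compile(r"\bbase64_decode\s*\(", re.I),
    re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),  # /e modifier
]


def suspicious_lines(text):
    """Return (line_number, line) for every line matching a shell indicator."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in SHELL_PATTERNS)]


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_files(files, baseline):
    """Placements 1 and 2: files missing from the baseline, files whose hash
    drifted from it, and any file (whatever its extension) that contains
    shell indicators. Returns {path: {"reasons": [...], "hits": [...]}}."""
    findings = {}
    for path, content in files.items():
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        elif sha256(content) != baseline[path]:
            reasons.append("hash drift")
        hits = suspicious_lines(content)
        if hits:
            reasons.append("shell indicators")
        if reasons:
            findings[path] = {"reasons": reasons, "hits": hits}
    return findings


def check_db(con, table, column):
    """Placement 3: rows in a column the application evaluates as code.
    Returns [(row_id, hits)] for rows that carry shell indicators."""
    findings = []
    for row_id, body in con.execute("SELECT id, {} FROM {}".format(column, table)):
        hits = suspicious_lines(body or "")
        if hits:
            findings.append((row_id, hits))
    return findings


# Constructed sample web root: index.php is untouched, lib/db.php has a
# one-liner appended to it (placement 2), uploads/avatar.txt is a dropped
# shell behind a harmless-looking extension (placement 1).
CLEAN_DB_PHP = "<?php\nfunction render_page($p) { return 'ok'; }\n"
SAMPLE_FILES = {
    "index.php": "<?php\nrequire 'lib/db.php';\necho render_page($_GET['p']);\n",
    "lib/db.php": CLEAN_DB_PHP + "// injected:\n@eval($_POST['x']);\n",
    "uploads/avatar.txt": "<?php system($_GET['cmd']); ?>\n",
}
BASELINE = {  # hashes recorded when the site was known to be clean
    "index.php": sha256(SAMPLE_FILES["index.php"]),
    "lib/db.php": sha256(CLEAN_DB_PHP),
}


def build_sample_db():
    """Constructed in-memory stand-in for a CMS table whose rows the
    application eval()s as PHP templates (placement 3)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE templates (id INTEGER PRIMARY KEY, name TEXT, body TEXT)")
    con.executemany("INSERT INTO templates (name, body) VALUES (?, ?)", [
        ("header", "<h1><?php echo htmlspecialchars($title); ?></h1>"),
        ("footer", "<p>&copy; <?php echo date('Y'); ?></p>"),
        ("widget", "<?php eval(base64_decode($_POST['c'])); ?>"),
    ])
    return con


if __name__ == "__main__":
    for path, finding in check_files(SAMPLE_FILES, BASELINE).items():
        print(path, finding["reasons"], finding["hits"])
    for row_id, hits in check_db(build_sample_db(), "templates", "body"):
        print("templates.id=%d" % row_id, hits)
```

The hash comparison is what makes the second placement visible at all: the injected line in lib/db.php is one of four, and a content heuristic alone would miss a shell written without the usual function names. The scan only finds what it recognises; the structural defence the third placement calls for is to keep data and code apart, which means never passing database contents to eval() or include().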

SS
Sebastian Schinzel
Fri, Feb 11, 2011 9:11 AM

Dear Mustlive,

On Feb 10, 2011, at 8:39 PM, MustLive wrote:

There are few variants of placing shells (as any other backdoors) at web
sites. First two variants are known and third variant - it's new one, which
I created last year, when found RCE vulnerability in CMS WebManager-Pro
(http://websecurity.com.ua/4696/). Similar vulnerabilities also can be in
other web applications.

The third one is long known to anyone with knowledge of SAP application
security. Applications written in ABAP, SAP's proprietary programming language,
are stored in the database. If an attacker gets access to the database of an SAP
system (ABAP), he can change the code.

Cheers,
Sebastian

MD
Mike Duncan
Fri, Feb 11, 2011 5:44 PM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yep. And then open up the ABAP functions for calls from outside of SAP via
RPC, which is almost always wide open for exploitation.

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center

On 02/11/2011 04:11 AM, Sebastian Schinzel wrote:

Dear Mustlive,

On Feb 10, 2011, at 8:39 PM, MustLive wrote:

There are few variants of placing shells (as any other backdoors) at web
sites. First two variants are known and third variant - it's new one, which
I created last year, when found RCE vulnerability in CMS WebManager-Pro
(http://websecurity.com.ua/4696/). Similar vulnerabilities also can be in
other web applications.

The third one is long known to anyone with knowledge in SAP application
security. Applications written in ABAP, SAP's proprietary programming language,
are stored in the Database. If an attacker gets access to the database of a SAP
system (ABAP), he can change the code.

Cheers,
Sebastian


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1VdYQACgkQnvIkv6fg9hbIhQCeOfTjTL1vKUl0YhxjyNVooTJ6
S/kAnjME1LI1nYZVLNYU8XfpsBDuqUjl
=vs2M
-----END PGP SIGNATURE-----

AV
Alfonso Valdes Carrales
Fri, Feb 11, 2011 5:54 PM

Mr Mustlive,

Do you have this paper in English? Or at least in Spanish?

Regards,

2011/2/11 Sebastian Schinzel <ssc@seecurity.org>

Dear Mustlive,

On Feb 10, 2011, at 8:39 PM, MustLive wrote:

There are few variants of placing shells (as any other backdoors) at web
sites. First two variants are known and third variant - it's new one, which
I created last year, when found RCE vulnerability in CMS WebManager-Pro
(http://websecurity.com.ua/4696/). Similar vulnerabilities also can be in
other web applications.

The third one is long known to anyone with knowledge in SAP application
security. Applications written in ABAP, SAP's proprietary programming language,
are stored in the Database. If an attacker gets access to the database of a SAP
system (ABAP), he can change the code.

Cheers,
Sebastian



--
Alfonso Valdés

M
MustLive
Sat, Feb 12, 2011 8:00 PM

Hello Alfonso!

This article, which I wrote to the list, is the paper itself. I made it in the
form of an article.

I've made an English translation of my article, except for the last two
paragraphs (where I wrote about methods of protection against such types of
shells and backdoors) - that will be for those who like to translate from
Ukrainian using Google Translate ;-). So you need to read the paper in English
in the mailing list
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007508.html)
or translate it to Spanish (the version from my site or the version from the list).

If you want, I can translate the last two paragraphs to English for you.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: Alfonso Valdes Carrales
To: Sebastian Schinzel
Cc: MustLive ; websecurity@lists.webappsec.org
Sent: Friday, February 11, 2011 7:54 PM
Subject: Re: [WEB SECURITY] Placing shells (backdoors) at web sites

Mr Mustlive,

Do you got this Paper in English ? or at least Spanish?

Regards,

2011/2/11 Sebastian Schinzel <ssc@seecurity.org>

Dear Mustlive,

On Feb 10, 2011, at 8:39 PM, MustLive wrote:

There are few variants of placing shells (as any other backdoors) at web
sites. First two variants are known and third variant - it's new one, which
I created last year, when found RCE vulnerability in CMS WebManager-Pro
(http://websecurity.com.ua/4696/). Similar vulnerabilities also can be in
other web applications.

The third one is long known to anyone with knowledge in SAP application
security. Applications written in ABAP, SAP's proprietary programming language,
are stored in the Database. If an attacker gets access to the database of a SAP
system (ABAP), he can change the code.

Cheers,
Sebastian



--
Alfonso Valdés

M
MustLive
Sun, Feb 20, 2011 9:32 PM

Hello Sebastian!

Thanks for mentioning this interesting aspect of SAP (I have never worked
with their applications). Now I know that SAP's ABAP applications can also
be attacked via such a vector.

But in my article I talked about web applications. How much is SAP used in
Internet (or in Ethernet) web applications, and does it have any relation to
web applications at all? Not too much.

In this case I talked about a vulnerable web application (widespread in Uanet in
particular) which stores data (which can also be program code due to the logic
of the application) in MySQL. And other web applications (with similar logic)
can be vulnerable.

The attack is possible due to the combining of data and code into one source.
And MySQL is just an example for this case; any DBMS can be used for such an
attack vector (in the case of other web apps which work with other DBMSs).

> Yep. And then open up the ABAP functions

Sebastian and Mike, SAP application security is another field, so earlier,
before I found this hole last year, there was no (known) such attack vector
for web applications. And from the time when I found this RCE hole in CMS
WebManager-Pro, the landscape of attack vectors for web applications has
grown, and from that time there is one more variant of placing shells
(backdoors) at web sites.

Which must be interesting for the webappsec community. Especially for those who
haven't worked with SAP ;-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Sebastian Schinzel" <ssc@seecurity.org>
To: "MustLive" <mustlive@websecurity.com.ua>
Cc: <websecurity@lists.webappsec.org>
Sent: Friday, February 11, 2011 11:11 AM
Subject: Re: [WEB SECURITY] Placing shells (backdoors) at web sites

Dear Mustlive,

On Feb 10, 2011, at 8:39 PM, MustLive wrote:

There are few variants of placing shells (as any other backdoors) at web
sites. First two variants are known and third variant - it's new one, which
I created last year, when found RCE vulnerability in CMS WebManager-Pro
(http://websecurity.com.ua/4696/). Similar vulnerabilities also can be in
other web applications.

The third one is long known to anyone with knowledge in SAP application
security. Applications written in ABAP, SAP's proprietary programming language,
are stored in the Database. If an attacker gets access to the database of a SAP
system (ABAP), he can change the code.

Cheers,
Sebastian
