How your Laravel application can get hacked, and how to prevent that from happening by Antti Rössi

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Any laravel-specific non-obvious gotchas? Or is this video aimed more at beginners (typical coding mistakes etc)?

👍︎︎ 8 👤︎︎ u/stfcfanhazz 📅︎︎ Dec 17 2019 🗫︎ replies

TLDR?

👍︎︎ 8 👤︎︎ u/schattener 📅︎︎ Dec 16 2019 🗫︎ replies

Speaker: ARE YOU READY FOR SOME ACTION 👏 Crowd: 😑

👍︎︎ 2 👤︎︎ u/brendt_gd 📅︎︎ Dec 17 2019 🗫︎ replies

Captions

[Music] welcome back from the break are you energetic hyped up you've had a pot of coffee ready for some action yeah okay okay we're gonna talk about something very very serious next security and not in a very theoretical and boring way we're actually gonna get our hands dirty what I miss on piracy I come from Helsinki Finland I'm a CTO and co-founder in a company called Joe Bella so we help companies hire basically that's what I do for a living so I brought a lot of software with laravel and PHP UJS using kubernetes all kinds of cool technologies but my passion that I focus on on my free time a lot is information security and that's actually one of the main reasons why I'm here today hopefully going to be able to teach you something valuable now I truly believe that the fate of our users is actually in our hands as developers and admins in my hands and in your hands if we know how to keep our user saved and how to write secure software many things are going to go well however if we don't we're gonna be up for a world of hurt because it's it's our responsibility our job to make sure that our users are safe so here's the deal learn to hack yourself first before someone else does if you know the basics of hacking you're not affected by the basics of hacking it's that simple so if you know what's out there what you're facing you know how to protect yourself and your users obviously before we get into the actual first demonstrations however please understand this hacking as a rule of thumb is illegal if you hack anyone else but you're all machine it's illegal so don't do that we're not here to learn techniques to attack your neighbor or your competing company we're here to learn about how to make our customers and our users safe so use this knowledge well I'm not endorsing you to do something broke like something bad or malicious with it so please respect that and behave like an adult which you probably do well one might ask then okay where thank you where can I practice this then if you're gonna teach us some tricks there are potentially dangerous where can I practice this if I can't just randomly attack systems around the web that's a good question I encourage you to download these examples that we're gonna we're gonna go through next you can find them in the top I'll be publishing a link there after very like recently after this talk it's already out in my github if you happen to know how to find me on github with my name for example you can find it you can clone it right now you can look at it as we hack through these examples if that's not enough for you and you actually get interested in hacking and you start to consider that oh maybe this is actually a really good complementary skill as a developer for me I should learn more you can navigate to hack the box they have a nice free tier there's a bunch of intentionally vulnerable services out there for you within a virtual private network that you can practice your skills on it's free and it's illegal so if you want to learn more go they're not out to the web let's start by looking at sequel injection next there's also no sequel injection by the way so no sequel doesn't mean no problems in this context either unfortunately in sequel injection attacker injects malicious sequel queries into some form of an input device in this context it's obviously going to be HTTP requests since we're dealing with larval web application if sequel injection attack works and succeeds you usually get the whole database out from that whole so these particular type of injection vulnerabilities are super super dangers that's what we're looking at them today now here's a very common example that you might have seen or I hope you've seen if you haven't you probably won't ever forget this after today's talk don't pass in unsanitized variables into raw database queries if you do you most certainly are going to open up your application for vulnerability like sequel injection however it's not that straightforward that's not the only way how you can get into trouble certain edge cases are actually really really hard to spot in code reviews so just the fact that you're not using row queries doesn't mean that you're safe from sequel injection no no no it's not that I wish it was that easy but it's not it's not good and bad news at the same time or that it's actually really easy to test for these kind of vulnerabilities if you have the proper tooling available that's the good news now the other side of the coin however is that if you don't know these tools you don't know about these tools and you don't test your own applications regularly someone else one day might do bad things happen let me show you what I mean so we need the example project we have a very simple API endpoint that returns you a list of events nothing fancy there it's it's basic JSON endpoint it takes in a parameter name or sorry parameter sort so you can choose the sort by basically whatever column that that object has very simple stuff if you place a - Tarryn in the beginning of the name it reverses the order in which you're being sorting very common functionality basically let's take the API endpoint URL and pass it to a tool called sequel map so sequel map takes in the URL you want to test we pass that in to make our life a little bit easier we tell it in beforehand that we're testing against my Sikh well since that we don't have to perform all kinds of tests for other database engines and the batch flag basically tells us don't ask any questions just go do what you can do let's see what we can get out of it now sequel map starts to perform a massive amount of experiments and attacks and tests on this end point this video is fast forwarded a lot so that we don't sit here all evening you can see there's actually hundreds of individual queries going out to that end point and seek warm up does the heavy lifting for us in this context and soon it's going to come back to us and it's gonna tell us the parameter sort is vulnerable to three different kinds of vulnerabilities sequel injection vulnerabilities not going to go into those specifically more in detail here but okay see from upset that there's something going on something is wrong there's a vulnerability what does that mean that what do you mean that there's a vulnerability and this is usually where people's knowledge stops you know that there might be something wrong maybe there is something wrong what what can I do with it what can some attacker some malicious person do with it if we play with the flags that sequel map takes in let's switch the batch flag to say current DB and let's see what we get out the same process it starts again we don't have to start from scratch thankfully so we're basically checking the same same queries and using that vulnerability and getting out the current database of the application you should be able to see the purple in the lower left corner of the screen there hopefully can you actually read back there at all anything maybe okay good and the current database is Larrick on Amsterdam that the application is using okay let's dig deeper like I said we should be able to get out the whole database through this what about the tables can greet the tables so we switch in a tables flag start the process again it starts running running running we see the tables or tables in this database you can probably already like guess where we're heading with this oh there's a user's table that's fabulous let's look what's in there so we change in a table flag say from table users dump me the content of the table and it starts going going going but look we don't have to do anything it's actually the tool doing all the heavy lifting for us and one by one goes through the columns it goes through the fields and it dumps us the whole users table in console and in file of course you can get it in multiple different formats but it's pretty bad it's pretty bad don't you think you can get everything out from that one parameter that was not sanitized properly you don't even need to write a single line of code you just brew install cycle map and you run it BAM and you've got it you should see your face right now you're like oh my god okay but that's sequel injection this is a bit of a curveball raise your hand if you've heard about object injection before surprisingly many hands maybe 10% 10% of the crowd we have roughly 800 people here attending so okay actually better than I expected better than I expected so we're gonna go through object injection attack next it's an injection attack as well like sequel injection and we're gonna go from far D serialization to remote code execution before we get there however just to make sure that everyone's on the same page about these terms and and weird constructs that we're gonna be using in here stream wrappers in PHP provide us with a nice abstraction to work with different types of protocols like you can see in there SSH - or FTP so there an inbuilt construct of the language we're going to be particularly interested in the far extreme wrapper in this context now far files also known as PHP archives are basically a single-file bundles to contain a complete PHP application very similar to jar files or job archives that you might have seen in Java for example composer when you download it comes as a far bundle for example so probably everyone sitting in here even if you don't know what far is you've used PHP archives in your life without knowing that it's a handy tool the for stream wrapper lets us read PHP files from a PHP archive the simplest level now the object serialization part then in object serialization we turn an object or any instance of an object into a string the binary format that's easily storable in database or you can encrypt it you can do whatever with it it's actually a very very handy mechanism and even also deserialize see realized objects and turn them back into objects from string formats now here's an example let's take this imaginary class logger that has a couple of attributes and a couple of methods in it we knew it up and we print out the serialized version of the instance that we nude up these what we get so we get a string we had a weird-looking string with quotes and mustaches here and there what on earth is happening the string contains the class name so what is the type of this object that we're looking at right now and it also contains all the attributes of the object the attributes names their length and their contents basically so based on this information you're going to be able to hydrate that instance back back to life basically you might have noticed that there are actually absolutely no methods included in serialized objects which is actually security wise an excellent move so you can't just go and let's say override the objects constructor and do whatever malicious activities you might in there that's that's not cool so that's good that's good it's especially good since when you deserialize an object now you have to understand this wherever you d serialize an object it's injected into that particular scope so it's basically you inject an object in your application scope wherever that d-series ation process happens and that's where the name object injection comes from surprise surprise now here's the catch number one why this is dangerous potentially dangerous there are two magic methods that are called automatically the wakeup method and the destruct method now if you happen to find a piece of code that would look something like this but this is a you could say an overly exaggerated simplified example but if you could find a piece of code like this from your code from some library where you would have something suspicious either happening in the district method or in the wakeup method that would be affected and influenced by the objects attributes something awkward might happen so this is a representation of the same object this is the parameter that goes into the shell except in the object destructor method why don't you change it put something else in there and you end up in a very very hairy situation we have code execution on you can do it whatever you want on the machine and this is actually if you find a class like this this is what we call gadgets in exploit development so these are gadgets let's catch number 2 HP archives can contain metadata in a civilized format they don't have to but they can now any file operation that you perform in the archive will cost that metadata to deserialize and it's deserialized and injected in the application scope where that file operation happened now here's a bunch of PHP file methods some of you have probably seen before I want to highlight a few from here because from developers perspective I never thought personally like I think writing PHP for six years maybe seven years soon and I never thought that there would be anything potentially dangers in calling file-size for example with an unsanitized parameter like what can you do with file size it's not like it's not like an SQL query or anything so if you don't know about this vulnerability most certainly you don't know to look for this you don't know that there's any risk involved the catch number three is that the forest stream wrapper does not care what type of a file you give it which is probably in some contexts handy but in our case what if we do something like this take an image file where a malicious archive in it then we call file size method on that image file with the stream wrapper the far stream wrapper that's gonna cause the object from the archive to be injected in the application scope that's when our gadget kicks in mmm you could do that and we will do that next well be using a tool called PHP GGC here it's an open source tool that you can find from github and it's going to help us generate a suitable payload for this particular example so we'll be using a ghazal remote code execution gadget chain basically it's not an individual gadget it's an actual chain of multiple gadgets and it also has a very cool method that allows us to hide this gadget chain in a jpg okay let's see how that happens I'll be using a picture of my cat Mona here this is why not it looks like a villain anyways so there's money it's a regular J back nothing fancy there we take that image andropause it in the PHP GGC we get out of another image and we're telling PHP GGC that use the ghazal RC e1 payload and in the end of the gadget chain finish with running a PHP function called pass through and pass in an argument Who am I if this proof of concept works and well of course of course it works because I pre-recorded but you will see in a while how it works and we'll get the output of the comment Who am I on the target machine when this exploit runs so now a funny detail Mac can't actually open this image anymore for some reason because it's tampered it's pretty interesting if you open it in chrome however you'll see that yeah well it actually opens just normally it's the exact same image with plain eye you can't see from the surface that it's been tampered with looks completely normal if you go into it however and you look at the string content of this file and you grab the word causal with some context around it you're gonna see man around these bytes there's something else there's actually uncie realized or sorry serialized code in there so that's our gadget chain it's in the image we're gonna do next is that we're gonna post this image to our example application so there's an endpoint that takes in a file nothing fancy there and by the way yes it does validate the file properly but there's there's really no way for you to know if there's a string in that image like that you can't validate for that and that's what makes it super dangers because it's not the problem in the file upload validation now there's another end point well let's run the call and I'll I'll show you then what it actually does but it tells us certain details about this file so you can see there's a file size coming back which would maybe if we go into the code the example code you can see that it we're doing some kind of a file operation there with larval filesystem okay that's interesting that might be vulnerable potentially and if we go deeper into that method we actually see it just cause file size so nothing funky going on in there that's what's actually happening in this end point now let's replace the parameter the file name with the for stream wrapper and see what happens the output looks different before the JSON output comes back from the server you can see the output of the comment that we injected in our gadget chain the comment was Who am I and the answer is dub dub dub data so that's the webservers user that's currently running in this vulnerable application so we have two code execution okay through an image cool okay well what can we do with that code execution what does that mean running Who am I it's not it's not any sort of a hack even though it is it's not it's not cool it wouldn't want anyone doing that on your servers let's open a reverse shell so we're gonna pass in a net cut comment and since this example is running in a sandbox docker container we're gonna go home to dr localhost basically from the container using netcat so netiquette will open a TCP connection for us and it will pipe a bash shell into that TCP connection and that's how a reverse shell in a nutshell works before we can run that however we're gonna have to start a listener which we do do in a little while but let's upload that file first so it's called reverse Jay back this time it's the exact same image nothing funky there we get a success back the image goes through and then we're gonna check the file details which I type out in this video so let's try again so it's actually file name not file details and we see that file was uploaded sucks if it's successful it's there we can see if the exploit works now like I mentioned before we execute the exploit we're gonna have to open a listener on our machine so we'll be using netcat for the listening part as well we're listening on all interfaces 0z zero-zero and port 1337 let me open a new tab in T MUX so that we can work with multiple terminal sessions side by side and we trigger the exploit very same thing that we did earlier so we put in the far string wrapper in the API call and you can see the API call stays hanging because there's nothing coming the net get started and now here's the funny part you don't actually see anything in the listeners side looks empty starts writing comments however you see output it's an actual shell session that we have opened this machine now that's why it's called a reverse shell so you're listening for it it calls back dials back home et calls home you know anyone you have a shell that silence is priceless [Applause] one more thing okay we got the data out we got a shell access what more can there be what more can go south we're already screwed in previous escalation the attacker exploits a bug or a design flaw you can access to resources that they normally would not have very cool way to privilege escalate or to escalate your privileges I guess that's how you say it is to find something that's running a super user on the machine and hijack that try to exploit the process without crashing it if you have something with root privileges you're able to hijack the process without crashing it the privileges remain and you don't ever need to know the admin password but you can have admin shell for example now very few things for this specific creation should ever run as root on the machine on your host machine on your local machine on any machine this is the reason why people tell you don't run it as root and you're always like well what can go wrong I don't know people talk about it but especially I'm the kind of a person that needs to actually know what can happen I just don't believe if you tell me to do something and I don't understand it no artisan scheduler suit definitely not run as root ever please when your machines don't do it I used to do it for years and that's why I'm using this example because I didn't know I just SSH don't the machine and set it up and I was good nothing ever happened though so I don't learned about this later but I was like man I'm glad nothing happened because if you're running our scheduler through this is what might happen so we're starting from the very same reverse shell scenario where we ended our previous demonstration in we'll be wrapping this netcat reverse shell into hyphens PTY to make it actually look like a shell so we can perform some interactive comments down the track don't worry about what's happening right now I have four and a half minutes time I can't explain everything but we're basically configuring the reverse shell connection so that we can actually run interactive comments with it because like you saw it doesn't look like a reverse shell and it's it acts like a shell but it's still a plain TCP connection so we need to get all the zoom options right we need to make sure that our current terminal is in sync with that TCP connection of the net cut there we go you noticed we could run comments like clear now so we're going to go to the console kernel which is the place where you operate your artists and a scheduler from we're gonna go into the console kernel file with vim we're gonna jump straight at it start the modified and the scheduled method that's the place where you specify what comments from your application you want to run periodically basic stuff you've probably heard of it now there's probably something that you haven't heard about and that's the fact that you can actually run something else there as well doesn't have to be your application comments you can actually run shell comments and there's something that maybe looks a little bit familiar similar to the previous exploit okay start a reverse shell from artisan scheduler and now if you're connecting the dots in your head you're okay scheduler is running as root if we start a net cut the net cut is going to start this route okay okay sounds suspicious let's open a listener again to different port this time because we're already in the reverse shell in the other tab same stuff different port we saved the scheduler file wait for scheduler they execute it execute every minute that's how linux crontab runs once again we go back we got Michelle but this time it's a hotel [Applause] okay what next like what what can we do to make sure this never happens to us it's a horrible situation if something like this happens to you in real life it's you know not cool not cool it'll be the end of your business seriously firstly you have to validate everything everything if you validated everything properly none of this would ever happen neither one of the examples one or two would have worked then the second thing is you have to keep your software up-to-date to catch a chain that we use the guzzle gadget chain was patched a couple of months ago it doesn't exist in the latest version but if you're running a semi late version which is not the latest version it's not the same thing it still exists so if you're running update software you reduce the risk of getting hacked big-time also please do not run code in production that you don't understand if you don't understand it how can you evaluate is it secure or not you can't don't do it don't keep people or processes access that they don't actually need why would you run scheduler as road it's not mean process why why would you I did because I was lazy I admit that but now you know it they don't do it and there's things like a hacker like I said if you know what's out there you know how your applications can be exploited these methods don't work anymore once you've seen this talk hopefully you don't have these vulnerabilities anymore that's why I'm here hoping that I get the message true I can help you which once you know about this you're not automatically safe but you can protect yourself you qualify to protect yourself and that's the goal here security is not a one-time effort please understand that security it's an ongoing infinite process it's a habit it's a mindset not the task and you have to focus on it every single day that you had a right code or you run cold everyday you've learned something cool something scary now hopefully something useful use it well please understand that this power comes with the great responsibility and also educate other people the security of our users and ourselves is in our hands it's our job let's take it seriously thank you [Applause] [Music] you

Info

Channel: Laracon EU

Views: 102,902

Rating: 4.9625325 out of 5

Keywords: laracon, laravel, php, laraconeu

Id: kKGGVGiq2y8

Channel Id: undefined

Length: 30min 46sec (1846 seconds)

Published: Thu Dec 05 2019