[SOLVED] prevent uploaded file execution

Ijustdontloveyounomore · 12-22-2012, 11:08 AM

Hi to all,
First time here so,forgive me please if i mistakenly created this question in wrong place.
Also sorry for my Bad English.(Not native) But i'm trying to be more clear as i can maximally.

I have question regarding Apache Web server.

I'm running:

Linux debian 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686 GNU/Linux

Code:

root@debian:/var/www/somecustomuser# ls -l
total 536
---------------------SNIP----------------------
-rwxrwx---  1 somecustomuseruser www-data     23 Nov 29 22:27 test1.php
-rw-r--r--  1 www-data    www-data     23 Dec 22 11:48 thisfile.php
--------------------END SNIP---------------

All files and folders recursively chmod'ed to my another user named: somecustomuseruser under /var/www/somecustomuser.
Also theris safe_mode is ON so default uid checking plays here.
But problem in that if someone (hacker/attacker/scriptkiddie) somehow will manage to upload "shell" via HTTP that
uploaded will belong to www-data <-- user not to -->somecustomuseruser.

Notice uploaded file (thisfile.php)

If so ---> *I want to prevent that uploaded file execution*.

Once again to be clear: How i can prevent *uploaded file execution automatically* (something like Cpanel Hulk way?)
Do i need setfacl(ACL) way to solve this?Or may be theris another ways?

Thanks in advance.

unSpawn · 12-22-2012, 06:24 PM

Quote:

Originally Posted by Ijustdontloveyounomore

But problem in that if someone (hacker/attacker/scriptkiddie) somehow will manage to upload "shell" via HTTP that uploaded will belong to www-data <-- user not to -->somecustomuseruser.

No, that is not the first problem: that is denying unauthorized uploading. In short: proper system maintenance, host and service hardening first, and only then think about additional measures.

Quote:

Originally Posted by Ijustdontloveyounomore

*I want to prevent that uploaded file execution*.
Once again to be clear: How i can prevent *uploaded file execution automatically*

Such a file gets executed because the web server can read its contents and match it with the right interpreter to run it with. One way could be to use suPhp or a httpd.conf LocationMatch or .htaccess denying file read or execution but again, if no proper host hardening was performed first this'll be like tilting at windmills. If you would like to know more tell us what application versions you run and what hardening you have performed already.

Quote:

Originally Posted by Ijustdontloveyounomore

something like Cpanel Hulk way?

No, that seems to handle "Brute Force Protection". Obviously only a marketing department will describe something as "much anticipated" what a standard installed feature does already (PAM, that is).

Ijustdontloveyounomore · 12-23-2012, 05:03 AM

Dear unSpawn,
Thank you very much for your reply.

Basically it is not production server.I setup it on my own computer (virtualbox)
I also did port forwarding to serve incoming requests to port 80.So apache is accessible from Internet too.
I'm a bit familiar with penetration testing) So i also tested using "shells" to test my server security.

http://imageshack.us/scaled/landing/822/separate.png

I disabled cgi ,ssi modules especially.Because in such configuration (what i have now) local attacker can
bypass and execute operation system commands.

and

I hardened/separated users by applying open_basedir_restriction too.
A bunch of php functions also disabled(except few).

I disabled also mysql.allow_local_infile=off because theris chance that an attacker can read others configs using this way.

But all this is not enough.In future i'm planning to separate uid/gid's too for every "client".This will harden completely web server.(I think And i hope)(But never done by me)
Also i'm using clamav to find out "shells"/backdoors.

Do i need to harden it a bit?

If i'll use suPhp can i prevent that HTTP uploaded file execution?(I'm sorry for my stupid questions-I never used suPhp.
But RTFM i think can light me to the right direction

)

Thank you very much!
Sorry for my English

Code:

root@debian:/etc/apache2/sites-enabled# ps aux|grep apach*
root      1164  0.1  0.5  34432  7960 ?        Ss   05:10   0:00 /usr/sbin/apache2 -k start
www-data  1186  0.0  0.2  34432  4132 ?        S    05:10   0:00 /usr/sbin/apache2 -k start
www-data  1187  0.0  0.2  34432  4128 ?        S    05:10   0:00 /usr/sbin/apache2 -k start
www-data  1189  0.0  0.2  34432  4128 ?        S    05:10   0:00 /usr/sbin/apache2 -k start
www-data  1190  0.0  0.2  34432  4128 ?        S    05:10   0:00 /usr/sbin/apache2 -k start
www-data  1191  0.0  0.2  34432  4128 ?        S    05:10   0:00 /usr/sbin/apache2 -k start
root      2166  0.0  0.0   3308   784 pts/0    S+   05:18   0:00 grep apach*



root@debian:/usr/sbin# apache2ctl -V
Server version: Apache/2.2.16 (Debian)
Server built:   Nov 30 2012 08:33:45
Server's Module Magic Number: 20051115:24
Server loaded:  APR 1.4.2, APR-Util 1.3.9
Compiled using: APR 1.4.2, APR-Util 1.3.9
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"



root@debian:/usr/sbin# apache2ctl -M
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 security2_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 status_module (shared)
 unique_id_module (shared)
Syntax OK


root@debian:/etc/apache2# ls -l
total 92
-rw-r--r-- 1 root root  7994 Sep  9 17:17 apache2.conf
drwxr-xr-x 2 root root  4096 Nov 30 16:08 conf.d
-rw-r--r-- 1 root root  1169 Nov 19 09:13 envvars
-rw-r--r-- 1 root root  1169 Nov 19 09:07 envvars_bak
-rw-r--r-- 1 root root    75 Nov 29 17:11 httpd.conf
lrwxrwxrwx 1 root root    17 Nov 19 18:03 logs -> /var/log/apache2/
-rw-r--r-- 1 root root 31063 Sep  9 17:17 magic
drwxr-xr-x 2 root root 12288 Dec 12 22:00 mods-available
drw------- 3 root root  4096 Dec 12 22:53 mod-security
drwxr-xr-x 2 root root  4096 Dec 12 22:00 mods-enabled
---------- 1 root root    50 Nov 13 13:07 oxu.txt
-rw-r--r-- 1 root root   750 Sep  9 17:17 ports.conf
drwxr-xr-x 2 root root  4096 Dec  1 10:14 sites-available
drwxr-xr-x 2 root root  4096 Nov 29 16:32 sites-enabled
root@debian:/etc/apache2# cat httpd.conf
ServerSignature Off
ServerTokens Prod


Options -Indexes
Options -ExecCgi

root@debian:/etc/apache2/sites-enabled# cat -n hacker1.own
     1  Include /etc/apache2/conf.d/security
     2  <VirtualHost *:80>
     3          ServerAdmin webmaster@hacker1.own
     4          ServerName www.hacker1.own
     5          ServerAlias hacker1.own
     6          ServerSignature Off
     7
     8          DocumentRoot /var/www/hacker1/
     9          <Directory />
    10  Options -Indexes -FollowSymLinks -MultiViews -Execcgi -Includes
    11  #http://httpd.apache.org/docs/2.2/mod/core.html#options#
    12  #AllowOverride none
    13  Options -Includes -ExecCGI -Indexes -MultiViews
    14  #Options None
    15  AllowOverride AuthConfig Limit Fileinfo
    16
    17          </Directory>
    18
    19          <Directory /var/www/hacker1/>
    20  Options -Includes -ExecCGI -Indexes -MultiViews
    21  AllowOverride AuthConfig Limit Fileinfo
    22
    23                  Order allow,deny
    24                  Allow from all
    25          </Directory>
    26
    27  <Directory "/var/www/hacker1/">
    28   php_admin_value open_basedir "/var/www/hacker1/:/tmp/:.:/usr/share/php:.:/usr/share/pear"
    29  </Directory>
    30
    31          #ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    32          <Directory "/usr/lib/cgi-bin">
    33                  AllowOverride None
    34                  Options -ExecCGI -MultiViews -SymLinksIfOwnerMatch
    35                  # Options None
    36                  Order allow,deny
    37                  Deny from all
    38          </Directory>
    39
    40          ErrorLog ${APACHE_LOG_DIR}/error.log
    41
    42          # Possible values include: debug, info, notice, warn, error, crit,
    43          # alert, emerg.
    44          LogLevel warn
    45
    46          CustomLog ${APACHE_LOG_DIR}/access.log combined
    47  </VirtualHost>


root@debian:/etc/apache2/sites-enabled# cat -n 000-default
     1  Include /etc/apache2/conf.d/security
     2  <VirtualHost *:80>
     3          ServerAdmin webmaster@my.hack
     4          ServerName www.my.hack
     5          ServerAlias my.hack
     6         #ServerSignature Off
     7
     8          DocumentRoot /var/www/hack/
     9          <Directory />
    10                  Options -FollowSymLinks
    11                  AllowOverride none
    12          </Directory>
    13
    14          <Directory /var/www/hack/>
    15                  Options -Indexes -FollowSymLinks -MultiViews -Execcgi
    16                  AllowOverride all
    17                  Order allow,deny
    18                  Allow from all
    19          </Directory>
    20
    21  <Directory "/var/www/hack/">
    22   php_admin_value open_basedir "/var/www/hack/:/tmp/:.:/usr/share/php:.:/usr/share/pear"
    23  </Directory>
    24
    25
    26          ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    27          <Directory "/usr/lib/cgi-bin">
    28                  AllowOverride None
    29                  Options -ExecCGI -MultiViews -SymLinksIfOwnerMatch
    30                  Order allow,deny
    31                  Deny from all
    32          </Directory>
    33
    34          ErrorLog ${APACHE_LOG_DIR}/error.log
    35
    36          # Possible values include: debug, info, notice, warn, error, crit,
    37          # alert, emerg.
    38          LogLevel warn
    39
    40          CustomLog ${APACHE_LOG_DIR}/access.log combined
    41  </VirtualHost>


root@debian:/var/www# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       debian.localdomain      debian
127.0.0.1       my.hack
127.0.0.1       hacker1.own

root@debian:/var/www# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:33:bb:e7
          inet addr:192.168.0.15  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe33:bbe7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1618 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1340 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:145458 (142.0 KiB)  TX bytes:314045 (306.6 KiB)
          Interrupt:10 Base address:0xd020

eth2      Link encap:Ethernet  HWaddr 08:00:27:07:7f:c6
          inet addr:10.0.3.15  Bcast:10.0.3.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe07:7fc6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:415 errors:0 dropped:0 overruns:0 frame:0
          TX packets:452 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:333774 (325.9 KiB)  TX bytes:37398 (36.5 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:52 errors:0 dropped:0 overruns:0 frame:0
          TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4778 (4.6 KiB)  TX bytes:4778 (4.6 KiB)





root@debian:/usr/sbin# php -v
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug  6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
root@debian:/usr/sbin#

root@debian:/etc/php5/apache2# cat php.ini |grep safe_mode
safe_mode = On
; then turn on safe_mode_gid.
safe_mode_gid = Off
; When safe_mode is on, UID/GID checks are bypassed when
safe_mode_include_dir =
; When safe_mode is on, only executables located in the safe_mode_exec_dir
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
; protected even if safe_mode_allowed_env_vars is set to allow to change them.
safe_mode_protected_env_vars = LD_LIBRARY_PATH
disable_functions=exec,passthru,fsockopen,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd,exec,fp,fput,highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, po,six_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate,syslog,system, xmlrpc_entity_decode,apache_note,apache_setenv,proc_get_status,exec,passthru,proc_nice,proc_open,proc_terminate,shell_exec,system,ini_restore,define_syslog_variables,symlink,link,error_log,leak,dbmopen,closelog,stream_socket_server,execl,escapeshellcmd,proc_close,ini_alter,dl,show_ource,posix_getpwuid,posix_geteuid,posix_getegid,posix_getgrgid,open_basedir,safe_mode_include_dir,pcntl_exec,pcntl_fork,putenv,pclose,virtual,openlog,popen,escapeshellarg,dl
sql.safe_mode = Off

root@debian:/etc/php5/apache2# cat php.ini |grep "infile"
; http://php.net/mysql.allow_local_infile
mysql.allow_local_infile = Off
; http://php.net/mysqli.allow_local_infile
;mysqli.allow_local_infile = On

unSpawn · 12-23-2012, 07:00 AM

Quote:

Originally Posted by Ijustdontloveyounomore

(..) I disabled cgi ,ssi modules (..) I hardened/separated users by applying open_basedir_restriction too. A bunch of php functions also disabled(except few). (..) I disabled also mysql.allow_local_infile=off (..) i'm planning to separate uid/gid's too for every "client". (..) Also i'm using clamav to find out "shells"/backdoors.

Well you did do more than a lot of users would so, good!

Quote:

Originally Posted by Ijustdontloveyounomore

(..) i also tested using "shells" to test my server security.

Testing is good. Since you're into pentesting you know what your toolkit contains and you know never to rely on one tool or one method.

Quote:

Originally Posted by Ijustdontloveyounomore

If i'll use suPhp can i prevent that HTTP uploaded file execution?(I'm sorry for my stupid questions-I never used suPhp. But RTFM i think can light me to the right direction

Simply start with the existing documentation?

Quote:

Originally Posted by Ijustdontloveyounomore

This will harden completely web server.(I think And i hope)

Since you're into pentesting you know security is a continuous process of auditing and adjusting and remaining vigilant always.

Ijustdontloveyounomore · 12-23-2012, 07:31 AM

Once again thank you unSpawn)

I installed suPHP.Everything seems pretty enough secure now.I can't read anothers (files,configs etc)
Thank you again for your advises.