This report shows an hands-on penetration testing using Apache server with cgi access, it identifies some vulnerabilities and performs exploits with this vulnerability and It further patches it by mitigating this known threats.
INTRODUCTION
APACHE
APACHE
Apache can also be referred to as Apache HTTP Server. It is a standard that is established for allocating services for website online which has developed the World Wide Web. It is a free platform of web server which is been used by most of the website. The server is been used by most of the operating systems e.g. Unix, Linux, Window, Microsoft Windows, Mac OS etc but was originally designed for Unix.
Apache can be referred to as a Patchy server which is the patches that is attached to NCSA HTTPD 1.3 codebase. The Open source community (Apache software Foundation) developed the apache web servers, who are regularly adding important features to the web server in order to make the server secured and to be in the recent standard of HTTP.
The Apache server is created with lots of modules which allow the server to run script and other content. The module makes apache to be capable of doing so many thing e.g. Common Gateway Interface (CGI) which is a protocol used to create a communication between external application software and the web server and SSL (Server Side Includes) which is a server-side script language. Examples of another apache module are CGI scripts execution URL redirection, user home directories, and content negotiation.
COMMON GATEWAY INTERFACE (CGI)
CGI can be defined as a rule that allows scripts and program to run on the web server. It gives details of information that was communicated between the web server and web browser and how it was transmitted. CGI is been used by web server to carry out external programs referred to as CGI Scripts. It is a way for CGI script to run on the server and result results from the program to the server.
The root folder of every web server includes cgi-bin directory, scripts that are placed in the cgi-bin directory compile with CGI rule. CGI is supported by most web server e.g. windows server & apache. CGI script can be written in various programming language e.g. Java, C++ & Perl. In CGI, the user inputs are always submitted via HTML.
STEPS IN INSTALLING APACHE SERVER:
1. First is to install the Apache package; the command below will install the httpd package along with the dependencies.
[root@localhost ~] yum install httpd
Installing HTTP |
2. Next is to open the “/etc/httpd/conf/httpd.conf” configuration file and edit the server name so as to point the Internet Protocol (IP) address to the httpd server, the following command was inputted.
[root@localhost ~] vim /etc/httpd/conf/httpd.conf
Modifying Config file |
3. Next is to start the httpd service, the following command was inputted.
[root@localhost ~] service httpd start
In other for httpd service to start on booting the system the following command was inputted
[root@localhost ~] chkconfig –- levels 235 httpd on
4. To test the apache web server running we input the IP address 192.168.26.144 on the web browser to test the configurations previously implemented.
Starting Apache Server |
The version of apache installed is seen below
Apache Version Info |
CONFIGURATION OF CGI-SCRIPT & PERL INSTALLATION
1. The following command was inputted to install Perl.
[root@localhost ~] yum –y install mod_perl perl perl-CGI
Perl installation |
2. Next is to configure the cgi-bin directory so as to allow the apache server recognize that directory in other for easy execution of commands from within that directory. The following commands were inputted.
[root@localhost ~]mkdir /usr/lib/cgi-bin
[root@localhost ~] chmod755 /usr/lib/cgi-bin
[root@localhost ~]chown root.root /usr/lib/cgi-bin
[root@localhost ~]vim /etc/httpd/conf/httpd.conf
Configuring cgi-bin directory via editing httpd.conf file |
3. Next was to configure a new file with perl script under the var/www/cgi-bin directory
[root@localhost ~]cd /var/www/cgi-bin
[root@localhost ~]vim test.pl
[root@localhost ~]vim test.pl
Writing our first perl file |
4. Next was to test the cgi-script on the web browser to indicate that the cgi script is working with the apache server.
5. Next is to install all other dependencies for perl script, the following commands where inputted.
[root@localhost ~] yum -y install perl-ExtUtils-MakeMakerperl-Digest-SHA perl-Net-DNS perl-NetAddr-IP perl-Archive-Tar perl-IO-Zlibperl-Digest-SHA perl-Mail-SPF perl-IP-Country perl-Razor2 perl-Net-Ident perl-IO-Socket-INET6 perl-IO-Socket-SSL perl-Mail-DKIM perl-DBI perl-Encode-Detect perl-HTML-Parser perl-HTML-Tagsetperl-Time-HiResperl-libwww-perl
6. Next is to put the cgi script to test by running an html code, which would ping remote host and also the cgi-script written in perl language, the “var/www/html” directory was edited and configured. The following commands was used
[root@localhost ~]cd /var/www/html
[root@localhost ~html] vim index.html
7. Next was to configure the Perl script in other to receive the form passed from the html code to configure the cgi access the following commands.
[root@localhost ~html]cd /root
[root@localhost~] cd /var/www/cgi-bin
[root@localhost ~cgi-bin]vim ping.pl
8. To test the cgi-script running on the apache server, which we would be attacking, we test that the script is working well.
PENETRATION TESTING
First Test: Foot printing
By default ServersToken is set to Full
vim/etc/httpd/conf/httpd.conf
By default ServerSignature is turned On
From Attacker:
[root@bt ~] nc 192.168.26.234 80
This give the attacker the Operating System running and also the kind of web service with the version number running on it allowing possible attack with the information displayed.
Prevention of Foot Printing:
ServerTokens was changed to ProductOnly
Server Signature was changed to Off
The Operating System and Apache version were not displayed after editing the httpd configuration file.
Second Test: Denial of Service of a CGI-Script running on Perl. The cgi script is used to ping remote host as seen below.
To test the vulnerability on the Apache server Slowloris post script https denial service is used on Backtrack 5 to stop running services by opening too many connections and holds them which disallows users from accessing this service once the connection ends it opens new connection to keep the services still running.
This attack will be lunched on the
http://192.168.26.234/index.html
The following procedures and commands were used on Backtrack.
The perl postscript slowloris.pl was downloaded on desktop
The following commands were inputted to launch the attack.
[root@bt ~]cd Desktop#
[root@bt~]/Desktop#
root@bt~/Desktop# perl slowloris.pl –dnshttp://192.168.26.234/index.html
RESULT
The result below shows that the service was denied due to the excess packet sent by the slowloris attack initiating multiple connections thereby flooding the apache server.
Prevention of Slowloris:
In other to prevent this attack on apache we reduce the number of connections on the Apache server by implementing firewalls using iptables.
This will in turn allow normal traffic and mitigate the full effect of the slowloris denial of service attack on the perl script.
[root@localhost~] vim /etc/rc.local
[root@localhost~]chmod u=rwx,g=rwx,o=x /etc/rc.local
Third Test: Command Injection on CGI Script
Command injection allows an attacker to inject and execute arbitrary code on the remote web server via remote cgi script.
Command injection technique was used to dump the user database file on the web server. The following injection vector was used :
192.168.26.234 ; cat/etc/passwd
Here, the ';' character is used to execute the cat /etc/passwd command which is interpreted as a separate command and is executed by the ping.pl CGI script.
The vulnerability indicates that the cgi script allows attackers to perform command techniques such as accessing /etc/password which holds essential information about usernames and password 1 of accounts created running on the apache server.
Prevention of Command Injection:
The cgi script is sanitize by allowing only valid IP address by using the following regular expression :
(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$
The updated script looks like the following:
[root@localhost~]vim /var/www/cgi-bin/ping.pl
The output below shows that command injection on the cgi script was not successful after regular expression based filtering to the CGI parameter called $IP was address implemented.
CONCLUSION
This report shows an exploit on cgi script running on Apache server exploiting its vulnerabilities using command injection and also using a well known exploit also known as slowloris denial of service and further identifying ways an attacker can use foot printing on Apache server through its banner then preventing the same.
Testing our script |
5. Next is to install all other dependencies for perl script, the following commands where inputted.
[root@localhost ~] yum -y install perl-ExtUtils-MakeMakerperl-Digest-SHA perl-Net-DNS perl-NetAddr-IP perl-Archive-Tar perl-IO-Zlibperl-Digest-SHA perl-Mail-SPF perl-IP-Country perl-Razor2 perl-Net-Ident perl-IO-Socket-INET6 perl-IO-Socket-SSL perl-Mail-DKIM perl-DBI perl-Encode-Detect perl-HTML-Parser perl-HTML-Tagsetperl-Time-HiResperl-libwww-perl
Perl installation |
6. Next is to put the cgi script to test by running an html code, which would ping remote host and also the cgi-script written in perl language, the “var/www/html” directory was edited and configured. The following commands was used
[root@localhost ~]cd /var/www/html
[root@localhost ~html] vim index.html
7. Next was to configure the Perl script in other to receive the form passed from the html code to configure the cgi access the following commands.
[root@localhost ~html]cd /root
[root@localhost~] cd /var/www/cgi-bin
[root@localhost ~cgi-bin]vim ping.pl
8. To test the cgi-script running on the apache server, which we would be attacking, we test that the script is working well.
PENETRATION TESTING
First Test: Foot printing
By default ServersToken is set to Full
vim/etc/httpd/conf/httpd.conf
By default ServerSignature is turned On
From Attacker:
[root@bt ~] nc 192.168.26.234 80
This give the attacker the Operating System running and also the kind of web service with the version number running on it allowing possible attack with the information displayed.
Prevention of Foot Printing:
ServerTokens was changed to ProductOnly
Server Signature was changed to Off
The Operating System and Apache version were not displayed after editing the httpd configuration file.
Second Test: Denial of Service of a CGI-Script running on Perl. The cgi script is used to ping remote host as seen below.
To test the vulnerability on the Apache server Slowloris post script https denial service is used on Backtrack 5 to stop running services by opening too many connections and holds them which disallows users from accessing this service once the connection ends it opens new connection to keep the services still running.
This attack will be lunched on the
http://192.168.26.234/index.html
The following procedures and commands were used on Backtrack.
The perl postscript slowloris.pl was downloaded on desktop
The following commands were inputted to launch the attack.
[root@bt ~]cd Desktop#
[root@bt~]/Desktop#
root@bt~/Desktop# perl slowloris.pl –dnshttp://192.168.26.234/index.html
RESULT
The result below shows that the service was denied due to the excess packet sent by the slowloris attack initiating multiple connections thereby flooding the apache server.
Prevention of Slowloris:
In other to prevent this attack on apache we reduce the number of connections on the Apache server by implementing firewalls using iptables.
This will in turn allow normal traffic and mitigate the full effect of the slowloris denial of service attack on the perl script.
[root@localhost~] vim /etc/rc.local
[root@localhost~]chmod u=rwx,g=rwx,o=x /etc/rc.local
Third Test: Command Injection on CGI Script
Command injection allows an attacker to inject and execute arbitrary code on the remote web server via remote cgi script.
Command injection technique was used to dump the user database file on the web server. The following injection vector was used :
192.168.26.234 ; cat/etc/passwd
Here, the ';' character is used to execute the cat /etc/passwd command which is interpreted as a separate command and is executed by the ping.pl CGI script.
The vulnerability indicates that the cgi script allows attackers to perform command techniques such as accessing /etc/password which holds essential information about usernames and password 1 of accounts created running on the apache server.
Prevention of Command Injection:
The cgi script is sanitize by allowing only valid IP address by using the following regular expression :
(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$
The updated script looks like the following:
[root@localhost~]vim /var/www/cgi-bin/ping.pl
The output below shows that command injection on the cgi script was not successful after regular expression based filtering to the CGI parameter called $IP was address implemented.
CONCLUSION
This report shows an exploit on cgi script running on Apache server exploiting its vulnerabilities using command injection and also using a well known exploit also known as slowloris denial of service and further identifying ways an attacker can use foot printing on Apache server through its banner then preventing the same.