Wednesday, 23 May 2012

FYI: You've Got LFI


RFI/LFI attacks are a favorite choice for hackers. Why? A successful attack allows the execution of arbitrary code on the attacked platform in the context of the web application; with the application's level of authorization, it can practically take over the server.
Surprisingly, however, RFI/LFI are still considered the underdogs of vulnerabilities. Attractive RFI/LFI attack targets are commonly PHP applications. With more than 77% of today's websites running PHP, RFI should be on every security practitioner's radar, but it isn't. Some notorious RFI/LFI examples include Anonymous using RFI bots to attack their targets, and TimThumb, a WordPress add-on vulnerable to LFI, which paved the way to 1.2 million infected websites.
It's time to seriously examine RFI/LFI attacks. In this talk we quantify the prevalence of this attack based on our findings of it in the wild. We present proofs of concept which demonstrate how these attacks evade detection. We also present new approaches to defeating this type of attack. In particular, we:
  • Introduce the RFI/LFI concepts and evaluate their potential effectiveness in the wild
  • Demonstrate RFI attacks, starting with the basics and moving to recently witnessed advanced schemes which exploit PHP streams
  • Present a proof of concept of how an LFI attack can be hidden within benign-looking documents such as pictures and PDF documents
  • Reveal a new RFI/LFI attack vector which evades anti-malware by splitting the attack vector across different textual fields of a picture
  • Provide mitigation steps against RFI/LFI attacks, including a novel approach which uses a shell-hosting feed
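The root cause behind both RFI and LFI is a request parameter that reaches `include` as a path. The following is an added illustration, not code from the talk or from any project it mentions: the vulnerable pattern beside a hardened version that treats the parameter as a lookup key rather than a path, then confirms the resolved file still lies under the template directory. The page names, `PAGE_MAP`, `resolve_page` and the `templates` directory are assumptions made for the example.

```php
<?php
// Added example: the classic LFI/RFI include pattern and a hardened replacement.
// PAGE_MAP, resolve_page() and the template directory are constructed for illustration.

// --- Vulnerable form: the request parameter reaches include() untouched. ---
// With allow_url_include enabled this is RFI; with it disabled it is still LFI,
// because traversal sequences and stream wrappers in $page are handed straight
// to the include machinery.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// --- Hardened form: the parameter is a key into an allowlist, never a path. ---
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the template to include, or null if the request
// must be refused.
function resolve_page(string $page, string $baseDir): ?string
{
    // 1. Allowlist: anything not in the map is rejected. This single check
    //    covers traversal sequences, null bytes, remote URLs and php:// style
    //    stream wrappers alike, because none of them is a key of PAGE_MAP.
    if (!array_key_exists($page, PAGE_MAP)) {
        return null;
    }

    // 2. Defence in depth: resolve the real path and confirm it still lies
    //    under the template directory (guards against a symlinked template or
    //    a mistaken map entry pointing outside the directory).
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_MAP[$page]);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

function render_page_hardened(string $page, string $baseDir): void
{
    $path = resolve_page($page, $baseDir);
    if ($path === null) {
        // Log the rejected value here; it is a useful LFI/RFI probe indicator.
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Usage with a request parameter (assumed layout: templates/ next to this file):
render_page_hardened($_GET['page'] ?? 'home', __DIR__ . '/templates');
```

The allowlist is the control that matters; the `realpath` prefix check only backs it up. Alongside the code fix, the PHP configuration directives `allow_url_include` (off by default since PHP 5.2) and `allow_url_fopen` decide whether a remote URL can ever be included at all, and `open_basedir` bounds which local files the interpreter may open, so a bug elsewhere in the application is contained to the web root.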
  
