Solutions for handling symlink attacks

Status
Not open for further replies.

JeffP.
This is an interesting suggestion. Can you better explain what negative impact this could have? Wouldn't it prevent all users from using symlinks?
It would only prevent all non-root users from using the /bin/ln utility, which would not stop anyone from creating symlinks.

Symlink functionality comes from the kernel. The "ln" utility simply provides one way amongst many to utilize this functionality. Links between files can also be created by using the "link" command (for hard links), or by using any of the readily available interpreters on the server such as perl, php, python, ruby, or by uploading your own application (or a version of "ln" that is either statically linked, or compiled on a system that contains the same set of libraries), etc.

Changing the permissions of a file provided by the operating system won't prevent the use of functionality that inherently comes from the kernel, and can end up doing more harm than good.
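As an added example (my code, not JeffP.'s or anything posted in the thread), here is the point above in runnable form: two routes to a symlink that never touch /bin/ln, Python's os.symlink wrapper and a direct ctypes call into libc's symlink(), which is the same system call that ln, Perl's symlink() and PHP's symlink() all end in. The scratch directory and the sample file are constructed for the demo.

```python
import ctypes
import ctypes.util
import os
import tempfile


def symlink_via_python(target, link):
    """os.symlink is a thin wrapper over the symlink(2) system call."""
    os.symlink(target, link)


def symlink_via_libc(target, link):
    """Call symlink(2) through libc with no utility or interpreter wrapper.
    ln(1), Perl's symlink(), PHP's symlink() and friends all end up here."""
    libc = ctypes.CDLL(ctypes.util.find_library("c") or None, use_errno=True)
    libc.symlink.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    libc.symlink.restype = ctypes.c_int
    if libc.symlink(os.fsencode(target), os.fsencode(link)) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err), link)


METHODS = (symlink_via_python, symlink_via_libc)


def demonstrate():
    """Create a link with each method in a scratch directory, never invoking
    /bin/ln, and report per method whether the result is a symlink that points
    at the target and can be read through. The sample file is constructed."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "secret.txt")
        with open(target, "w") as fh:
            fh.write("constructed sample content\n")
        for fn in METHODS:
            link = os.path.join(scratch, fn.__name__ + ".lnk")
            fn(target, link)
            with open(link) as fh:
                through_link = fh.read()
            results[fn.__name__] = {
                "is_symlink": os.path.islink(link),
                "points_at_target": os.readlink(link) == target,
                "content_via_link": through_link,
            }
    return results


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(name, outcome)
```

Both methods produce an identical link whatever mode /bin/ln carries, which is why a chmod on the binary changes nothing for an attacker who can run any code at all in the account.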

lbeachmike
It would only prevent all non-root users from using the /bin/ln utility, which would not stop anyone from creating symlinks.

Symlink functionality comes from the kernel. The "ln" utility simply provides one way amongst many to utilize this functionality. Links between files can also be created by using the "link" command (for hard links), or by using any of the readily available interpreters on the server such as perl, php, python, ruby, or by uploading your own application (or a version of "ln" that is either statically linked, or compiled on a system that contains the same set of libraries), etc.

Changing the permissions of a file provided by the operating system won't prevent the use of functionality that inherently comes from the kernel, and can end up doing more harm than good.
Okay - so it sounds like you are recommending against this course of action.

Moreover, the ways these site hacks are occurring is that the hacker uploads an entire directory of content with all files already in place. So, the symlink is part of the package that is being uploaded. Thus, wouldn't this measure fail to prevent that scenario?

Thanks.

mrk

JeffP.
Okay - so it sounds like you are recommending against this course of action.

Moreover, the ways these site hacks are occurring is that the hacker uploads an entire directory of content with all files already in place. So, the symlink is part of the package that is being uploaded. Thus, wouldn't this measure fail to prevent that scenario?

Thanks.

mrk

You are correct; that's another way as well. Good point!

activa
This behavior has been tested and is confirmed!

When an attacker uploads a custom symlink to the root folder, he can view and browse all the server files!

I have changed the permissions of ln to 760, with no result; the same.

I have added a custom directive in the httpd config with the following:

Code:
<Directory "/home/*/public_html">
    Options -ExecCGI
    AllowOverride AuthConfig Indexes Limit FileInfo options=IncludesNOEXEC,Indexes,Includes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks
</Directory>
He can view the files. Any other solution for this case?

hackboys
Solution for this case.

/usr/local/apache/conf/httpd.conf

Code:
<Directory "/">
    # Apache requires Options to be given either all with +/- prefixes or
    # all without; the absolute form below expresses the same option set.
    Options Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
    Options IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/home">
    # All minus ExecCGI, FollowSymLinks, Includes, IncludesNOEXEC and
    # MultiViews leaves only Indexes and SymLinksIfOwnerMatch. AllowOverride
    # deliberately omits Options, so .htaccess cannot turn FollowSymLinks back on.
    Options Indexes SymLinksIfOwnerMatch
    AllowOverride AuthConfig Indexes Limit FileInfo
</Directory>

<Directory "/home2">
    Options Indexes SymLinksIfOwnerMatch
    AllowOverride AuthConfig Indexes Limit FileInfo
</Directory>

expssh
Let me show you which method a "hacker" uses to get the source of the config files of your website, for example wp-config.php, and I will show you how to prevent this.

1) He logs in to cPanel as a normal user at http://ip-address/cpanel, typing the login and password.
2) Then he opens the File Manager (with "show hidden files (dotfiles)" enabled) and creates a new .htaccess file with the following source:
#.htaccess file source
Options Indexes FollowSymLinks
DirectoryIndex doesnt-metter.htm
AddType txt .php
AddHandler txt .php

#End of .htaccess file
3) Then he creates a symbolic link (soft link) with a Perl script, or just uses a cron job, to create a symbolic link to the top-level directory "/", typing: "ln -s / topdir"
4) After that, he opens a browser and types http://server-ip/~his-home-dir/topdir/home/some-user/public_html/wp-config.php and then just looks at the source of the page; all data is present as TXT (text) data. That's all. The user has been hacked.
-------------------------------------------------------------------------------------------------------
Solution:
1) Open your php.conf with your favorite editor: nano /usr/local/apache/conf/php.conf
2) Comment out: #AddType application/x-httpd-php5 .php5 .php4 .php .php3 .php2 .phtml
3) Add these lines:

# equivalent to: .php, .php2, .php3, .php4, .php5, .php6, .phtml
<FilesMatch "\.ph(p[2-6]?|tml)$">
    SetHandler application/x-httpd-php5
</FilesMatch>

4) Save your changes and close php.conf
5) Restart the httpd server by typing: /etc/init.d/httpd restart
6) Done ;)
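To make the .htaccess half of this recipe easier to spot on a server you administer, here is an added example in Python (my code, not expssh's and not part of cPanel): it audits .htaccess content for the directives the attack depends on, FollowSymLinks being turned on and .php being detached from the PHP handler through AddType/AddHandler, and goes beyond the post by also flagging the RemoveHandler/RemoveType and SetHandler/ForceType variants of the same trick. Both .htaccess samples are constructed; ATTACK_HTACCESS reproduces the file described in step 2. A check like this says nothing about a link aimed straight at another user's wp-config.php under a non-.php name; that is a question about the links on disk, not about the config.

```python
import os
import re

# Constructed sample reproducing the .htaccess described in the post
# (not a file taken from any real server).
ATTACK_HTACCESS = """\
Options Indexes FollowSymLinks
DirectoryIndex doesnt-metter.htm
AddType txt .php
AddHandler txt .php
"""

# Constructed, typical application .htaccess for comparison.
BENIGN_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
</IfModule>
# END WordPress
Options -Indexes
AddHandler application/x-httpd-php5 .php
"""

PHP_EXT = re.compile(r"^\.?(php[2-6]?|phtml)$", re.I)


def _is_php_ext(token):
    return bool(PHP_EXT.match(token))


def audit_htaccess(text):
    """Return [(line_no, line, reason)] for the directives the attack relies on:
    Options turning FollowSymLinks on, and AddType/AddHandler/RemoveHandler/
    RemoveType/SetHandler/ForceType that detach .php files from the PHP
    handler so Apache serves their source as plain text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank, comment, or a <IfModule>/<Files> section tag
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "options":
            if any(a.lstrip("+").lower() == "followsymlinks" for a in args):
                findings.append((no, raw, "turns on FollowSymLinks, which does no owner check on the link target"))
        elif directive in ("addtype", "addhandler"):
            if len(args) >= 2 and "php" not in args[0].lower() and any(_is_php_ext(e) for e in args[1:]):
                findings.append((no, raw, f"maps PHP extensions to '{args[0]}' instead of the PHP handler"))
        elif directive in ("removehandler", "removetype"):
            if any(_is_php_ext(e) for e in args):
                findings.append((no, raw, "strips the PHP handler/type from PHP extensions"))
        elif directive in ("sethandler", "forcetype"):
            if args and "php" not in args[0].lower():
                findings.append((no, raw, f"{parts[0]} {args[0]} applies to every file in scope, .php included"))
    return findings


def audit_tree(root):
    """Walk *root* (e.g. /home) without following symlinks and audit every
    .htaccess found; returns {path: findings} for files that have findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        try:
            with open(path, errors="replace") as fh:
                found = audit_htaccess(fh.read())
        except OSError:
            continue
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    for hit in audit_htaccess(ATTACK_HTACCESS):
        print("line %d: %s  <- %s" % hit)
    print("benign sample:", audit_htaccess(BENIGN_HTACCESS))
```

Run audit_tree("/home") from cron or after a restore; anything it reports is worth a look, but remember it only finds the config side of the attack, and only in files the scanning user can read.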

thevali
The only working workaround is the one from hackboys... and this brings a lot of overhead to fix the issues for Joomla sites and any other site using +FollowSymLinks.

The solution given by expssh is not complete. One could create (or upload) a symbolic link like:
"ln -s /home/someuser/public_html/wp-config.php a.txt" and then open a browser to a.txt, which will show him the wp-config.php content.

nevohosting
Can I customize cPanel so that all new files are created with rights 640? When unpacking archives, too.
In this case, the scripts will work, but will not be available for reading.

garconcn
Can cPanel support provide a solution for this case or validate the solutions in this post? Thanks.

In WHM Apache Global Configuration, which options should I use or not use to prevent this symbolic link hacking?

Directory "/" Options

ExecCGI (default)
FollowSymLinks (default)
Includes
IncludesNOEXEC (default)
Indexes (default)
MultiViews
SymLinksIfOwnerMatch (default)

JeffP.
Can cPanel support provide a solution for this case or validate the solutions in this post? Thanks.

In WHM Apache Global Configuration, which options should I use or not use to prevent this symbolic link hacking?

Directory "/" Options

ExecCGI (default)
FollowSymLinks (default)
Includes
IncludesNOEXEC (default)
Indexes (default)
MultiViews
SymLinksIfOwnerMatch (default)
As noted earlier in this thread by cpanelkenneth in his post here, there is no complete solution for this in Apache's software. You can disable (uncheck) the "FollowSymLinks" option if you'd like, as well as "SymLinksIfOwnerMatch". You must then also disallow users from using Overrides, since they could simply use .htaccess to re-enable those things. If you disallow Overrides, customers who rely on .htaccess files may not be very happy. Even then, per cpanelkenneth's post, this is not a complete security measure, as the Apache webserver still does not attempt to prevent race condition attacks with symlinks.

So, if you're looking for a solution, your best bet would be to contact the vendor of the software that contains the issue. Their website is here.

SoftDux
Let me show you which method a "hacker" uses to get the source of the config files of your website, for example wp-config.php, and I will show you how to prevent this.

1) He logs in to cPanel as a normal user at http://ip-address/cpanel, typing the login and password.
2) Then he opens the File Manager (with "show hidden files (dotfiles)" enabled) and creates a new .htaccess file with the following source:
#.htaccess file source
Options Indexes FollowSymLinks
DirectoryIndex doesnt-metter.htm
AddType txt .php
AddHandler txt .php

#End of .htaccess file
3) Then he creates a symbolic link (soft link) with a Perl script, or just uses a cron job, to create a symbolic link to the top-level directory "/", typing: "ln -s / topdir"
4) After that, he opens a browser and types http://server-ip/~his-home-dir/topdir/home/some-user/public_html/wp-config.php and then just looks at the source of the page; all data is present as TXT (text) data. That's all. The user has been hacked.

wow, this is a super 1337 hack!

No offence, but you're not really showing any hacking skills with this.

1. Since the user logged into cPanel, he already had access to the wp-config.php file, without having to create a symlink to it.
2. The user created a symlink to a file which he owned - he's supposed to do that; he has the permissions to do it.

It's your own (or your client's) fault for using insecure cPanel passwords.

Use MORE secure passwords for EVERYTHING. And don't EVER use the same password for everything.
Enable suPHP and install + configure mod_security.
Use something like cPanel's Brute Force Protection, CSF, or any other firewall to block users who try to brute-force any account.
Configure your server to enforce secure passwords, at least at level 70 or so.

LDHosting
This isn't anything to do with insecure cPanel passwords, rather the way that Apache deals with symlinks (FollowSymLinks doesn't do any owner checks). In the example that expssh provided, the symlink was created to point to / (the drive root) rather than his own home directory. From there he uses the symlink to navigate into *someone else's* home directory to read their wp-config.php.

brianoz
I don't get you. Can you please clarify?

To be clear, any folder that has 711 permissions can't be bypassed by symlinks.
Unfortunately, mode 711 *actually does allow* symlink access. You're thinking of mode 710 or 700, which would prevent access.

kevinlevin
What about making a cron that checks for "bad" symlinks in the /home directory?
"Bad" would be defined as a symlink that does not belong to the regular cPanel symlinks and/or some other criteria.

I know this is a workaround, but... what do you think?
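As an added example (my code, not kevinlevin's or brianoz's), here is the check a cron job of that kind could run, in Python: it walks a /home-style tree without following links, reports every symlink whose target resolves outside the home directory the link lives in, and for each one works out whether a third user (the web server's user) could actually read the target by testing o+x on every directory down the path and o+r on the file, which is brianoz's 711-versus-700 point above expressed in code. The tree it scans is constructed in a temporary directory (alice's wp-config.php, bob's `ln -s / topdir` and `ln -s .../wp-config.php a.txt`, plus a harmless www -> public_html link); demo() scans it, sets alice's home to 700, and scans again.

```python
import os
import shutil
import stat
import tempfile


def _home_of(real_path, real_root):
    """real_root/<user> for a resolved path inside real_root, else None
    (a link to / or to /etc/passwd resolves outside the tree)."""
    if real_path == real_root or not real_path.startswith(real_root + os.sep):
        return None
    return os.path.join(real_root, real_path[len(real_root) + 1:].split(os.sep, 1)[0])


def readable_by_other(target, root):
    """Could a third user (e.g. Apache's nobody) open *target*? Every directory
    from *root* down must carry o+x (711 passes, 710/700 fail) and the file o+r.
    Directories above *root* are assumed traversable, as /home normally is."""
    root, target = os.path.realpath(root), os.path.realpath(target)
    try:
        st = os.stat(target)
    except OSError:
        return False                          # dangling link: nothing to read
    if stat.S_ISDIR(st.st_mode):
        return bool(st.st_mode & stat.S_IXOTH)
    if not st.st_mode & stat.S_IROTH:
        return False
    dirs = [os.path.dirname(target)]
    while dirs[-1] != root and dirs[-1].startswith(root + os.sep):
        dirs.append(os.path.dirname(dirs[-1]))
    return all(os.stat(d).st_mode & stat.S_IXOTH for d in dirs)


def find_escaping_symlinks(root):
    """Walk *root* (think /home) without following links and report each symlink
    whose target resolves outside the home it sits in. Intra-home links such as
    cPanel's own www -> public_html are therefore ignored."""
    root, findings = os.path.realpath(root), []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        link_home = _home_of(dirpath, root)     # dirpath is a real directory
        for name in dirnames + filenames:       # links to dirs land in dirnames
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            resolved = os.path.realpath(link)   # relative targets resolved too
            target_home = _home_of(resolved, root)
            if target_home is not None and target_home == link_home:
                continue
            findings.append({
                "link": link, "target": os.readlink(link), "resolved": resolved,
                "reaches_other_home": target_home is not None,
                "readable_by_other": readable_by_other(resolved, root),
            })
    return findings


def build_demo_tree():
    """Constructed layout (not a real server): alice owns a wp-config.php, bob
    plants the two links the thread describes plus one harmless link."""
    home = os.path.join(tempfile.mkdtemp(), "home")
    alice, bob = os.path.join(home, "alice"), os.path.join(home, "bob")
    os.makedirs(os.path.join(alice, "public_html"))
    os.makedirs(os.path.join(bob, "public_html"))
    cfg = os.path.join(alice, "public_html", "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-sample'); ?>\n")
    os.chmod(home, 0o755)
    os.chmod(alice, 0o711)                    # the "711 is safe" assumption
    os.chmod(os.path.join(alice, "public_html"), 0o755)
    os.chmod(cfg, 0o644)
    os.symlink("public_html", os.path.join(bob, "www"))          # benign
    os.symlink("/", os.path.join(bob, "public_html", "topdir"))  # ln -s / topdir
    os.symlink(cfg, os.path.join(bob, "public_html", "a.txt"))   # ln -s .../wp-config.php a.txt
    return home


def scan_summary(root):
    """{link name: (reaches another user's home?, readable by 'other'?)}"""
    return {os.path.basename(f["link"]): (f["reaches_other_home"], f["readable_by_other"])
            for f in find_escaping_symlinks(root)}


def demo():
    """Scan the sample tree, apply brianoz's fix (700 on alice's home), rescan."""
    home = build_demo_tree()
    try:
        before = scan_summary(home)
        os.chmod(os.path.join(home, "alice"), 0o700)
        after = scan_summary(home)
    finally:
        shutil.rmtree(os.path.dirname(home))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The "readable_by_other" column is the one to act on: a link that escapes its home but lands on a 600 file behind a 700 directory is a sign of intent, not a working read. The scan is still after the fact, as the next reply points out, so treat a hit as an incident to investigate rather than as prevention.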

brianoz
What about making a cron that checks for "bad" symlinks in the /home directory?
"Bad" would be defined as a symlink that does not belong to the regular cPanel symlinks and/or some other criteria.
Too late - they will already have used the symlink to view the files they wanted, and probably deleted it, by the time you do your check.

The real fix for this is probably to change the file permissions on your .php files to 600 - so only the owner can read them - that prevents this hack nicely, although I'd also use the SymLinksIfOwnerMatch and -FollowSymLinks options to make it just that little bit harder.

Also - don't chmod 760 any executable - apart from it being pointless, it's a permission that provides group write access. You probably mean 700, as there's no point in setting the read bit. 760 is actually rwxrw---- and 700 is rwx------.

kevinlevin
You cannot make all of your files 600, as that can break many web applications on the server.
Also, you can't control that users will not change the permissions of the files by themselves.