14 Jul, 2020

Shellcode Injection Exploiting an elFinder Vulnerability

Even when patches are available to fix shellcode injection vulnerabilities, not all sites get fixed. In fact, a vulnerable version of elFinder is still widely used.

Shellcode injection vulnerabilities on a Web server are especially nasty. An attacker who successfully exploits one can run arbitrary code on the server. It opens the way to stealing personal user data, altering website content, launching attacks on other systems, harnessing processing power for crypto-mining, and much more. The hacking possibilities are limited only by the criminal imagination.

Even when patches are available to fix these vulnerabilities, not all sites get fixed. Sometimes an update conflicts with other software. Sometimes it just gets overlooked. A typical website uses software from many sources, and it's hard to keep them all updated on a regular schedule. More than one layer of defense is necessary to keep website security strong. Quttera ThreatSign complements good website management, giving you defense in depth.
The elFinder Vulnerability
The media browser elFinder is a convenient way to manage image files. It's available with popular software such as the Symfony framework. The elFinder software consists of JavaScript code that runs on the browser and backend components written in PHP. The latter includes server-side connectors for expanding its capabilities.

A serious vulnerability in elFinder was discovered in 2019. It was quickly fixed, but we still find a lot of attempts to exploit it. The vulnerable version is still widely used. According to the report on GitHub: "The PHP connector component allows unauthenticated users to upload files and perform file modification operations, such as resizing and rotation of an image. The file name of uploaded files is not validated, allowing shell metacharacters."

In brief, a browser request could invoke the executable file connector.minimal.php on the server without any authorization. It was just necessary to specify the file path in a POST request along with the appropriate parameters.

The initial concern after discovering the vulnerability was that it would let visitors vandalize a website. They could perform unauthorized operations on files or upload new ones. An image could be turned upside-down. It could be shrunk to invisibility or blown up to obscure a whole page.

However, it quickly became clear that this was the least of the problems. If a site let users upload arbitrary files, they could do serious damage. The trick was to put shell script code in a file and give it a .JPG extension. The attacker could then make the connector run the script.

Attackers have used this to deposit a small downloader on the server. It serves as a backdoor for downloading malware files. Many websites are still affected. Patching the software won't remove any backdoors that have already been installed.

The malicious POST request uploads a file called, for example, SecSignal.jpg, but its content isn't JPEG data. It's a shellcode script. Its content looks like this:

echo 3c3f70...[long hexadecimal string]...3f3e | xxd -r -p > SecSignal.php; echo SecSignal.jpg

The Linux xxd command converts between binary and hexadecimal data. The -r -p options used here tell it to reverse its usual direction, turning a plain hex dump back into binary data. The binary is a PHP backdoor downloader. It's in a Web-accessible directory, so the attacker can run it at leisure with a URL that gives the path to the file. If the site isn't scanned for malware, the backdoor can stay there for a long time.
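As an added example (not part of the original post and not elFinder code), the following Python scan walks an image upload directory looking for the leftovers this attack produces: a .php file where only images belong, a .jpg whose bytes are not a JPEG, and the xxd-to-.php dropper pattern. The directory layout and sample files are constructed stand-ins; the hex payload is replaced by a placeholder.

```python
import os
import re
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"
# The dropper described above: hex piped through xxd -r -p and redirected into a .php file.
DROPPER = re.compile(rb"xxd\s+-r\s+-p\s*>\s*\S+\.php", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)


def scan_upload_dir(root):
    """Return (path, reason) pairs for files that should not be in an image upload directory."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(4096)  # headers and droppers are small; no need to read whole images
            if ext == ".php":
                findings.append((path, "php-file-in-upload-dir"))
            elif ext in (".jpg", ".jpeg") and not head.startswith(JPEG_MAGIC):
                findings.append((path, "jpeg-extension-without-jpeg-header"))
            if DROPPER.search(head):
                findings.append((path, "xxd-hex-to-php-dropper"))
            if ext != ".php" and PHP_TAG.search(head):
                findings.append((path, "php-tag-in-non-php-file"))
    return findings


def build_demo_dir(base):
    """Write constructed sample files (harmless stand-ins, not real malware) for the scanner."""
    os.makedirs(base, exist_ok=True)
    samples = {
        "photo.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 32,  # benign: genuine JPEG header
        # shell script carrying an image name, as described above (hex elided with a placeholder)
        "SecSignal.jpg": b"echo 3c3f70...[PLACEHOLDER_HEX]...3f3e | xxd -r -p > SecSignal.php; echo SecSignal.jpg\n",
        "SecSignal.php": b"<?php /* constructed stand-in for the dropped file */ ?>\n",
    }
    for name, data in samples.items():
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(data)
    return base


def demo_findings():
    """Scan the constructed directory; returns a set of (basename, reason)."""
    demo = build_demo_dir(os.path.join(tempfile.mkdtemp(), "files"))
    return {(os.path.basename(p), r) for p, r in scan_upload_dir(demo)}


if __name__ == "__main__":
    for name, reason in sorted(demo_findings()):
        print(f"{reason}: {name}")
```

Point scan_upload_dir at the real elFinder files directory to check a production site; the 4 KiB read keeps it cheap even on large image libraries.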
Contributing Factors to the Shellcode Injection Vulnerability
The worst-case scenario relies on the ability to upload files to the site. Letting unauthorized parties upload files is a risky practice. Getting a file onto a Web server makes hacking the site much easier. Unless public uploading is truly necessary, it's better to let only registered and verified users upload files. If it's a necessity (for instance, to allow the uploading of personal profile photos), the files should be rigorously checked before being accepted.

Configuring a site conservatively reduces its risks. The connector isn't enabled by default, and many sites don't need its capabilities. If a site's configuration allows only the features that it needs, many vulnerabilities won't have any impact. You can always enable a feature later if you discover you need it.

Sites that keep their software up to date have smaller windows of vulnerability. A site that always kept elFinder up to date could still have been infected before the patch was available, but the odds are that no one would have attacked their site in time. If you currently have elFinder 2.1.49 or newer, you don't have the vulnerability. If you previously had a vulnerable version, though, your site could be infected.

Sometimes, delays in the supply chain slow down patching. If a site installed elFinder as part of a framework, it probably wouldn't get an update until the framework added the update and issued a release. In the worst case, criminals discover and exploit a vulnerability before there's a patch available. This is known as a zero-day vulnerability.

To guard against attacks that happen before a patch can be installed, a website should have a Web Application Firewall (WAF) to recognize and block malicious requests. An examination of the POST request shown above makes it obvious that it's trying to write directly to a file. No legitimate request would do that. A good WAF will recognize the request as dangerous, even without knowing about the vulnerability, and will block it.
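The upload checks recommended above (verified users only, rigorous file checks) and the request filtering a WAF performs, as one added Python example that is not from the original post, from Quttera, or from elFinder. It assumes the upload is intercepted before the connector sees it; the function name, the allowlist and the sample requests are all constructed here, and the hex payload is a placeholder.

```python
import re

# Allowlist for upload names: letters, digits, dot, underscore, hyphen; nothing a shell could interpret.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
# Image types accepted for profile photos, with the bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
}
# Signs of the dropper shown above, checked regardless of what the file claims to be.
DROPPER_PATTERNS = [
    (re.compile(rb"xxd\s+-r\s+-p", re.IGNORECASE), "xxd-hex-decode"),
    (re.compile(rb">\s*\S+\.php\b", re.IGNORECASE), "redirect-to-php-file"),
    (re.compile(rb"<\?php", re.IGNORECASE), "php-open-tag"),
]


def screen_upload(filename, content, authenticated=False):
    """Return the reasons to block this upload; an empty list means it may be accepted."""
    reasons = []
    if not authenticated:
        reasons.append("unauthenticated-upload")
    if not SAFE_NAME.match(filename):
        reasons.append("unsafe-filename")
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        reasons.append("extension-not-allowed")
    elif not content.startswith(magic):
        reasons.append("content-does-not-match-extension")
    for pattern, label in DROPPER_PATTERNS:
        if pattern.search(content):
            reasons.append(label)
    return reasons


# Constructed sample requests: a genuine photo, the upload described above, and a name
# carrying shell metacharacters (the unvalidated-filename flaw quoted from the GitHub report).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "SecSignal.jpg": b"echo 3c3f70...[PLACEHOLDER_HEX]...3f3e | xxd -r -p > SecSignal.php; echo SecSignal.jpg",
    "pic.jpg;echo x": b"\xff\xd8\xff\xe0",
}


def screen_samples(authenticated=True):
    """Screen every constructed sample; returns {filename: reasons}."""
    return {name: screen_upload(name, data, authenticated) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in screen_samples().items():
        print(name, "->", "accept" if not reasons else ", ".join(reasons))
```

The dropper patterns fire on the content even when the filename and extension look clean, which is the "dangerous without knowing about the vulnerability" property the text attributes to a good WAF.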
How Quttera ThreatSign Protects You
Keeping all your website software updated is difficult. Sometimes you'll have vulnerable code that you don't know about. For full website protection, you need ongoing request filtering and malware monitoring. Quttera ThreatSign offers you that and more. It guards against not only the threats that are active today but those that will emerge in the future. With ThreatSign you get:

  • A WAF to block malicious requests
  • Server-side scanning to find and remove malware on your website
  • Cleanup service with a dedicated cybersecurity professional
  • Blacklist removal
  • Support for all hosting providers
  • A dashboard user interface to manage all aspects of website protection

We offer multiple service plans, letting you choose the one that best suits your budget and security requirements. With ThreatSign, you can be confident that your site always has protection against online threats.