
Windows Apache and Junction Hack


gameman733


New fun hack I thought of; I dunno if it's been done before, but here's my take on it.

Background Information

Apache is a webserver (I'm sure most of you know at least most of this, but I want to bring everyone up to speed before I start on the hack itself). It's open source and is typically run on Linux, although there is a Windows build. The Windows build can be run as a service, under the System account by default.

Junction is a small program made by Mark Russinovich, of Sysinternals. NTFS has this small little feature called junctions, and they basically work like a link in Linux. You can make a directory link to another directory on the file system.

The hack

So what can we do with all this? Well, if you can get physical access to the machine (a desktop at least and a way to upload files), and have write access to any directory Apache reads from, you can gain full control over the computer. Here's how:

1. Find the directories Apache is reading from. Apache can read from your home directories (if it's set, which it was in the case at my school), so make sure you try that (http://localhost/~username/). If you can find one you can write to, you're set; otherwise, you can't do much of anything. The easiest place to check is the conf (assuming default permissions).

2. Get junction from Sysinternals' website. It's a command prompt program, so you will either need cmd or you can make a small VB app to run it (if it's a server, I'm guessing there are going to be some restrictions on it). If you can use cmd, go to the directory where junction is, and type in

junction.exe C:\path\to\writable\directory\newdir C:\

What that will do is make it so that when you go to C:\path\to\writable\directory\newdir, it shows what's in your C: drive.

3. That's pretty much the basics: you have full read/write access to C:. If PHP is installed, you can grab a small PHP script from somewhere (I don't know of any right off hand) and use it as a file browser, or make your own httpd.conf changes (using PHP again), or custom web pages or whatever.

WARNING: I take NO responsibility for this hack. USE AT YOUR OWN RISK!!!
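A defender-side check for the escape described in this post, added here as an example (it is not code from the original post): walk the tree Apache serves without following links, and flag every symlink or NTFS junction whose resolved target lies outside the served root. The served-root path and the temporary demo tree are assumptions; on non-Windows hosts the demo uses a symlink as a stand-in for a junction.

```python
import os
import stat
import tempfile


def _is_reparse_point(entry: os.DirEntry) -> bool:
    """True for symlinks on any OS and, on Windows, for NTFS junctions too
    (a junction is a reparse point that DirEntry.is_symlink() does not report)."""
    if entry.is_symlink():
        return True
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)  # attribute exists only on Windows
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def find_escaping_links(served_root: str) -> list[tuple[str, str]]:
    """Walk served_root without descending through links and return
    (link_path, resolved_target) for every link whose target leaves the root."""
    root_real = os.path.realpath(served_root)
    findings = []
    stack = [root_real]
    while stack:
        with os.scandir(stack.pop()) as it:
            for entry in it:
                if _is_reparse_point(entry):
                    target = os.path.realpath(entry.path)
                    try:
                        inside = os.path.commonpath([root_real, target]) == root_real
                    except ValueError:  # different drive letters on Windows
                        inside = False
                    if not inside:
                        findings.append((entry.path, target))
                    continue  # never follow a link while walking
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed tree (an assumption, not a real server): one harmless link
    that stays under the docroot and one that escapes to the drive root."""
    docroot = os.path.join(tempfile.mkdtemp(), "htdocs")
    os.makedirs(os.path.join(docroot, "user", "images"))
    # Harmless: points at a sibling directory that is still under htdocs.
    os.symlink(os.path.join(docroot, "user", "images"),
               os.path.join(docroot, "user", "img"))
    # The trick from the post: a link whose target is the root of the drive.
    # A symlink stands in for an NTFS junction on non-Windows hosts.
    os.symlink(os.path.abspath(os.sep), os.path.join(docroot, "user", "newdir"))
    return find_escaping_links(docroot)
```

Run it against the real DocumentRoot and every UserDir location instead of the demo tree; anything it reports is a link that lets Apache's service account serve files the web root was never meant to expose.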


WARNING: I take NO responsibility for this hack. USE AT YOUR OWN RISK!!!

Yah well... the thing about that is you can be an accessory to a crime if anyone is caught for doing this.

Also I'm pretty sure that posting information on how to commit a crime is illegal.


Hmmm, that's very interesting. I don't know many places that run Apache on a Windows Server though. But it did get me thinking what other processes running with SYSTEM level privileges would be susceptible to this attack. I haven't had a chance to try this out yet, but I would have thought you would need admin privileges to make the junction? I guess that MS just assumed you would try to access the junction with your own low privilege account.


Regarding legalities: I don't see this attack as much different from gaining system privs through renaming service .exe's; the only difference is that you're targeting Apache (and you still have to be able to be on the computer in the first place).

Regarding admin privs for junction: no, I ran junction as a user; you just need write permissions for the folder you choose to use.

subst? I'll have to look that one up.

BTW, if mods feel that this is a bit on the black side, feel free to delete it. I personally don't see a problem with it (SecurityFocus has been mentioned before).

Edit: hmm, nice catch Darren. Unfortunately I know enough DOS to get me by, so I never knew anything about that command :P. Junction is similar, as far as I can tell, just a filesystem tool (as compared to subst probably being part of the OS).


This sounds similar to subst.

But subst only puts a filesystem location behind a drive letter of choice. Those junctions allow you to put a filesystem location in a filesystem location.

I also believe that subst only lasts for the duration of your session. Could be wrong on that one though, and I'm in no position to check.


Regarding admin privs for junction: no, I ran junction as a user; you just need write permissions for the folder you choose to use.

This seems rather insane to me: any computer with an NTFS file system, provided you have write access to any folder, will then be able to give you complete read/write access to the whole file system and therefore complete privileges on that system.

For example, say you have a limited user account on an XP computer. You could make a junction to the Administrator's "Documents & Settings" folder from anywhere you have write access (My Documents, Desktop etc.) and from there you could steal all his cookies, cached passwords, bookmarks, personal documents, dodgy photos etc. etc. Or you could just make a junction from the Windows or System32 folder and overwrite any number of Service executables; no more hoping the Print Spooler executable is writable.

I will have to do some tests when I get home; there must be some sort of restrictions, or else junctions in NTFS file systems make any OS running on them vulnerable to quick and easy System/Administrator level privileges for any user.


Dr Zaius: Apache is what gives you the full admin access, not junction. Apache is set up to run as Local System by default, but is secure enough to only be able to get files from the doc root. Junction is used to make a link outside of the doc root. Junction only makes the link in the file system. If you were to just use Explorer to go through a junction, you would still have your same privs.


Dr Zaius: Apache is what gives you the full admin access, not junction. Apache is set up to run as Local System by default, but is secure enough to only be able to get files from the doc root. Junction is used to make a link outside of the doc root. Junction only makes the link in the file system. If you were to just use Explorer to go through a junction, you would still have your same privs.

Yeah, I wasn't thinking when I posted that. I knew there was some reason why it wouldn't work, because I didn't post about it in my earlier post.
