IMCAFS

 Home

research, implementation and defense of forward and back door for web port reuse

Posted by lipsius at 2020-03-07
all

*Author of this article: Ren Zixing, this article belongs to freebuf original award program, reprint is prohibited without permission

0 * 01 background

Because of the limitation of the current mainstream firewall rules, many remote control / backdoor basically adopt the communication form of TCP / UDP bounce back connection. However, in a higher security environment, they are especially responsible for the environment of web related businesses, because of the security equipment (firewall, IDS, Due to the strict restrictions of IPS rules, TCP / UDP (HTTP / HTTPS / DNS) and even ICMP and other tunnels can not easily access the Internet from the intranet and only accept external requests. In this scenario, when the attacker gets the webshell, he needs to consider how to bypass the restrictions of the firewall and other security devices when he considers embedding the back door other than webshell.

In fact, there are many researchers about the old back door technology of port reuse, and some effective methods and tools have been put forward. Many of the solutions are achieved by hijacking the memory space of related processes / services of web server, system API or even hijacking the network driver. The methods are quite exquisite, but because of the large action, it will be triggered inadvertently Active defense. Starting from the native mechanism provided by Microsoft after IIS 6.0, this paper discusses a more natural technology of port multiplexing: net.tcp port sharing, which is translated as "port sharing".

This paper will analyze the mechanism of net.tcp port sharing, and finally realize a forward and back door based on port reuse, in order to share some research results of attack and defense technology, please do not use it for illegal purposes.

0 × 02 net.tcp port sharing mechanism

In previous web applications, a web application is bound to a port. If there are other applications, you need to bind to other ports to listen to Xi'an. As shown in the figure below, after web application 1 binds port 80, there will be an error when web application 2 binds port 80 again.

Now we use the net.tcp port sharing service provided by Microsoft. As long as we follow the relevant development interface rules, different applications can share the same web server port. As shown in the figure below, web Application1 and web application2 are bound to port 80 at the same time.

Net.tcp port sharing service is a new system component in WCF (Windows communication foundation). This service will enable net.tcp port sharing function to realize port sharing among different processes of users. This mechanism is finally implemented in http.sys. At present, the http.sys model that multiplexes the traffic of many different HTTP applications to a single TCP port has become the standard configuration on Windows platform. This provides a common point of control for firewall administrators, while allowing application developers to minimize the deployment cost of building new applications that can take advantage of the network. The ability to share ports across multiple HTTP applications has always been a feature of Internet information services (IIS). In fact, http.sys allows any user process to share a TCP port dedicated to HTTP traffic.

Http.sys was first introduced in Windows Server 2003. This driver listens for HTTP traffic, and then distributes it according to URL registration, so that multiple processes can listen for HTTP traffic on the same port. Microsoft has disclosed HTTP server API libraries, such as httpcfg and netsh.exe, which are based on it. The following diagram.

The whole process is described as follows:

(1) When IIS or other applications use the HTTP server API to listen for the request path, they need to register URL prefix on http.sys. For rules about registering URL, please refer to MSDN: https://msdn.microsoft.com/en-us/library/windows/desktop/aa364698 (v = vs.85). ASPX. This is the registration process.

(2) When a request arrives and is obtained by http.sys, it needs to distribute the request to the application corresponding to the registered current URL, which is the process of routing.

Research on the implementation of 0 × 03 back door

Microsoft provides HTTP server API library for building web server on windows, which supports web application development based on net.tcp port sharing. At present, there are two versions of HTTP server API, and HTTP server API 2.0 is recommended. Microsoft provides a demo of HTTP server API 1.0 at: https://msdn.microsoft.com/en-us/library/windows/desktop/aa364640 (v = vs.85). ASPX.

This is a simple web server example based on HTTP server API 1.0, which can realize the function of remote command execution through modification.

The developed application only needs to register the URL that does not conflict with the current system (the binding address is the same, but the URL path is different), so it can realize URL registration. The browser (or customized client network program) accesses the corresponding URL, and the server network program will parse and execute the client command according to its registered URL. Based on this, it is possible to register some special URLs by the server and access these URLs by the client to achieve a forward and back door access mode of HTTP question and answer.

0 × 04 function demonstration

Environment: Windows 2008 R2 x64

IIS 7.0 (default)

Firewall status is on by default

Permission requirements: the function requires the integrity level of the adminstrator user. Even if administrator is not enabled, you can run the program by increasing the program integrity level through UAC.

Purpose: bind the same port with the web server, the program does not listen to the port, and wait for the system service to distribute traffic by registering callback function. The server parses the request (get / post or other methods) load sent by the client, parses the execution command, and then returns it to the client in the form of HTTP response.  

(1) On the server where IIS is deployed, the backdoor registers a URL

At present, what we are writing is just a demo. If we want to be a user mode rootkit, we need to do our own hidden functions. Please let readers play freely. In this process, we need to pay attention to the control of permissions.

(2) Use the URL of the controller to connect to the target machine

As a demo, the current controller implements an interactive CMD shell, which will be open source after code optimization.

Study on 0 × 05 mitigation measures and Countermeasures

(1) Firewall / IDS / IPS is used together with web server. In its rules, white list mechanism is used to determine whether it belongs to the ACL URL currently allowed by web server.

(2) Please put forward more suggestions.

0 × 06 references

https://www.codeproject.com/Articles/437733/Demystify-http-sys-with-HttpSysManager

https://msdn.microsoft.com/en-us/library/windows/desktop/aa364510(v=vs.85).aspx

*Author of this article: Ren Zixing, this article belongs to freebuf original award program, reprint is prohibited without permission

© 2023