Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Disorder stops at the river defense

Posted by melchionda at 2020-03-23

Preface: prologue to a nightmare

In the information age, the most serious threat to enterprise information security is hacker intrusion. The damage an intrusion does to an enterprise is easy to look up (search Baidu for it), so it will not be described here.

Because of the nature of their business, Internet enterprises open their services to all Internet users. Anyone with Internet access can reach the service, and reaching every Internet user at the same time means exposing the attack surface to every hacker on the Internet. Once a security hole appears in the service, hackers will quickly break in and bring catastrophic damage to the enterprise.

Traditional enterprises also run information systems, but these reach only a limited set of users (hackers on the Internet find them hard to get at), so they are relatively safe. Traditional enterprises are becoming Internet-based too, however, and another round of bloodshed may well follow there.

Tencent Security Center began building its intrusion prevention system as early as its founding in 2005. After nearly ten years of building and operating that system, Tencent Security Center has accumulated some hard-won lessons and experience. These are not deep insights; I offer them as a brick in the hope of drawing out jade, so that we can discuss enterprise intrusion and defense strategy together and everyone can join in.

Revelation: twists and turns end at the river defense

The wooden-bucket theory is a classic of information security: defense must be all-round, because a single missed point may lead to total collapse, as the saying goes, "a dike of a thousand li is destroyed by an ant hole". This is also what makes attack and defense unequal: the attacker only needs to find one flaw in the defender to defeat it. It is a bit like guerrilla tactics: fight when you can win, run when you cannot. The scene closely resembles the Nian rebellion in the late Qing Dynasty.

The Nian Army was an anti-government armed force of the late Qing Dynasty. It fought mainly as guerrillas, and its main strength was its cavalry: it fought the regular army when it could win and fled when it could not. The cavalry moved fast, and neither the infantry nor the foreign-rifle units of the Qing army could catch up, which gave the Qing government a headache. Even the Hunan Army, which had just defeated the seemingly invincible forces of the Taiping Heavenly Kingdom (the Hunanese fought so hard that it was said "no Hunan, no army"), had no way to beat the Nian.

Later, drawing on the method of Sun Chuanting, a general of the late Ming Dynasty, the Hunan Army took the Yellow River as its boundary, set up defenses step by step at key positions, pushed forward gradually, drove the Nian Army into an enclosure, and then concentrated superior forces to force it into battle and annihilate it. The Nian Army was finally eliminated by this river-defense strategy.

The Nian case shows that when attack and defense are unequal, the defender's path to victory comes down to one word: "control". Confine the opponent to a controllable range, then defeat him with superior resources. This idea is similar to the "dimensionality-reduction attack" that xti9er describes in "How to establish an effective security policy".

Back to enterprise intrusion prevention: the idea of "control" is to set up defenses step by step so that even if hackers get in, they can only move within positions we control.

Generally speaking, the boundary between an enterprise's internal and external networks consists of two things: internal staff accessing the external network, and the Internet-facing services of the production environment. Almost every enterprise has the former (unless your enterprise forbids employees from using the Internet, which, cough, is inhumane); the latter exists in companies that run Internet services.

Staff access between the internal and external networks is a major security risk: these non-security employees often have little security awareness, and many enterprises have been compromised by hackers who used 0-day or even n-day vulnerabilities in drive-by web pages or phishing e-mails. Internet services in the production environment, on the other hand, move fast and need the rapid iteration of agile development; security vulnerabilities appear easily in that process and are easily found from outside. Once a hacker compromises one server, he can gallop through the production intranet.

As long as we deploy our main forces at these two positions, the overall situation is decided.

The general diagram is as follows:


The positions of our defenses and the security strategy for each are as follows (only the main ones are covered):


Take the external entry to the production network as an example. Tencent implemented strict port control many years ago (no non-service port on a server may be opened to the external network), so over these years security vulnerabilities and intrusion incidents have basically been confined to the web layer. That in turn lets us invest heavily in intrusion detection and defense at the web layer.

[Growing up in confrontation: the story of V]

The story of super hacker V is told by Daoge in "The Legend of Chinese Hackers: the wizard walking in the dark". Yes, today's protagonist is V.

From a few clues and from people close to V who do not wish to be named, the author speculates that V's ID on Dark Cloud is "pig man". Looking at the vulnerabilities pig man submitted on Dark Cloud, it is clear that this is a top expert. To reveal a little more: he also goes by the name ring04h, which has long been active in the Internet security community (unfamiliar readers can Baidu that keyword), and ring04h submitted vulnerabilities to us many years ago.

Of course, the above is only Sherlock Holmes-style deduction, and the author does not guarantee it is correct.

Round 1: murder by weak password in an open-source system

In the early hours of a morning in September 2013, our traffic monitoring system (which analyzes the full HTTP traffic and looks for abnormal HTTP requests) raised an alert: a website showed webshell communication. The request URL immediately suggested exploitation of the nginx parsing vulnerability (see "nginx file type error parsing vulnerability" for how it works).

The emergency response team checked immediately and found a PHP webshell with a GIF suffix in the website directory, executed by way of the nginx parsing vulnerability. Because of the GIF suffix, such a file would not normally be executed, so the host security agent did not detect this "image" file; fortunately there was defense in depth, and it was caught by its network traffic signature. At the same time, PHP safe_mode was enabled on the server, so the intruder had no permission to execute system commands.

On review, this incident was mainly caused by a business unit using WordPress without authorization and without security hardening (the WordPress admin page was open to the Internet and had a weak password, and the hacker uploaded the webshell file with WordPress admin privileges). Although one line of defense was broken, the heavy guard behind it (the host security agent system detecting suspicious behavior at the host layer; the traffic monitoring system detecting suspicious traffic at the network layer) meant the penetration was discovered and blocked in time.

We then began cleaning up web management pages and weak passwords everywhere and checking nginx security configuration. In the process we found a few unregistered WordPress installations and quickly pushed through hardening. The details are as follows.

From the intruder's perspective, this incident is described in "A failed roaming of Tencent's intranet".

The advantage of the traffic monitoring system is that it analyzes every HTTP request: as long as the rules are right, a hacker exploiting a vulnerability will trigger an alert. Many web vulnerabilities have been found and fixed thanks to our traffic monitoring system. For example, some online XSS attack platforms inject JS hosted under their own domain name, which is a strong keyword to match on; the HTTP communication patterns of some webshells are another. This topic will be covered in a later article.

Round 2: the backup-file attack

One day in November 2013 the host security agent system raised an alert: a webshell file had appeared on a server. The emergency response team was alarmed when they saw the security incident ticket, because this was not a typical PHP webshell.

The host security agent system is a program running on the server; it is mainly responsible for collecting basic information (which is analyzed in the back end to discover security risks) and for discovering intrusion behavior. Because intrusions come through the web layer, webshell detection is our first line of defense; if for some reason it fails to notice, process and port data form the second line. For example, the Apache process user executing system commands is a typical signature of a webshell running commands.
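The second line of defense just described, a web-server user running system commands, can be checked from a process snapshot. The following is an added example, not the article's agent code: the process table is constructed inline (a real agent would read it from /proc or `ps`), and the user and program names are assumptions.

```python
"""Host-layer webshell signal: a web-server process spawning system commands.

Added example, not the article's agent. The process table is constructed;
user names and program names are assumptions for the example.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid user comm cmdline")

# Users that web servers and PHP workers typically run as (assumed names)
WEB_USERS = {"www-data", "apache", "nginx", "nobody"}
# Command-like programs whose parent chain should never contain a web server
SUSPICIOUS_COMMS = {"sh", "bash", "dash", "perl", "python", "nc", "curl",
                    "wget", "id", "whoami", "uname", "cat"}
WEB_SERVER_COMMS = {"httpd", "apache2", "nginx", "php-fpm", "php-cgi"}

# Constructed snapshot of a process table
SAMPLE_PROCS = [
    Proc(1, 0, "root", "init", "/sbin/init"),
    Proc(1200, 1, "root", "nginx", "nginx: master process"),
    Proc(1201, 1200, "www-data", "nginx", "nginx: worker process"),
    Proc(1300, 1, "root", "php-fpm", "php-fpm: master process"),
    Proc(1301, 1300, "www-data", "php-fpm", "php-fpm: pool www"),
    Proc(2000, 1301, "www-data", "sh", "sh -c id"),    # spawned by a webshell
    Proc(2001, 2000, "www-data", "id", "id"),
    Proc(3000, 1, "root", "sshd", "/usr/sbin/sshd"),
    Proc(3001, 3000, "ops", "bash", "-bash"),           # legitimate admin shell
    Proc(3002, 3001, "ops", "cat", "cat /var/log/nginx/error.log"),
]

def ancestry(proc, by_pid):
    """Yield the ancestors of proc, nearest first (cycle-safe)."""
    seen = set()
    cur = by_pid.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)

def find_webshell_commands(procs):
    """Return (pid, reason) for processes that look like commands run by a webshell.

    Two independent signals: the command runs as the web server's user, and/or
    its ancestor chain contains a web server or PHP worker.
    """
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.comm not in SUSPICIOUS_COMMS:
            continue
        reasons = []
        if p.user in WEB_USERS:
            reasons.append(f"runs as web user {p.user}")
        web_parent = next((a for a in ancestry(p, by_pid)
                           if a.comm in WEB_SERVER_COMMS), None)
        if web_parent is not None:
            reasons.append(f"descends from {web_parent.comm} (pid {web_parent.pid})")
        if reasons:
            hits.append((p.pid, "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for pid, why in find_webshell_commands(SAMPLE_PROCS):
        print(f"ALERT pid={pid}: {why}")
```

The two signals are kept separate on purpose: a webshell that runs as an unusual user still has a php-fpm or httpd ancestor, and a worker that has been re-parented to init still runs as the web user. The ops user's `bash` and `cat` are not reported because neither signal applies to them.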

Back to the story. After receiving the alert, the emergency response team quickly logged in to the machine, cut the server's external network access, and began the intrusion investigation.

Because the change was in config_ucenter.php, the first thought was the Discuz vulnerability that turns admin-panel access into a webshell (apparently a 0-day). Sure enough, it later emerged that the business unit had backed up config_ucenter.php as config_ucenter.php.bak, which leaked the UC key in the configuration file. With uc_key you can add an administrator to the forum, and then through the 0-day vulnerability you can break straight into the server.

The whole process is described by the intruder himself in "Another failed roaming of Tencent's intranet". It is a little shameless to quote, but even the experienced pig man said that "Tencent's protection in the PHP security field is the strongest in China", which is very gratifying.

Review time. This incident was mainly caused by the Discuz web management page being open to the Internet (in other words, the river defense was not done well), and of course there was also the problem of improper file backup. Next we continued to clean up the management pages we had missed, focusing on comprehensive hardening of the servers running Discuz.

Round 3: improper configuration leads to a security risk

One day in December 2013, kobin97 reported that the source code of a PHP file on one of our Discuz forums could be downloaded, leaking uc_key (see the vulnerability report). A leaked uc_key on a Discuz forum leads to a webshell, so the emergency team had to deal with it quickly.

After the last Discuz incident we had started a large-scale investigation and hardening. During the hardening, some business units mistakenly configured the directory /uc_server/data/ so that PHP was not parsed there, with the result that the PHP files under that directory could be downloaded and uc_key leaked.

Fortunately, after verification this vulnerability could not be turned into a webshell for the time being, because in the previous hardening we had required all Discuz login pages (/admin.php) to be blocked from Internet access. Even with uc_key leaked, it is hard for an intruder to penetrate further. The following figure is a screenshot of the management back end denying access from a non-management IP.
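The misconfiguration in this round and the admin-page restriction that saved it both come down to which nginx location block answers a request. The following is an added example, not the article's or nginx's own code: it emulates nginx's documented location selection order (exact `=` first; then the longest matching prefix, which wins outright if declared `^~`; otherwise the first matching `~` regex in file order; otherwise the longest prefix) and runs three constructed configurations against the UCenter config path. The management IP and the config layouts are assumptions.

```python
"""Why 'not parsed' is not 'not served': nginx location selection emulated.

Added example, not from the article or nginx. Emulates nginx's location
precedence: '=' exact, then longest prefix ('^~' wins outright), then first
'~' regex in order, else longest prefix. Configs and IPs are constructed.
"""
import re
from dataclasses import dataclass, field

@dataclass
class Location:
    modifier: str     # "=", "^~", "~", or "" (plain prefix)
    pattern: str
    action: str       # "fastcgi" (run PHP), "static" (serve file), "deny"
    allow: list = field(default_factory=list)  # source IPs allowed; empty = everyone

def select_location(locations, uri):
    """Return the Location nginx would pick for uri, or None."""
    best_prefix = None
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc                      # exact match ends the search
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix                  # ^~ suppresses the regex pass
    for loc in locations:
        if loc.modifier == "~" and re.search(loc.pattern, uri):
            return loc
    return best_prefix

def request(locations, uri, client_ip):
    """Outcome of one request: 'php executed', 'source served' or 'denied'."""
    loc = select_location(locations, uri)
    if loc is None or loc.action == "deny":
        return "denied"
    if loc.allow and client_ip not in loc.allow:
        return "denied"
    return "php executed" if loc.action == "fastcgi" else "source served"

# Constructed configurations
PHP_ANY = Location("~", r"\.php$", "fastcgi")          # location ~ \.php$ { fastcgi_pass ... }
ROOT = Location("", "/", "static")                     # location / { root ...; }
# Round-3 mistake: "stop parsing PHP under /uc_server/data/" done by serving it as static files
LEAKY = [Location("^~", "/uc_server/data/", "static"), PHP_ANY, ROOT]
# Corrected: the data directory is neither parsed nor served at all
FIXED = [Location("^~", "/uc_server/data/", "deny"), PHP_ANY, ROOT]
# Management page reachable only from an assumed management IP (exact match beats the regex)
MGMT_IP = "10.0.0.5"
FIXED_WITH_ADMIN = [Location("=", "/admin.php", "fastcgi", allow=[MGMT_IP])] + FIXED

if __name__ == "__main__":
    uri = "/uc_server/data/config.inc.php"
    print("leaky config, Internet client :", request(LEAKY, uri, "203.0.113.7"))
    print("fixed config, Internet client :", request(FIXED, uri, "203.0.113.7"))
    print("admin.php from the Internet   :", request(FIXED_WITH_ADMIN, "/admin.php", "203.0.113.7"))
    print("admin.php from management IP  :", request(FIXED_WITH_ADMIN, "/admin.php", MGMT_IP))
```

The audit point the article draws is visible in the first two lines of output: a `^~` prefix block that only stops the PHP handler turns every script under it into a downloadable file, so a directory that holds code must be denied outright, not merely excluded from parsing. The third and fourth lines show the admin-page rule: with an exact-match block carrying its own allow list, the Internet client is refused before the generic `\.php$` handler is ever consulted.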

Pig man also found this problem and carefully crafted an XSS attack to try to obtain a webshell automatically through an authorized person's browser. But after kobin97 reported the vulnerability we quickly changed uc_key, and pig man's plan failed. See pig man's own account, "Another failed roaming of Tencent's intranet". Can you spot the flaw?

Review time. This incident was mainly due to the lack of an audit of whether the configuration was correct while implementing the security hardening policy. In addition, if the traffic monitoring system sees parsed scripts such as PHP or JSP being downloaded as source, it should raise an alert.
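The rule just proposed, together with the traffic-monitoring rules from round one (webshell communication through the nginx parsing path, and JS pulled from an XSS platform's domain), can be expressed as predicates over a full-traffic export. The following is an added example, not the article's monitoring system: the tab-separated export format, the five sample records and the XSS-platform domain are all constructed for the example.

```python
"""Network-layer rules over full HTTP traffic: webshell communication,
source download of parsed scripts, and XSS-platform JS injection.

Added example, not the article's system. The export format (tab-separated:
time, client, method, URI, status, response content type, body snippet),
the sample records and the XSS-platform domain are constructed.
"""
import re

# Domains of hosted XSS platforms to match on (constructed placeholder)
XSS_PLATFORM_DOMAINS = {"xss-platform.example"}
IMAGE_EXT = r"\.(?:gif|jpe?g|png)"

def parse(export_text):
    """Turn the tab-separated traffic export into a list of request records."""
    records = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, uri, status, ctype, body = line.split("\t", 6)
        records.append({"ts": ts, "src": src, "method": method, "uri": uri,
                        "path": uri.split("?", 1)[0], "status": int(status),
                        "ctype": ctype, "body": body})
    return records

# Each rule: name -> predicate over one record
RULES = {
    # an image path followed by a .php component: the nginx mis-parsing pattern
    "nginx_parse_path": lambda r: re.search(
        IMAGE_EXT + r"/[^/]+\.php$", r["path"], re.I) is not None,
    # shell-command output (as from `id`) coming back in a response body
    "command_output": lambda r: re.search(r"uid=\d+\([^)]+\)", r["body"]) is not None,
    # a parsed script answered with its own source instead of rendered output
    "script_source_download": lambda r: (
        re.search(r"\.(?:php|jsp)$", r["path"], re.I) is not None
        and r["status"] == 200
        and not r["ctype"].startswith("text/html")
        and re.match(r"\s*(?:<\?php|<%)", r["body"]) is not None),
    # a page pulling a script from a known XSS-platform domain
    "xss_platform_js": lambda r: any(
        re.search(r"<script[^>]+src=[\"']https?://" + re.escape(d) + "/",
                  r["body"], re.I) for d in XSS_PLATFORM_DOMAINS),
}

def scan(export_text):
    """Return (record index, rule name) for every rule that fires."""
    hits = []
    for i, rec in enumerate(parse(export_text)):
        for name, pred in RULES.items():
            if pred(rec):
                hits.append((i, name))
    return hits

# Constructed traffic export: one clean page, one webshell call via the parsing
# path, one config file served as source, one XSS-platform include, one real image
SAMPLE_TRAFFIC = (
    "2013-09-20T02:13:05\t203.0.113.8\tGET\t/blog/index.php\t200\ttext/html\t<html><head>...\n"
    "2013-09-20T02:13:09\t203.0.113.8\tPOST\t/wp-content/uploads/2013/09/logo.gif/a.php"
    "\t200\ttext/html\t<pre>uid=33(www-data) gid=33(www-data)\n"
    "2013-09-20T02:14:01\t198.51.100.3\tGET\t/bbs/uc_server/data/config.inc.php"
    "\t200\ttext/plain\t<?php define('UC_KEY', 'PLACEHOLDER');\n"
    "2013-09-20T02:15:22\t192.0.2.9\tGET\t/bbs/forum.php?mod=viewthread&tid=1"
    "\t200\ttext/html\t<script src=\"http://xss-platform.example/x.js\"></script>\n"
    "2013-09-20T02:16:00\t192.0.2.10\tGET\t/images/banner.gif\t200\timage/gif\tGIF89a\n"
)

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_TRAFFIC):
        print(f"record {idx}: {rule}")
```

Two of the rules need the response, not just the request: the source-download rule keys on the content type and body of a `.php` answer, and the XSS rule looks inside the served page. That is the reason the article's system analyzes full traffic rather than request logs alone.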

Round 4: problems caused by a failed security policy

After round 2, our Discuz forums had been hardened, especially with the source-IP restriction on the management page, which was supposed to make them safe. It did not.

One day, perhaps because of a policy rollback, the access IP restriction on some Discuz forum management pages stopped working, and one administrator also had a weak password, which gave pig man his chance.

The failure of this access control policy was detected by our web vulnerability scanning system, but pig man scanned and exploited it while it was still being fixed. Think about how many people are staring at your business 24 hours a day: a moment's negligence will cause problems.


He then used the 0-day vulnerability in the Discuz management back end to generate a webshell. With the previous experience behind him, pig man was more cautious this time and did not carry out major actions such as privilege escalation, port scanning or vulnerability scanning, so he was not discovered. See pig man's "A successful roaming of Tencent's intranet".

Time to review again. This incident was caused by the failed access IP restriction policy and the administrator's weak password. Pig man's subsequent actions were relatively light and did not trigger any of the security systems' alerts.

This time the key node was that handling the failure of the page restriction took a little too long. High-risk vulnerabilities must be dealt with immediately, without delay. To counter high-level penetration, besides the blacklist model of known intrusion patterns, we need to go further and use a whitelist model: build a time/behavior/action model from the usual network access and operations behavior, and treat anything that does not fit as an abnormal event. We have started doing this in the core area now.
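A minimal version of the whitelist model described above, as an added example (not the article's model): it learns each administrator's usual source IPs, hours of day and actions from a history of management-page accesses, then flags any access that departs from that baseline. The history, the events and the `min_hour_count` threshold are constructed assumptions.

```python
"""Whitelist model for management-page access: learn (source IP, hour, action)
per account from history, then flag accesses that do not fit.

Added example; history, events and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history of successful management-page accesses:
# (account, source IP, action, timestamp)
HISTORY = [
    ("ops_admin", "10.0.0.5", "login",     "2013-11-04T09:12:00"),
    ("ops_admin", "10.0.0.5", "edit_post", "2013-11-04T09:30:00"),
    ("ops_admin", "10.0.0.5", "login",     "2013-11-05T10:02:00"),
    ("ops_admin", "10.0.0.5", "edit_post", "2013-11-05T10:15:00"),
    ("ops_admin", "10.0.0.5", "login",     "2013-11-06T09:05:00"),
    ("ops_admin", "10.0.0.6", "login",     "2013-11-06T14:40:00"),
    ("ops_admin", "10.0.0.6", "edit_post", "2013-11-06T14:55:00"),
    ("ops_admin", "10.0.0.5", "login",     "2013-11-07T10:20:00"),
]

def build_baseline(history):
    """Per account: the set of source IPs, a count per hour of day, the set of actions."""
    base = {}
    for account, ip, action, ts in history:
        b = base.setdefault(account, {"ips": set(), "hours": defaultdict(int), "actions": set()})
        b["ips"].add(ip)
        b["hours"][datetime.fromisoformat(ts).hour] += 1
        b["actions"].add(action)
    return base

def assess(event, baseline, min_hour_count=2):
    """Return the list of reasons an event is abnormal (empty = fits the whitelist).

    An hour counts as usual only if seen at least min_hour_count times, so a
    single odd late-night access in the history does not whitelist that hour.
    """
    account, ip, action, ts = event
    b = baseline.get(account)
    if b is None:
        return [f"account {account} has no baseline"]
    reasons = []
    if ip not in b["ips"]:
        reasons.append(f"source IP {ip} not in baseline")
    hour = datetime.fromisoformat(ts).hour
    if b["hours"].get(hour, 0) < min_hour_count:
        reasons.append(f"hour {hour:02d} outside usual hours")
    if action not in b["actions"]:
        reasons.append(f"action {action} never seen for this account")
    return reasons

BASELINE = build_baseline(HISTORY)

# Constructed events: a routine edit, an off-hours add_admin from an Internet
# address, and an account that has no history at all
NORMAL_EVENT = ("ops_admin", "10.0.0.6", "edit_post", "2013-11-08T09:50:00")
SUSPECT_EVENT = ("ops_admin", "203.0.113.7", "add_admin", "2013-11-08T03:10:00")
UNKNOWN_EVENT = ("admin", "203.0.113.7", "login", "2013-11-08T03:10:00")

if __name__ == "__main__":
    for ev in (NORMAL_EVENT, SUSPECT_EVENT, UNKNOWN_EVENT):
        reasons = assess(ev, BASELINE)
        print(ev[0], "OK" if not reasons else "ABNORMAL: " + "; ".join(reasons))
```

The model would have spoken up in round 4 on three independent dimensions at once (new address, unusual hour, an action the account had never performed), even though none of the individual requests matched a known intrusion signature; that is the advantage of a whitelist over a blacklist in the article's terms.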


Because we have blocked all non-service ports on the servers' external network, all four intrusions came through web applications. Although the hackers obtained some degree of access, the scope of their activity was confined to a limited area (all ordinary business areas), which at least shows that the overall river-defense strategy is correct.

As we can see, hackers have done a great deal of research on vulnerabilities in these open-source programs (Discuz, WordPress, phpwind and so on), which enterprises can avoid.

For the ever-growing number of Internet web services, security hardening must be done well. A simple formula: "directories not writable by default, writable directories not parsed, web server not root, and management pages not exposed externally". For an enterprise, most of this is a systems-engineering problem rather than a security-technology problem.

[Postscript: to be continued]

Once the river-defense plan is settled, we should consider precise strikes on the enemy, that is, defense in depth within the controllable area.

Defense in depth links multiple layers of security systems, so that even if any one point is broken, the intrusion can still be discovered and blocked at another layer. For example, we are trying a security defense scheme and multi-dimensional intrusion detection in the PHP environment.

We must always remember: security is a whole.