Compromised websites are an integral part of the cybercrime ecosystem. They are used by cybercriminals to host a wide range of malicious content, including phishing sites, exploit kits, redirects to other malicious sites, and other tools needed to carry out attacks. Why? One reason is because there is an abundance of insecure websites around the world that can be easily compromised. Another reason is because legitimate sites that have only been recently compromised are less likely to be blacklisted by internet browsers and other security measures.One of the primary ways cybercriminals compromise legitimate sites is by exploiting functionality that allows users to upload files of some sort. This functionality is available on a plethora of websites, including social media sites, blogs, file sharing sites, e-commerce sites, etc. Whether it be a post to the comments section of a blog or complaint form on an e-commerce site, allowing people to upload content is vital to the everyday activity and productivity of many websites. It is these legitimate functions that attackers look to exploit.
For more insight into the techniques being used in cyberattacks that exploit human vulnerability, check out the 2016 Phishing Trends & Intelligence Report: Hacking the Human.
Security measures are typically put in place which deny certain types of files from being uploaded to a server. One way hackers have found to circumvent these security measures by exploiting vulnerable web applications that fail to utilize adequate validation on uploaded files.
The GIF89a exploit is a good example of this. It allows an attacker to disguise any file as an image/gif file and upload it to a webserver. The exploit works by taking advantage of weak file type validation. The header of the file to be uploaded is changed to include GIF89a in order to bypass a security measure put in place barring the uploading of non-image files (see Figure 1).
Figure 1 - Screenshot of GIF89a header manipulation
When the file is uploaded, the system checks the MIME type for a match. When the match is confirmed, the system uploads what it identified as an acceptable GIF file to the server. Once on the server, the system then runs any code hidden in the file, often by default. Attackers often use this exploit to trick the server into executing a PHP webshell that can be remotely accessed. This allows the attacker to then upload files to the compromised server or execute commands based on the type of access granted by the server permissions. This gives the attacker the ability to upload phish kits, malware, or any other content that they wish. Depending on the file permissions granted by the server, they may be able take over the server entirely.
The GIF89a exploit is neither new or sophisticated, but it continues to be used successfully for a variety of reasons. Server administrators are failing to apply updates and patches promptly, choosing to blacklist file types instead of creating whitelists, enabling functions which aren’t required, and not setting file permissions appropriately. Simply put, basic operational security is not being implemented or maintained.Numerous steps should be taken by website administrators to help prevent this kind of exploit:
- Routinely update and patch vulnerabilities.
- Instead of blacklisting file types, administrators should whitelist approved files, thereby prohibiting all file types not included in the whitelist.
- File permissions should be restricted to allow the lowest level of access necessary for the continued functionality of the site.
- Processes and users should be restricted from accessing resources that they do not need to access.
- Avoid manipulating default file permissions without understanding the underlying security implications this will have on the system or users.
- Minimize the attack surface by disabling services or tools which are not required.
- Avoid using outdated or unverified site add-ons.