In the spotlight after the Hafnium quake: What exactly are these webshells?

In the past few days, the hacker group Hafnium and a series of attacks on Microsoft Exchange Server have made headlines. The zero-day vulnerabilities used by Hafnium gave attackers, among other things:

Access to the Exchange server without specifying a password

Privilege escalation up to the maximum rights as SYSTEM

The ability to write files to any location on the Exchange server


The zero-day gaps have been patched, but the threat level remains high, which is due, among other things, to the much-quoted webshells. It is exactly this web-based interface that plays a crucial role in many cyber attacks: it is used to execute files and commands that have been introduced into compromised systems. Placing the webshells was particularly easy for Hafnium & Co. in the current case, since the vulnerability made numerous Exchange systems accessible without a password.

Of course, many hackers use such vulnerabilities in a very "traditional" manner by loading malware onto the compromised systems, which is started at a later date by the user or, for example, by a reboot. While traditional malware only has a limited range of functions, there is a more flexible alternative for attacking a network. And this is where shells come into play, at first without the "web" in front.

Scripting languages, the programming languages for smaller programs, often come with a so-called "shell" by default, also known as a "read-evaluate-print loop" (REPL). Instead of executing an existing program directly, a REPL typically presents an input prompt and only starts working when the user gives the corresponding command. This process repeats automatically with potentially new commands that build on the previous results. Among other things, programmers, or hackers, can work interactively, process the results directly, execute new programs in memory or create files. With a REPL or a shell, programming work can be shaped while the process is running, and users are not dependent on a rigid program that was created in advance. If hackers are now able to implement such a shell on a remote computer and feed it with individual command lines, a very simple remote shell is available, which guarantees a lot of programming freedom, since it is not restricted by predefined program functions. Such a tool is heaven on earth for hackers, since they can now act flexibly in the compromised system and are not dependent on special malware.

Access via scripting systems is attractive, as many web servers use such a little helper to generate and serve content. The frequently used languages include PHP, Perl and Python on Linux or Unix systems as well as PHP, VBScript, JavaScript and C# on Windows systems. If users request a file called "index.html" or "image.jpg" and it exists, the server reads the file into memory and delivers it to the user. Here, too, there is already a lot of potential for hackers, e.g. with fake news, but fake HTML files are unable to compromise the server itself. But of course there are ways and means here as well, which Windows IIS web servers open up through Active Server Pages (ASP). The extension .asp in a URL automatically tells the Windows IIS server not just to read a file and send it back, but first to pass it through the Windows ASP scripting service. While regular HTML content is passed on unmodified, certain areas of the ASP file are now executed as script on the server. The result of this process is inserted back into the HTML file to generate a so-called dynamic website, in which the browser sees no evidence of the script on the server.

So if hackers place such an ASP file in the right place on a Windows web server, they can activate it at any later time by requesting the URL that is connected to the infiltrated file. The server therefore acts as a "command console" for the hacker attack. In addition, ASP-capable script languages, such as VBScript, can not only be activated remotely, but additional parameters can also be appended to the end of a URL. As a result, the script's behaviour can be changed every time it is called from the browser; the webshell is not limited to specific commands, but can also be individually extended. This means that hackers have at their disposal a small but common extension on a web server that executes commands directly and without the need for a log-in.

This means that the attacker can interactively run commands or programs on the target server through the browser alone, analyze the output and carry out further actions based on it, as if the attackers were sitting at the system console. Thanks to the possibility of escalating their rights to SYSTEM, the attackers in the Hafnium case can move and act as they please not only on the affected system, but in some cases in the entire network.
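From the defender's side, a script file that was placed in the web root and is then called by URL with changing parameters leaves traces in the IIS access log. The following is an added example, not part of the original article: it parses an IIS W3C log and summarises successful requests to .asp/.aspx files that are missing from a baseline of script paths the application legitimately ships. The baseline list, the paths and the log lines are constructed assumptions.

```python
from collections import defaultdict

SCRIPT_EXTS = (".asp", ".aspx")   # server-side script types handled by IIS

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-03-10 08:00:01 GET /site/default.aspx lang=de 198.51.100.7 200
2021-03-10 08:00:05 GET /site/default.aspx lang=en 198.51.100.9 200
2021-03-10 08:01:12 GET /site/logo.jpg - 198.51.100.7 200
2021-03-10 09:14:40 POST /site/img/example.aspx p=1 203.0.113.50 200
2021-03-10 09:14:55 POST /site/img/example.aspx p=2 203.0.113.50 200
2021-03-10 09:15:20 POST /site/img/Example.aspx p=3 203.0.113.50 200
2021-03-10 09:20:00 GET /site/img/missing.aspx - 203.0.113.50 404
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated lines
                yield dict(zip(fields, values))

def unknown_script_hits(text, baseline):
    """Map each unknown script path to (requests, clients, distinct queries)."""
    known = {p.lower() for p in baseline}       # assumed known-good script paths
    hits = defaultdict(lambda: {"n": 0, "clients": set(), "queries": set()})
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"].lower()       # IIS paths are case-insensitive
        if not stem.endswith(SCRIPT_EXTS) or stem in known:
            continue
        if not row["sc-status"].startswith("2"):
            continue                            # not served successfully
        h = hits[stem]
        h["n"] += 1
        h["clients"].add(row["c-ip"])
        if row["cs-uri-query"] != "-":
            h["queries"].add(row["cs-uri-query"])
    return {s: (h["n"], len(h["clients"]), len(h["queries"])) for s, h in hits.items()}

if __name__ == "__main__":
    result = unknown_script_hits(SAMPLE_LOG, ["/site/default.aspx"])
    for stem, (n, clients, queries) in result.items():
        print(f"{stem}: {n} requests, {clients} client(s), {queries} query strings")
```

A script path that is absent from the baseline, answered with a 2xx status and is called by a single client with many different query strings is worth checking against the file system and the deployment history.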

Tip: If you want to find out more about webshells, there is a detailed article in the "Serious Security" series from the colleagues at Naked Security: https://nakedsecurity.sophos.com/2021/09/Serious Security-Webshells-Explained-in-the-ATHE-ATHETMATH-HABERIUM-TACKS/