File Inclusion and Arbitrary Code Execution: Earlier this month, an airplane ticket website built on WordPress was hacked leaving the personal data of hundreds of thousands of visitors exposed. In an earlier post on why do hackers hack, we discussed all the reasons why hackers hack including stealing data, sending spam emails, they could be even using black hat SEO techniques to rank their own products (recommended read – pharma hack), etc.
When we talk about common hack attacks, you are very likely to think about brute force attacks. But did you know that file inclusion and arbitrary code execution is also one of the most common hack attacks made on the WordPress websites. In this post, we’ll go a little deeper into these attacks with the view of understanding them in detail.
To understand how these attacks work, the first thing that you must know is that it involves PHP files. You must be wondering why? Its because both File Inclusion and Arbitrary Code Execution attacks involve using PHP files.
But what is a PHP file? Think of a kitchen cabinet. Inside the cabinet, there are a number of items like sugar, salt, spices, utensils, etc. Each of these items has a purpose to serve in the kitchen. A PHP file is a cabinet and the codes inside the files are the items that enable execution of certain functions desired by the hacker. This is the reason why hackers prefer uploading a PHP file over any other files like say JPEG or PDF file. JPEG and PDF files are not executable, i.e. hackers can’t use these files to execute any function. One can only read (i.e. view) them. They can’t be used to make any changes to a hacked site.
A hacker who has uploaded a PHP file on your website server can use it to do anything on your website. And this is why PHP files are used to run File Inclusion and Arbitrary Code Execution attacks.
What is a File Inclusion Attack?
The best way to understand a complex website attack like this is to exemplify a real scenario. Let’s say you run a website for your institution and the site is called college.com. You allow a few students to access the site so that they can post pictures taken during a recent college event. Someone misuses the access you gave and uploads a malicious PHP file (named hack.php) into the website. The goal is to gain control of the college websites. When the student uploads the malicious PHP file, by default it is stored in the Upload folder. Anyone who knows the basic structure of WordPress knows where an uploaded file goes.
The file acts like a door enabling the hacker to interact with the file remotely. Note the hacker still does not have control over the site, they just have a window for communication. To make it easier to understand imagine person A wants to go to a country where he isn’t allowed. So he sends an agent, person B. Person A is the hacker, the country stands for the college website and person B is the hack.php file.
PHP files uploaded into the college website —-> The file is stored in the website server
Person B is only trained in a few things and can only do so much. So the person A needs to instruct him on what to do next. In the same vein, the PHP file creates a communication window and then awaits more commands from the hacker.
Let’s assume that the hack.php is created in a way that enables the uploading of more files into the website. The hacker creates a file (named control.php) that he’ll upload using hack.php that is already present in the website server. The new file – control.php will enable the hacker to have full access to the website. He uses the window provided by the hack.php file to upload the control.php file into the site. This process of uploading the control.php file using a file (hack.php) that is already present on the website server is called Local File Inclusion.
One great example of Local File Execution is the vulnerability observed on the Easy Forms for MailChimp WordPress plugin (v 22.214.171.124). Using the MailChimp plugin, website owners can add different types of forms to their WordPress site. A vulnerability allowed hackers to upload a PHP file into a website server using the MailChimp form. Once the file is stored on the website server, hackers were able to communicate with them and execute codes that’ll enable them to control the server or damage the site in numerous ways.
Here’s a scenario: The college website has a firewall installed and therefore the hacker cannot upload the control.php. While he can’t upload another separate file he can ‘include’ a file. It means he can insert a file within the hack.php file which is already present on the college website server. If the hacker was able to upload the control.php file, the website server would read the file and execute the code inside that’ll enable the hacker to do anything he wants. But because he can’t upload the file, he’ll have to find other ways to make the server read the control.php file. A path created by a hacker is available online and the server of the college website should be able to read it. Therefore the hacker creates a path and makes them available online so that the college website server is able to read it. The server then starts executing the code acquired from the path and since the code is written in a way that’ll allow the hacker full control of the site, the hack now controls the college website. This process of making the server read a remote file is called Remote File Inclusion.
The TimThumb vulnerability case is a popular example of Remote File Inclusion. TimThumb was a WordPress plugin that allowed easy editing of images on a WordPress site. It enabled anyone to use images procured from image sharing websites like imgur.com and flickr.com. TimThumb recognizes imgur as a valid site (or whitelisted). Hackers taking advantage of this criteria creates files with URLs mentioning a valid site like http://www.imgur.com.badsite.com. When they upload a malicious file with a URL like the one we mentioned above the plugin is fooled into believing the file comes from a valid website. And it allows uploading a malicious file to the website’s server. This whole process of including a malicious file from outside the website server by taking advantage of a vulnerability in a plugin is Remote File Inclusion. After the malicious PHP file is stored in the website server, the hackers can communicate with it to execute their desired actions.
What is an Arbitrary Code Execution Attack?
Now that we know what remote and Local File Inclusion is, let’s move on and try and understand what Arbitrary Code Execution is. File Inclusion and arbitrary code inclusion are interrelated to each other. In any case of File Inclusion, the hackers aim is to execute an arbitrary code on the website. Let’s go back to the example of Local File Inclusion where the hacker has uploaded a hack.php in the college website and then uploaded control.php with the help of hack.php. The phrase Arbitrary Code Execution is a description of a hacker’s ability to execute any command of his choice on a hacked website. Once the PHP files (hack.php and control.php) are up on the website server, the hacker can execute any code that he wishes. This process of executing any code from the files he uploaded is called Arbitrary Code Execution.