
Local File Inclusion (LFI) and Remote File Inclusion (RFI)

Local File Inclusion (LFI)

In 2014, Sony Pictures Entertainment was affected by a significant cyber attack. While the attack involved multiple vectors, one of the vulnerabilities exploited was Local File Inclusion (LFI). The hack was so impactful that the company had to cancel the release of the movie "The Interview". In this article we will see how Local File Inclusion works and how to prevent it.


Local File Inclusion (LFI) is a type of vulnerability most commonly found in web applications. It occurs when an application includes a file based on user input without properly sanitizing or validating that input. This can allow an attacker to manipulate the input to include files from the server's local file system, potentially exposing sensitive information or enabling further attacks.

One of the most well-known exploits of LFI vulnerabilities is the ability to view the contents of the /etc/passwd file on Unix-based systems. This file contains information about the system's users and can provide valuable information to an attacker.

Example Scenario

Consider a web application that includes a file based on a URL parameter:

http://example.com/index.php?file=user.txt

If the application does not properly validate the file parameter, an attacker could manipulate it to include the /etc/passwd file:

http://example.com/index.php?file=/etc/passwd

This would result in the application including the /etc/passwd file, potentially exposing sensitive information about the system's users.

Preventing LFI in Python Flask

To avoid Local File Inclusion (LFI) vulnerabilities in a Python Flask application, it is crucial to properly validate and sanitize user inputs. Below is an example of how to securely handle file inclusion in Flask:

```python
from flask import Flask, request, abort
import os

app = Flask(__name__)

# Only files inside this directory may ever be served
SAFE_DIR = os.path.realpath('files')

@app.route('/')
def index():
    file = request.args.get('file')
    # Reject empty values and anything that is not a .txt file
    if not file or not file.endswith('.txt'):
        abort(400)
    # Keep only the filename, so "../" sequences and absolute paths are discarded
    filename = os.path.basename(file)
    full_path = os.path.realpath(os.path.join(SAFE_DIR, filename))
    # Defense in depth: the resolved path must still be inside SAFE_DIR
    if not full_path.startswith(SAFE_DIR + os.sep):
        abort(400)
    try:
        with open(full_path, 'r') as f:
            return f.read()
    except FileNotFoundError:
        abort(404)

if __name__ == '__main__':
    app.run(debug=True)  # debug mode is for local development only
```

The same approach in Node.js with Express:

```javascript
const express = require('express');
const fs = require('fs');
const path = require('path');
const app = express();

// Only files inside this directory may ever be served
const SAFE_DIR = path.resolve('files');

app.get('/', (req, res) => {
  const file = req.query.file;
  // Reject missing or repeated values and anything that is not a .txt file
  if (typeof file !== 'string' || !file.endsWith('.txt')) {
    return res.status(400).send('Invalid file');
  }
  // Keep only the filename, so "../" sequences and absolute paths are discarded
  const fullPath = path.resolve(SAFE_DIR, path.basename(file));
  // Defense in depth: the resolved path must still be inside SAFE_DIR
  if (!fullPath.startsWith(SAFE_DIR + path.sep)) {
    return res.status(400).send('Invalid file');
  }
  try {
    const content = fs.readFileSync(fullPath, 'utf8');
    res.send(content);
  } catch (error) {
    res.status(404).send('File not found');
  }
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
```

Both versions accept only a .txt filename, resolve it inside a fixed directory and refuse anything else, rather than opening whatever path the client supplied. Checking the extension alone is not enough: a value such as ../../other.txt would pass that test and still read a file outside the intended directory.
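As an added example (not code from the lesson), the confinement check isolated into a plain function and exercised with the lesson's own payloads plus common variants; SAFE_DIR, the function names and the inputs are assumptions:

```python
import os

# SAFE_DIR is an assumed directory holding the only files the app may include.
SAFE_DIR = os.path.realpath("/srv/app/files")
ALLOWED_SUFFIX = ".txt"

def resolve_included_file(user_value, base_dir=SAFE_DIR):
    """Map a user-supplied 'file' value to a path inside base_dir, or return None.

    Anything that is not a bare filename with the allowed extension is refused:
    absolute paths, traversal sequences, embedded NUL bytes, other extensions.
    """
    if not isinstance(user_value, str) or not user_value:
        return None
    # A NUL byte is never part of a legitimate filename; older runtimes
    # truncated the path at it, which defeated extension checks.
    if "\x00" in user_value:
        return None
    if not user_value.endswith(ALLOWED_SUFFIX):
        return None
    # The value must be a bare filename: any "/" or "\" means a directory
    # component was supplied, which is exactly what "../" relies on.
    if "/" in user_value or "\\" in user_value:
        return None
    full_path = os.path.realpath(os.path.join(base_dir, user_value))
    # Defense in depth: even after the checks above, the resolved path
    # (symlinks included) must still sit below base_dir.
    if os.path.commonpath([base_dir, full_path]) != base_dir:
        return None
    return full_path

def classify(values, base_dir=SAFE_DIR):
    """Label each candidate value as allowed or rejected, for review or tests."""
    return {v: ("allowed" if resolve_included_file(v, base_dir) else "rejected")
            for v in values}

if __name__ == "__main__":
    # Constructed inputs: the lesson's example values plus common bypass forms.
    for value, verdict in classify([
        "user.txt", "/etc/passwd", "../../../../etc/passwd",
        "../secret.txt", "..\\..\\win.ini", "notes.txt\x00.php",
    ]).items():
        print(f"{verdict:8} {value!r}")
```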

Tools to Detect LFI

Detecting Local File Inclusion (LFI) vulnerabilities is crucial for maintaining the security of web applications. Here are some tools that can be used to detect LFI:

  1. Burp Suite: A comprehensive web vulnerability scanner that can detect various vulnerabilities, including LFI. Here is how you can use Burp Suite to detect LFI:

    • Spider the Application: Use Burp Suite's spidering feature to crawl the web application and map out all the endpoints.
    • Intruder: Use the Intruder tool to fuzz parameters that might be vulnerable to LFI. Set the payload positions on the parameters you want to test and use payload lists that include common file paths (e.g., /etc/passwd, ../../../../etc/passwd).
    • Scanner: Use the automated scanner to passively and actively scan for LFI vulnerabilities. The scanner will look for common LFI patterns and report any findings.
    • Manual Testing: Manually test for LFI by intercepting requests with Burp Suite's Proxy and modifying parameters to include file paths. Observe the responses to see if any file contents are included in the response.
  2. OWASP ZAP (Zed Attack Proxy): An open-source web application security scanner that can be used to find LFI vulnerabilities. To use OWASP ZAP for detecting LFI, follow these steps:

    • Automated Scan: Run an automated scan on your web application. OWASP ZAP will crawl the application and test for common LFI patterns.
    • Fuzzing: Use the Fuzzer tool to test parameters for LFI. Set the payload positions on the parameters you want to test and use payload lists that include common file paths (e.g., /etc/passwd, ../../../../etc/passwd).
    • Manual Testing: Intercept requests using the ZAP Proxy and manually modify parameters to include file paths. Check the responses to see if any file contents are included.
    • Active Scan: Perform an active scan to probe for LFI vulnerabilities. OWASP ZAP will actively inject payloads into parameters to detect LFI issues.
    • Alert Analysis: Review the alerts generated by OWASP ZAP to identify any potential LFI vulnerabilities and take appropriate action to mitigate them.
  3. Nikto: An open-source web server scanner that performs comprehensive tests against web servers for multiple vulnerabilities, including LFI.

  4. Acunetix: A commercial web vulnerability scanner that can detect LFI among other vulnerabilities. It provides detailed reports and remediation advice.

  5. Wfuzz: A tool designed for brute-forcing web applications, which can be used to detect LFI by fuzzing file paths and parameters.

  6. SQLMap: Primarily designed for SQL injection, SQLMap can be adapted to identify LFI vulnerabilities by probing for file inclusion patterns. Here are the steps to use SQLMap for detecting LFI:

    • Step 1: Install SQLMap if you haven't already. You can download it from the official website or use a package manager like pip.
    • Step 2: Identify the target URL that you want to test for LFI vulnerabilities.
    • Step 3: Run SQLMap with the --file-read option followed by the file path you want to test. For example:
      sqlmap -u "http://example.com/vulnerable_page.php?file=1" --file-read="/etc/passwd"
      
    • Step 4: Analyze the output to see if the contents of the specified file are included in the response. If SQLMap successfully retrieves the file contents, the target is vulnerable to LFI.
    • Step 5: Repeat the process with different file paths to identify other potential LFI vectors.

    By following these steps, you can effectively use SQLMap to detect LFI vulnerabilities in web applications.

  7. Nmap with NSE (Nmap Scripting Engine): Nmap can be extended with custom scripts to detect LFI vulnerabilities. The NSE allows for the creation of scripts that can automate the detection of various vulnerabilities.

  8. Metasploit: A penetration testing framework that includes modules for detecting and exploiting LFI vulnerabilities. Here are the steps to use Metasploit to detect LFI:

    • Step 1: Install Metasploit if you haven't already. You can download it from the official website or use a package manager like apt.
    • Step 2: Open Metasploit by running the msfconsole command in your terminal.
    • Step 3: Identify the target URL that you want to test for LFI vulnerabilities.
    • Step 4: Search for LFI modules in Metasploit by using the command:
      search lfi
      
    • Step 5: Select an appropriate LFI module from the search results. For example, you can use:
      use auxiliary/scanner/http/lfi
      
    • Step 6: Set the target URL and other required options for the selected module. For example:
      set RHOSTS http://example.com
      set TARGETURI /vulnerable_page.php?file=
      
    • Step 7: Run the module to start the LFI detection process:
      run
      
    • Step 8: Analyze the output to see if any file contents are included in the response. If Metasploit successfully retrieves the file contents, the target is vulnerable to LFI.
    • Step 9: Repeat the process with different file paths to identify other potential LFI vectors.

Using these tools, security professionals can identify and mitigate LFI vulnerabilities to protect web applications from potential attacks.
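The scanners above find the weakness before an attack; the other half of detection is spotting attempts in the server's own logs. Added example (not part of the lesson) that scans constructed access-log lines for include-style parameters carrying traversal sequences or well-known system file paths, decoding the values first so encoded forms are not missed; the log lines, parameter names and indicator list are assumptions:

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php?file=user.txt HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2024:13:55:41 +0000] "GET /index.php?file=/etc/passwd HTTP/1.1" 200 1842
203.0.113.7 - - [10/Oct/2024:13:55:49 +0000] "GET /index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1842
198.51.100.9 - - [10/Oct/2024:13:56:02 +0000] "GET /index.php?file=....//....//etc/passwd HTTP/1.1" 404 231
198.51.100.9 - - [10/Oct/2024:13:56:10 +0000] "GET /about.html HTTP/1.1" 200 3021
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$')

# Indicators of an attempt to leave the intended directory or read well-known
# system files; evaluated after the parameter value is fully URL-decoded.
INDICATORS = [
    ("traversal", re.compile(r"\.\./|\.\.\\")),
    ("absolute_path", re.compile(r"^/")),
    ("sensitive_file", re.compile(r"/etc/(passwd|shadow)|boot\.ini|win\.ini", re.I)),
    ("null_byte", re.compile("\x00")),
]

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%252e%252e) are unmasked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_access_log(text, watched_params=("file", "page", "include")):
    """Return one finding per request whose include-style parameter looks like LFI."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            if name not in watched_params:
                continue
            value = decode_fully(raw)  # parse_qsl already decoded once
            hits = [label for label, rx in INDICATORS if rx.search(value)]
            if hits:
                findings.append({"ip": m.group("ip"), "param": name, "value": value,
                                 "status": int(m.group("status")), "indicators": hits})
    return findings
```

A 200 status on a flagged request (as in the second and third sample lines) is the case to escalate, since it suggests the file contents were actually returned.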

More about the Sony Pictures hack

As noted above, one of the vectors in the 2014 attack on Sony Pictures Entertainment was Local File Inclusion (LFI). The attackers were able to gain access to sensitive files and data, leading to a massive data breach that exposed confidential information, emails, and unreleased films.

The consequences of this hack were severe and far-reaching:

  1. Data Exposure: Confidential employee information, including Social Security numbers, salaries, and personal emails, was leaked.

  2. Financial Loss: The company faced significant costs for cybersecurity improvements, legal fees, and settlements. The estimated financial impact exceeded $100 million.

  3. Reputation Damage: Sony's public image suffered, affecting relationships with employees, partners, and customers.

  4. Operational Disruption: Sony's computer systems were offline for weeks, severely impacting business operations.

  5. Film Release Issues: The hack led to the temporary cancellation of "The Interview" movie release, causing further financial and reputational damage.

  6. Geopolitical Tensions: The incident escalated diplomatic tensions between the United States and North Korea, as the latter was accused of being behind the attack.

This incident underscores the critical importance of robust cybersecurity measures, including protection against vulnerabilities like LFI.