Author Topic: SMF 1.1.6 Remote Code Execution Exploit  (Read 32662 times)

Offline osjak

  • Semi-Newbie
  • *
  • Posts: 23
SMF 1.1.6 Remote Code Execution Exploit
« on: November 05, 2008, 07:53:47 AM »
To the SMF team: deleting my post at this forum about this exploit only confirms that there is a vulnerability in SMF and you are trying to hide it. This is very irresponsible on your part. If this is in fact a working exploit, your users deserve to know their websites are in danger. Bad guys know that already for sure.

http://forum.joomla.org/viewtopic.php?f=267&t=340826

Offline N3RVE

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,906
  • Gender: Male
    • N3RVE.COM
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #1 on: November 05, 2008, 08:12:50 AM »
Hello osjak,
Thanks for airing your concerns.
I moved the topic and sent you a PM.

Quote from:
Hey! Osjak,
Thanks for the report, we're indeed aware of this and are yet to prove it won't work, as the developers are yet to confirm. For the time being, I've moved the topic to the Staff boards.

Please, use the security report form next time ;)
http://www.simplemachines.org/about/security.php

-[n3rve]

Security vulnerabilities shouldn't be reported on the Support boards.

Thank you,
-[n3rve]
Ralph "[n3rve]" Otowo
Former Marketing Co-ordinator, Simple Machines.
ralph [at] simplemachines [dot] org                       
Quote
“Somewhere, something incredible is waiting to be known.” - Carl Sagan

Offline BryanD

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 22,019
  • Gender: Male
    • BryanRunicDeakin on Facebook
    • @bryandeakin on Twitter
    • Bryan Deakin dot Com
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #2 on: November 05, 2008, 08:25:53 AM »
osjak, we do thank you for pointing this out; however, constantly posting this on the forum as well as on other sites does not make it easier for us to confirm the report. We have regulations for situations like this, and that is to post a security report. The dev team as well as team members will use their knowledge to recreate the issues, and if it is felt needed a patch will be released. Can I please ask you to hold on and understand that we are working on it? Constant posting is not helping anyone.

Offline osjak

  • Semi-Newbie
  • *
  • Posts: 23
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #3 on: November 05, 2008, 08:36:05 AM »
[n3rve], Runic Warrior,
Thank you for taking note of this topic and publicly responding.
The security form makes sense when I am the original person who found a vulnerability. In that case submitting my discovery privately keeps it from getting into the wrong hands. What we have here is the opposite: information is already in the wrong hands and is available to every person with Internet access who wishes to get it. In this case SMF users should be informed that this is what's going on out there. I understand that it takes time and manpower to figure out if an exploit is real and how it can be patched. I am not here to demand solutions right away. But I believe that SMF users are the very people who will suffer if this information is not on this forum. As a forum admin I can now make an informed decision: to cross my fingers and run my site the way it is, or to temporarily disable attachments and wait for your information release.

Offline BryanD

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 22,019
  • Gender: Male
    • BryanRunicDeakin on Facebook
    • @bryandeakin on Twitter
    • Bryan Deakin dot Com
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #4 on: November 05, 2008, 08:43:25 AM »
osjak, we are also forum owners. When posting it publicly you are creating potential fear amongst users; this in turn can make the situation worse than it is. We understand exploits are important; however, posting publicly, especially a link, can make it worse by allowing more potential hackers (illegal ones) to use and try it, thus making more of a mess.

Now I have not checked the topic regarding this exploit yet today; however, I do know by looking at the posts that it is being discussed a lot, and if it is felt a patch is needed then one will be released.

Offline osjak

  • Semi-Newbie
  • *
  • Posts: 23
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #5 on: November 05, 2008, 09:03:08 AM »
Quote from: BryanD
osjak, we are also forum owners. When posting it publicly you are creating potential fear amongst users; this in turn can make the situation worse than it is.

You look at users as fragile creatures that need an informational greenhouse to survive. I doubt that this is what an average forum admin is; otherwise he/she would not be an admin for long. You call it "potential fear", I call it concern. A concerned but prepared admin is in a better position than an admin with a cracked site who has no concerns. It is okay for an admin to be concerned about his forum's security. I am concerned all the time; that's why I am subscribed to sites like milw0rm, to be aware of dangerous developments early enough, before they hit my sites.

Quote from: BryanD
We understand exploits are important; however, posting publicly, especially a link, can make it worse by allowing more potential hackers (illegal ones) to use and try it, thus making more of a mess.

I seriously doubt that illegal hackers discover new exploits reading this forum. They already know about it from other places they socialize at, regardless of my post here. My post here informs the SMF users that do not read hackers' websites, that's all.

This is great that SMF team is working on it and I will be waiting patiently for the outcome. Thank you!

Offline N3RVE

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,906
  • Gender: Male
    • N3RVE.COM
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #6 on: November 05, 2008, 09:21:20 AM »
Quote from: osjak
I seriously doubt that illegal hackers discover new exploits reading this forum. They already know about it from other places they socialize at, regardless of my post here. My post here informs the SMF users that do not read hackers' websites, that's all.

This is true, but there have been cases where malicious users (not necessarily hackers) took advantage of such exploits and tried to harm other users. I understand your concerns, but I really didn't see it necessary to post this after I had sent the PM.

Regardless, as a temporary measure, you should rename your attachments directory to something else (preferably random alphabetic characters) and also ensure that the Admin CP has the correct directory name under 'Attachments and Avatars'.

Should you wish to go one step further, you could temporarily comment out the packages lines from within the action array inside the index.php file in your SMF directory.

Change lines:
Code: (Find)
'packageget' => array('PackageGet.php', 'PackageGet'),
'packages' => array('Packages.php', 'Packages'),

Code: (Replace)
// 'packageget' => array('PackageGet.php', 'PackageGet'),
// 'packages' => array('Packages.php', 'Packages'),

-[n3rve]

Offline osjak

  • Semi-Newbie
  • *
  • Posts: 23
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #7 on: November 05, 2008, 03:45:47 PM »
[n3rve], excellent suggestions! Thank you!

Offline osjak

  • Semi-Newbie
  • *
  • Posts: 23
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #8 on: November 06, 2008, 02:00:34 AM »
There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some timeline from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,020
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #9 on: November 06, 2008, 02:13:38 AM »
The developers know about it, and it is being worked on. They need to find the source of the issue first, so a real solution is made instead of something that just hides the problem.
Motoko-chan
Director, Simple Machines

Just because it's pouring down doesn't mean we're gonna drown. There's a time when all you can say is let it rain - Mat Kearney (Let It Rain)

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline Jorin

  • SMF Hero
  • ******
  • Posts: 2,021
  • Gender: Male
    • ElkArte-Hilfe.de
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #10 on: November 06, 2008, 02:32:42 AM »
Quote from: osjak
What we have here is the opposite: information is already in the wrong hands and is available to every person with Internet access who wishes to get it. In this case SMF users should be informed that this is what's going on out there. I understand that it takes time and manpower to figure out if an exploit is real and how it can be patched. I am not here to demand solutions right away. But I believe that SMF users are the very people who will suffer if this information is not on this forum. As a forum admin I can now make an informed decision: to cross my fingers and run my site the way it is, or to temporarily disable attachments and wait for your information release.

I too would love to be informed by simplemachines itself about such security issues, so I can inform the group of not-so-experienced users and admins, who will never get this kind of information if it is not posted by you or me.

Offline xact

  • Semi-Newbie
  • *
  • Posts: 20
    • photography
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #11 on: November 06, 2008, 04:23:08 AM »
Quote from: osjak
There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some timeline from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.

I've seen that; any idea if disabling theme changing and avatar uploading/attachments will do the job?
photography

Offline Tony Reid

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 4,149
  • Gender: Male
    • @AbsoluteBreeze on Twitter
    • www.fertilityfriends.co.uk
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #12 on: November 06, 2008, 04:30:25 AM »
From what I have seen, in addition to the above suggestion, it would also be an idea to comment out the themes and jsoption lines from the action array, in the same way the packages and packageget lines were done.


Tony Reid


My Big Board
www.FertilityFriends.co.uk/forum - An SMF powered forum with over 5 million posts
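The two interim edits above (N3RVE's reply #6 and Tony Reid's reply #12) are easy to get half-right on a board that has several mods applied, and it is worth being able to check a board root rather than trust memory. The script below is an added example, not SMF code, and not something the team posted: it reports which of the four action entries are still dispatched by index.php and whether the attachment directory still sits at the default, predictable 'attachments' path under the board root. The index.php excerpts are constructed fixtures modelled on the lines quoted in the thread; only the 'packageget' and 'packages' entries are copied from it, the right-hand sides for the other entries are placeholders, and the action keys should be compared against the ones in your own index.php.

```python
"""Audit an SMF 1.1.x board root for the interim mitigations from this thread.

Added example; this is not SMF code. It reports (1) which of the risky
$actionArray entries are still dispatched by index.php and (2) whether the
attachment directory still sits at the default 'attachments' path under the
board root. The index.php excerpts are constructed fixtures modelled on the
lines quoted in the thread; only the 'packageget' and 'packages' entries are
copied from it, the other right-hand sides are placeholders.
"""
import os
import re
import tempfile

# Action keys the thread recommends disabling until 1.1.7 ships. Compare
# them against the keys actually present in your own index.php.
RISKY_ACTIONS = ("packageget", "packages", "themes", "jsoption")

# One $actionArray line, e.g.  'packages' => array('Packages.php', 'Packages'),
# with an optional // or # in front of it. Block comments (/* ... */) are not
# handled; check those by eye. Only spaces and tabs may precede the entry,
# so a trailing "//" on the previous line cannot hide an active entry.
_ENTRY_RE = re.compile(
    r"^[ \t]*(?P<comment>//|#)?[ \t]*'(?P<action>[A-Za-z0-9_]+)'[ \t]*=>[ \t]*array\(",
    re.M,
)


def active_actions(index_php):
    """Names of all actions index.php will still dispatch."""
    return {m.group("action") for m in _ENTRY_RE.finditer(index_php)
            if m.group("comment") is None}


def risky_actions_active(index_php):
    """Subset of RISKY_ACTIONS that is still active."""
    return set(RISKY_ACTIONS) & active_actions(index_php)


def default_attachment_dir_present(board_root):
    """True while the predictable default upload directory still exists."""
    return os.path.isdir(os.path.join(board_root, "attachments"))


def audit(board_root):
    """Read index.php under board_root and summarise both checks."""
    with open(os.path.join(board_root, "index.php"), encoding="utf-8") as f:
        index_php = f.read()
    return {
        "risky_actions_active": sorted(risky_actions_active(index_php)),
        "default_attachment_dir": default_attachment_dir_present(board_root),
    }


# Constructed fixture: an excerpt of $actionArray before any edits.
UNPATCHED_INDEX = """<?php
$actionArray = array(
    'activate' => array('Register.php', 'Activate'),
    'admin' => array('Admin.php', 'Admin'),
    'jsoption' => array('Themes.php', 'SetJavaScript'),
    'packageget' => array('PackageGet.php', 'PackageGet'),
    'packages' => array('Packages.php', 'Packages'),
    'themes' => array('Themes.php', 'ThemesMain'),
);
"""

# The same excerpt after the packages entries were commented out but
# before the themes and jsoption entries were.
MITIGATED_INDEX = (UNPATCHED_INDEX
                   .replace("    'packageget'", "    // 'packageget'")
                   .replace("    'packages'", "    // 'packages'"))


def make_board(index_php, upload_dir="attachments"):
    """Build a throwaway board root with index.php and an upload directory."""
    root = tempfile.mkdtemp(prefix="smf_audit_")
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as f:
        f.write(index_php)
    os.mkdir(os.path.join(root, upload_dir))
    return root


if __name__ == "__main__":
    print("unpatched:", audit(make_board(UNPATCHED_INDEX)))
    print("mitigated:", audit(make_board(MITIGATED_INDEX, "x7q2mvd")))
```

Run it against a real board by calling audit() with the directory that holds index.php; an empty risky_actions_active list and default_attachment_dir False means both interim steps have been applied. It is a check for the workaround only, not for the underlying bug, so it should be retired once the 1.1.7 patch is on.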

Offline Kermit

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 4,365
  • Gender: Male
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #13 on: November 06, 2008, 06:26:55 AM »
AdminCP
Attachments and Avatars
Encrypt stored filenames

should be activated too; it will also encrypt the names of the attachments, which means that we cannot execute a file just by typing

Code:
http://[website]/SMF/index.php?action=packages;sa=install2;package=[filename]

That would not work if we activate the option above.
« Last Edit: November 06, 2008, 06:28:36 AM by Duncan85 »
My Mods
Please don't PM/mail me for support,unless i invite you
Formerly known as Duncan85
Quote
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe."

A. Einstein

Offline dangerboy

  • Semi-Newbie
  • *
  • Posts: 40
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #14 on: November 06, 2008, 11:19:45 AM »
so how can we secure our forum?

Offline N3RVE

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,906
  • Gender: Male
    • N3RVE.COM
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #15 on: November 06, 2008, 12:24:58 PM »
Quote from: dangerboy
so how can we secure our forum?

We're getting ready for 1.1.7; temporarily, you can do as stated in this post:
http://www.simplemachines.org/community/index.php?topic=272393.msg1783614#msg1783614

-[n3rve]

Offline yaax

  • Semi-Newbie
  • *
  • Posts: 28
    • ForumSide.com free SMF forums with TinyPortal
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #16 on: November 06, 2008, 12:45:20 PM »
Note that there also exists a second exploit:
Quote

The "theme_dir" setting of users is not properly verified before being used, which can be exploited to include arbitrary files from local resources.

Successful exploitation in combination with malicious uploads (e.g. avatars) allows to execute arbitrary PHP code, but requires a valid user account.


It requires a fix in Sources/QueryString.php & Sources/Themes.php with magic_quotes == Off

I don't wish to give a link, but all security sites are full of links to this problem. And it is more critical than the problem with packages.
« Last Edit: November 06, 2008, 12:47:23 PM by yaax »
Free SMF hosting:
http://www.ForumSide.com/

Free OpenCart shop hosting -
http://www.GetFreeShop.com/
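Kermit's reply #13 and yaax's reply #16 describe the same shape of defect: a name taken from the request (the 'package' parameter in one case, the user's 'theme_dir' setting in the other) is used to pick a file without checking that it is one of the files the board actually knows about and that it stays inside the directory it is supposed to come from. Renaming the attachment directory and encrypting stored filenames make the target harder to guess; they do not remove the defect. The block below is an added example, not SMF code and not the 1.1.7 fix, of what the check itself looks like: an allowlist of known names, a conservative character set, and a realpath-based confinement test that also catches a symlink planted inside the expected directory. The directory tree, file names and allowlist are constructed for the example. One caveat on the magic_quotes observation in this thread: magic_quotes_gpc is the directive that acts on GET, POST and cookie input, and it escapes quotes, backslashes and NUL bytes with a backslash. That can incidentally break an attack string, but it validates nothing about a path, and the directive was deprecated in PHP 5.3 and removed in PHP 5.4, so it is not a fix.

```python
"""Confining a user-supplied file or directory name to an expected directory.

Added example, not SMF code. It models the two problems raised in this
thread: a 'package' parameter that resolves to an attacker-uploaded
attachment, and a 'theme_dir' value that points outside the theme
directory. Directory names, file names and the allowlist are constructed
for this example.
"""
import os
import re
import tempfile

# A conservative character set for names taken from the request: no path
# separators, no NUL, no quotes, no leading dot, bounded length.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def resolve_within(base_dir, name, allowlist=None):
    """Return the real path of base_dir/name, or None if the name is
    malformed, not in the allowlist, missing, or escapes base_dir once
    symlinks are resolved."""
    if "\0" in name or not _NAME_RE.fullmatch(name):
        return None
    # For packages this is the list of known archives; for theme_dir it
    # would be the directories of the themes actually installed.
    if allowlist is not None and name not in allowlist:
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, name))
    # realpath follows symlinks, so a harmless-looking entry that links to
    # the uploads directory is rejected here even though its name passed.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate if os.path.exists(candidate) else None


def build_fixture():
    """Constructed tree resembling part of an SMF install."""
    root = tempfile.mkdtemp(prefix="smf_paths_")
    packages = os.path.join(root, "Packages")
    attachments = os.path.join(root, "attachments")
    os.mkdir(packages)
    os.mkdir(attachments)
    with open(os.path.join(packages, "mymod_1.0.tar.gz"), "wb") as f:
        f.write(b"constructed placeholder, not a real package")
    with open(os.path.join(attachments, "upload.php"), "wb") as f:
        f.write(b"<?php /* constructed: stands in for an attacker upload */ ?>")
    # A directory entry inside Packages that links to the uploads directory.
    os.symlink(attachments, os.path.join(packages, "linked"))
    return root, packages, attachments


def demo():
    """Run the check over legitimate and hostile names; True means accepted."""
    root, packages, attachments = build_fixture()
    installed = {"mymod_1.0.tar.gz"}        # constructed allowlist
    cases = {
        "legit": "mymod_1.0.tar.gz",
        "traversal": "../attachments/upload.php",
        "absolute": os.path.join(attachments, "upload.php"),
        "nul_byte": "mymod_1.0.tar.gz\0.php",
        "symlink": "linked",
        "unknown": "other_1.0.tar.gz",
    }
    results = {k: resolve_within(packages, v, installed) is not None
               for k, v in cases.items()}
    # Even without an allowlist, the symlink fails the confinement check.
    results["symlink_no_allowlist"] = resolve_within(packages, "linked") is not None
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:22s} {'accepted' if accepted else 'rejected'}")
```

The allowlist is the part that matters most: a package name should come from the set of archives the board already lists, and a theme directory from the set of themes the board already knows, so that an uploaded avatar or attachment is never a candidate at all. The character-set and realpath checks are defence in depth for the case where the allowlist is incomplete.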

Offline osjak

  • Semi-Newbie
  • *
  • Posts: 23
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #17 on: November 06, 2008, 02:18:10 PM »
Quote from: yaax
Note that there also exists a second exploit:
Quote

The "theme_dir" setting of users is not properly verified before being used, which can be exploited to include arbitrary files from local resources.

Successful exploitation in combination with malicious uploads (e.g. avatars) allows to execute arbitrary PHP code, but requires a valid user account.


It requires a fix in Sources/QueryString.php & Sources/Themes.php with magic_quotes == Off

I don't wish to give a link, but all security sites are full of links to this problem. And it is more critical than the problem with packages.

yaax, yes I was also trying to point that out:

Quote from: osjak
There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some timeline from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.

Unfortunately we have to keep talking in code here, even though, as you already mentioned, all other sites are full of links to actual exploits and any bad-intended person can easily find them. Anyway, let's just hope that 1.1.7 will address both issues.

Can we also ask that there be instructions on how to update the code manually? My sites are modified too heavily to be updated the conventional way.

Offline yaax

  • Semi-Newbie
  • *
  • Posts: 28
    • ForumSide.com free SMF forums with TinyPortal
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #18 on: November 06, 2008, 02:31:53 PM »
Quote from: osjak
There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some timeline from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.

In PHP you have three kinds of magic_quotes; which one needs to be ON?
You have:
magic_quotes_gpc
magic_quotes_runtime
magic_quotes_sybase

I have magic_quotes_gpc as ON, but not sure regarding all others.

Offline metallica48423

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,842
  • Gender: Male
  • Professional Multislacker!
    • Zentendo
Re: SMF 1.1.6 Remote Code Execution Exploit
« Reply #19 on: November 06, 2008, 02:56:31 PM »
All, we are aware of both exploits and we will be pushing out a security patch as soon as it can be implemented and tested to ensure that the patches actually work for both issues. 

Our goal is currently to have that patch release out by the end of the weekend, hopefully at the latest. Normally these issues are patched within 48-72 hours after discovery; however, due to the one-two punch and the moderate to severe nature of these two, it will be a bit longer, to ensure that we can properly secure those who depend on our software.

A couple of team members have pointed out in this topic a small number of interim fixes to guard against these. I would recommend implementing these on a temporary basis to ensure that you are secured.

Thanks for your patience and understanding!

metallica48423
Lead Support Specialist
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote
Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"

Useful Links:
Online Manual!
How to Help us Help you   
Search
Settings Repair Tool