Simple Machines Community Forum

Simple Machines => News and Updates => Topic started by: Kindred on June 05, 2014, 07:43:06 PM

Title: Avast Forum Hack - Results of Analysis
Post by: Kindred on June 05, 2014, 07:43:06 PM
As everyone has no doubt heard by now, over the weekend of May 24/25, the Avast forum site was hacked.

There was much supposition, a fair amount of guessing and several accusations that the forum software which Avast was running (Simple Machines Forum) was the vector of the attack.
We took a look at what was publicly available and came to our own conclusions, which did not match with what some representatives from Avast were claiming or what had been passed on to the media. In response to this, we made a post on 28-May, which indicated our position on the matter. Yes, that post was not the most politely phrased response, but we were responding to attacks on the integrity of our coding, our security and our documentation of changes.

In return, Avast DID contact us and provided us the code from the hacked site as well as the server logs for the time around that weekend in May. They seemed interested in working with us and we had some of our best experts put some serious effort and time into analyzing the code and the server data. We had planned to work WITH the folks at Avast to work on a statement.
Unfortunately, this was also the last we heard from the Avast representatives. Since our findings were presented to them, they have refused to respond to any of our attempts to contact them again. Given this refusal to communicate and given the fact that some people are still trying to lay the blame on SMF, I feel that we must make the analysis public and thus address any concerns over the security of Simple Machines Forum.

Summary - We can find no evidence that the hacker exploited any (alleged) vulnerability in the Simple Machines Forum software.

More specifically and in greater detail:
1- From the server logs, there is no evidence of any security vulnerability in the SMF code
2- From our analysis, it is our conclusion that the "hack" was the result of a compromised admin account (although, to be clear, without any specific evidence, this conclusion is still supposition, even if it is the best guess). Specifically, similar to the attack here at simplemachines.org late last year, an admin reused account information across multiple sites, one other of which was compromised. Once the hacker had the admin account information, he would be able to promote his other dummy account to Admin or even just act as the logged in account.
3- From the dates on the file edits, it would appear that the system was actually compromised several months ago, but was not noticed until the hacker did something obvious, here in May.
Of course, the server logs from that time are not available from Avast, so we can not confirm this by any method other than the date-stamp on the infected file.
4- Avast told us that they did not "lock down" the permissions of their files. This is important, because even a compromised admin account would still need FTP passwords (if FTP is even available) to make file changes if the file permissions were locked.

Now - Lest people think we are trying to throw all the blame somewhere else - We will acknowledge that, once the hacker had admin access, the features of SMF essentially gave him full access to the system.  Two Admin features which make Simple Machines Forum so simple for people to use are the Package Manager and the Theme Editor. These features allow an admin to upload a pre-packaged set of code-instructions which modifies the system. When correctly used, this allows for quick and simple customization of a forum site, adding new features and enhancing others. These powerful features, however, could also allow anyone with admin access to upload and run a mod package with malicious intention if the file permissions allow the upload. We recognize this and work our best to prevent any unauthorized access to the admin area and the package manager or theme editor. However, when the hack comes in through a human/social hack, as seems to be the case here, there is very little that we can do.

The take-away from this is: do not re-use your admin password elsewhere and maintain secure file permissions - because if file and folder permissions are properly maintained, the admin features can do no real damage because they can't write to any files without the file permissions being changed by someone with FTP, Control Panel or other server access.

Additionally, SMF v1.1.x and 2.0.x use a hashed SHA1 encryption for the password. That means that, once the hacker has the database, there is a possibility that he can discover the passwords. Although SHA1 is still considered secure, it is breakable through brute force, especially given the power of machines these days; it would take some time, but can be done. (Once again, this requires that a hacker has already gained access to your database.)  For the upcoming 2.1 release, we have changed the password storage, encryption and handling -- but note that this change was already underway well before Avast.

Two things that YOU can do to protect yourselves:
a) Never use the same username/password combination on sites.
b) If you run a forum, lock your file permissions down. Do not leave them at chmod 666/777 (which is what some hosts require in order to install mods). If you must use those settings to install a mod or a theme, then change the permissions back to a more restrictive set (644/755 at the very least, but even that is not actually secure). This takes a little more work (granting and removing permissions every time you want to install a mod), but makes your site more secure.
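
An added example, not part of the post above and not SMF's own code: a shell audit for the permission lock-down described in point (b). It reports entries left at 666/777-style modes, reports entries the web server account owns and can write to (the reason 644/755 alone is not enough), and restores the 644/755 baseline after a mod install. The forum path and the `www-data` account name are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): audit and tighten the
# permissions of a forum tree. Paths and account names are assumptions.

# Entries any local account can write to: the chmod 666/777 state.
world_writable() {   # $1 = forum root
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Entries owned by the web server account and writable by it. At 644/755 these
# can still be modified by PHP running as that account (theme editor, package
# manager), and an owner can always chmod its own files back.
writable_by_owner() {   # $1 = forum root, $2 = account name or numeric uid
    find "$1" \( -type f -o -type d \) -user "$2" -perm -0200 -print
}

# Restore the restrictive baseline after a mod or theme install.
lock_down() {   # $1 = forum root
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Summarise both checks; exit status is non-zero when anything was found.
audit() {   # $1 = forum root, $2 = web server account
    ww=$(world_writable "$1" | wc -l | tr -d ' ')
    ow=$(writable_by_owner "$1" "$2" | wc -l | tr -d ' ')
    echo "world-writable: $ww  owned and writable by $2: $ow"
    [ "$ww" -eq 0 ] && [ "$ow" -eq 0 ]
}

# Stand-alone use: ./audit.sh /path/to/forum [web-account]
if [ "$#" -ge 1 ]; then
    audit "$1" "${2:-www-data}"
fi
```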
Title: Re: Avast Forum Hack - Results of Analysis
Post by: SaltedWeb on June 05, 2014, 07:48:45 PM
Good information, thank you
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Looking on June 05, 2014, 08:25:44 PM
Quote:
an admin reused account information across multiple sites, one other of which was compromised.
If that is what happened then it amazes me that people still do this. Good that SMF was cleared.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Roph on June 05, 2014, 09:16:00 PM
I think you guys handled all this quite well :)
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Looking on June 05, 2014, 09:23:52 PM
I meant to ask, is Avast going to issue a statement retracting what they said earlier? Did Avast acknowledge your findings?
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on June 05, 2014, 09:36:53 PM
Quote from: Kindred on June 05, 2014, 07:43:06 PM
We had planned to work WITH the folks at Avast to work on a statement.
Unfortunately, this was also the last we heard from the Avast representatives. Since our findings were presented to them, they have refused to respond to any of our attempts to contact them again. Given this refusal to communicate...

Survey says no.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: AllanD on June 06, 2014, 07:35:23 AM
Thank you for the update, and sad to hear that they claimed right here on the forum to work with you and then don't.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: butchs on June 06, 2014, 03:05:25 PM
Humm...  This is the time of year people go on vacation here in the states.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on June 06, 2014, 03:10:53 PM
AVAST Software a.s. (formerly known as ALWIL Software a.s.) is headquartered in Prague, Czech Republic, though there are offices in Linz, Austria; Friedrichshafen, Germany; and Redwood City, California -- so says Wikipedia.

In any case, I'm not being funny but if it were my company involved, where my reputation and integrity were under question, I don't think I'd be relaxing on holiday...
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Adrek on June 06, 2014, 03:23:21 PM
Thanks for update, good to know that SMF is secure :)


btw, I'm wondering how and if ESET is working with IP.Board developers. ESET forum was also hacked and they are running IPB forum.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on June 06, 2014, 03:25:07 PM
You'd have to ask them. I'd hope so, it's in everyone's best interests that vendors work with affected clients to get to the heart of a problem.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: butchs on June 06, 2014, 08:51:40 PM
Quote from: Arantor on June 06, 2014, 03:10:53 PM
In any case, I'm not being funny but if it were my company involved, where my reputation and integrity were under question, I don't think I'd be relaxing on holiday...

Good point.  Though we do not always agree...  I am not trying to be funny either.  Here is another possibility...  Companies can be cautious.  Maybe they are looking at every angle before replying.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on June 06, 2014, 08:55:10 PM
A more detailed version - including *all* the specifics of what was found - was made available to them days ago and *no* further contact was made, not even a 'we're reviewing what you found, let us get back to you' type comment, not a sausage. Under the circumstances, I don't see what else could have been done.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: butchs on June 06, 2014, 09:10:04 PM
All I can think of is to give them at least 10 working days or request a reply in a certain amount of time?
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on June 06, 2014, 09:16:02 PM
A note was posted days before, asking for some kind of feedback... no reply whatsoever.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Kindred on June 06, 2014, 09:21:36 PM
Believe me, they were given the analysis (and we waited) and then given notice of this post well before it was made.
In good conscience, I could wait no longer given the suggestion of security issues.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Ninja ZX-10RR on June 07, 2014, 03:40:47 AM
I run AVAST but now I understand why those idiots replied to me a month later since I sent them a ticket telling them that the stupid program was detecting ALL .gif files as viruses -_- they said to me no dude it's you using a restricted heuristic analysis system and crap while I wasn't even scanning. It was happening every time I was opening my gif forum images to edit them, make them look better or even change them. Screw it I got angry but *WHO KNOWS WHY!!!* a week or so after that reply AVAST got patched and didn't happen again! I felt like "AYFKM" and red in my face for that. >:(
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Ben_S on June 07, 2014, 06:01:48 AM
I don't understand why they have no logs available, if you care about security you don't rotate logs at the Apache defaults, you archive them off for a significant period. I thought Avast was a security company? It appears they haven't a clue.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: redone on June 07, 2014, 01:03:26 PM
I think the post was timely given the nature of how things began. Clearly after detailed review of the information provided it gave you guys enough to make such a public post. They surely must understand protecting the integrity of a product's image is extremely important.

Congrats on a well put together and detailed public explanation of the facts at hand. ;)
Title: Re: Avast Forum Hack - Results of Analysis
Post by: karlbenson on June 07, 2014, 02:34:06 PM
Makes for interesting reading.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Scripty on June 07, 2014, 04:21:09 PM
This was actually interesting and well explained.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on June 07, 2014, 04:26:07 PM
Yup, Kindred did a good job of nailing the important details.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: firemun on June 08, 2014, 11:49:07 PM
Good statement issued, Kindred! I'm Team SMF all the way!
Title: Re: Avast Forum Hack - Results of Analysis
Post by: AtzeX on June 10, 2014, 05:12:19 AM
Quote:
If you run a forum, lock your file permissions down.
Good point.
Is there a tutorial anywhere for doing this?
Would appreciate it.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: kat on June 10, 2014, 05:42:10 AM
Quote from: firemun on June 08, 2014, 11:49:07 PM
I'm Team SMF all the way!

Really, Shawn?

Golly. ;)
Title: Re: Avast Forum Hack - Results of Analysis
Post by: firemun on June 11, 2014, 01:33:50 AM
Quote from: K@ on June 10, 2014, 05:42:10 AM
Quote from: firemun on June 08, 2014, 11:49:07 PM
I'm Team SMF all the way!

Really, Shawn?

Golly. ;)

Yeah, really :) Avast was just looking for a scapegoat from what I can tell. It would be embarrassing for a security company to admit to having horrible security practices. So they turned it on SMF without really considering their own fault in it all. I am with y'all on this one :)
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Ninja ZX-10RR on June 11, 2014, 02:15:39 AM
Quote from: firemun on June 11, 2014, 01:33:50 AM
Quote from: K@ on June 10, 2014, 05:42:10 AM
Quote from: firemun on June 08, 2014, 11:49:07 PM
I'm Team SMF all the way!

Really, Shawn?

Golly. ;)

Yeah, really :) Avast was just looking for a scapegoat from what I can tell. It would be embarrassing for a security company to admit to having horrible security practices. So they turned it on SMF without really considering their own fault in it all. I am with y'all on this one :)
I believe everyone here thinks the same ;) probably they made a pretty good anti-virus (even if it detects way too many false-positives) but they proved they suck hard with their own security...
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Antechinus on June 11, 2014, 03:24:07 AM
Yeah well no point rubbing it in. Everyone gets hacked sooner or later.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Ninja ZX-10RR on June 11, 2014, 03:32:49 AM
Quote from: Antechinus on June 11, 2014, 03:24:07 AM
Yeah well no point rubbing it in. Everyone gets hacked sooner or later.
Well if you build up a system with no security flaws you can't get hacked through the system itself :) the only way that such a thing can happen could be that another site gets hacked and an admin using the same password on multiple websites, exactly the same thing that happened here but that was human fault not system's ;)
Title: Re: Avast Forum Hack - Results of Analysis
Post by: 青山 素子 on June 11, 2014, 01:12:44 PM
Quote from: Flavio93Zena on June 11, 2014, 03:32:49 AM
Well if you build up a system with no security flaws you can't get hacked through the system itself :)

There is no such thing as a system with no security flaws. The best you're going to get is software that can be mathematically proven to match your requirements, but that only holds up if the assumptions underlying the proof are correct. It's also really expensive and doesn't scale well with complexity.

Securing a system is a practice in balancing accessibility and ease of use with prevention of malicious use. The most secure system is one encased in concrete and dumped in a trench in the ocean, but it's not usable.

It's sad that Avast disengaged in the investigation process after the SM investigators found some problems that didn't point to SMF itself.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: kat on June 11, 2014, 01:50:34 PM
We have about as much chance of them fessing-up as the British government have of fessing-up that they're idiots. ;)

If I was the boss, at Avast, I'd've fessed-up, particularly if it'd been the "fault" that it seems to be.

"See? No matter how good your security is, human-error is something that even we can't secure against. Watch yourself". :)
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Ninja ZX-10RR on June 11, 2014, 05:08:58 PM
Quote from: 青山 素子 on June 11, 2014, 01:12:44 PM
Quote from: Flavio93Zena on June 11, 2014, 03:32:49 AM
Well if you build up a system with no security flaws you can't get hacked through the system itself :)

There is no such thing as a system with no security flaws.
Well I was saying that because SMF 2.0.7 has no (known) security issues ;)
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on June 14, 2014, 09:31:21 AM
Remember they said they were going to go to a new forum software, one that's more secure than SMF?

Their forum is again open - https://forum.avast.com/ - oh look... ;D
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Dragooon on June 14, 2014, 09:35:19 AM
I swear I've seen that forum software before.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Lou69 on June 14, 2014, 09:48:08 AM
 ;)  Well, it does look familiar. Something about the blue and orange colors?

Anyway, glad they are back online and using SMF. So far the mods/admins/CSR are being helpful to their membership and not trashing SMF. A couple of members did express a bit of angst about SMF but that will always be the case. Every software has those that do not like it for one reason or the other.

https://forum.avast.com/index.php?topic=150636.0
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on June 14, 2014, 10:13:09 AM
Oh there are several people in that thread trashing SMF and I wouldn't entirely disagree - the methods used to get in were certainly not helped by what could be done once inside, but all of the salient points stand: it's not ultimately SMF's fault.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: SaltedWeb on June 14, 2014, 11:25:13 AM

I have a dozen smf forums, and one xenforo, the xenforo gets more spam and security issues.
I've been using the internet since before BBS were used. I was a security adviser for a well-known email program. Now, this was old school, but what I can say is that 9 out of 10 times or more when there was a security issue (and this has not changed), it was because a user did something, not the software. It's like people that download torrents and then ****** they get hacked. Not bashing XenForo, but I find it to allow a lot of spam through. I get none on my SMF forums. I have no doubt that SMF is not a security risk. I find it suspect; perhaps this story was planted, infiltrated or plain made up, and there may be a more hidden agenda. It's not like someone would not make this up too, and who else to go after than the best bar-none free forum on the web. Most paid versions never come close.
That's because SMF is built with passion, not dollar signs. And it reflects its users, most of whom are the same way: making money is great, but also enjoying it while you do is the base for SMF and her community.

Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on June 14, 2014, 12:49:21 PM
Quote:
I have a dozen smf forums, and one xenforo, the xenforo gets more spam and security issues.

Spam is not a security issue, nor has XenForo ever had any known security issues.

/me is a licence holder btw

Quote:
Most paid versions never come close.

On the contrary, I consider XenForo a superior platform in a number of respects, even as much as I like SMF.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: 青山 素子 on June 14, 2014, 11:55:21 PM
SMF is an awesome product, and we're (everyone involved in some way) rightly proud of our security record. That's why we were so hurt when the rumors started about there being an issue. We're still very open to anyone who wants to approach us because of a security issue they found.

Quote from: ‽ on June 14, 2014, 12:49:21 PM
On the contrary, I consider XenForo a superior platform in a number of respects, even as much as I like SMF.

That's not a bad thing, either. XF is maintained by a dedicated paid team, which means it gets solid focus with smaller resources. Open source projects only work that way when you have a large team working on spare time, or a lot of people who are extremely dedicated and active.

Also, competition is good. It's what keeps things getting better. For some time, SMF was perhaps the strongest forum solution free or paid (outside niche cases). That led to some serious lack of effort to improve. Combine that with developer burn-out for various reasons causing slow development, and SMF now has some very strong competition that the team let get ahead. It can be hoped that now the team will be hungry for success and to re-live the moments of being the best. I can only hope that the team can come together to plan an even better future and deliver on it. I know I'll be doing my small part to support them.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: a10 on June 15, 2014, 10:16:49 AM
Quote:
SMF is an awesome product, and we're (everyone involved in some way) rightly proud of our security record -/-

^^^ good post.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Omega X on June 16, 2014, 04:51:29 PM
I'm glad that this was handled swiftly and professionally.

Hopefully their anti-virus team isn't as nonchalant as the web team.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Itchigotim on June 18, 2014, 09:58:55 PM
What I took away from this (aside from it being handled expertly) is:

Nothing is totally secure, if someone wants in, there is probably a way, even if it's unknown at the time no matter what the software.

Protect your passwords and don't reuse them.

If you understand these 2 things, 99.5% of the time you'll be ok. :)

I didn't know anything about any forum software before I settled on SMF. I chose it because of what I read about it. I read nothing but good things and I didn't see that kind of sentiment across the board on any other software.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Ninja ZX-10RR on June 18, 2014, 10:09:36 PM
Quote from: Itchigotim on June 18, 2014, 09:58:55 PM
I read nothing but good things
Actually if you search well you can find bad feedback but this is not the place to talk about this ;)
Title: Re: Avast Forum Hack - Results of Analysis
Post by: ranseyer on June 19, 2014, 10:44:36 AM
Maybe it would be a good idea to sign the "packages" (= SMF patches) like Debian does with a PGP Key. So the Package Manager can only install (per default) Packages which are built by the SMF Team.


Yes, it's work, but I could help.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Kindred on June 19, 2014, 10:45:53 AM
No, it would not... The package manager is used to install MODS as well, which allows you to customize your SMF installation.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Deaks on June 19, 2014, 11:00:48 AM
Not sure why anyone would want to restrict the customization ability of SMF, considering the issue that caused the hack was done not only on this site as well as Avast but also other sites that don't run SMF.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Ninja ZX-10RR on June 19, 2014, 11:16:50 AM
Quote from: ranseyer on June 19, 2014, 10:44:36 AM
Maybe it would be a good idea to sign the "packages" (= SMF patches) like Debian does with a PGP Key. So the Package Manager can only install (per default) Packages which are built by the SMF Team.


Yes, it's work, but I could help.
Also it would restrict any unofficial mod and it's not a good idea. How could modders try their mods if they aren't authorized? Lol
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Antes on June 19, 2014, 11:23:33 AM
Quote from: Flavio93Zena on June 19, 2014, 11:16:50 AM
Quote from: ranseyer on June 19, 2014, 10:44:36 AM
Maybe it would be a good idea to sign the "packages" (= SMF patches) like Debian does with a PGP Key. So the Package Manager can only install (per default) Packages which are built by the SMF Team.


Yes, it's work, but I could help.
Also it would restrict any unofficial mod and it's not a good idea. How could modders try their mods if they aren't authorized? Lol

A Generic key, like MS do for KMS installs, you can't activate (pre-activate) KMS on systems - MS gives generic keys for installs. We do the same for mods, give a generic key(ID) to mod authors to enter (to test), or even we can put a setting to allow unauthorized mods install (Android does that).
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Kindred on June 19, 2014, 11:28:49 AM
useless.

We're open source.

That means we would need to issue a key to anyone who makes a mod...   and then the hacker can get the key as easily as a real modder...
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Deaks on June 19, 2014, 11:31:03 AM
Adding to Kindred: the idea is to encourage more creations; adding a key would restrict the contributions etc.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: SaltedWeb on June 19, 2014, 11:58:01 AM
Quote from: ‽ on June 14, 2014, 12:49:21 PM
Quote:
I have a dozen smf forums, and one xenforo, the xenforo gets more spam and security issues.

Spam is not a security issue, nor has XenForo ever had any known security issues.

/me is a licence holder btw

Quote:
Most paid versions never come close.

On the contrary, I consider XenForo a superior platform in a number of respects, even as much as I like SMF.

I beg to differ. XF has security issues; in particular, the last was a Tapatalk issue.
Now true, it's a plugin, but it manipulated XF security limits; this was not an issue with SMF.
A person could access Admin areas pretty easily.
Also, XF may be superior in some ways, but in others it falls short of SMF. They have a very small staff and are very slow to address security issues, and support is dismal. You can do your own research and google and see that working with the forums and staff are all but pleasant experiences. Of course that is your opinion and this was mine.
We are all just having a friendly discussion, is my intent. Not trying to challenge your good name here, but I do stand by my own experiences.

Point was not to bash XF; it was to show that even paid software can have issues, and there have been several since XF started very recently in the forum game. So not sure why you would say there are not when even XF recognizes past issues.
And I have not had these issues at any time over the years with SMF.

SMF is far superior to most forums out there; it's not about fluff and add-ons like XF has, it's about reliability and stability.
If one leaves SMF alone and does not mod the heck out of it, it's about as stable as it gets. SMF has a decade of proven grounds.
XF is the new kid on the block and has hardly proven itself. Comparing the two is like apples and oranges.




Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on June 19, 2014, 12:20:45 PM
Quote:
I beg to differ. XF has security issues; in particular, the last was a Tapatalk issue.
Now true, it's a plugin, but it manipulated XF security limits; this was not an issue with SMF.
A person could access Admin areas pretty easily.

Tapatalk breaking any security protocol is a Tapatalk problem. At one time the Tapatalk plugin could break into the admin area in SMF too.

Quote:
They have a very small staff and are very slow to address security issues, and support is dismal. You can do your own research and google and see

Two full time developers built XF in a year from scratch. A horde of part time people has yet to even push out a partial update to 2.0 in the form of 2.1 in 3 years.

Given that I have actually reviewed XF's code, and all the updates... the only concern I have ever encountered was with swfupload which wasn't actually XenForo's own component and a large number of other systems had trouble with it too (and I never enabled it anyway)

I have done my own research and lurked around XF's forums for some time. The support response seems more efficient than it does here, even from people who are volunteers themselves.

Quote:
SMF is far superior to most forums out there; it's not about fluff and add-ons like XF has, it's about reliability and stability.

That's why 2.0 shipped with hundreds of known defects, a small number of which were fixed in 2.0.7 alongside the PHP 5.5 compatibility stuff, and a large number of which are still present in 2.1. I've even seen the dev team adding code recently without even testing it. Most of the interesting/complex code in SMF was written years ago by people who don't even remember it, nor remember why it was added, and I can be fairly sure in asserting that I could point things out in the source that people would not understand why it was done.

As a trivial example I give you https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/index.php#L39 - doing the same unset operation twice in a row. I know exactly why that's like that, I also know it can now be changed to be sane again but I doubt the bulk of the dev team would understand it without an unnecessarily long explanation of why.

That's why a bug that allowed users to "fake" usernames was left unpatched for over 2 years (I know, I'm the one who fixed it in 2.0.6)

And honestly if you dig deeper there are security issues at play. What happened with Avast could not physically have happened if they were using XenForo, IPB or other systems. Physically impossible - bear in mind I've seen the code itself, I know *precisely* what was done once admin access was obtained. It only worked because the theme editor allows for anyone with admin access to directly edit PHP files as well as the package manager allows raw PHP to be uploaded and executed from the ACP. All the big systems long since moved to a template engine that utterly negates the theme editor and almost all of them require FTP/SFTP uploads manually specifically so that a miscreant who breaks into an admin account can't make things worse. But none of this will change because 'it's so flexible and convenient' to have this. I've known about the fragility of this stuff for years and been campaigning for years to get it changed but it's always been discouraged.

It would be possible for someone with more limited permissions to escalate their permissions upwards. It's possible for a non-admin under limited circumstances to steal an admin's account (they only need manage-boards or manage-permissions). And it's been a vulnerability for years, every time a new release comes out, it never gets fixed because "it would break backwards compatibility". And this has been *known* for years. I've known about it for 4 years for example. A similar vulnerability existed in censored words but that was 'fixed' by making it an admin only area back in 2010.

SMF has more than a decade, yes. XenForo has 4 years, and that's before you factor in the years of experience its developers had being the main developers of vBulletin before that. (Kier Darby was the former lead developer of vBulletin in 3.x days.)


EDIT: I just found another vulnerability. It's not the easiest to exploit in the world but it's entirely possible by way of social engineering.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: samborabora on August 04, 2014, 02:42:28 PM
Quote from: ‽ on June 19, 2014, 12:20:45 PM
As a trivial example I give you https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/index.php#L39 - doing the same unset operation twice in a row. I know exactly why that's like that, I also know it can now be changed to be sane again but I doubt the bulk of the dev team would understand it without an unnecessarily long explanation of why.

I'm intrigued, why IS it unset twice in a row?
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on August 04, 2014, 02:47:59 PM
Because it's a vulnerability in PHP itself that was fixed in PHP 5.1.4.

Quick bit of theory: in PHP there are really two kinds of arrays, numeric and hashmap. The latter is where it doesn't use the actual 'key' you give it but instead creates a hash out of it and uses that. Under some circumstances prior to 5.1.4, unsetting a key in an array would clean out one key but a second variation of the key would produce the same hash. It's known as the Zend_Hash_Del_Key_Or_Index vulnerability inside the Zend engine that powers PHP itself.

Unsetting it twice in a row is required to neuter the vulnerability. SMF 2.0 still supports below PHP 5.1.4 so it had to be patched like that. 2.1 until very recently supported 5.1.0 as a minimum target version, which still required said patch, but now is 5.3.8+ and so it can be changed. But it's the kind of fringe detail that only miserable old farts like me would know about.
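
The behaviour described in the post above, as a simplified model added here (not part of the thread, and not Zend engine or SMF code): a delete-by-string-key that can be satisfied by a numeric entry sharing the key's hash, so one unset leaves the string key in place and a second one removes it. The table layout, `toy_hash`, the key name `some_var` and the `strict` switch are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define SLOTS 8
/* key_len == 0 marks a numeric-index entry; its index is stored in h. */
struct entry { int used; unsigned long h; const char *key; size_t key_len; };

/* Toy string hash standing in for the engine's real one. */
static unsigned long toy_hash(const char *s) {
    unsigned long h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* Store in the first free slot; key == NULL means numeric index h. */
static void put(struct entry *t, unsigned long h, const char *key) {
    int i = 0;
    while (i < SLOTS && t[i].used) i++;
    if (i < SLOTS) t[i] = (struct entry){1, h, key, key ? strlen(key) : 0};
}

/* Does entry p hold exactly the string key k? */
static int is_key(const struct entry *p, const char *k) {
    return p->used && p->key && p->key_len == strlen(k) && !memcmp(p->key, k, p->key_len);
}

/* Delete by string key, first match only. With strict == 0 a numeric entry
   whose index equals hash(k) also matches: the modelled flaw. */
static void del_str(struct entry *t, const char *k, int strict) {
    unsigned long h = toy_hash(k);
    for (int i = 0; i < SLOTS; i++) {
        if (!t[i].used || t[i].h != h) continue;
        if (is_key(&t[i], k) || (!strict && t[i].key_len == 0)) { t[i].used = 0; return; }
    }
}

/* Returns 1 if the string key is still present after `unsets` deletes. */
int survives(int strict, int unsets) {
    struct entry t[SLOTS] = {{0}};
    int found = 0;
    put(t, toy_hash("some_var"), NULL);        /* numeric index == hash of the key */
    put(t, toy_hash("some_var"), "some_var");  /* the string key (constructed name) */
    while (unsets-- > 0) del_str(t, "some_var", strict);
    for (int i = 0; i < SLOTS; i++) found |= is_key(&t[i], "some_var");
    return found;
}

int main(void) {
    printf("flawed x1=%d flawed x2=%d strict x1=%d\n", survives(0, 1), survives(0, 2), survives(1, 1));
    return 0;
}
```

In the model, the strict comparison makes a single unset sufficient, which matches the post's point that the doubled unset is only needed while older PHP versions are supported.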
Title: Re: Avast Forum Hack - Results of Analysis
Post by: nadialeigh on August 10, 2014, 07:44:32 AM
I hope they will fix it soon. Is there any problem if I use Avast antivirus? It could be possible that if hackers are handling the forum then they can do anything with the entire platform.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Kindred on August 10, 2014, 07:51:11 AM
No... That's not how it works.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: samborabora on August 10, 2014, 09:19:40 AM
Quote from: ‽ on August 04, 2014, 02:47:59 PM
Because it's a vulnerability in PHP itself that was fixed in PHP 5.1.4.

Quick bit of theory: in PHP there are really two kinds of arrays, numeric and hashmap. The latter is where it doesn't use the actual 'key' you give it but instead creates a hash out of it and uses that. Under some circumstances prior to 5.1.4, unsetting a key in an array would clean out one key but a second variation of the key would produce the same hash. It's known as the Zend_Hash_Del_Key_Or_Index vulnerability inside the Zend engine that powers PHP itself.

Unsetting it twice in a row is required to neuter the vulnerability. SMF 2.0 still supports below PHP 5.1.4 so it had to be patched like that. 2.1 until very recently supported 5.1.0 as a minimum target version, which still required said patch, but now is 5.3.8+ and so it can be changed. But it's the kind of fringe detail that only miserable old farts like me would know about.
So it was still a requirement for supporting earlier versions? Thanks for the info, I didn't know there were certain hacks in there to overcome certain issues with php itself.

I wonder why Avast blamed a third-party forum software, seems kinda unprofessional.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on August 10, 2014, 09:24:11 AM
Yes, it's still a requirement in the 2.0 branch of the code to support pre-5.1.4 versions but it can safely be removed from 2.1 since the minimum target version is 5.3.8 now.

And yes, there are quite a few comments like that in the source where SMF is patching around issues in old versions of PHP.

Avast's blaming a third party software is understandable; a security firm accepting poor security practices on themselves would not be a wise marketing move. Easier to blame a third party, especially when it's 'written by amateurs' and whatever other nonsense normally gets spouted.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Ninja ZX-10RR on August 10, 2014, 09:33:02 AM
Now they claim that they are using their own SSL encryption for passwords... I am not entirely sure about what that means. Do they claim that the data was spoofed or something? O.o

About them being professional, check my (angry) comment here: http://www.simplemachines.org/community/index.php?topic=523494.msg3704958#msg3704958. Do they look professional to you for that?
Title: Re: Avast Forum Hack - Results of Analysis
Post by: SaltedWeb on August 26, 2014, 12:15:03 PM
Quote from: ‽ on August 10, 2014, 09:24:11 AM
. Easier to blame a third party, especially when it's 'written by amateurs' and whatever other nonsense normally gets spouted.

Well maybe these so-called Amateurs should work at Avast and then things would work better, as the monkeys over at Avast are too busy cleaning ticks off each other.

We all see the government workers holding job security digging a 6x6x6 ditch that takes two days with 5 people and a back hoe.
Then you see a non-profit organization clean an entire highway with 5 people and trashbags.
Avast is marketing job security and wouldn't know hard work to get it done if it fell in their lap.
This latest outburst this year by them and the (my opinion) disrespectful way it was done. I won't be a buyer, free or not, from them.

SMF is the best free software on the planet and runs circles around many paid forums both secure and options.
The work here is a work of passion, not a lets all get rich quick you see so much.
SMF may not be perfect, but how can you compare the hard work done here by people that actually give shoot, to people who want a paycheck the next ten years and will stop at nothing to secure retirement.

Just how I feel, there is right and wrong in this world and seems too many are forgetting we are supposed to act like we are civilized.


Title: Re: Avast Forum Hack - Results of Analysis
Post by: Shanzer on August 28, 2014, 12:02:55 PM
I have never known Simple Machines to be less than completely professional. It seems to me that a company who produces security software should know how to protect their own forum. Apparently they made mistakes and due to embarrassment tried to blame others. At first they refused help from SM because they knew they were at fault. Gradually they began to communicate when they realized they were unable to understand and fix the problem. Avast should take responsibility for their own mistakes and lack of competence. Turns out, SM was not at fault and was completely honest. This tells us something about Avast as a company and about the skill of their people. It's not a major feat to maintain a secure installation of SMF. I would be embarrassed too if I ran a company who made millions selling security software and couldn't maintain security on a forum, especially with the amount of support that is available with SMF. I have never used an Avast product, and wouldn't consider doing so. In my personal opinion, Avast is the "BigLots" of the security industry.

Title: Re: Avast Forum Hack - Results of Analysis
Post by: 青山 素子 on August 28, 2014, 06:40:16 PM
Quote from: Shanzer on August 28, 2014, 12:02:55 PM
It seems to me that a company who produces security software should know how to protect their own forum.

Skills in one area don't often translate over. I know some people who are good coders but couldn't troubleshoot a hardware issue on their development system at all. That said, a company that deals in computer security should be smart enough to know they need people with the right skills.

So keep in mind that security is a process, not a product (https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html) nor is it a destination (http://www.tripwire.com/state-of-security/security-awareness/given/). No matter how well you defend yourself, if you offer access of any kind, you can be attacked. It doesn't matter if it's your own custom code or that of a third party. While you can take steps to make things less likely by picking third-party products that have good records or using extensive testing on custom code, you'll never find every possible issue in anything complex.

The right steps would have been to acknowledge the issue, work to find the cause without offering any kind of public blame, seek to get that issue fixed, and then put out a report detailing as best you can what happened and how you fixed it. Especially as a security company, you live by your reputation. Turning a public failure into a good example for your customers won't win all of them back, but it may get you some new ones.

Could Avast have fully protected themselves? Doubtful. It's just not possible with the complexity of web applications today. Could they have handled the situation better? Certainly.


Quote from: Shanzer on August 28, 2014, 12:02:55 PM
In my personal opinion, Avast is the "BigLots" of the security industry.

Nah, that's more the domain of AVG, or at least has been lately. Avast has always been the slightly more indie product, more of a Tuesday Morning.

(For those not familiar with the brands, Big Lots and Tuesday Morning are both retail liquidators (https://en.wikipedia.org/wiki/Closeout_%28sale%29), but Big Lots is considered more down-scale and Tuesday Morning positions itself as an upscale store.)
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on August 28, 2014, 06:48:54 PM
Without raking over the details too much, there are certain practices that I am surprised were not followed. I would expect better in that particular arena from a security company precisely because the same rules apply in other security contexts and *are* transferrable.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: 青山 素子 on August 28, 2014, 08:00:01 PM
Quote from: ♥ on August 28, 2014, 06:48:54 PM
Without raking over the details too much, there are certain practices that I am surprised were not followed. I would expect better in that particular arena from a security company precisely because the same rules apply in other security contexts and *are* transferrable.

Yes, of course there are steps they could have done to better protect themselves. There are best practices they probably didn't follow. It would be interesting to know why, and they certainly could have turned it into a moment to show their users that even people who should know better can sometimes still fail and how to ensure that their (the customers) systems and websites aren't vulnerable in the same way.

Either way, they wasted the chance to turn a public loss of confidence into a PR win (or at least a wash). As I said, as a security company, they deal in trust. The way they handled the situation really damaged that beyond the hit from the forum issue itself.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on August 28, 2014, 08:11:38 PM
I would suspect the same reason as most other people: convenience.

What really threw me was the PR piece about how they were going to move to a new forum software - and then relaunched with SMF.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: butchs on August 28, 2014, 08:29:52 PM
I am surprised this thread is still going.  Has this become a chest pounding extravaganza?  Why continue to throw rocks at a dead horse?
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Arantor on August 28, 2014, 08:32:13 PM
Because someone decided to bump it and we tried to quell the flames.

No chest pounding here.
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Deaks on August 28, 2014, 08:45:53 PM
maybe this should be locked now
Title: Re: Avast Forum Hack - Results of Analysis
Post by: Kindred on August 28, 2014, 09:12:20 PM
Agreed