SMF 1.1.6 Remote Code Execution Exploit

Started by osjak, November 05, 2008, 07:53:47 AM

osjak

To the SMF team: deleting my post at this forum about this exploit only confirms that there is a vulnerability in SMF and you are trying to hide it. This is very irresponsible on your part. If this is in fact a working exploit, your users deserve to know their websites are in danger. Bad guys know that already for sure.

http://forum.joomla.org/viewtopic.php?f=267&t=340826

N3RVE

Hello osjak,
Thanks for airing your concerns.
I moved the topic and sent you a PM.

Quote from:
Hey! Osjak,
Thanks for the report, we're indeed aware of this and are yet to prove it won't work, as the developers are yet to confirm. For the time being, I've moved the topic to the Staff boards.

Please, use the security report form next time ;)
http://www.simplemachines.org/about/security.php

-[n3rve]

Security vulnerabilities shouldn't be reported on the Support boards.

Thank you,
-[n3rve]
Ralph "[n3rve]" Otowo
Former Marketing Co-ordinator, Simple Machines.
ralph [at] simplemachines [dot] org
Quote: "Somewhere, something incredible is waiting to be known." - Carl Sagan

Deaks

osjak, we do thank you for pointing this out. However, constantly posting this on the forum as well as on other sites does not make it easier for us to confirm the report. We have regulations for situations like this, and that is to post a security report; the dev team as well as team members will use their knowledge to recreate the issues, and if it is felt needed a patch will be released. Can I please ask you to hold on and understand that we are working on it? Constant posting is not helping anyone.
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

osjak

[n3rve], Runic Warrior,
Thank you for taking note of this topic and publicly responding.
The security form makes sense when I am the original person who found a vulnerability. In that case submitting my discovery privately keeps it from getting into the wrong hands. What we have here is the opposite - the information is already in the wrong hands and is available to every person with Internet access who wishes to get it. In this case SMF users should be informed that this is what's going on out there. I understand that it takes time and manpower to figure out if an exploit is real and how it can be patched. I am not here to demand solutions right away. But I believe that SMF users are the very people that will suffer if this information is not on this forum. As a forum admin I can now make an informed decision - to cross my fingers and run my site the way it is, or temporarily disable attachments and wait for your information release.

Deaks

osjak, we are also forum owners. When posting it publicly you are creating a potential fear amongst users, which in turn can make the situation worse than it is. We understand exploits are important; however, posting publicly, especially a link, can make it worse by allowing more potential hackers (illegal ones) to use and try it, thus making more of a mess.

Now I have not checked the topic regarding this exploit yet today, however I do know by looking at the posts that it is being discussed a lot, and if it is felt a patch is needed then one will be released.

osjak

Quote from: Runic Warrior on November 05, 2008, 08:43:25 AM
osjak, we are also forum owners. When posting it publicly you are creating a potential fear amongst users, which in turn can make the situation worse than it is.
You look at users as fragile creatures that need an informational greenhouse to survive. I doubt that this is what an average forum admin is, otherwise he/she would not be an admin for long. You call it "potential fear", I call it concern. A concerned but prepared admin is in a better position than an admin with a cracked site that has no concerns. It is okay for an admin to be concerned about his forum security. I am concerned all the time; that's why I am subscribed to sites like milw0rm - to be aware of dangerous developments early enough, before they hit my sites.

Quote from: Runic Warrior on November 05, 2008, 08:43:25 AM
We understand exploits are important; however, posting publicly, especially a link, can make it worse by allowing more potential hackers (illegal ones) to use and try it, thus making more of a mess.
I seriously doubt that illegal hackers discover new exploits reading this forum. They already know about it from other places they socialize at, regardless of my post here. My post here informs the SMF users that do not read hackers' websites, that's all.

This is great that SMF team is working on it and I will be waiting patiently for the outcome. Thank you!

N3RVE

Quote from: osjak on November 05, 2008, 09:03:08 AM
I seriously doubt that illegal hackers discover new exploits reading this forum. They already know about it from other places they socialize at, regardless of my post here. My post here informs the SMF users that do not read hackers' websites, that's all.

This is true, but there have been cases where malicious users (not necessarily hackers) take advantage of such exploits and try to harm other users. I understand your concerns, but I really didn't see it necessary to post this after I had sent the PM.
Regardless,
As a temporary measure, you should rename your attachments directory to something else (preferably random alpha characters) and also ensure that the Admin CP has the correct directory name in 'Attachments and Avatars'.

Should you wish to go one step further, then you could temporarily comment out the packages lines from within the action array inside the index.php file in your SMF dir.

Change lines:
Code (Find)

'packageget' => array('PackageGet.php', 'PackageGet'),
'packages' => array('Packages.php', 'Packages'),

Code (Replace)

// 'packageget' => array('PackageGet.php', 'PackageGet'),
// 'packages' => array('Packages.php', 'Packages'),

-[n3rve]

osjak

[n3rve], excellent suggestions! Thank you!

osjak

There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some time line from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.

青山 素子

The developers know about it, and it is being worked on. They need to find the source of the issue first, so a real solution is made instead of something that just hides the problem.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Jorin

Quote from: osjak on November 05, 2008, 08:36:05 AM
What we have here is the opposite - the information is already in the wrong hands and is available to every person with Internet access who wishes to get it. In this case SMF users should be informed that this is what's going on out there. I understand that it takes time and manpower to figure out if an exploit is real and how it can be patched. I am not here to demand solutions right away. But I believe that SMF users are the very people that will suffer if this information is not on this forum. As a forum admin I can now make an informed decision - to cross my fingers and run my site the way it is, or temporarily disable attachments and wait for your information release.

I too would love to get informed by simplemachines itself about such security issues, so I can inform the group of not so experienced users and admins, who will never get this kind of information if it is not posted by you or me.

xact

Quote from: osjak on November 06, 2008, 02:00:34 AM
There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some time line from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.

I've seen that; any idea if disabling the theme changing and avatars uploading/attachments will do the job?
photography

Tony Reid

From what I have seen, in addition to the above suggestion it would also be an idea to comment out the themes and jsoption lines from the action array in the same way packages and packageget were done.


Tony Reid
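The interim measures from n3rve's and Tony Reid's posts above, put together as one script: comment out the packageget, packages, themes and jsoption entries in the action array of index.php, and move the attachments directory to a random name. This is an added example written for this page, not code from the thread or from Simple Machines. It assumes the stock 1.1.x index.php, where each action is one line of the form 'name' => array('File.php', 'Function'), and it leaves the Admin > Attachments and Avatars update to you, as n3rve notes; the file names in the usage line are assumptions. Keep the index.php.bak it writes so the actions can be restored after the official patch.

```sh
#!/bin/sh
# Interim hardening for SMF 1.1.x while waiting for the patch. Added example,
# not Simple Machines code. Applies the two measures from this thread:
# comment out the package/theme actions in index.php, and move the
# attachments directory to a random name. Assumes the stock 1.1.x index.php,
# where every action is one line of the form
#     'name' => array('File.php', 'Function'),
set -eu

# disable_actions INDEX ACTION...
# Prefix each listed action entry in INDEX with "// " so SMF no longer
# dispatches to it. Writes INDEX.bak first. Prints how many entries changed;
# entries already commented out (or absent) are skipped, so re-running is safe.
disable_actions() {
    index="$1"; shift
    changed=0
    cp "$index" "$index.bak"
    for action in "$@"; do
        if grep -q "^[[:space:]]*'$action' => array(" "$index"; then
            sed -i.tmp "s|^\([[:space:]]*\)'$action' => array(|\1// '$action' => array(|" "$index"
            rm -f "$index.tmp"
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# check_disabled INDEX ACTION...
# Succeed only if none of the listed actions is still live in INDEX.
check_disabled() {
    index="$1"; shift
    for action in "$@"; do
        if grep -q "^[[:space:]]*'$action' => array(" "$index"; then
            echo "still enabled: $action" >&2
            return 1
        fi
    done
    return 0
}

# rename_attachments_dir DIR
# Move DIR to a sibling directory with a random 16-letter name and print the
# new path. Enter that name afterwards under Admin > Attachments and Avatars,
# or uploads and downloads will break.
rename_attachments_dir() {
    dir="$1"
    parent=$(dirname "$dir")
    name=$(LC_ALL=C tr -dc 'a-z' < /dev/urandom | head -c 16)
    mv "$dir" "$parent/$name"
    echo "$parent/$name"
}

# Command-line use from the forum root (file names are assumptions):
#     sh smf_interim_fix.sh ./index.php ./attachments
if [ "$#" -eq 2 ]; then
    disable_actions "$1" packageget packages themes jsoption
    check_disabled "$1" packageget packages themes jsoption
    rename_attachments_dir "$2"
fi
```

Running it twice is harmless: entries that are already commented out are counted as unchanged. The random directory name only hides the attachments if the web server does not produce directory listings for the forum's parent directory; it is a stopgap until the real patch, not a replacement for it.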

Kermit

AdminCP
Attachments and Avatars
Encrypt stored filenames

should be activated too; it will also encrypt the names of the attachments, which means that we cannot execute a file just by typing


http://[website]/SMF/index.php?action=packages;sa=install2;package=[filename]


That would not work if we activate the option above.
My Mods
Please don't PM/mail me for support,unless i invite you
Formerly known as Duncan85
Quote: "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." - A. Einstein


yaax

Note that there also exists a second exploit:
Quote
The "theme_dir" setting of users is not properly verified before being used, which can be exploited to include arbitrary files from local resources.

Successful exploitation in combination with malicious uploads (e.g. avatars) allows to execute arbitrary PHP code, but requires a valid user account.


It requires a fix in Sources/QueryString.php & Sources/Themes.php with magic_quotes == Off

I don't wish to give a link, but all security sites are full of links to this problem. And it is more critical than the problem with packages.
Free SMF hosting:
http://www.ForumSide.com/

Free OpenCart shop hosting -
http://www.GetFreeShop.com/
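A check for the second issue yaax quotes above (a member's theme_dir setting used in an include without verification), as an added example that is not part of the thread or of Simple Machines' code: it audits the stored theme_dir values and flags any that are relative, that resolve outside the Themes directory, or that carry a %00 or \0 sequence. It assumes you have exported those values as tab-separated id_member, id_theme, value rows; in SMF 1.1 they live in the smf_themes table (columns ID_MEMBER, ID_THEME, variable, value; the table prefix depends on your install). The sample rows in the script are constructed, not real data. On the magic_quotes mention in the same post: of PHP's three magic_quotes directives, magic_quotes_gpc is the one that acts on request input (GET, POST and cookies), escaping quotes, backslashes and NUL bytes; magic_quotes_runtime acts on data read at runtime and magic_quotes_sybase only changes the escaping style. None of them is a fix; the fix is the change to Sources/QueryString.php and Sources/Themes.php that yaax mentions.

```sh
#!/bin/sh
# Audit stored theme_dir values for signs of the theme_dir include problem.
# Added example, not Simple Machines code. Input: one row per line,
# "id_member<TAB>id_theme<TAB>value", e.g. exported with (prefix and column
# names as in SMF 1.1, adjust to your install):
#     mysql -B -N -e "SELECT ID_MEMBER, ID_THEME, value FROM smf_themes
#                     WHERE variable = 'theme_dir'" smf_db > theme_dirs.tsv
set -eu

# normalize_path PATH
# Lexically normalise PATH: drop empty and "." segments, resolve "..". No
# filesystem access: the directory may no longer exist, and following
# symlinks is not what we want when judging the stored string itself.
normalize_path() {
    printf '%s\n' "$1" | awk -F/ '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "" || $i == ".") continue
            if ($i == "..") { if (n > 0) n--; continue }
            parts[++n] = $i
        }
        out = ""
        for (i = 1; i <= n; i++) out = out "/" parts[i]
        print (out == "" ? "/" : out)
    }'
}

# audit_theme_dirs THEMES_BASE < rows.tsv
# Print "id_member<TAB>id_theme<TAB>value<TAB>reason" for every row whose
# value is relative, contains a NUL escape (%00 or \0), or does not resolve
# to THEMES_BASE or a directory below it. Exit 1 if anything was flagged.
audit_theme_dirs() {
    base=$(normalize_path "$1")
    flagged=0
    tab=$(printf '\t')
    while IFS="$tab" read -r id_member id_theme value; do
        reason=""
        case "$value" in
            *%00*|*'\0'*) reason="nul-byte" ;;
            /*) ;;
            *) reason="relative" ;;
        esac
        if [ -z "$reason" ]; then
            norm=$(normalize_path "$value")
            case "$norm" in
                "$base"|"$base"/*) ;;
                *) reason="outside-base" ;;
            esac
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\t%s\n' "$id_member" "$id_theme" "$value" "$reason"
            flagged=$((flagged + 1))
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Constructed sample export (not real data): the site-wide default
# (id_member 0), two ordinary members, and four values a tampered setting
# might hold.
row() { printf '%s\t%s\t%s\n' "$1" "$2" "$3"; }
sample_rows() {
    row 0  1 /var/www/forum/Themes/default
    row 42 1 /var/www/forum/Themes/default
    row 11 2 /var/www/forum/Themes//custom/./
    row 7  1 /var/www/forum/Themes/../attachments
    row 8  1 /etc
    row 9  1 '/var/www/forum/Themes/default%00'
    row 10 1 ../../attachments
}

# With no arguments, run the audit over the sample; otherwise audit stdin
# against the Themes directory given as the first argument:
#     sh audit_theme_dirs.sh /var/www/forum/Themes < theme_dirs.tsv
if [ "$#" -eq 0 ]; then
    sample_rows | audit_theme_dirs /var/www/forum/Themes || true
else
    audit_theme_dirs "$1"
fi
```

Any flagged row with a non-zero id_member is worth treating as a compromised account and checking that member's avatar and attachment uploads, since the advisory text above says code execution needs an uploaded file to include.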

osjak

Quote from: yaax on November 06, 2008, 12:45:20 PM
Note that there also exists a second exploit:
Quote
The "theme_dir" setting of users is not properly verified before being used, which can be exploited to include arbitrary files from local resources.

Successful exploitation in combination with malicious uploads (e.g. avatars) allows to execute arbitrary PHP code, but requires a valid user account.


It requires a fix in Sources/QueryString.php & Sources/Themes.php with magic_quotes == Off

I don't wish to give a link, but all security sites are full of links to this problem. And it is more critical than the problem with packages.
yaax, yes I was also trying to point that out:

Quote from: osjak on November 06, 2008, 02:00:34 AM
There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some time line from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.
Unfortunately we have to keep talking in code here, even though, as you already mentioned, all other sites are full of links to actual exploits and any bad-intended person can easily find them. Anyway, let's just hope that 1.1.7 will address both issues.

Can we also ask that there will be instructions on how to update the code manually? My sites are modified too heavily to be updated the conventional way.

yaax

Quote from: osjak on November 06, 2008, 02:00:34 AM
There is another SMF 1.1.6 exploit posted on milw0rm. I'm not going to post a link here, since you guys don't like it. But can we have some time line from you on when you will have a permanent solution?

By the way, for the second exploit NOT to work you need to turn magic_quotes ON. That seemed to stop it on my forum.

In PHP you have three kinds of magic_quotes - which one needs to be ON?
You have:
magic_quotes_gpc
magic_quotes_runtime
magic_quotes_sybase

I have magic_quotes_gpc as ON, but not sure regarding all others.

metallica48423

All, we are aware of both exploits and we will be pushing out a security patch as soon as it can be implemented and tested to ensure that the patches actually work for both issues.

Our goal is currently to have that patch release out by the end of the weekend, hopefully at the latest.  Normally these issues are patched within 48-72 hours after discovery, however due to the one-two punch and moderate to severe nature of these two it will be a bit longer to ensure that we can properly secure those who depend on our software.

A couple of team members have pointed out in this topic a small number of interim fixes to guard against these. I would recommend implementing these on a temporary basis to ensure that you are secured.

Thanks for your patience and understanding!

metallica48423
Lead Support Specialist
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote: Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


Useful Links:
Online Manual!
How to Help us Help you
Search
Settings Repair Tool

Advertisement: