
Hacked: 1.1.8 attachments / avatars still has a vulnerability

Started by rthrash, May 11, 2009, 11:07:12 AM

rthrash

And yes, it's from the infamous krisbarteo

For troubleshooting how it's accomplished, here's the initial error log from our site, cleaned up:


Error messages from IP (range) 94.142.129.147 for user krisbarteo

8: Use of undefined constant port - assumed 'port'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant host - assumed 'host'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant host - assumed 'host'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant query - assumed 'query'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant query - assumed 'query'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant query - assumed 'query'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant path - assumed 'path'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Undefined index: port
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant port - assumed 'port'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant port - assumed 'port'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Use of undefined constant php - assumed 'php'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM


For reference, we've disabled attachments and uploads for the time being which would have prevented this exploit. The end result was the c99cmdshell being uploaded and running amok for a few hours.

Are the vectors the script kiddies are exploiting patched in the 2.0 RC?
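
The notices above are the clearest indicator of this kind of compromise: PHP only attributes an error to a File: and Line: for code it actually parsed, so a notice pointing at an image under the attachments directory means that "image" was executed as PHP. The following is an added example, not part of this post or of SMF's own code: it parses a constructed log sample in the same format and flags such entries, then recovers the member id from the avatar file name (the log shows avatar_20623.jpg for u=20623). The directory names it matches on (/attachments/, /avatars/) and the third, benign sample entry are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the notice format quoted above; these are test
# entries, not a copy of any real server's log.
SAMPLE_LOG = """\
8: Use of undefined constant host - assumed 'host'
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Undefined index: port
File: /smf/forums/attachments/avatar_20623.jpg
Line: 1
?action=theme;sa=pick;u=20623;sesc Yesterday at 08:42 AM
8: Undefined variable: context
File: /smf/forums/Sources/Load.php
Line: 2213
?action=profile;u=42 Yesterday at 09:10 AM
"""

# Assumed upload locations: the SMF attachments dir and a custom avatar dir.
UPLOAD_DIRS = ('/attachments/', '/avatars/')
IMAGE_EXT = ('.jpg', '.jpeg', '.gif', '.png', '.bmp')

# One entry = "<level>: <message>" / "File: ..." / "Line: ..." / "<request> <time>"
ENTRY_RE = re.compile(
    r"^(?P<level>\d+): (?P<message>.+)\n"
    r"File: (?P<file>.+)\n"
    r"Line: (?P<line>\d+)\n"
    r"(?P<request>.*)$",
    re.MULTILINE,
)

def parse_entries(text):
    """Split an error-log dump into dicts: level, message, file, line, request."""
    entries = [m.groupdict() for m in ENTRY_RE.finditer(text)]
    for e in entries:
        e['line'] = int(e['line'])
    return entries

def in_upload_dir(path):
    low = path.lower()
    return any(d in low for d in UPLOAD_DIRS)

def flag_executed_uploads(entries):
    """PHP reports File:/Line: only for code it parsed, so an entry whose File:
    is an image under the upload tree means that file ran as PHP."""
    return [e for e in entries
            if in_upload_dir(e['file']) and e['file'].lower().endswith(IMAGE_EXT)]

def uploader_id(path):
    """Uploaded avatars are named avatar_<member id>.<ext> (see the log above);
    recover the id so the account can be locked and its other uploads pulled."""
    m = re.search(r'avatar_(\d+)\.', path)
    return int(m.group(1)) if m else None

def summarize(text):
    """Map each executed upload to (number of notices, uploading member id)."""
    flagged = flag_executed_uploads(parse_entries(text))
    counts = Counter(e['file'] for e in flagged)
    return {f: (n, uploader_id(f)) for f, n in counts.items()}

if __name__ == '__main__':
    for path, (hits, member) in summarize(SAMPLE_LOG).items():
        print('%s executed as PHP (%d notices), uploaded by member %s' % (path, hits, member))
```

The specific messages matter less than the file they point at: "Use of undefined constant host" is what PHP emits for an unquoted array key such as $u[host], which fits a script parsing a URL, but any notice at all from a file that should be pure image data is the tell. Run the same check over the web server's access log for direct hits on the flagged path to bound how long the shell was reachable.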

Aleksi "Lex" Kilpinen

Quote from: rthrash on May 11, 2009, 11:07:12 AM
For reference, we've disabled attachments and uploads for the time being which would have prevented this exploit. The end result was the c99cmdshell being uploaded and running amok for a few hours.
You seem to have things under control, do you still require some assistance related to this - or can this be marked as solved on the support point of view?
If you wish to discuss this issue further - it might be better out of the support boards.
Perhaps this should be moved to SMF Feedback and Discussion ?
Slava Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

rthrash

The fact that the avatar upload issue was supposed to be resolved with 1.1.8 definitely leads me to conclude the issue is not resolved. I would appreciate a moderator moving it to the proper locations for ongoing discussion.

Kermit

Quote from: StarWars Fan on May 12, 2009, 07:41:09 AM
Telling people to disable avatar attachment uploads is ridiculous.

Is it?

It's a temporary solution until the patch is released; if you have any other suggestion, just tell it!
My Mods
Please don't PM/mail me for support unless I invite you
Formerly known as Duncan85
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."

A. Einstein

Kermit

Quote from: StarWars Fan on May 12, 2009, 07:58:36 AM
Look, I'm a long-time user of SMF and quite frankly shocked that this kind of "trick upload" of a PHP file disguised as an avatar could actually occur with SMF.

We've constantly been told that "encrypted" uploads will protect you. And "SMF is a big boy and doesn't need its hand held". What happened?

I believe (I could be wrong) it's been over a week, and it appears that the support staff already knew about Krisbertwhatever even earlier.

What's the delay in getting a "make sure the avatar is really an image" patch out?

It's unfortunately not so easy to release a security patch as you thought; the devs are working hard on this issue, and don't forget we're all volunteers here. Also, you should just have patience and follow the temporary suggestions.

Aleksi "Lex" Kilpinen


rthrash

SMF should probably officially acknowledge this compromise vector, and officially recommend the temporary measure of locking down uploads until a patch is available. This is a bad, bad, bad thing going on here guys 'n gals, and it's going to affect more and more sites. (This is how we handle any security issues that arise at our CMS project which is running SMF with tens of thousands of users and hundreds of thousands of downloads.)

I'd also submit that the default configuration that ships with SMF be better-tweaked for security out of the box. No new avatars or forum attachments for us for now sadly.

rthrash

Quote from: StarWars Fan on May 12, 2009, 08:25:21 AM
Also, the hacker DID visit my forum and did not succeed. Why? Not sure, but, here's my setup:

Avatar Attachment uploads disabled for new users only.

That's the compromise vector that's currently known so there's the answer. :) Not allowing new users below a certain threshold of posts to upload avatars is only a false security blanket because once the post count is reached the hole remains. Still, better than nothing, but it's why we turned it off completely.

djkimmel

Is there a way for the SMF team to use the admin area of our forums about upgrades to also announce when there is a known vulnerability that is being actively exploited, and point out a thread for temporary advice to deal with the issue? That might have helped some of us who aren't checking here all the time, looking through threads randomly for trouble, to have easily avoided this attack before it created 6 or 8 hours of work. Especially those of us who are not PHP or security whizzes.

I understand these $#%@# hackers will constantly try, but if I had received a message in admin saying "temporarily disable avatars and watch for a 'krisbarteo'" my life would have been so much simpler. Maybe many others' too, since this looks like it was going on a while before I was hacked. I'd had so many people trying to get on from European IPs that one wasn't any more 'trouble' to me than the next.

Is there a way to use that same mechanism about upgrades for other notices? Is it feasible? Or too much to ask? I understand how much work all this is.

N3RVE

Hi all, Thanks for contacting us regarding the exploit. We are aware of it and our developers are looking into the issue as a priority. As a precaution, I would suggest that you disable 'attachments and uploads' for the time being which will prevent this exploit, the option to do this can be found at the Attachments and Avatars section of your administration control panel.

As a temporary measure, you could rename your attachments directory to something else (preferably random alpha characters) and also ensure that the admin CP has the correct directory name in 'Attachments and Avatars'.

We hope to have this issue resolved shortly, and would again like to thank you for taking the time to warn us of this exploit.

Kind Regards,
-[n3rve]
Ralph "[n3rve]" Otowo
Former Marketing Co-ordinator, Simple Machines.
ralph [at] simplemachines [dot] org                       
"Somewhere, something incredible is waiting to be known." - Carl Sagan

N3RVE

Quote from: djkimmel on May 12, 2009, 01:04:27 PM
Is there a way for the SMF team to use the admin area of our forums about upgrades to also announce when there is a known vulnerability that is being actively exploited, and point out a thread for temporary advice to deal with the issue? That might have helped some of us who aren't checking here all the time, looking through threads randomly for trouble, to have easily avoided this attack before it created 6 or 8 hours of work. Especially those of us who are not PHP or security whizzes.

I understand these $#%@# hackers will constantly try, but if I had received a message in admin saying "temporarily disable avatars and watch for a 'krisbarteo'" my life would have been so much simpler. Maybe many others' too, since this looks like it was going on a while before I was hacked. I'd had so many people trying to get on from European IPs that one wasn't any more 'trouble' to me than the next.

Is there a way to use that same mechanism about upgrades for other notices? Is it feasible? Or too much to ask? I understand how much work all this is.

Thanks for posting suggestions, please air all concerns at the SMF Feedback and Discussion board.

-[n3rve]

Leemy

1. Do you have to disable all new attachments or can you just turn on the "check extension" option

2. I have disabled all but server-stored avatars.  Good?

rthrash

Quote from: Saleem on May 12, 2009, 04:01:02 PM
1. Do you have to disable all new attachments or can you just turn on the "check extension" option

2. I have disabled all but server-stored avatars.  Good?
No to #1; no uploads for avatars, period.

If #2 means the default ones that SMF ships with then you are probably OK.

Leemy

Quote from: rthrash on May 12, 2009, 04:35:20 PM
Quote from: Saleem on May 12, 2009, 04:01:02 PM
1. Do you have to disable all new attachments or can you just turn on the "check extension" option
No to #1; no uploads for avatars, period.
Sorry to beat a dead horse, but "Can I disable avatars but leave Attachments-uploading enabled?"

rthrash

I wouldn't but I don't think that's the vector that's been exploited to date.

uncajesse

The method is...


  • They register.
  • Log in.
  • Upload an avatar that has PHP code in the EXIF data.
  • Access the avatar using some unknown exploit through index.php (and if someone does figure it out, obviously they shouldn't post it publicly) which causes the avatar to be executed as PHP.

JBlaze

IMHO, allowing uploadable avatars/attachments for brand spankin new users is absolutely ridiculous. Any admin/owner with some common sense and a slight knowledge of the hacks and exploits that are possible out there would disable this option until a member has at least shown interest in being a member of a community.

So, with that said, just disable avatars/attachments or at the least, limit them to users who have posted more than 5-10 posts and patiently await the security patch.

Or see my post that I made here: http://www.simplemachines.org/community/index.php?topic=309717.0
Jason Clemons
Former Team Member 2009 - 2012

rthrash

Quote from: JBlaze™ on May 12, 2009, 05:28:49 PM
IMHO, allowing uploadable avatars/attachments for brand spankin new users is absolutely ridiculous. Any admin/owner with some common sense and a slight knowledge of the hacks and exploits that are possible out there would disable this option until a member has at least shown interest in being a member of a community.

When the SMF project itself posts a point release to prevent that exact type of exploit (with 1.1.8 IIRC), I can see how someone would think it's OK to enable some basic forum bling for new users. That said, hindsight is 20/20. While you're limiting new users, you might as well restrict their PM ability too to prevent PM spam.


wtmpp

Quote from: JBlaze™ on May 12, 2009, 05:28:49 PM
IMHO, allowing uploadable avatars/attachments for brand spankin new users is absolutely ridiculous. Any admin/owner with some common sense and a slight knowledge of the hacks and exploits that are possible out there would disable this option until a member has at least shown interest in being a member of a community.

So, with that said, just disable avatars/attachments or at the least, limit them to users who have posted more than 5-10 posts and patiently await the security patch.

Or see my post that I made here: http://www.simplemachines.org/community/index.php?topic=309717.0
With all due respect, that statement is patently stupid. Why would anyone NOT use a legal feature of software they trust?
what about posting? should that be denied also?

How about reading? maybe we should limit that as well?

Having the user avatars uploaded and hosted locally IS a better security practice, because all someone needs to really screw with your forum is to post images or avatars on a server they control: they can track all your members' IPs (including your admins'), and they can make your performance go to hell (by linking to large images that everyone's browser chokes on trying to download, or that are really PHP programs with a Sleep() command). :(

I am really disappointed with the SMF behavior of dealing with this.

Without going into details, an announcement of a possible vulnerability and a work-around on the front page or stickied somewhere is, I feel, the appropriate way of dealing with this.

I feel strongly (perhaps wrongly), but I feel SMF is more concerned about its perceived security reputation than the safety of its members

:(  :( :( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(:( :(

This vulnerability is too important to be buried on a back page somewhere. This is the problem with open source that is not "open" and honest.
:( regards
