Does anyone know of a current privilege escalation hack?

Started by chaos40, December 01, 2024, 09:45:00 AM

chaos40

I have a user on my forum which keeps managing to escalate themselves from normal user to global moderator.

I have banned the account but wanted to know if there is any knowledge of such a hack or any ways to mitigate it entirely?

smf 2.1.3 blue evolution theme

thanks

Doug Heffernan

> Quote from: chaos40 on December 01, 2024, 09:45:00 AM
>
> I have banned the account but wanted to know if there is any knowledge of such a hack or any ways to mitigate it entirely?

Can you please elaborate a little further on this?

chaos40

> Quote from: Doug Heffernan on December 01, 2024, 10:28:31 AM
>
> > Quote from: chaos40 on December 01, 2024, 09:45:00 AM
> >
> > I have banned the account but wanted to know if there is any knowledge of such a hack or any ways to mitigate it entirely?
>
> Can you please elaborate a little further on this?

We had a normal user which was able to add themselves to the global moderators group. No log file generated and this change was not done by an administrator.

The first action I took was to place the user in a very confined user group with very limited posting and account change ability. Subsequently, a few weeks later they were able to elevate their privileges back to that of global moderator. No logs. No traces.

Doug Heffernan

> Quote from: chaos40 on December 01, 2024, 10:34:34 AM
>
> We had a normal user which was able to add themselves to the global moderators group. No log file generated and this change was not done by an administrator.
>
> The first action I took was to place the user in a very confined user group with very limited posting and account change ability. Subsequently, a few weeks later they were able to elevate their privileges back to that of global moderator. No logs. No traces.

Thank you for the clarification. Now I see what you mean. In order to be able to change their groups like that, they must have access to your database somehow imo. Can you ask your host to check their logs and see if there was any access to your database for around the time that the change of group was made?

When you say no logs, no trace, what logs did you mean?

chaos40

> Quote from: Doug Heffernan on December 01, 2024, 11:03:50 AM
>
> > Quote from: chaos40 on December 01, 2024, 10:34:34 AM
> >
> > We had a normal user which was able to add themselves to the global moderators group. No log file generated and this change was not done by an administrator.
> >
> > The first action I took was to place the user in a very confined user group with very limited posting and account change ability. Subsequently, a few weeks later they were able to elevate their privileges back to that of global moderator. No logs. No traces.
>
> Thank you for the clarification. Now I see what you mean. In order to be able to change their groups like that, they must have access to your database somehow imo. Can you ask your host to check their logs and see if there was any access to your database for around the time that the change of group was made?
>
> When you say no logs, no trace, what logs did you mean?

There were no logs in the SMF forum software indicating this user transitioned from one group to another.

I have access to the underlying server via ssh so I can check the logs. Any log in particular you would recommend?

Also, I did notice that the database was incorrectly listening on 3306 on the publicly routable IP address. I changed that to 127.0.0.1.

Arantor

I know of one but it doesn't escalate to global moderator, it escalates to admin.

I've never seen one that escalates specifically to global moderator (and it would be weird if it did, to be honest), especially since it's somehow circumventing the ban system.

Is the profile edits log turned on?

> Quote from: chaos40 on December 01, 2024, 11:07:33 AM
>
> Also, I did notice that the database was incorrectly listening on 3306 on the publicly routable IP address.

This is only an issue if the database is publicly accessible which is something you should be checking at this point. Though frankly if they have the ability to escalate their permissions, *why stop at global moderator*?

Do you have any other global moderators?
Holder of controversial views, all of which my own.


chaos40

> Quote from: Arantor on December 01, 2024, 11:17:44 AM
>
> I know of one but it doesn't escalate to global moderator, it escalates to admin.
>
> I've never seen one that escalates specifically to global moderator (and it would be weird if it did, to be honest), especially since it's somehow circumventing the ban system.
>
> Is the profile edits log turned on?
>
> > Quote from: chaos40 on December 01, 2024, 11:07:33 AM
> >
> > Also, I did notice that the database was incorrectly listening on 3306 on the publicly routable IP address.
>
> This is only an issue if the database is publicly accessible which is something you should be checking at this point. Though frankly if they have the ability to escalate their permissions, *why stop at global moderator*?
>
> Do you have any other global moderators?

The question of why stop at global moderator was perplexing to me as well. Same person did it twice.

I did change the database to listen on 127.0.0.1 via the my.cnf file.

The hack you are referring to. Is there any way to mitigate it?

Arantor

It's not so much a hack as much as it is a design fault and a misconfiguration. Basically, don't screw up the post count groups, so there's always a post count starting at 0 posts. If you have a situation where a user posts and there's no valid post group for them to go into, they end up going into admin.
Holder of controversial views, all of which my own.


chaos40

> Quote from: Arantor on December 01, 2024, 11:58:20 AM
>
> It's not so much a hack as much as it is a design fault and a misconfiguration. Basically, don't screw up the post count groups, so there's always a post count starting at 0 posts. If you have a situation where a user posts and there's no valid post group for them to go into, they end up going into admin.

This is all I have in terms of post count groups. We don't use post count groups basically. We assign them to a group at registration and they pretty much stay there until there is a private board they are invited to.

Newbie    *    625    0    Modify

Arantor

So you have a post count group that starts at 0 posts meaning there's always a valid group for people to be in. No exploit there.
Holder of controversial views, all of which my own.
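
The checks discussed in this thread, as an added example that is not part of any post and is not SMF's own code: it confirms a post count group starting at 0 posts exists, lists every member holding Administrator or Global Moderator through either the primary or an additional group, and flags members whose post group is not a valid post count group. The table and column names and the group ids 1 and 2 assume a default SMF 2.1 schema with the `smf_` prefix; the sample rows are constructed, and SQLite stands in for the forum's MySQL database so the block runs offline.

```python
import sqlite3

ADMIN, GLOBAL_MOD = 1, 2  # assumed default SMF ids for the two privileged groups

def audit(db, prefix="smf_"):
    """Return (has_zero_post_group, privileged_members, orphaned_members)."""
    cur = db.cursor()
    # Post count groups carry min_posts >= 0; regular groups use -1.
    cur.execute(f"SELECT COUNT(*) FROM {prefix}membergroups WHERE min_posts = 0")
    has_zero = cur.fetchone()[0] > 0

    # A member can hold a group via id_group or the comma-separated additional_groups.
    privileged = []
    cur.execute(f"SELECT member_name, id_group, additional_groups FROM {prefix}members")
    for name, primary, extra in cur.fetchall():
        groups = {primary} | {int(g) for g in (extra or "").split(",") if g.strip()}
        hit = sorted(groups & {ADMIN, GLOBAL_MOD})
        if hit:
            privileged.append((name, hit))

    # Members whose id_post_group does not point at an existing post count group.
    cur.execute(
        f"SELECT m.member_name FROM {prefix}members m "
        f"LEFT JOIN {prefix}membergroups g "
        f"ON g.id_group = m.id_post_group AND g.min_posts >= 0 "
        f"WHERE g.id_group IS NULL ORDER BY m.member_name")
    orphaned = [row[0] for row in cur.fetchall()]
    return has_zero, sorted(privileged), orphaned

def sample_db():
    """Constructed data: 'mallory' sits in a restricted primary group but also in group 2."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE smf_membergroups (id_group INTEGER, group_name TEXT, min_posts INTEGER);
    CREATE TABLE smf_members (id_member INTEGER, member_name TEXT, id_group INTEGER,
                              id_post_group INTEGER, additional_groups TEXT);
    INSERT INTO smf_membergroups VALUES (1,'Administrator',-1),(2,'Global Moderator',-1),
                                        (4,'Newbie',0),(9,'Restricted',-1);
    INSERT INTO smf_members VALUES (1,'admin',1,4,''),(2,'alice',0,4,''),
                                   (3,'mallory',9,4,'2'),(4,'bob',0,0,'');
    """)
    return db

if __name__ == "__main__":
    print(audit(sample_db()))
```

Against a live forum the same three queries can be run read-only in the MySQL client; comparing the privileged list over time shows a group change even when the forum's own logs record nothing.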


Kindred
