bofh1459 (bofh1459) wrote,


The people at SMF need to be strung up by their bollocks. Seriously.

So a couple days ago a friend of mine had his forum exploited and a fairly complicated PHP-based trojan got uploaded onto it. I still have not finished disassembly of it, partly due to having too little time and partly due to the fact that it's actually surprisingly complex and well-written, and also stupidly obfuscated in annoying ways (all the variables are what appear to be RC4 hashes, for instance. Makes reading painful until you do a search-and-replace).

Anyway, a couple minutes of googling around reveals that the exploit vector is the attachment upload/avatar upload code. A bit of poking around the codebase of SMF shows that at a key point it is possible to get your custom code included in the rest of the forum codebase.

So eventually shit hit the fan and there's an automated bot going around and infecting all SMF-based forums. So SMF is forced to release a fix. This is quite easily the most pathetic attempt at a fix for a security hole that I have ever seen in my entire life. There are two parts to it; the first is a file with the following contents in it:
<Files *>
    Order Deny,Allow
    Deny from all
    Allow from localhost
</Files>
RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml

Yes, that's right, their idea of a fix is a fucking .htaccess file you drop in your /attachments/ dir that removes a couple protocol handlers and then sets the executable flag on everything in the dir to off. This completely does not fix the exploit at all, as you could just, ya know, upload a file with an executable extension not listed above (say python or ruby or even a fucking dll file) and it'll still get through, not to mention that since the underlying bug still exists in the code you can just use this wondrous concept called XSS. Which we've known about since uh...early 2000? If not earlier.

The other part of the fix is a minor change to ManageAttachments.php which adds a file hash, the ability to store hashes of files, and a line that denies uploading of that one file which is being used to infect forums automatically by means of some bot which typically uses the nick "Krisbarteo".

Now, the nice thing about hashes is you can change a single byte in the file, say, for instance, one of the VARIABLE NAMES, and this bypasses this pathetic attempt at a blocked upload trivially.
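To make both complaints concrete, here is an added example (my own Python, not SMF's code and not the trojan) that puts the denylist-plus-hash check of the SMF fix next to an allowlist check that also looks at the file's leading bytes. The image extension allowlist, the magic-byte table and the "bad upload" bytes are constructed for the demo; only the RemoveHandler extension list comes from the .htaccess above.

```python
import hashlib

# Handlers the SMF .htaccess drop-in disables: a denylist of "dangerous" extensions.
DENYLISTED_EXTENSIONS = {"php", "php3", "phtml", "cgi", "fcgi", "pl", "fpl", "shtml"}
# What an avatar/attachment upload should actually accept (constructed allowlist).
ALLOWLISTED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Leading bytes a file with each allowlisted extension must start with.
MAGIC = {"jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
         "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a")}

# Constructed stand-in for the file SMF hashed: harmless PHP, not real malware.
KNOWN_BAD_UPLOAD = b"<?php $a = 'hello'; echo $a; ?>"
# The same file with one variable renamed, as the post describes.
RENAMED_VARIANT = KNOWN_BAD_UPLOAD.replace(b"$a", b"$b")
BLOCKED_HASHES = {hashlib.sha256(KNOWN_BAD_UPLOAD).hexdigest()}


def extension(filename: str) -> str:
    """Lower-cased text after the last dot, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def smf_style_allows(filename: str, content: bytes) -> bool:
    """Denylist of extensions plus a hash blocklist, mirroring the SMF fix."""
    if extension(filename) in DENYLISTED_EXTENSIONS:
        return False
    return hashlib.sha256(content).hexdigest() not in BLOCKED_HASHES


def allowlist_allows(filename: str, content: bytes) -> bool:
    """Accept only allowlisted image types whose bytes match the extension."""
    ext = extension(filename)
    if ext not in ALLOWLISTED_EXTENSIONS:
        return False
    return any(content.startswith(magic) for magic in MAGIC[ext])


if __name__ == "__main__":
    cases = [("evil.php", KNOWN_BAD_UPLOAD), ("evil.py", KNOWN_BAD_UPLOAD),
             ("evil.py", RENAMED_VARIANT), ("avatar.png", KNOWN_BAD_UPLOAD),
             ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)]
    for name, data in cases:
        print(f"{name:12} smf_style={smf_style_allows(name, data)!s:5} "
              f"allowlist={allowlist_allows(name, data)}")
```

The unlisted extension slips past the handler denylist, and the renamed variable slips past the hash blocklist, while the allowlist check rejects both and also rejects PHP bytes wearing a .png name.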

So in short, this isn't even remotely close to a patch. It does not fix the security hole at all; it's still there and still exploitable. The attempts it makes to mitigate it are pitiful at best and just downright awful at worst.

Let's see if I can get the guys at SMF to win a Pwnie Award for this year for "Worst Vendor Response to a Security Problem". Seriously. What the fuck, guys?!?