rejetto forum

[HFS 2.3a] 0Day Vulnerability discovered by me!

xpl01t · 13 · 7725

0 Members and 1 Guest are viewing this topic.

Offline xpl01t

  • Occasional poster
  • *
    • Posts: 16
    • View Profile
closed.
« Last Edit: August 07, 2014, 03:38:12 PM by xpl01t »


Offline bmartino1

  • Tireless poster
  • ****
    • Posts: 901
  • I'm only trying to help i mean no offense.
    • View Profile
    • My HFS Google Drive Shared Link
interesting...
rejetto should be informed!

i recall a previous version with issue in sharing a real folder giving access to the whole drive....

from what it looks like, you took the source code and turned a specific script into a hacking tool. (  :) / :(  )
do you wish to share any suggestions on how to possibly secure/ prevent remote acess?

and/or as windows "c$" is what it looks like your on, do you have write capabilities???
Files i try to keep and share can be found on my google drive:

https://drive.google.com/drive/folders/1FOWi3Gqaldld6JLXvZ-biDv4RSguf0IC


Offline xpl01t

  • Occasional poster
  • *
    • Posts: 16
    • View Profile
closed.
« Last Edit: August 07, 2014, 03:38:34 PM by xpl01t »


Offline timteka

  • Occasional poster
  • *
    • Posts: 18
    • View Profile
I didn't give access to C$ or anything else, still my hfs.tpl was replaced by 'hacked by...' message (latest stable hfs server)


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13308
    • View Profile

Offline vacheron

  • Occasional poster
  • *
    • Posts: 1
    • View Profile
I was informed by one of my users I had the same problem yesterday.
https://www.dropbox.com/s/ji4i894lxvlk49g/2014-08-08%2013.07.57%20-%20Copy.jpg

I've restored the .VFS file from the backup which seems to have removed the user and root folder (at least superficially). The exploit created a root access share and created a user called "Hacked".

There has been an additional file added in the folder:
C:\Users\xxxxxx\AppData\Local\VirtualStore\Program Files (x86)\HFS called "hack.tpl".
The hfs.ini file has then been edited to add the line "tpl-file=hack.tpl"

I have kept the hacked copy of all reference files if it would be of any use to you in solving the problem?
 
« Last Edit: August 09, 2014, 08:58:35 AM by vacheron »


Offline bmartino1

  • Tireless poster
  • ****
    • Posts: 901
  • I'm only trying to help i mean no offense.
    • View Profile
    • My HFS Google Drive Shared Link
btw... c$ is a windows default read only share, as this scrpt gave them acess to c, i asume he was on c$...
http://en.wikipedia.org/wiki/Administrative_share

--------------------------
lolz.. he closed the forum and youtube link... rofl.....
(guess he didn't want to get into trouble...)

well, its was a python code that used rpc

----------------------------
anyways if it helps:
(hfsrpc.py) - was in the cmd windows...

---------picture in with post had:
setting the local host and rhost to the same port something like "444444"
(both were the same for coming in

and remote port, setting up windows traffic to a random connecting port....
something like "124445"
(creating a fake random port conection)
(both were the same for going out...)

Ports are from (memory/don't remember them ... weren't assigned to specific services/protocols as such they must have been random...)

then script sending it through the broadcast to gain access to the root folder of hfs... (random victim)

as if you remotely oppend a cmd prompt on that machine...(unknown if it gave write permissions definitely read/traverse)
didn't have/give much, but it was a python code(he replied back and said so not so much who.how.what)... but deliberate to gain access into hfs2.3a and the c: drive of an hfs machine...

i haven't been hacked, and i'm surprised to see comments of those who have.
-----------------------

this is as much as i can be of help, unknown what protocol/data/how they are getting in, just trying to share form what i saw when i replied to this post... (the fact that on a previous chinese post shows that this user has used this script miscoulious, and possible that he isn't the creator, show that he might never "sign in"...

http://www.rejetto.com/forum/italiano/template-craccato-***importante***-11437/

itialin poster saying xpolit user did this:
-------
https://translate.google.com/#auto/en/Ciao%20a%20tutti%2C%0Ami%20rifaccio%20vivo%2C%20perch%C3%A8%20oggi%20ho%20notato%20che%20il%20mio%20webserver%20era%20stato%20craccato!%0AIn%20pratica%2C%20digitando%20l'indirizzo%20associato%2C%20al%20posto%20della%20pagina%20template%20che%20avevo%20impostato%2C%20compariva%20il%20messaggio%3A%0A%0Ahacked%20by%20xpl01t%20HFS%200day%20exploiter%0A%0ACollegandomi%20al%20server%2C%20mi%20sono%20accorto%20che%20era%20presente%20un%20file%20*tpl%20modificato%20dall'hacker.%20Ho%20subito%20ripristinato%20il%20mio%20ma%20la%20cosa%20mi%20allarma.%20Mi%20sa%20che%20urge%20una%20patch%20correttiva!%20La%20versione%20che%20uso%20%C3%A8%20la%202.3%0A%0AVedi%20anche%20http%3A%2F%2Fwww.rejetto.com%2Fforum%2Fhfs-~-http-file-server%2F%2528hfs-2-3a%2529-0day-vulnerability-discovered-by-me!%2F%20%0A%0ASaluti%0AAL
----------
« Last Edit: August 09, 2014, 03:22:23 PM by bmartino1 »
Files i try to keep and share can be found on my google drive:

https://drive.google.com/drive/folders/1FOWi3Gqaldld6JLXvZ-biDv4RSguf0IC


Offline xpl01t

  • Occasional poster
  • *
    • Posts: 16
    • View Profile
I'm the author so stop posting bullshits:) and i don't want share it i defaced many sites with different names (godness_god , DZONE, MUMMY and many more) script is private and i'm still finishing it with new features .. rejetto review your code this is enough


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13308
    • View Profile
xpl01t, i tried to contact you privately (email) but got no reply.
How can i contact you for details?

I already reviewed my code at the time of my previous post, with the little spare time i got, and found nothing. Sorry, i need information to fix it.
« Last Edit: August 22, 2014, 11:10:22 AM by rejetto »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13308
    • View Profile
This time I investigated on the default template and i think i found THERE the flaw xpl01t is using.
To be honest the problems i found are quite embarrassing. I guess at the time of writing the template i was drunk or something.
I've not been provided with the required information yet, so there's no way for me to test and be sure that what i did is enough.
Let's try.


Offline bmartino1

  • Tireless poster
  • ****
    • Posts: 901
  • I'm only trying to help i mean no offense.
    • View Profile
    • My HFS Google Drive Shared Link
Hey rejeto, was searching on google (to get to the forum...)and found your vulnerability stuff and a site that is showing how it was done...

The one you answered...(updated to fix bugs!) http://www.kb.cert.org/vuls/id/251276

Site / concerns...
https://warroom.securestate.com/index.php/building-a-vulnerable-box-rejetto-hfs/

they tested this on build 288 (unknown versions...might have been 2.3 b witch is now patched!)

...versions prior to 2.3.e (the latest version are not vulnarable...) ?
Files i try to keep and share can be found on my google drive:

https://drive.google.com/drive/folders/1FOWi3Gqaldld6JLXvZ-biDv4RSguf0IC


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2015
    • View Profile
there is no reason to worry about this attack, hfs has been patched since rejetto had knowledge the % 00 bug, the test dates announced securestate.com on May 10, 2015, but they could at least give worth testing with a newer version. This is a nice article, but lack of evidence.

Either way, an attack may also come from another program, it has never been claimed that HFS is a software vulnerability zero.

« Last Edit: June 26, 2015, 09:13:49 AM by Mars »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13308
    • View Profile
the article you linked says:
This issue is addressed in HFS version 2.3c and later