rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: xpl01t on August 04, 2014, 11:02:43 PM

Title: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: xpl01t on August 04, 2014, 11:02:43 PM
closed.
Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: bmartino1 on August 05, 2014, 06:26:46 PM
interesting...
rejetto should be informed!

i recall a previous version with an issue in sharing a real folder giving access to the whole drive....

from what it looks like, you took the source code and turned a specific script into a hacking tool. (  :) / :(  )
do you wish to share any suggestions on how to possibly secure / prevent remote access?

and/or as windows "c$" is what it looks like you're on, do you have write capabilities???
Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: xpl01t on August 05, 2014, 10:48:39 PM
closed.
Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: timteka on August 08, 2014, 06:18:16 AM
I didn't give access to C$ or anything else, still my hfs.tpl was replaced by 'hacked by...' message (latest stable hfs server)
Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: rejetto on August 08, 2014, 11:00:25 PM
i just came back from a trip. Will shortly look into this.
Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: vacheron on August 09, 2014, 08:11:27 AM
I was informed by one of my users I had the same problem yesterday.
https://www.dropbox.com/s/ji4i894lxvlk49g/2014-08-08%2013.07.57%20-%20Copy.jpg

I've restored the .VFS file from the backup which seems to have removed the user and root folder (at least superficially). The exploit created a root access share and created a user called "Hacked".

There has been an additional file added in the folder:
C:\Users\xxxxxx\AppData\Local\VirtualStore\Program Files (x86)\HFS called "hack.tpl".
The hfs.ini file has then been edited to add the line "tpl-file=hack.tpl"

I have kept the hacked copy of all reference files if it would be of any use to you in solving the problem?
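
The traces reported in this thread (an hfs.tpl replaced in place, an extra hack.tpl next to it, and a "tpl-file=" line added to hfs.ini, in one case under the UAC VirtualStore copy of the install folder) can be checked with a short audit script. This is an added example, not part of any post above and not rejetto's code; the function names are hypothetical, and it assumes hfs.ini can be read as plain key=value lines and that you hold a known-good SHA-256 for your own template.

```python
import hashlib
from pathlib import Path, PureWindowsPath

def virtualstore_path(install_dir, local_appdata):
    """Map an install folder to its UAC VirtualStore shadow copy (Windows paths)."""
    parts = PureWindowsPath(install_dir).parts[1:]  # drop the drive anchor
    return str(PureWindowsPath(local_appdata, "VirtualStore", *parts))

def tpl_file_settings(ini_text):
    """Values assigned to tpl-file, treating hfs.ini as key=value lines (assumption)."""
    values = []
    for raw in ini_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip().lower() == "tpl-file":
            values.append(value.strip())
    return values

def audit_hfs_dir(hfs_dir, baseline):
    """baseline: {template file name: known-good SHA-256 hex}. Returns findings."""
    root = Path(hfs_dir)
    known = {name.lower(): digest.lower() for name, digest in baseline.items()}
    findings = []
    ini = root / "hfs.ini"
    if ini.is_file():
        for value in tpl_file_settings(ini.read_text(errors="replace")):
            if PureWindowsPath(value).name.lower() not in known:
                findings.append(("ini-points-to-unknown-template", value))
    for path in sorted(root.iterdir()):
        if not path.is_file() or path.suffix.lower() != ".tpl":
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        expected = known.get(path.name.lower())
        if expected is None:
            findings.append(("unexpected-template-file", path.name))
        elif digest != expected:
            findings.append(("template-modified", path.name))
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed sample reproducing the state described in the post above.
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed known-good template\n"
        Path(d, "hfs.tpl").write_bytes(good)
        Path(d, "hack.tpl").write_bytes(b"constructed defacement page\n")
        Path(d, "hfs.ini").write_text("some-option=yes\ntpl-file=hack.tpl\n")
        baseline = {"hfs.tpl": hashlib.sha256(good).hexdigest()}
        for finding in audit_hfs_dir(d, baseline):
            print(finding)
```

Run `audit_hfs_dir` on both the install folder and the folder returned by `virtualstore_path`, since the modified files in the report above were found only in the VirtualStore copy.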
 
Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: bmartino1 on August 09, 2014, 03:19:43 PM
btw... c$ is a windows default read only share, as this script gave them access to c, i assume he was on c$...
http://en.wikipedia.org/wiki/Administrative_share

--------------------------
lolz.. he closed the forum and youtube link... rofl.....
(guess he didn't want to get into trouble...)

well, it was a python code that used rpc

----------------------------
anyways if it helps:
(hfsrpc.py) - was in the cmd windows...

---------picture in with post had:
setting the local host and rhost to the same port something like "444444"
(both were the same for coming in)

and remote port, setting up windows traffic to a random connecting port....
something like "124445"
(creating a fake random port connection)
(both were the same for going out...)

Ports are from (memory/don't remember them ... weren't assigned to specific services/protocols as such they must have been random...)

then script sending it through the broadcast to gain access to the root folder of hfs... (random victim)

as if you remotely opened a cmd prompt on that machine...(unknown if it gave write permissions, definitely read/traverse)
didn't have/give much, but it was a python code (he replied back and said so, not so much who.how.what)... but deliberate to gain access into hfs2.3a and the c: drive of an hfs machine...

i haven't been hacked, and i'm surprised to see comments of those who have.
-----------------------

this is as much as i can be of help, unknown what protocol/data/how they are getting in, just trying to share from what i saw when i replied to this post... (the fact that a previous chinese post shows that this user has used this script maliciously, and possibly that he isn't the creator, shows that he might never "sign in"...)

http://www.rejetto.com/forum/italiano/template-craccato-***importante***-11437/

Italian poster saying xpl01t user did this:
-------
https://translate.google.com/#auto/en/Ciao%20a%20tutti%2C%0Ami%20rifaccio%20vivo%2C%20perch%C3%A8%20oggi%20ho%20notato%20che%20il%20mio%20webserver%20era%20stato%20craccato!%0AIn%20pratica%2C%20digitando%20l'indirizzo%20associato%2C%20al%20posto%20della%20pagina%20template%20che%20avevo%20impostato%2C%20compariva%20il%20messaggio%3A%0A%0Ahacked%20by%20xpl01t%20HFS%200day%20exploiter%0A%0ACollegandomi%20al%20server%2C%20mi%20sono%20accorto%20che%20era%20presente%20un%20file%20*tpl%20modificato%20dall'hacker.%20Ho%20subito%20ripristinato%20il%20mio%20ma%20la%20cosa%20mi%20allarma.%20Mi%20sa%20che%20urge%20una%20patch%20correttiva!%20La%20versione%20che%20uso%20%C3%A8%20la%202.3%0A%0AVedi%20anche%20http%3A%2F%2Fwww.rejetto.com%2Fforum%2Fhfs-~-http-file-server%2F%2528hfs-2-3a%2529-0day-vulnerability-discovered-by-me!%2F%20%0A%0ASaluti%0AAL
----------
Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: xpl01t on August 18, 2014, 04:00:19 PM
I'm the author so stop posting bullshit :) and I don't want to share it. I defaced many sites with different names (godness_god, DZONE, MUMMY and many more). The script is private and I'm still finishing it with new features... rejetto, review your code, this is enough
Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: rejetto on August 22, 2014, 10:31:14 AM
xpl01t, i tried to contact you privately (email) but got no reply.
How can i contact you for details?

I already reviewed my code at the time of my previous post, with the little spare time i got, and found nothing. Sorry, i need information to fix it.
Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: rejetto on August 24, 2014, 06:53:57 PM
This time I investigated the default template and I think I found THERE the flaw xpl01t is using.
To be honest the problems i found are quite embarrassing. I guess at the time of writing the template i was drunk or something.
I've not been provided with the required information yet, so there's no way for me to test and be sure that what i did is enough.
Let's try.
Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: bmartino1 on June 25, 2015, 07:15:43 PM
Hey rejetto, was searching on google (to get to the forum...) and found your vulnerability stuff and a site that is showing how it was done...

The one you answered... (updated to fix bugs!) http://www.kb.cert.org/vuls/id/251276

Site / concerns...
https://warroom.securestate.com/index.php/building-a-vulnerable-box-rejetto-hfs/

they tested this on build 288 (unknown versions... might have been 2.3 b which is now patched!)

...versions prior to 2.3.e (the latest version are not vulnerable...) ?
Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: Mars on June 26, 2015, 09:03:22 AM
There is no reason to worry about this attack; hfs has been patched since rejetto had knowledge of the %00 bug. The test dates announced by securestate.com on May 10, 2015, but they could at least have tested with a newer version. This is a nice article, but it lacks evidence.

Either way, an attack may also come from another program; it has never been claimed that HFS is software with zero vulnerabilities.

Title: Re: [HFS 2.3a] 0Day Vulnerability discovered by me!
Post by: rejetto on June 28, 2015, 11:00:21 PM
the article you linked says:
This issue is addressed in HFS version 2.3c and later