rejetto forum
Software => HFS ~ HTTP File Server => Topic started by: LeoNeeson on July 22, 2024, 08:16:08 PM
-
Hi everyone! This is a notice to all the users of HFS version 2.x (I will call it 'HFS2' for making it short). Recently, a severe vulnerability (CVE-2024-23692 (https://asec.ahnlab.com/en/67650/)) was found (https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/) in HFS2 (known to affect HFS v2.4.0 RC7 (https://github.com/rejetto/hfs2) and HFS v2.3m). This information was kept private until now, to give it time to find a solution, but now I think it's time to make this notice public. This is only an informational message to let everyone know about this. Anyone with Pascal/Delphi knowledge could contribute to finding a fix.
We are discussing how to patch it, here:
https://github.com/drapid/hfs/issues/3 (https://github.com/drapid/hfs/issues/3)
You could contribute by submitting code fixes to the source code, either on GitHub (https://github.com/rejetto/hfs2/pulls) or here in the appropriate forum section: Programmers corner (https://rejetto.com/forum/index.php?board=38.0) (opening a new thread there or leaving a comment here on this very same thread). If we find a correct fix (and since Rejetto will not update HFS2 anymore), perhaps we can build an unofficial "community" version for those who can't upgrade to HFS3.
Let's keep HFS v2.x alive, and...
...please do not panic. ;)
Stay safe,
Leo.-
-
After spending several hours on last weekend, I'm happy to finally announce that I've come up with a simple (one line) solution to this macro vulnerability. :D
The following is a portion of 'main.pas' in 'hfs2.3m.src.zip (https://sourceforge.net/projects/hfs/files/HFS/2.3m/hfs2.3m.src.zip/download)'
Add the line marked in red, after line 5100 in 'main.pas'
(After line 5445 in v2.4 RC07 (https://github.com/rejetto/hfs2/releases/tag/v2.4-rc07), but is hasn't been tested)
url:=conn.request.url; // The next line is a fix for CVE-2024-23692
if anyMacroMarkerIn(url) then url:=encodeURL(xtpl(url,['%','#']));
extractParams();
url:=decodeURL(url);
This was my second 'impossible task' achieved or accomplished here (the first was helping to bring the 'logout (http://rejetto.com/forum/?topic=13286.0;theme=1)' function to HFS), and now an attempt to fix this vulnerability. Those are the good things about programming: almost nothing is impossible with a lot of effort and dedication. :)
-
that's great, congratulations with your achievement, Leo!
i cannot say anything about effectiveness of this fix, but i'm happy if you can find a solution.
Is the url the only way to use the vulnerability? Even if the POC of the CVE uses the url, be sure to consider the possibility of the attack coming from a header.
you prefer 2.3 over 2.4 ?
-
that's great, congratulations with your achievement, Leo!
Thanks, it means a lot that you like it, I appreciate it. :) To me, it's like an exercise to dip my toes on Delphi, although there is still a long way to go...
you prefer 2.3 over 2.4 ?
Not really, some parts of it only (2.4 has huge improvements), but mainly I'm using 2.3 in my tests because it is much easier for me to build it (using TD2006). And since it was the latest stable version published, it was the version I've used it as example.
Is the url the only way to use the vulnerability? Even if the POC of the CVE uses the url, be sure to consider the possibility of the attack coming from a header.
Yes, I know what you mean ('Host' header is not covered, for example), that's why I'm not completely happy with my 'single line' fix (although it works). That's why I'm testing a completely new fix (instead the previous code). See...
» Alternative method to stop this macro vulnerability:
Add the line marked in green, after line 5084 in 'main.pas' (v2.3m)
runEventScript('pre-filter-request');
// Check macro leaks, prevent hack attempts
if anyMacroMarkerIn(conn.request.full) then
begin
data.disconnectReason:='Hack attempt blocked. This event has been logged!';
add2log('Hack attempt blocked: '+ansiToUTF8(conn.request.url));
getPage('deny', data);
conn.reply.mode:=HRM_BAD_REQUEST;
exit;
end;
It works, but even then, it's just a simple check and stop, not a true 'urlvar' filtering (and I can't be 100% sure if it is enough or if some hacker could think a workaround to bypass this measure). And if the browser asks for the 'favicon.ico' along with the same request, it gets logged as hack attempt too (and I don't like this, and I have to think how to handle it, perhaps with 'urlCmd'). Alternatively, I was thinking of doing a 'stringReplace' of macro markers on 'request.full' at an earlier stage, right on the 'handleHeaderData' procedure (which also works, as second measure), but I don't like this approach, since it could mess with other parts of the code.
Well, I think that's all I will be working with this at the moment, I don't have too much time to go deeper analyzing this, it's only a start for now.
-
Hello to both of you, even if I am not involved in HFS3 which for me represents a completely different project from HFS2.x, I keep an eye on the possible changes to be made to the latter.
With some similar approaches I did not arrive at a satisfactory result, there are indeed not only the urlvars to control but also the recursion of the attack used by using %url%, it is also necessary to take into account the postvars and as said rejecto the attacks by headers
I looked into a more restrictive use of the EXE macro, by limiting the programs to launch to those contained exclusively in a subdirectory of HFS, but I do not manage the %url% in the state in loop
procedure exec_();
var
s: string;
code: cardinal;
begin
if not fileExists(exepath+'exec\'+extractFileName(macroDequote(p))) then
begin
pars.clear();
result:='';
mainfrm.add2log('DISCONNECTED'+CRLF+exepath+'exec\'+extractFileName(macroDequote(p)));
disconnect();
exit;
end;
s:=macroDequote(par(1));
if fileOrDirExists(s) then
s:=quoteIfAnyChar(' ', s)
else
if unnamedPars < 2 then
s:='';
if parExist(['out']) or parExist(['timeout']) or parExist(['exit code']) then
try
spaceIf(captureExec(macroDequote(p)+nonEmptyConcat(' ', s), s, code, parF('timeout',2)));
try setVar(parEx('exit code'), intToStr(code)) except end;
setVar(parEx('out'), s);
except end
else
spaceIf(exec(macroDequote(p), s))
end; // exec_
put the file calc.exe (to test) inside a new exec\ subdir and use macro {.exec|calc.exe.} , bad syntax without extension {.exec|calc.} is stopped
This is a safe and absolute start for those who do not leave an executable in the exec\ directory.
What a hacker doesn't know about available resources is an obstacle to hacking.
-
Hi.
I don't know anything about security, nor about the C language.
But if hfs is under cloudflare, does the vulnerability continue?
-
But if hfs is under cloudflare, does the vulnerability continue?
Yes, the vulnerability continues, and it could put at risk the PC (server) where HFS2 (v2.x) runs. Running it under Cloudflare somewhat makes the server more hidden (harder to be scanned by hackers), but once it's discovered and targeted by a hacker, he could run or install any program (malware or anything). Unless you run HFS2 on a VPS (or somewhere you don't have anything valuable), and you can recover your data in case of problems, you should think on updating to HFS3 (https://github.com/rejetto/hfs/releases/latest) (or take the risk and wait until we release an unofficial version of HFS2 with this vulnerability fixed). We are closer to find a solution to this, but the decision of waiting or updating is yours. Keep in mind that HFS3 is a completely different software (written from scratch) and its configuration is not compatible with HFS2, so you should have to configure everything again, but HFS3 (https://github.com/rejetto/hfs) is the currently recommended choice. If you have any questions about HFS3, please ask on the place dedicated to it (here (https://rejetto.com/forum/index.php?board=46.0)), to avoid this thread going off-topic.
-
Thank you very much for the clarification. I hope it can be resolved soon.
-
I think Mars' idea of restricting "exec" is good.
It's a pity I didn't have it at the time :)
I don't like the idea of having a specific folder, tho. I would rather have a way to configure what commands are allowed, so that the user must manually enable them.
-
Maybe can fix this security problem with different settings or template modification or macro deactivation ?
Maybe i am wrong, but it sounds the problem is in template and search function.
In hfs /Home Right click/properties/ deactivate Browsable
It deactivate browse page, search and other. (Files can download now only with direct link)
Probably this is not a solution, but i think the profis here know it better.
Can it help ?
-
Maybe can fix this security problem with different settings or template modification or macro deactivation ?
Maybe i am wrong, but it sounds the problem is in template and search function.
In hfs /Home Right click/properties/ deactivate Browsable
It deactivate browse page, search and other. (Files can download now only with direct link)
Probably this is not a solution, but i think the profis here know it better.
Can it help ?
*** Temporary solution ***
Yes, good idea! :D, if you disable macros, the vulnerability will NOT happen!
But keep in mind, you will not have file list (the default template will not work)
1) Inside HFS, press F5 to switch to 'Expert mode'.
2) Go to Menu > HTML template > and uncheck 'Enable macros'.
3) It will ask you 'Do you want to cancel this action?', click in 'No'.
4) Any visitor will have this message "WARNING: this template is only to be used with HFS 2.3 (and macros enabled)", and that means you have disabled the macros, and -hopefully-, the vulnerability will NOT happen!
- Old answer (read the message above): Unfortunately, that won't stop this vulnerability (I wish it were as simple as that). The only way is to modify the program (recompiling the source code). For the moment, it is better to temporarily discontinue the use of HFS v2.x (at least until this vulnerability gets fixed, something I haven't had time to finish yet), or even better, upgrade to the new version (HFS3 (https://rejetto.com/hfs/)).
Happy Holidays to all (and happy New Year!) :)
-
Very thanks for reply.
ok, as you say browsable not helps with this vulnerability "setting in hfs window part "virtual file system" " /Home Right click/properties/flags deactivate Browsable"
If i switch it off, user become message.
!Forbidden
or||!This resource is not accessible.
And it not only deactivate searchbox, it also deactivate search direct link.
Example
http://0.0.0.0:80/?search=test
If i switch also macro off.
Comes also
!Forbidden
or||!This resource is not accessible.
In this case it is better switch macro off and browsable on ? (The last years browsable off was my default setting)
I have a rootserver, and hfs was a important part, of course i can not use old hfs before have a safe solution.
HFS 3 is not a solution for me.
If macro off is a really safe solution, it is perfect for me, i need only direct linking.
Is a easy way possible for test this vulnerability ?
-
@Alps: Using "deactivate Browsable" doesn't make any difference here (you can use it, but it doesn't stop this vulnerability). The only setting that stops it, is disabling macros (since the problem is there). With macros disabled, even search works fine, you only need to use a simple template that doesn't need or use macros.
For example, I've quickly modified (removing any use of macros) the 'Stripes (http://rejetto.com/forum/?topic=13415.msg1066891#msg1066891)' template, which is a template made by the user Danny (http://rejetto.com/forum/?action=profile;u=103082) for HFS v2.3 and v2.4. These modified templates I've uploaded here, works fine for basic 'file listing' operations but doesn't have the upload, delete or login function (login still works when using v2.3), but you can add those functions back, if you have the knowledge to do it, and you don't use macros (I currently don't have enough free time nor the patience to do it).
Well, that's all for now, hope it helps. :)
-
This sounds all great :)
Maybe this is the best solution.
I am Happy can now use hfs again after 6 months break. :D
In changelogs from "j" "k" "m" i not read security fixes.
versions down to 2.3i now also safe with macro off ?
in a russian forum i found also a solution including fixed hfs download
maybe it is interesting for you.
http://forum.ru-board.com/topic.cgi?forum=5&topic=13365&start=1940#11
i not know how safe it is.
Macro off is the best way for me.
-
versions down to 2.3i now also safe with macro off ?
With macro OFF, those versions could "probably" be safe, but I can't give you a 100% guarantee "that versions down to 2.3i are also safe with macro off" (I haven't tested it to give you confirmation). Macros were always like a 'Pandora (https://ru.wikipedia.org/wiki/%D0%AF%D1%89%D0%B8%D0%BA_%D0%9F%D0%B0%D0%BD%D0%B4%D0%BE%D1%80%D1%8B)box (https://en.wiktionary.org/wiki/Pandora%27s_box)' for vulnerabilities, but many other enhancements were introduced since version 2.3i.
in a russian forum i found also a solution including fixed hfs download
Thanks for the link. :) Sadly, that 'fixed HFS' download is not safe with macro ON. The solution posted there (and that compiled executable), is not enough to stop the vulnerability (since it only search the 'exec' word in the URL, and that word can be split in two words to bypass that solution, so I don't recommend it). You could point those users to visit this forum thread, so they could get updated info about this issue.
-
@Alps: Using "deactivate Browsable" doesn't make any difference here (you can use it, but it doesn't stop this vulnerability). The only setting that stops it, is disabling macros (since the problem is there). With macros disabled, even search works fine, you only need to use a simple template that doesn't need or use macros.
I correct myself (my mistake): @Alps (http://rejetto.com/forum/?action=profile;u=208606) was right on his first message (http://rejetto.com/forum/?topic=13694.msg1067982#msg1067982) (and then here (http://rejetto.com/forum/?topic=13694.msg1067984#msg1067984)), by unchecking the 'Browsable' flag on the 'Home/Root' of HFS, you could avoid this vulnerability and be safe. That seems to be enough, but if you also disable macros, you are twice protected. If you use v2.4 and need to use the login system, then don't disable macros (using v2.3 you can disable macros + uncheck browsable flag, since login system depends on the browser).
Summarizing, now we have 2 options to be safe and avoid this vulnerability:
- Option A: unchecking the 'Browsable' flag
1) Inside HFS, make sure 'You are in Expert mode' (if not switch by pressing F5)
2) In 'Virtual File System' panel, right-click on the 'Home' icon, select 'Properties...'
3) Properties window will open, go to 'Flags' tab, and uncheck 'Browsable' option.
4) Click 'OK' to apply changes, and from now on, any visitor to your HFS server, will see this message: "Forbidden / This resource is not accessible", and you will not have file listing, neither file search.
- Option B: disabling the 'macros' feature
Simply follow the steps described in this post, here (http://rejetto.com/forum/?topic=13694.msg1067983#msg1067983).
I give all the credits for both of these methods to @Alps (http://rejetto.com/forum/?action=profile;u=208606)! :D
Cheers,
Leo.-
-
Not only my credits.
Was only a idea from me.
I not have the knowledge for security relevance.
Without LeoNeeson we not have this solution.
-
Since there are still a fans of hfs 2.3m build 300, and who are concerned about the risk of being hackered with the EXEC macro, the simplest at the moment is to allow a deactivation of this macro which is only rarely used and in very specific cases,
the solution envisaged to limit the number of accessible external programs that would be included in a reduced list is not possible at the moment as long as an effective filtering is not possible for the moment to be possible.
This is an ephemeral link on a version compressed with upx, wich has not be endorsed by rejetto, but because of my previous participation in the project I can afford it without waiting ;)
it integrates a button in the toolbar to activate the use of the macro exec.
HFS 2.3m build 305 (https://1fichier.com/?z5e5af3xv0nqegaehxs0)
the macro is systematically in OFF mode as soon as the server is started up or at each change of state of the latter.
the macro is automatically deactivated when the display is switched to EASY mode, and the button is inoperative.
when the conditions are met, it is possible to activate the use of the EXEC macro for a period of 30 seconds, this value can be modified by right-clicking on the button,
any change to a value other than that displayed on the opening of the message causes the timer to stop, so it is necessary to reactivate the button.
As a measure of simplicity, a zero value inhibits the timer and the button becomes a simple state flip-flop, otherwise it behaves like a timer.
-
Good! :D ...and now we have:
- Option C: Mars’s version of HFS! (v2.3m Build 305 (http://rejetto.com/forum/?topic=13694.msg1067990#msg1067990))
This option is perfect for those who want to make normal use of the default template (while also wanting to programmatically run programs using HFS, but don’t want to leave this option enabled for too long). This also provides another alternative (besides 'Option A or B') for those who wish to disable the 'exec' macro feature to be more secure.
What is the difference between 'Option B' and 'Option C'? The difference is that 'Option B' disables all macros (including the less risky macros that are necessary for normal template functionality), while the Mars compilation only disables the 'exec' macro (which allows other programs to be executed, and this was exploited by this vulnerability). Since the vulnerability still exists, if you use 'Option C' (and enable the 'exec' macro), it's best to allow it only for a short period, or to disable it directly when this feature is not needed.
It’s nice to have more options for those who may need them.
Everything seems fine, and it’s good, coming from Mars (congrats!) :)
-
Hi Leo!
Could you check my versions, if it vulnerable or not? As I'm not really understand your answers per my fixes.
In my tests, I couldn't repeat vulnerability examples. May be I checked not enough?
My latest version: https://rnq.ru/downloads/download/8-hfs/215-hfs-324-x64
-
@Rapid
With a download size of 0 bits, your HFS breaks all compression records ;D ;D ;D
-
Since we are joking... :D
@Rapid: You did it! 0 bits = 0 vulnerabilities ! ;D
@Mars: Now I do understand (https://www.youtube.com/watch?v=2Fznhgw_PBg) why your timer is set to 30 seconds... (https://i.imgur.com/BSWg55Z.gif)
...and also because it only takes '30 seconds to Mars (https://en.wikipedia.org/wiki/30_Seconds_to_Mars)'
...a nice rock band, although I prefer Bruno Mars (https://en.wikipedia.org/wiki/Bruno_Mars)
I'm sorry, I think I went too far today...
(too many jokes in one post) ;)
-
ok, download link is fixed.
I really don't understand, why you afraid only 'exec' macros. With "save" macros it's possible to do the same (if write 'bat' or 'lnk' file). With 'add folder' - it's possible to add home folder of active user, and maybe download something private.
-
In the face of all these hacking possibilities, it is up to the fact that hfs is running on a virtual machine in a restricted environment. ;D
HFS is of an old design, no matter how much we try to plug the holes, but we'll never be safe from further leaks.
it is always possible to use version 2.2f which makes it possible to distribute content as one looks at a film,
otherwise we use a version with macros, which allows a certain interactivity, but it's like with games, there's always some that will always try to cheat to win not much except forge in the idea that they beat the designer in his efforts to make his product inviolable. It's a racing game where we can quickly make mistakes that make us lose the race.
the race here is that of inventiveness that will give the one who will be the most clever to supplant the other by cutting off the grass under his foot, like a chess player it is not because we lose coins or even the queen that we are on the ground as long as failure and matte is not announced 8) 8)
-
Could you check my versions, if it vulnerable or not? As I'm not really understand your answers per my fixes.
I've sent you a private message because I can't run x64 apps.
You can use 1Fichier (https://1fichier.com/) to upload files if that's easier for you.
Until then, I can't review your version; I'm sorry... :-[
I really don't understand, why you afraid only 'exec' macros. With "save" macros it's possible to do the same (if write 'bat' or 'lnk' file). With 'add folder' - it's possible to add home folder of active user, and maybe download something private.
I completely agree with you (and I was already aware of all that).
it is always possible to use version 2.2f which makes it possible to distribute content as one looks at a film,
We can have the best of both worlds if we do this:
(Ideas) The best way to achieve good security would be:
• Make the default template not use or require any macros at all.
• Make the entire macro system behave exactly like user permissions.
• Have a config panel to let HFS admin choose which macros are enabled.
Even then, nobody could guarantee 100% permanent security forever... :(
Making all those changes will take a lot of work, time, and testing.
(but it will provide all the features without compromising security)
-
I've sent you a private message because I can't run x64 apps.
...
32bit: https://rnq.ru/categories/download/8-hfs/216-hfs-324
...
We can have the best of both worlds if we do this:
(Ideas) The best way to achieve good security would be:
• Make the default template not use or require any macros at all.
• Make the entire macro system behave exactly like user permissions.
• Have a config panel to let HFS admin choose which macros are enabled.
Even then, nobody could guarantee 100% permanent security forever... :(
Making all those changes will take a lot of work, time, and testing.
(but it will provide all the features without compromising security)
I think you misunderstands what macroses are. Templates are based on macroses. So "no macros" = "no templates".
For me HFS is just a Home File Server. I don't really care about security.
All changes are just for fun...
Like a beautiful alpha-blend icons, serving thumbnails as WEBP, using ZSTD compression instead of zlib. Nobody needs it, but it's fun to do :)
So the next big fun is to add "zip format for folder archives"
-
what is missing it´s a swtich of templates as exist when we use a computer or smartphones for example, but in this case it´s more simple to have two versions of hfs and run only the one with macros or not ;D
-
I think you misunderstands what macroses are.
Templates are based on macroses.
So "no macros" = "no templates".
By saying 'templates are based' on macros, it could only mean 'some templates depend' on macros (but only those templates that need a macro to work, like, for example, the default template). However, your latest statement is not entirely accurate, since you can have a template without macros. Otherwise, you would not be able to install or use the templates I've modified in this post HERE (http://rejetto.com/forum/?topic=13694.msg1067985#msg1067985), which can be used with macros disabled (obviously, some features are disabled, such as the ability to delete, rename, or upload files, but it's still a template after all). I'm not looking to argue, but I do have a clear understanding of what macros are and how they work.
For me HFS is just a Home File Server.
I don't really care about security.
All changes are just for fun...
Then, just for fun, you have given me the opportunity to say the following: 8) "Ladies and gentlemen, we now have..."
- Option D: DRapid version of HFS! (32 bits (https://rnq.ru/categories/download/8-hfs/216-hfs-324) & 64 bits (https://rnq.ru/categories/download/8-hfs/215-hfs-324-x64))
Yeah! ;D this version is good for those who want to use templates while avoiding this vulnerability, and also for those who, based on his own words (not mine): 'don't really care about security'. So, if you feel comfortable with this, you will find this version very interesting.
» Seriously speaking, from what I've seen by running the program and conducting some tests (and also after reviewing the patch (https://github.com/drapid/HFS/commit/b699f9a1675a9708fa2c14c62a02290bac499de4#diff-af98362b85c574d4b328dfb533a70e7fc17878d1df07a6c374e0a775fab49a05L130-L132) in the source code from an older build), it seems to avoid the vulnerability. However, I don't see this as a definitive long-term solution. That being said, I can't provide ANY guarantees, and it's up to the end-user to decide whether this is appropriate to use or not.
what is missing it´s a swtich of templates as exist when we use a computer or smartphones for example, but in this case it´s more simple to have two versions of hfs and run only the one with macros or not ;D
Even better: two HFS versions on two separate computers! ;D ;D
-
By saying 'templates are based' on macros, it could only mean 'some templates depend' on macros (but only those templates that need a macro to work, like, for example, the default template). However, your latest statement is not entirely accurate, since you can have a template without macros. Otherwise, you would not be able to install or use the templates I've modified in this post HERE (http://rejetto.com/forum/?topic=13694.msg1067985#msg1067985), which can be used with macros disabled (obviously, some features are disabled, such as the ability to delete, rename, or upload files, but it's still a template after all). I'm not looking to argue, but I do have a clear understanding of what macros are and how they work.
...
Ok, if we don't count "%item-url%" as macros, than you are right. But technically it's kind of macros too :)
I like the idea to have a separate template for no-macros mode. So I will add an option "Disable macros for non-local IP" to use separate templates for local and non-local users.
It remains to add the possibility to define these separate templates.
As of start I will add template as a resource. We already have an example "dmBrowser.tpl" for download managers.
-
Ok, if we don't count "%item-url%" as macros, than you are right.
I agree that it looks similar (https://rejetto.com/wiki/index.php%3Ftitle=HFS:_Template_macros.html#Differences_with_symbols), but '%item-url%' is one of the 'Symbols' available (https://rejetto.com/wiki/index.php%3Ftitle=HFS:_Template_symbols.html) (Macros and Symbols are both processed at server-side). %Symbols% (http://rejetto.com/forum/?topic=1939.0) are much safer and already existed in very ancient versions (before Rejetto added macros in v2.3x), and are replaced by the real values at run-time (when the HTML page is built (https://rejetto.com/wiki/index.php%3Ftitle=HFS:_Template.html#How_templates_work)), meanwhile macro works like server-side scripting.
I like the idea to have a separate template for no-macros mode. So I will add an option "Disable macros for non-local IP" to use separate templates for local and non-local users.
I'm glad you like the idea. :)
For any other thing related about this, it's much better to open a new thread in 'Programmers corner (http://rejetto.com/forum/?board=38.0)', to not disturb users subscribed to this thread who are waiting for news on this issue.