NukeSentinel 2.5.05 (nukesentinel.php) File Disclosure Explo

hls-bill · New Member Joined: Feb 14, 2007 Posts: 2

Only registered users can see links on this board!
Get registered or login to the forums!

Any word on this one?

Kind Regards,

Bill

stefvar · New Member Joined: Oct 30, 2005 Posts: 18

Hello,

Look at also this link :

Only registered users can see links on this board!
Get registered or login to the forums!

technocrat · Posted: Tue Feb 20, 2007 6:20 pm

Here is a quick fix for first exploit
Open includes/nukesentinel.php

Find:

Code:

// Load Blocker Arrays

Before add:

Code:

function nsnst_valid_ip ($ip) {
return (preg_match('/^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/', $ip));
}

Find:

Code:

$ip = explode(".", $remoteip);

After add:

Code:

if (!nsnst_valid_ip($remoteip)) {
die('Access Denied');
}

Find:

Code:

if(empty($template)) { $template = "abuse_default.tpl"; }

Before add:

Code:

if (!empty($template) && ereg('.php', $template)) $template = '';

Guardian2003 · Posted: Tue Feb 20, 2007 6:25 pm

I can confirm the developers are aware and working on a permanent fix.

technocrat · Posted: Tue Feb 20, 2007 6:30 pm

Actually you should probably strip out all the ips

Replace

Code:

if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['client_ip'])) {$nsnst_const['client_ip'] = "none"; }
if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['forward_ip'])) {$nsnst_const['forward_ip'] = "none"; }
if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['remote_ip'])) {$nsnst_const['remote_ip'] = "none"; }
if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['remote_addr'])) {$nsnst_const['remote_addr'] = "none"; }

With:

Code:

if (!nsnst_valid_ip($nsnst_const['client_ip'])) {$nsnst_const['client_ip'] = "none"; }
if (!nsnst_valid_ip($nsnst_const['forward_ip'])) {$nsnst_const['forward_ip'] = "none"; }
if (!nsnst_valid_ip($nsnst_const['remote_ip'])) {$nsnst_const['remote_ip'] = "none"; }
if (!nsnst_valid_ip($nsnst_const['remote_addr'])) {$nsnst_const['remote_addr'] = "none"; }

And then

Code:

if (!nsnst_valid_ip($remoteip)) {
die('Access Denied');
}

With:

Code:

if (!nsnst_valid_ip($remoteip) && $remoteip != 'none') {
die('Access Denied');
}

montego · Posted: Tue Feb 20, 2007 10:15 pm

Really nice of these guys to have posted the exploit without first giving the author(s) of the tool a chance to prepare a fix. Unbelievable!!

montego · Posted: Tue Feb 20, 2007 10:37 pm

For the second one, in the meantime, I have placed the following in my includes directory:

Code:

<Files nsbypass.php>
<Limit GET POST PUT>
   require valid-user
</Limit>
   AuthName "Restricted for direct access"
   AuthType Basic
   AuthUserFile <<chg to full path to your .staccess file>>
</Files>

Figured this might help initially... I had done something similar awhile back for modules/Forums/admin when we were having all those direct attacks against it.

evaders99 · Posted: Wed Feb 21, 2007 12:58 am

montego wrote:

Really nice of these guys to have posted the exploit without first giving the author(s) of the tool a chance to prepare a fix. Unbelievable!!

Always happens. You really have to wonder if they actually believe they are helping people. It will just be another exploit for script kiddies to use before everyone can upgrade their sites. Its sad that it will just lead to more exploited systems and not better security.

I really hate when it says "for educational purposes only" .. when it is obviously not designed to teach anyone, rather to be used in malicious attacks on innocent sites.

stefvar · New Member Joined: Oct 30, 2005 Posts: 18

Hello,

If my message could cause a gene, I am really sorry. It was absolutely not its goal. These problems having been diffused as a preliminary on several sites, I thought on the contrary that that will be able to help.
In the future, I will make in kind not announce this kind of information more.

Cordially

kguske · Site Admin Joined: Jun 04, 2004 Posts: 6044

They are referring to the people who published the exploit, Stefvar. We definitely appreciate you letting us know!

stefvar · New Member Joined: Oct 30, 2005 Posts: 18

Hello,

Thank you Kguske for the precision. I had not interpreted it thus. I have still enormous progress to make for the good comprehension of the English language Wink

.

technocrat · Posted: Wed Feb 21, 2007 8:28 am

What's odd is this one came out of no where. I did not see it on any of the normal channels before it's release. Usually people are talking about it before hand.

FireATST · Posted: Wed Feb 21, 2007 3:23 pm

ty for posting the fix for it technocrat.... Cheers

hls-bill · New Member Joined: Feb 14, 2007 Posts: 2

Seems the acid-root site went poof -- I will depoly the posted fixes this evening.. seems like PhP 5 took a hit today as well. Thanks for the replies on this. One thing that I would like to mention is. What is going on here with NukeSentiel if it was not deployed widely and affected so many --- no one would care if it was exploited. Please keep up the great work on this much needed tool to protect our sites.

Kind Regards,

Bill

montego · Posted: Wed Feb 21, 2007 6:00 pm

stefvar, yes, what Kguske said is what I was referring to. Please do not hesitate to let any of us know. Like technocrat said, this "came out of no where".

technocrat, were you actually successful in testing this exploit (actually "these")? I had issues last night with it, but will not mention any details here. Just curious if you had. Thanks.

Gremmie · Posted: Wed Feb 21, 2007 6:04 pm

Could someone post complete fixes? I can't tell if Technocrat had changed his mind about his first set of fixes.

evaders99 · Posted: Wed Feb 21, 2007 7:11 pm

Yep stefvar, we were commenting on the group that released the exploit and how to use it. We definitely want people to come here and tell us if they notice such things!

FireATST · Posted: Wed Feb 21, 2007 7:31 pm

Montego, would you then be advising me to remove his fixes for now. I know you don't want to say what you had problems with, but is it worth me setting it back to the way it was? Guess I just assumed ( I know, I know.... Smile

) that is was good to go.

montego · Posted: Thu Feb 22, 2007 5:33 am

Quote:

Montego, would you then be advising me to remove his fixes for now

No! Until this is confirmed by the developers and a fix is provided (if needed), there is no reason not to apply these temporary "patches".

Gremmie, Either set of "fixes" should be fine in the interim. Technocrat, in his second post, was just suggesting something a little better and possibly closer to a final fix.

technocrat · Posted: Thu Feb 22, 2007 7:50 am

Montego - Yes I did and it stopped it as far as I could tell. If you PM me or email me technocrat498 yahoo com I will look at what you found.

Gremmie · Posted: Fri Feb 23, 2007 5:38 pm

I have implemented these two fixes, and now two of my AOL users are seeing 'Access Denied'. Any ideas?

technocrat · Posted: Fri Feb 23, 2007 5:47 pm

Look through your Tracked IP for those users and see what their IPs are. I wonder if AOL is sending a blank IP.

Gremmie · Posted: Sat Feb 24, 2007 10:53 am

I didn't have IP tracking turned on, but I turned it on last night. I don't see anything out of the ordinary in the tracked IP listings.

Gremmie · Posted: Sun Feb 25, 2007 9:59 pm

Crap now I have a non-AOL user complaining about Access Denied. Is there another way to fix this? What is the first exploit doing? Thanks.

technocrat · Posted: Mon Feb 26, 2007 10:09 am

Try changing:

Code:

if (!nsnst_valid_ip($remoteip) && $remoteip != 'none') {

To:

Code:

if (!nsnst_valid_ip($remoteip) && $remoteip != 'none' && !empty($remoteip)) {