Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Mon Dec 12, 2005 8:44 am Reply with quote

Hi Everyone

In the past 24-hours I have been inundated with PM's regarding people being hacked. One has been running Nuke-Evolution, but most regular Nuke, or mainly Platinum

Some of those hacked have explained that they have had NukeSentinel installed, albeit older versions, some the latest version.

Below, I will attempt to explain what has been going on and what you can do to protect yourselves.

First, the biggest thing you can do to protect yourself is to eliminate PHP-Nuke Platinum from your domain if you run it.

I hate to say it but as no official support exists for Nuke Platinum and it is not being "actively" patched, you should seriously consider moving away from it and onto a new, better solution where there is at least a community of supporters.

Sorry but TechGFX abandoned us (I say us, because yeah, I too run Platinum... albeit my own custom patched version which will be gone next month) and thus we must do what needs to be done, and use a version of Nuke that is at least being actively updated.

The biggest problem relative to Platinum are the mods that it employs. Over the past year, literally hundreds of updates have been made to these mods to fix various problems and known vulnerabilities and very few of those have actually made it into any of the distributed code.

This isn't the fault of the Platinum Mods community or anyone else, but rather they have done their best to fix core and known mod issues. Again, the problem is that having so many mixed mods creates vulnerabilities that are not protected by the core updates. The fact remains that when you update your version of BBtoNuke, All of the updates must be done in the right order, or you are exposed. Having so many mods definitely makes this more problematic.

Next, one of the biggest gaping holes in the forums module (and all versions of phpBB) is the ability to enable remote avatars. This is a known exploit and it is actively abused by hackers. No, NukeSentinel cannot protect you against this known vulnerability!!

To prevent being attacked by this exploit, go to your forums administration screen and select the "Configuration" option under the section "General Admin". Scroll down to "Enable remote avatars" and select "disable".

This one exploit can cause your site to be taken apart at the seams and can also allow the hacker to obtain access to other areas including your administration sections depending on your configuration. If you use the same passwords for (for example) your hosting access, you have potentially exposed even your database to the hackers or at minimum your config.php which gives them everything they need to know to further compromise your domain!

One major way to protect yourself is to NEVER use the same passwords on multiple sites and to NEVER use the same password for your Nuke Administration screen as you use for NukeSentinel and/or your hosting space and whatever you do, never use the same passwords on ANY domain out there. Your Nuke database should also use a unique ID/password.

WHY? In a recent post, I read how a script kiddie got access to a domain through the above exploit (a nuke domain) the webmaster was using the same ID/Passwords for everything. The script kiddie then got the entire database with guess what... EVERYONE'S ID and Password. The script kiddie then proceeded to visit the websites of all of the users and attempted to login as admin which he did successfully at about 20% of the domains using the stolen passwords. Using the same passwords ANYWHERE is a bad idea and webmaster should take steps now to protect themselves from this!. I won't mention any names, but the idiot webmaster was attacked because he basically dared the wrong group of people to do so, which leads to my next point.

NEVER EVER EVER bother script kiddie groups or dare them to hack your domain! Don't "challenge" them unless you are asking politely that they test a "test domain" for vulnerabilities. I've found that offering a reward for finding holes is a good method to test your software. In the past, I have paid $100.00 for every documented weakness.

Alternatively, attacking a group of script kiddies (and yeah, you know who they are so we won't mention any of their names that might show up in Google and thus draw them here) and calling them names is just going to make your life a living hell.

There is never a good reason to do things like this, even if you have been hacked in the past. You got hacked, it happens, move on. Going to their websites and calling them names for defacing your site isn't going to make them go away, trust me. It will have the opposite affect.

What else can you do?
It is very important that you run the latest Nuke Patched files from NukeResources.com and that you perform the phpBB updates to get your site's forums to the latest build. No, you can't just load the files, you need to run the updates in chronological order as well (they are not all inclusive!).

Finally, there have been reports of issues with NukeSentinel relative to some of the methods of protection not including lower-case letters as part of the Union attacks. Specifically, there are apparently two demonstrated examples of Union attacks where %2a (versus %2A) were part of the string representing an asterisk as in %2a%2Funion......

I want to point out that there are no such thing as hexadecimal conversions of lower case letters. They simply don't exist in the hex conversion table, thus there should be no way to properly format an attack that is based on lower case letters.

You can test this theory yourself by attempting any known union attack against your build. I believe that what you will find is that the string will go through (because Nuke still isn't fixed to prevent XSS / Injection in fields); however, because the string is not properly formatted (as %2a = nothing but %2a versus %2A equaling an asterisk) it is not actually formatted properly to trigger the union exploit and thus there is no valid command going on that would put your domain at risk. No, NukeSentinel won't block it, but no, it shouldn't have to because %2a/union/%2a doesn't mean (or do) anything.

In the meantime, we should probably be looking at the forums module to find new problems. I suspect this is where the real issue is (as is the case with the above exploit).

Steph

_________________
Steph Benoit Only registered users can see links on this board! Get registered or login!
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly) 
View user's profile Send private message Visit poster's website
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

PostPosted: Mon Dec 12, 2005 9:28 am Reply with quote

It's with much respect that I completely disagree with you. I have tested the exploites personally over the past 2 days and you are wrong the lowercase is the problem and it does work. I can prove it to you if you want.

I can remove the sentinel fix on platinummods and you can try it yourself, it will work, I promise. You guys can continue to ignore it if you wish, but I think the large amounts of defacements that have occured are showing that its more than stolen u&p and phpbb exploites. They are doing to many sites to fast. PLEASE stop pretending that there isnt a problem with Sentinel, I beg of you. Sad

The Sentinel baindaid: Only registered users can see links on this board! Get registered or login!
We are working on a more perm solution to it.

I should note that 64bit as usually has many good points that should be followed.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! / Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message
64bitguy
PostPosted: Mon Dec 12, 2005 9:35 am Reply with quote

Hi Techno

I tested the search exploit documented at zone-h and frankly, I couldn't get it to work. It simply did not inject the code. Can you PM me with a string that will actually perform the injection?

Thanks
Steph
 
technocrat
PostPosted: Mon Dec 12, 2005 10:06 am Reply with quote

Sure, I will send it to you right now.
 
64bitguy
PostPosted: Mon Dec 12, 2005 10:45 am Reply with quote

Thanks

So much for HEX not converting lower case. It is indeed a vulnerability and I (as others are now explaining) believe that the solution is to replace all of the stristr functions with preg_match functions. This will require a substantial amount of work, but I don't see any other real way around the problem.

I should also point out that people using older (before 2.4.x) versions will not be able to use the supplied fixes of adding the two additional stristr commands on the end (even using the old methodology of $querystring and $querystringBase64)... it won't work, I've already tried it.

I'll PM Raven about this now and see what he thinks.

Steph
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Mon Dec 12, 2005 11:20 am Reply with quote

technocrat, I was contacted about this yesterday and tried repeatedly to get it to work and was unable to, on a couple of sites that were patched and had NS on it. This was not Platinum as we don't support Platinum. Would you please PM me the exploit that you say works on regular nuke sites?
 
View user's profile Send private message
technocrat
PostPosted: Mon Dec 12, 2005 11:29 am Reply with quote

Yeah I will send you the basics of it, it does work on standard nuke, with some exceptions. If you look at the defaced sites you will see plenty of standard nuke sites.
 
64bitguy
PostPosted: Mon Dec 12, 2005 11:36 am Reply with quote

Yeah, it is definately a Sentinel hole. I've tested it successfully on every version of Nuke from 7.0 through 7.8 including Platinum 7.6 as well.

It shouldn't matter whether or not it is platinum as the standard Nuke files are the same.

Steph
 
technocrat
PostPosted: Mon Dec 12, 2005 11:39 am Reply with quote

Right now the quick solution would be to catch '/union/' on both sets of strings.
 
Raven
PostPosted: Mon Dec 12, 2005 11:41 am Reply with quote

Sentinel is not looking for that hex as much as it looks for what is inbetween the hex. I still can't get it to work.
 
Raven
PostPosted: Mon Dec 12, 2005 11:46 am Reply with quote

Please email me the exact exploit that you say works. I cannot get it to work on a patched site with ns 2.4.2. I'm not saying it doesn't, but before we start advertising that there's a NS hole and cause a mass panic, I need to be sure.
 
technocrat
PostPosted: Mon Dec 12, 2005 11:47 am Reply with quote

Look I am not trying to be a pain but both Steph and I have gotten this to work. The list of sites they have got to is growing and with the expliot in the wild its going to get 10x worse. Something needs to happen. Sad
 
technocrat
PostPosted: Mon Dec 12, 2005 11:52 am Reply with quote

OH GREAT!! 2 script kiddie sites have picked up on it. Bang Head

Look if you want I will do what I did to show steph and take the fix off my site and show you that it works.
 
Raven
PostPosted: Mon Dec 12, 2005 11:56 am Reply with quote

Then SEND me the exploit.
 
Raven
PostPosted: Mon Dec 12, 2005 12:11 pm Reply with quote

I got it and tried it and it distorts the screen somewhat but it doesn't exploit anything on a patched site with NS. BTW, the solution is not for NS or any other addon. The solution is to firm up the code. We need to stop using NS as a crutch and fix the underlying code.
 
technocrat
PostPosted: Mon Dec 12, 2005 12:17 pm Reply with quote

I agree 100% but Sentinel should still be catching those, as we know that not everyone is going to be patching. Plus not fixing this leaves the door open to continue to attacking sites. This is a pretty large hole.
 
Raven
PostPosted: Mon Dec 12, 2005 12:32 pm Reply with quote

I could not disagree with you more. You are expecting NS to do the work of the coder. It is a simple matter to clean up the code but do you thing FB will do it? Of course not. Why? because he can't. He is not a coder. He is a thief at best. He waits for others to do his work and then claims it.

Regardless, you can't use NukeSentinel(tm) if you aren't patched so you are running in circles with your logic. Yes, you can hack NukeSentinel(tm) to work but then you aren't using it as designed. As I said, there is not exploit if you are patched and/or NukeSentinel(tm) is applied. This is not, per se, a NukeSentinel(tm) issue. I still can't get it to exploit anything. Try it on my site. If it works then you've proven your point. if not, send me an email and I will unban you, if need be. If people won't patch, they won't bother to install protection either.
 
technocrat
PostPosted: Mon Dec 12, 2005 12:59 pm Reply with quote

Raven wrote:
I could not disagree with you more. You are expecting NS to do the work of the coder. It is a simple matter to clean up the code but do you thing FB will do it? Of course not. Why? because he can't. He is not a coder. He is a thief at best. He waits for others to do his work and then claims it.

I agree, and its a shame. But we know that this is something that is not go away, but probably get worse. Sad

Raven wrote:
Regardless, you can't use NukeSentinel(tm) if you aren't patched so you are running in circles with your logic. Yes, you can hack NukeSentinel(tm) to work but then you aren't using it as designed. As I said, there is not exploit if you are patched and/or NukeSentinel(tm) is applied. This is not, per se, a NukeSentinel(tm) issue. I still can't get it to exploit anything. Try it on my site. If it works then you've proven your point. if not, send me an email and I will unban you, if need be. If people won't patch, they won't bother to install protection either.

Ok look lets assume that they find a new UNION (which I think they might have, but I am still trying to figure that one out) which isnt fixed with patched (yet). So now that gets in the wild and since Sentinel doesn't have the hole plugged and patched doesnt either, well your in a world of hurt.

So why not plug this huge whole in your system? Because I can tell you right now the script kiddies are ploting:
Quote:
Sentinel doesn't block %2a UNIONs what a bunch of l33t l8mrs


Look its your site, and the NSN teams project. You can do what ever you want. I have proven the hole is there. I have given you a fix for it. If you do not want to do anything about then I really can't do anything else. So I guess I just give up.
 
Raven
PostPosted: Mon Dec 12, 2005 1:10 pm Reply with quote

You misunderstand. I just loaded up a virgin nuke 76, a virgin nuke site with pl3.1 and NO NS, and my RavenNuke76 package. I tested that exploit against all 3 and none of them were exploited. So, what exploit is there to patch? What version of phpnuke are you testing?
 
technocrat
PostPosted: Mon Dec 12, 2005 1:21 pm Reply with quote

I do not have an exploit that will work on 3.1 atm. I am trying to figure out if the ones that I have are old or a new and if it will work against 3.1. But its hard to tell with all the information I am getting bombed with (40 PMs and counting). I have people telling me different things some of which make no sense, like the Zend-Cart is the hack they used when this person doesnt even have it Rolling Eyes

Plus many of them are PNP issues, which I am sure you do not want to hear about.

But still Sentinel should fire off with the UNION blocker on and it is not. For me that is all there is to this right now.
 
Raven
PostPosted: Mon Dec 12, 2005 1:35 pm Reply with quote

But I can't reproduce the exploit. That's the problem. I can't prove that NukeSentinel(tm) is NOT working because it's not getting the UNION code. You have to tell me what environment you are using so I can replicate it. I wish you would understand that. It's not that I don't want to fix something. I've yet to see where anything is broken.

The bottom line is that base nuke7.6 is not exploitable. So, that takes pl3.1 and NukeSentienl(tm) out of the picture. I am using 6.9 and it is not exploitable. So, those sites that are getting cracked are getting cracked because they are either not patched current or not using current NukeSentinel(tm). NukeSentinel(tm) was and is designed to work in addition to the core code and patch code. Nothing more .. Nothing less. Show me how to replicate the code and if a fix is needed I will issue one.


Last edited by Raven on Mon Dec 12, 2005 1:38 pm; edited 1 time in total 
Raven
PostPosted: Mon Dec 12, 2005 1:38 pm Reply with quote

BTW, that is not a new exploit. It is an old one that was patched even before 3.1
 
64bitguy
PostPosted: Mon Dec 12, 2005 2:01 pm Reply with quote

It looks like this thing is a pre-3.1 issue.

In the test environment, I could get past every version of virgin nuke with Sentinel with no problems. I then tried 2.9 and 3.0 and I could get past both of those too. I can't however get past 3.1 on 7.6 or 7.8. I can only assume there is a change in there.

What does concern me however is that in the baseline installation instructions for NukeSentinel, we have users removing UNION protection from the mainfile in favor of using NukeSentinel's Union protection. It is with that in mind that I personally classify this as a NukeSentinel hole. I think we should have NukeSentinel looking at ANY possible exploit of this nature. If it is possible to inject the query, we've missed something IMHO.

I'm not saying that the problem isn't a baseline Nuke problem, of course it is! This goes back to the fact that every version of PHP-Nuke that introduces so called "features" actually introduces more bugs and security holes instead of fixes. I think by now we all know that there is no such thing as a stable baseline version of PHP-Nuke. It simply doesn't exist and the terminology in fact is an oxymoron. Baseline Nuke itself exists as the perfect example of a CMS that totally lacks stability (is full of bugs) and has so many security holes it can be hacked by the dumbest script kiddie on the planet in less than 5 minutes.

Anyone that would blame this on FB would be 100% correct. On the other hand, I think (as being the poor saps that have to maintain this steaming pile of dung) that we should apply whatever is needed in terms of "patching" NukeSentinel to IDENTIFY and protect against any such hack attempt. Again, this is what we are employing it for, so in my mind, whenever someone tries a Union attack (regardless of the format) they should be identified and banned immediately. The fact that we can "slip past" NukeSentinel bothers me and that is my only point.

Do we need to further fix this crap so injections can't be made? Yes. Is that something we can accomplish in an hour or less... um.. no. However, I think the NukeSentinel change is something that we can quickly address and after that, we can start looking at the rest of the queries that exist and start thinking about eliminating the XSS exposure where possible (again, hopefully with some input filtering as well as by properly defining fields and functions).

That's just what I'm thinking... Please by no means consider this an attack against anything (especially NukeSentinel) nor anyone or group, other than Baseline Nuke code and Mr. Fransisco Burzi, the worst code thief and most untalented so-called coder on Earth.

If this crap were right in the first place, none of this would be an issue, but that's unfortunately not the real World.

'Nuff Said on my part.
Steph


Last edited by 64bitguy on Mon Dec 12, 2005 2:08 pm; edited 1 time in total 
technocrat
PostPosted: Mon Dec 12, 2005 2:07 pm Reply with quote

I showed you where it was broken on my own site. It has Sentinel 2.4.2 with the UNION blocker on, and I sent you the link did you not see it work?

Steph did. He is even saying that it works.

I am sorry that I cannot give you step by step directions to get it to be reproducable right now.

But again Sentinel should still be going off on this. Thats really at the core of this whole thing for me. Sentinel says it blocks UNION attacks, but right now that isnt a true statement.
 
Raven
PostPosted: Mon Dec 12, 2005 2:11 pm Reply with quote

technocrat, Is your site pl3.1? If not, then upgrade.

Steph, I know you're not attacking Smile. The reason those instructions are in there is that we replicate them in NukeSentinel(tm). By leaving both in you can nullify other NS protection.


Last edited by Raven on Tue Dec 13, 2005 10:45 pm; edited 1 time in total 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©