Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

High risk vulnerability (Critical severity) #3

Closed
LeoNeeson opened this issue Jun 8, 2024 · 11 comments
Closed

High risk vulnerability (Critical severity) #3

LeoNeeson opened this issue Jun 8, 2024 · 11 comments

Comments

@LeoNeeson
Copy link

Hi!, this is only a reminder. Since you maintain a fork of HFS, and in case you didn't know, a severe vulnerability (that demands immediate attention) has been recently discovered, known to affect HFS v2.4.0 RC7 and v2.3m. It's CVE-2024-23692, and you will find more information, on the following links:

Even if Rejetto made his versions 2.3.x and 2.4.x as 'obsolete' (or 'no longer supported'), there are too many HFS-based servers still running (including yours), that will never know about this issue, until it's too late (when they've already been hacked). I'm sure Rejetto and his community, will appreciate if you submit a patch for his build too... :)

Cheers,
Leo.-

@rejetto
Copy link

rejetto commented Jun 12, 2024

in my tests, 2.4rc7 doesn't seem to be affected in its default configuration, that is with default template, as its template doesn't use the "get|url" command.

correction: the POC in the latest link is not affecting rc7, but the one on "attackerkb.com" is

@drapid
Copy link
Owner

drapid commented Jun 12, 2024

I think the problem is in this line https://github.com/rejetto/hfs2/blob/140528bac87e4ae37d444b218b5ef6ff793edc80/scriptLib.pas#L121
So that not all symbols "%" replaced.
I think change to "ReplaceStr(s, '%','%')" should work better.

drapid added a commit that referenced this issue Jun 12, 2024
Fix for #3
@rejetto
Copy link

rejetto commented Jun 13, 2024

image

these are the steps that lead to the execution

@LeoNeeson
Copy link
Author

I'm doing some Public Relations (PR) here, to alert others about this vulnerability (discovered by @mohemiv). Please forgive me if this notice bothers or upsets someone (in this case, remember that “it's better be safe than sorry”). This message is to notify all those who have a copy or fork of HFS2: https://github.com/rejetto/hfs2

(List of users who have a fork of HFS2) [Part 1] @10ae; @1aq; @1INSIDIOUS; @24minFan; @506124204; @674778709; @93Codes; @a1198457636; @aifans; @ajunlonglive; @Alligator-1; @Amoystyle; @arvindown; @atkins126; @AtotallyRandomGuy; @AureliusPatiens; @Azimiao; @barlowhaydnb; @bb33bb; @blkdevcon; @blog2i2j; @Brainhub24; @bryanchance; @cbcs; @ccwy; @cedececa; @ChasingD; @classic130; @CrazyForks; @crazyNing; @cyrex562; @diegoverdan; @divinity76; @do8pgg; @dsvabek; @ducbang; @FallPeanut; @ffrbl; @flyarong; @GaryLao; @GitCnSH-DSLIN; @gmh5225; @goofwear; @h824612113; @ha271923; @hafewa; @harishgavel;

@LeoNeeson
Copy link
Author

» Regardless development has moved onto HFS3, and even if HFS2 probably won't be updated by @rejetto, any collaboration will be useful to others who also have a fork of HFS2 (and compile the binaries on their own). Those who want to collaborate, can leave a comment on this issue, or even better, send a 'Pull request' on the original project: https://github.com/rejetto/hfs2/pulls

(List of users who have a fork of HFS2) [Part 2] @hi-noikiy; @HowardWhile; @IcyG1045; @icyhoty2k; @iloeng; @iMeta1; @ios1024; @jacelift; @jacobin; @jeethualex; @jn7163; @josedachao; @JosiahMg; @juankprz; @junqinhu; @khongten001; @l-g-t; @lakecenter; @lanxianhui; @laojiajun; @LeChatNoir666; @lianghuiyuan; @lion8418; @lllrrr2; @LordGarfio; @lzxkulou; @mangoriver; @mapoupier; @mcubeta; @minol; @mnplay; @mybbsky2012; @ncnnnnn; @netusb; @neverso; @oabi; @ojbkxc; @Ok-every-day; @oycl; @peaceanddemocracy; @pigbaby6309; @prafulbusa; @PravinShahi0007; @progray; @Loop80; @protonuniverse;

@mybbsky2012
Copy link

mybbsky2012 commented Jun 14, 2024 via email

@LeoNeeson
Copy link
Author

Being listed here, doesn't mean you have any commitment or obligation to collaborate with this issue. If you don't want to collaborate, please disregard this notice. This is only an informational message!

(List of users who have a fork of HFS2) [Part 3] @RahimBangla; @redcocoa; @redlinejoes; @redtrillix; @rellai; @rsiralla; @sdlkdsdda; @shayanw; @shead0n; @simhaonline; @simrit1; @siwa2-w; @snakegj; @SWDRam; @swoky; @TengShow; @teze; @VantIer; @venhow; @vivienskm; @waldonhendricks; @wesinator; @weweaaa; @wuenci666; @xGreat; @xiaoshzx; @xsgx; @xxfwajj84; @XZVB12; @yangjinhe; @yogtop; @z-cub; @mr-highball; @Zhengzhouhao; @zmf963; @zxysm; @ZZKK000

» Code submission guidelines (Code contribution suggestions):
Although HFS v2.4.0 RC7 was compiled using modern (Unicode compatible) Delphi versions, since this vulnerability also applies to HFS v2.3m, which was originally compiled using “Turbo Delphi 2006” (similar to ‘Delphi 2007‘), please keep changes compatible with older Delphi versions. Please keep changes small and focused (meaning: no code clean-ups, no new features). This applies to everyone, except for @rejetto (the original developer), and @drapid (the owner of this repository), those who may do whatever they want/wish.


By the way, this vulnerability was published yesterday in the legendary ‘Packet Storm Security’ website: https://packetstormsecurity.com/files/179083/Rejetto-HTTP-File-Server-HFS-Unauthenticated-Remote-Code-Execution.html
 

@rejetto
Copy link

rejetto commented Jul 6, 2024

I think change to "ReplaceStr(s, '%','%')" should work better.

won't this change badly affect style attributes using % ?

@mybbsky2012
Copy link

mybbsky2012 commented Jul 6, 2024 via email

@LeoNeeson
Copy link
Author

I've thoroughly analyzed the source code, and after doing several tests, I've come up with a simple solution. I'm sure this may not be the most elegant way to do it (and it's far from being perfect), but at the moment is the most direct way to stop this (and probably future macro vulnerabilities).

The following is a portion of 'main.pas' from 'hfs2.3m.src.zip'
Add the second line, after line 5100, always in file 'main.pas'
(After line 5445 in v2.4 RC07, but that hasn't been tested)

  url:=conn.request.url; // The next line is a fix for CVE-2024-23692
  if anyMacroMarkerIn(url) then url:=encodeURL(xtpl(url,['%','#']));
  extractParams();
  url:=decodeURL(url);

I take this opportunity to tell you that "perhaps" (as my spare time permits, at some undetermined time in the future, whether it be in several days/weeks/months/years), my idea is to publish this fix (or a better enhanced fix), in a "Community Edition" of HFS (maintaining it and applying only minimal changes, especially those related to security issues).

Anything I publish will be signed with my ‘PGP Public Key’, and it will probably be available here on GitHub, also on Rejetto's forum, but mainly at the following address (not yet available): http://netizen.zoho.to/

If anyone has any better ideas about this, you can open a new issue here or leave a comment in the forum, or simply submit a pull request. Since there has been no collaboration or activity in this issue for almost 3 months, and since I have just shared, in my opinion, an effective solution (in addition to the one previously published by DRapid), I've decided to close and consider this issue resolved, at least for now.-

» Here is my ‘PGP Public Key’ (Key ID: 07CFD45A104B6793) -----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFtrCyoBEADUN9pYEPnSJdAnw8Q2LOlSlwgrdYgyXGf6Mt2Cmhgy1lBTRG+C
7pzaNr4VrOA4WW6JUVT2QVrb7nT1FH7Xmg5WLv9VSX+cFDXD06tfoNMqY2X7Q41b
WS1zHxcGAv86G4yrtW7FZp0Dcm99lp1WBArUUZjfX4HPgqhEKiwzc+IyJbfCgxk/
mzw+FnEsntdN/IDaMU/okudqT1+6JZ4iO+iHr1KMb9LFtceoONZAplm6yKzaI1Ge
dHs8e4JgrKlDKbXwcXfLMr++hjM1QDOwI8SvxzRxUi/XdcQwloFdcCPfHNYr74bR
gRu4rVb2jkGC6C5z3aOvmECW6xiQfwXwpLnrKkHRnOUWNqvob7rAIjBU6JW/OOvN
cGVwWIBxk3XKRgI/PDw3yDNdXU+k1ezD0xndjNyMepgQD7LFDpDXAdKihQxUzvn6
Vxu8/eHz5I7v/6g5N5hAmpg2YnA9r3d9GL8BteVotTB9UG8DQFj+LCqVWRJrD32D
NmcXi3X0dU0xqDPLSipjXuakhd1l6ngklOggmUtElQm7cXj8AKvVRkIwCD6Sn64l
NXTxpwRg49qtkuIsiIAVL9OFOZzoenZUflxHH3R2cOh9HH5+o0QDMrWuy2JAhAWe
LGi9oA+F+CqI2nbMAPRXeL06eh2BjPVjCxoQlV9CmVfzDkI9aWa9E6EWgQARAQAB
tDJMZW9uYXJkbyBOaWVsc2VuIChMZW9OZWVzb24pIDxMZW9OZWVzb25AZ21haWwu
Y29tPokCOAQTAQIAIgUCW2sLKgIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA
CgkQB8/UWhBLZ5P5cQ//fk+2DULetLkbldFAL3J3R4jsZtgCQFbf3vAGqF32/m9M
Ig+OejoAY1yCwsrX0Qwr97MBeWY/zcLbQgb70kp0Qusz46V5PyVElxPFyDihAKhz
0vJeoJ/T0/0eh0VhjrGx8ozZLp9NOd0NyZDZ0aBaHjTcvvz3JtZ6D/91rPuNCrJu
mxT/G+eReOC8ZPQgVFX3SPNADsEEdfUVNQFdDBeLh5HYm2Sp269XIEXVy2xdnf0P
7KbLUvOrW6ozAv3Dek8SbSK/UKmGSnB3kdGCpVKIa/gaSMTUiCzmXCA1ZPsoLBPn
69YEvXcVlMxcBaEj8HZdrvfDHF0SnAtt991GqFJb9ulw2jDOjTfF0fprTaoO3ssb
fZPeqGSX8BdS8EY48Bq9/paw/0Wh1tFHKreFI8rqC4AWmyGbh0yqzlbVFbhtM3Ik
oPFLFJhRhsiDDP3PJRuoMzc0Dkj0amW0f4IPHWiTYXJ1FqAzPqmAIU91tQCp5xjv
UE0OxZECNWBJlXtzoa9IeoBrsEQ1SOoEl/RZDWLfvBfp1NubMvRzfRt2IJoPXMeZ
H2m3O3JzYAkR91uSdhbSD2awJk6aK+1iRCKGNn8Hd6hwS40tVu2GrRrWuYKLe5PK
UI71f2d4u9r1hI7LLIp8vKMgxysBC5wuEtzXJ1dgU7fArhtJ3z45fNn3s2Yvc7K5
Ag0EW2sLKgEQALerRhI9VlI4VlM6oukStNcnvszgUROPaZLl9oSJMhQ6EoXP1Ty2
KrASsPnjwMdiOl/XEf4mBQBI4Fn0OcSnztjBiRMMkw9PXtAa70YvdVfj4Nqdy3md
GxlUGTFvpZiJT4qDdlRPwoaUb8R30ICphNqHg4/ZD2JnOLj6+tx+ZzidHsicpUJT
x7sBtctf1umV6ao8uc9AOYez4vdUH1WxYAgV3lgw5EvX+wwLYdGMjBi2N8Zd8YBq
KEukK0xZFph+IZBmxqFNZssSNesLL2SirimXjteIHJnhkkV93v/49D+m+YuXD004
/nASTysiea2zYiz9llCQtK4g7IHU82JVCG8Ilo5KMqSfknvfLlTU/cwrJu9IDPyR
XKLwbHbeJDUYazgyugBJmfuWy/qhro3JoodRnpyoa7C8mrrYAFAh76Ah0XWSLcsq
wiNcz7TGxmdZKSFtv4fyy6qYkkYH96vqYlZdq+9dJ7rSxMGyW+oS5l1UmYzPfYO0
RaTEECrcXlPUzHUm+ydDinI09IUIUDjBMxuKIS28OIiR5pq+AOa03kAvBnkwIEnT
buz5EWyPgZ+Na6O7VXYbeFAoia+UBKYddnxqlX4PmHUY4Aq6YH6KNZly+4ba+Z7p
tV7FJk5ysKhxKMQNNxRPafIGGyUuT/2PZFQ/TLKuSp7i6uB6Fz1negZJABEBAAGJ
Ah8EGAECAAkFAltrCyoCGwwACgkQB8/UWhBLZ5Mu+xAAqiuFCIbqpX+5kJf7wgAv
9Ie5TvBoi3C6mcB0q1pC9Y4DVtKFAMY7LV1PFVagNaQzZ9Wk4W6RQT/gxu1a6CRU
IOEIWJd7VCjOTJ5fEPGh7+p4SN4VKeOrkdb1yYmlHwiYuyVeertO3Yh7pZgmDqNm
+6ohslayRFPe6joUFvAp390KYzC1OYidwf5vkGLVUtcESmTB3Z0usni5t9ondqis
xdiZt9T6ZrZC+aCoMSRyq9VZ48g7dUYZJVXNffbO2xn4tcdoPOWqhdQLiANyPajZ
DLti4Tkbgwp8yOmLGB3BbdXBySqmB/duilpbsWfNAQBjaL51yNh+u0zjdce0Apym
NTVA8MMvm7eEpmzo0UdEV3t80atl+o0hK8N5uqVmTN8rWcw6vNBeaAcWHxDEcoBE
l8WUsGgAcg4CgShFjv77Vl4DP1doKV5d16nTVgM3tUsTXKZo2FSoJuPzOWJAs9lp
PBU42IJ+sAlgGYeEHIS94M+AIUILOYp8GiHSkLXPXutRsS8sjErd0S7YFiS5/S4t
zjzmkRbROD1Rbj/wtu3BkbajAfOmhXITu4C/qGnTTNO1u0f+F4uiXhwn8e5jsq1R
4IDd8WZtTwYqxPMGqx3u4dvAq1cIHDzJ5arzj1pdU3Ts4etN2CT6j1oyz9d0CF3q
DuFGg3OjjvH0O5K0iwMia6w=
=mQIC
-----END PGP PUBLIC KEY BLOCK-----

@mybbsky2012
Copy link

mybbsky2012 commented Oct 2, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants