SmartFoxServer PRO flaw

Need help with SmartFoxServer? You didn't find an answer in our documentation? Please, post your questions here!

Moderators: Lapo, Bax

uPlayEveLLC
Posts: 11
Joined: 06 Mar 2017, 19:28

Re: SmartFoxServer PRO flaw

Postby uPlayEveLLC » 16 Mar 2017, 17:18

Well, where could that be in the first place? SQL is never executed directly, and, only when some handlers are called. Those handlers have the _server.escapeQuotes in the query string.
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 16 Mar 2017, 18:13

Well, where could that be in the first place? SQL is never executed directly, and, only when some handlers are called.

If you remove them, no one can access your database. At least not from SmartFoxServer.
I can't speak for other ways as I don't know the details of your setup or the possible routes to reach your DB.
So something must be going on in that code...

Those handlers have the _server.escapeQuotes in the query string.

That might no be sufficient.
My suggestion still stands log the data being sent to the server an see exactly what kind of requests are being sent.
Lapo
--
gotoAndPlay()
...addicted to flash games
Zaseth

Re: SmartFoxServer PRO flaw

Postby Zaseth » 17 Mar 2017, 20:02

Lapo wrote:The only thing that connects your database to SmartFoxServer is your server-side code.
If you remove that, your DB cannot be attacked.

The first place I would investigate is the server code that interacts with the DB. For example do you handle scenarios such as SQL injection?
If not that's likely to be an attack vector.

cheers

We have been discussing to sniff for packets, which I will do later.
Yet, since this user can basically do anything, but it is very hard to record packets from the user that has a different timezone and keeps messing with the database. There will be some in-game events this weekend and i will record any packet with Winsock 2.0. This would include any user that sends a packet or responses from the server. When I have any confirmed packets containing the issued code, I will quote back on this thread. I did a little research and as I know, it could be XML injection. I am not sure and not charging him of using it. Could also be XPath, since he has access to Config.xml. Also, he was bombing the server: http://pastebin.com/raw/8tpPTknC (Packets)
He made himself admin and kicked all the mods. Send a couple of GlobalMsg:
{"b":{"r":-1,"o":{"msg":"Global Message~Guess whos back!","_cmd":"gameMsg"}},"t":"xt"}.
{"b":{"r":-1,"o":{"msg":"Global Message~Taking over this server again!","_cmd":"gameMsg"}},"t":"xt"}.
{"b":{"r":-1,"o":{"msg":"Global Message~Bye everyone!","_cmd":"gameMsg"}},"t":"xt"}.
The packet sizes of the bombing:
7974 bytes
8192 bytes
4096 bytes
1448 bytes
Since he has access to the Config.xml, he must be using XPath combined with some unknown CDATA queries and XML bombing.
Zaseth

Re: SmartFoxServer PRO flaw

Postby Zaseth » 17 Mar 2017, 21:09

Lapo wrote:
Well, where could that be in the first place? SQL is never executed directly, and, only when some handlers are called.

If you remove them, no one can access your database. At least not from SmartFoxServer.
I can't speak for other ways as I don't know the details of your setup or the possible routes to reach your DB.
So something must be going on in that code...

Those handlers have the _server.escapeQuotes in the query string.

That might no be sufficient.
My suggestion still stands log the data being sent to the server an see exactly what kind of requests are being sent.


User just banned everyone in the database. We again tried to record packets, but got nothing. He's using some remote exploit. Fix asp.
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 18 Mar 2017, 09:47

The packets you have captured don't contain any Xpath expression or XML exploit and don't even seem to target your database.
I would suspect that your server has been compromised in other ways while you keep focusing on SmartFoxServer.

We'll be happy to help if there's any concrete evidence that an attack has been performed via a bug or flaw in the server API, but we don't have anything to work on.

Send us your server's public address and a copy of your server code and we'll take a look.
You can zip and send it to our support@... email box with a reference to this thread.

Also you should turn on the debug logging so that all incoming requests are logged and you can investigate anomalous traffic.

Thanks
Lapo

--

gotoAndPlay()

...addicted to flash games
Zaseth

Re: SmartFoxServer PRO flaw

Postby Zaseth » 19 Mar 2017, 10:45

Lapo wrote:The packets you have captured don't contain any Xpath expression or XML exploit and don't even seem to target your database.
I would suspect that your server has been compromised in other ways while you keep focusing on SmartFoxServer.

We'll be happy to help if there's any concrete evidence that an attack has been performed via a bug or flaw in the server API, but we don't have anything to work on.

Send us your server's public address and a copy of your server code and we'll take a look.
You can zip and send it to our support@... email box with a reference to this thread.

Also you should turn on the debug logging so that all incoming requests are logged and you can investigate anomalous traffic.

Thanks


So we have been looking around and we think that the exploit could be in the core of SFS (jysfs.jar)
Still, we are not sure. All values that the ''hacker'' has been using is in the file.
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 20 Mar 2017, 08:25

Zaseth wrote:Still, we are not sure. All values that the ''hacker'' has been using is in the file.

Which file?
Lapo

--

gotoAndPlay()

...addicted to flash games
Zaseth

Re: SmartFoxServer PRO flaw

Postby Zaseth » 20 Mar 2017, 13:23

Lapo wrote:
Zaseth wrote:Still, we are not sure. All values that the ''hacker'' has been using is in the file.

Which file?


jysfs.jar
There are some XML handling and CDATA stuff in there. Pretty sure the flaw is somewhere in that file.
Any feedback / code look from you would be appreciated. Again, it's jysfs.jar for SmartFoxServer 1x.
Thanks.
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 20 Mar 2017, 13:39

Sorry but I have no idea what you're trying to say...
Did you actually follow our suggestion and log the requests so that you can isolate the suspect ones?

That is the only way to get a clue of what kind of issue(s) might be going on.

thanks
Lapo

--

gotoAndPlay()

...addicted to flash games
Zaseth

Re: SmartFoxServer PRO flaw

Postby Zaseth » 20 Mar 2017, 14:23

Lapo wrote:Sorry but I have no idea what you're trying to say...
Did you actually follow our suggestion and log the requests so that you can isolate the suspect ones?

That is the only way to get a clue of what kind of issue(s) might be going on.

thanks


As i already said, we can't log the packets. We already tried. We believe the exploit / flaw is in your created file: jysfs.jar.
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 20 Mar 2017, 14:45

I am afraid but if you can't provide any substantial information and actual data we'll have no way to even start investigating whatever problem you're reporting.

Thanks
Lapo

--

gotoAndPlay()

...addicted to flash games
Zaseth

Re: SmartFoxServer PRO flaw

Postby Zaseth » 20 Mar 2017, 18:34

Lapo wrote:I am afraid but if you can't provide any substantial information and actual data we'll have no way to even start investigating whatever problem you're reporting.

Thanks


We believe that verifyuser and Login are pretty vulnerable.
Edit: We finally talked to the user! He is sniffing incoming/outcoming packets on the SFS port. He is using something remotely to perform his actions. He bypassed the SFS admin login since he told us he never got the password for it. Any more information from your side?
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 20 Mar 2017, 19:56

We believe that verifyuser and Login are pretty vulnerable.

Vulnerable to what?
Do you have a proof of concept of an attack scheme?
A packet capture with suspicious requests?
Anything?

If so send it over via email to our support@... mail box (with a reference to this thread)

Edit: We finally talked to the user! He is sniffing incoming/outcoming packets on the SFS port.
He is using something remotely to perform his actions. He bypassed the SFS admin login since he told us he never got the password for it. Any more information from your side?

Sorry but none of this provides any clue.
These are still vague references that don't really point to any specific issue.
You said the attacker has got your config.xml and now you're saying he never got the password... which is contradictory, so which one is it?

thanks
Lapo

--

gotoAndPlay()

...addicted to flash games
Zaseth

Re: SmartFoxServer PRO flaw

Postby Zaseth » 21 Mar 2017, 12:06

Lapo wrote:
We believe that verifyuser and Login are pretty vulnerable.

Vulnerable to what?
Do you have a proof of concept of an attack scheme?
A packet capture with suspicious requests?
Anything?

If so send it over via email to our support@... mail box (with a reference to this thread)

Edit: We finally talked to the user! He is sniffing incoming/outcoming packets on the SFS port.
He is using something remotely to perform his actions. He bypassed the SFS admin login since he told us he never got the password for it. Any more information from your side?

Sorry but none of this provides any clue.
These are still vague references that don't really point to any specific issue.
You said the attacker has got your config.xml and now you're saying he never got the password... which is contradictory, so which one is it?

thanks


Well again, we couldn't record the user's packets since he sent them with a special tool to the port 9718. So we couldn't record the packets. He also said he stopped and wouldn't do it. He stated clearly that only he is able to do it. So he basically sent a packet to the SFS port. We can't record that and our HDD is too small to do a more finer log method.
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 21 Mar 2017, 14:33

Zaseth wrote:Well again, we couldn't record the user's packets since he sent them with a special tool to the port 9718. So we couldn't record the packets.

Why not? A packet capture utility such as Wireshark (which is free) can capture any network traffic.
Lapo

--

gotoAndPlay()

...addicted to flash games

Return to “SmartFoxServer 1.x Discussions and Help”

Who is online

Users browsing this forum: No registered users and 30 guests