SmartFoxServer PRO flaw


uPlayEveLLC
Posts: 11
Joined: 06 Mar 2017, 19:28

SmartFoxServer PRO flaw

Postby uPlayEveLLC » 14 Mar 2017, 16:05

Hello,

I've got an issue with my server. Recently, there have been some 'hackers', if I can call them so, who have been attempting to access my server and actually gained it. They managed to fetch the SmartFoxServer admin details (which are quite secure) and, from there, obtained SQL access. As I couldn't identify the issue, I restricted access to the admin area, yet they managed to modify database rows (I'm sure there is no database break-in as the logs don't show it; all external files are secure and I had them checked for SQL injection). When one of the moderators on my game was able to contact one of those people, they learned that the exploit is with CDATA. Though no more details were given from their side, and we haven't seen them for a couple of weeks now. I need some help with fixing this as anybody can come and make use of this exploit, apparently.
Zaseth

Re: SmartFoxServer PRO flaw

Postby Zaseth » 14 Mar 2017, 20:14

uPlayEveLLC is a friend of mine.
so xt packets are handled in extensions
And XML in core
This explains why he can manipulate everything with cdata
This is obviously a flaw in SmartFoxServer and not at our end.
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 15 Mar 2017, 09:20

Hi,
what version of SFS PRO are you using exactly?
The latest release is 1.6.19
http://www.smartfoxserver.com/download/sfsPro#p=updates

If you're using an older version you may be vulnerable to a series of attacks, so I highly recommend updating.

Better yet, consider migrating to SmartFoxServer 2X, since the PRO is quite an old product and doesn't provide all the security features, among which there is TLS encryption.

If you're interested in learning about the security features in 2X take a look at the whitepaper here for all the details:
http://docs2x.smartfoxserver.com/Overview/white-papers
(third item in the list)

Thanks
Lapo
--
gotoAndPlay()
...addicted to flash games
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 15 Mar 2017, 09:22

Zaseth wrote: uPlayEveLLC is a friend of mine.
so xt packets are handled in extensions
And XML in core
This explains why he can manipulate everything with cdata
This is obviously a flaw in SmartFoxServer and not at our end.

Sorry, but this doesn't explain very much.

If you're aware of a vulnerability that works with the latest release (1.6.19) and you have a working proof of concept, you can get in touch with us directly via email, sending all the details.

Thanks
Lapo

--

gotoAndPlay()

...addicted to flash games
uPlayEveLLC
Posts: 11
Joined: 06 Mar 2017, 19:28

Re: SmartFoxServer PRO flaw

Postby uPlayEveLLC » 15 Mar 2017, 14:34

Yeah, my server is using the latest SFS PRO version. In order to upgrade to 2X, I have to rewrite the whole game (for which, I don't have the time as developing it is more of a hobby than a job, I don't get paid for it and I do it in my free time), that's why I'm sticking with PRO. Anyhow, I'm not really sure either how this exploit works as the user is nowhere to be seen for now and there is no other way I can find out what happens.

I think I've got an idea how to fix it, but I need to do some CDATA character detection to determine whether, for example, the XML packet that's being received is a SQL query. Is there any function similar to handleRequest, or is there an option to have data containing those characters ignored in the XML file?

I'd also like to clarify that the user doesn't make use of the SWF client, they use software that can actually make up packets.
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 15 Mar 2017, 14:52

uPlayEveLLC wrote: Yeah, my server is using the latest SFS PRO version. In order to upgrade to 2X, I have to rewrite the whole game (for which, I don't have the time as developing it is more of a hobby than a job, I don't get paid for it and I do it in my free time), that's why I'm sticking with PRO.

Well, 2X offers more CCU in its free edition, 100 CCU (2X) vs 20 CCU (for the PRO)... unless of course you're using a non-legit version... in which case I won't be able to help you... :wink:

Anyways...

I think I've got an idea how to fix it, but I need to do some CDATA character detection to determine whether, for example, the XML packet that's being received is a SQL query.

This sounds like you're allowing clients to send SQL code to be executed on the server side. If this is the case, no wonder your server has been compromised. This is a really bad idea. Never ever execute any code (SQL or else) sent by a client. SQL code must reside on the server side, all the time.

I'd also like to clarify that the user doesn't make use of the SWF client, they use software that can actually make up packets.

Yep, that's expected.

Cheers
Lapo

--

gotoAndPlay()

...addicted to flash games
uPlayEveLLC
Posts: 11
Joined: 06 Mar 2017, 19:28

Re: SmartFoxServer PRO flaw

Postby uPlayEveLLC » 15 Mar 2017, 16:10

Hello!

No, it's not about the license or anything, I just don't have the time to add stuff to the game as I previously explained, since I had a few HDD losses and some of the original flash documents are gone and I had to reverse engineer them (which method failed and basically those files are no longer editable, so that's why I meant that I have to rewrite the whole game).

No, I don't execute anything directly sent from users. Actually, all packets are in JSON, except for login, which is XML. Neither of these directly executes data sent from the user, and stuff is being parsed carefully (and, respectively, checked if the string is a proper one). I suppose that the exploiter uses some internal SFS handler, though.
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 15 Mar 2017, 16:20

Why do you assume the vulnerability is in SFS PRO and not somewhere else in your server?
Do you have evidence that the attacker exploited SFS PRO to gain access to your machine?
Lapo

--

gotoAndPlay()

...addicted to flash games
uPlayEveLLC
Posts: 11
Joined: 06 Mar 2017, 19:28

Re: SmartFoxServer PRO flaw

Postby uPlayEveLLC » 15 Mar 2017, 16:25

Indeed, I'm pretty sure. There is nothing suspicious in the server logs (SSH login, etc, MySQL as well).
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 15 Mar 2017, 19:42

Ok, but what is the evidence that the attacker exploited SFS PRO?
Do you have specific ideas? Maybe log data? Or any other clue?

And why are you worried that a client might send SQL data? SFS doesn't parse or execute any SQL data. Actually it doesn't even talk to any database unless you specifically do it in your server side code...

thanks
Lapo

--

gotoAndPlay()

...addicted to flash games
Zaseth

Re: SmartFoxServer PRO flaw

Postby Zaseth » 15 Mar 2017, 20:51

Lapo wrote: Ok, but what is the evidence that the attacker exploited SFS PRO?
Do you have specific ideas? Maybe log data? Or any other clue?

And why are you worried that a client might send SQL data? SFS doesn't parse or execute any SQL data. Actually it doesn't even talk to any database unless you specifically do it in your server side code...

thanks

As uPlayEveLLC said, it's something with CDATA. I personally think it is CDATA combined with XML injections.
[Image: screenshot attached in the original post]
This is the user that has been doing this.
With "send", the user means sending the CDATA request with a packet editor. In this case, he is using WPE PRO (Winsock Packet Editor; development is discontinued and the website is closed).
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 16 Mar 2017, 09:25

The user told you he's attacking your database...
What does that mean?

Do you have server side code talking to a database? Isn't it possible that the user is exploiting a vulnerability in your code?
Lapo

--

gotoAndPlay()

...addicted to flash games
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 16 Mar 2017, 09:26

Suggestion: if you want to fully understand what is going on, my advice is to capture the traffic towards your server with a tool like Wireshark so that we can take a look and see what might be going on.
Lapo

--

gotoAndPlay()

...addicted to flash games
uPlayEveLLC
Posts: 11
Joined: 06 Mar 2017, 19:28

Re: SmartFoxServer PRO flaw

Postby uPlayEveLLC » 16 Mar 2017, 16:13

They cannot be attacking the database from elsewhere.
Thanks for the suggestion, I'll let the log files get bigger and log more info.
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFoxServer PRO flaw

Postby Lapo » 16 Mar 2017, 16:42

The only thing that connects your database to SmartFoxServer is your server-side code.
If you remove that, your DB cannot be attacked.

The first place I would investigate is the server code that interacts with the DB. For example do you handle scenarios such as SQL injection?
If not that's likely to be an attack vector.

cheers
Lapo

--

gotoAndPlay()

...addicted to flash games
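The point Lapo makes in the last post, and the CDATA concern raised earlier in the thread, can be shown side by side. The example below is added here and is not code from the thread or from SmartFoxServer: it parses a constructed login packet in the shape of an SFS PRO-style XML message (the element names `msg`, `body`, `login`, `nick` and `pword` are an assumption, not taken from the SFS protocol documentation), then runs the extracted nick and password through two server-side login checks against an in-memory SQLite table. `login_vulnerable` concatenates the client text into the SQL string, which is the pattern to look for first in extension code; `login_parameterized` keeps the SQL fixed on the server and binds the client text as parameters. CDATA plays no protective role either way: it only tells the XML parser not to treat the contents as markup, and what comes out is ordinary text.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed login packets in the style of an SFS PRO <msg> message.
# Element names are an assumption for this example. The client controls
# only the text inside the CDATA sections.
SAFE_PACKET = (
    "<msg t='sys'><body action='login' r='0'><login z='game'>"
    "<nick><![CDATA[alice]]></nick><pword><![CDATA[s3cret]]></pword>"
    "</login></body></msg>"
)

# Same packet shape, but the nick contains a quote and an always-true clause.
INJECTED_PACKET = (
    "<msg t='sys'><body action='login' r='0'><login z='game'>"
    "<nick><![CDATA[nobody' OR 1=1 OR ']]></nick><pword><![CDATA[x]]></pword>"
    "</login></body></msg>"
)


def parse_login(packet):
    """Return (nick, pword) from the packet.

    CDATA only stops the XML parser from interpreting markup; the strings
    returned here are plain text and carry no special protection.
    """
    root = ET.fromstring(packet)
    login = root.find("./body/login")
    if login is None:
        raise ValueError("not a login packet")
    return login.findtext("nick", ""), login.findtext("pword", "")


def make_db():
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (nick TEXT, pword TEXT, coins INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 100)")
    conn.commit()
    return conn


def login_vulnerable(conn, packet):
    """The pattern to remove: client text spliced into the SQL statement.

    The quote in the injected nick closes the string literal and the rest of
    the text becomes part of the WHERE clause, so the check passes without
    a valid password.
    """
    nick, pword = parse_login(packet)
    sql = f"SELECT 1 FROM users WHERE nick = '{nick}' AND pword = '{pword}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, packet):
    """Hardened form: the SQL text is fixed on the server side and the client
    values are bound as parameters, so they can only ever be compared as data."""
    nick, pword = parse_login(packet)
    sql = "SELECT 1 FROM users WHERE nick = ? AND pword = ?"
    return conn.execute(sql, (nick, pword)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for name, packet in (("safe", SAFE_PACKET), ("injected", INJECTED_PACKET)):
        print(name, "concatenated:", login_vulnerable(db, packet),
              "parameterized:", login_parameterized(db, packet))
```

The same split applies to a Java extension talking to MySQL over JDBC: the statement text stays a constant in the extension and every client-supplied value goes through `PreparedStatement` parameters. Auditing the extension for every place a string from a parsed packet reaches a query string is the investigation Lapo suggests starting with.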
