vtiger CRM Exploit Bots

I recently noticed various similar entries in my web server’s error log:

[date+time] [error] [client IP] File does not exist: /path/to/vtigercrm

The access log contained 404 entries of the form

IP - - [date+time] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/elastix.conf%00&module=Accounts&action HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0"

starting about March 2012 and going on until today.

Other files requested include /etc/asterisk/sip_additional.conf and /etc/amportal.conf, indicating a search for telephony (PBX) systems that could be abused for free calls.

Sometimes there is only a request probing whether the /vtigercrm directory or the /vtigercrm/index.php file exists.

The internetz know more about vtiger CRM exploits, such as this advisory describing a couple of vulnerabilities, e.g. a directory traversal that retrieves the contents of a configuration file via the current_language parameter.
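As an added example (not code from the original post), here is a small log triage function that flags requests like the one quoted above: it parses combined-format access log lines, decodes the query string once and reports traversal sequences, null bytes and the configuration files the bots ask for. The sample log lines are constructed.

```javascript
// Added example (not from the original post): flag vtiger CRM traversal probes
// in combined-format access log lines. Sample lines below are constructed.

// Combined log format: ip ident user [date] "method target proto" status size "ref" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"$/;

// Config files the bots were seen asking for (Elastix / FreePBX / Asterisk stacks).
const PROBED_FILES = ['/etc/elastix.conf', '/etc/asterisk/sip_additional.conf', '/etc/amportal.conf'];

function parseAccessLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const [, ip, when, method, target, status, , ua] = m;
  const q = target.indexOf('?');
  return { ip, when, method, ua, status: Number(status),
           path: q === -1 ? target : target.slice(0, q),
           query: q === -1 ? '' : target.slice(q + 1) };
}

// Decode once; leave malformed escapes as-is rather than throwing.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns null for a harmless entry, otherwise the reasons it looks like a probe.
function flagVtigerProbe(entry) {
  if (!entry) return null;
  const reasons = [];
  if (/^\/vtigercrm(\/|$)/i.test(entry.path)) reasons.push('vtigercrm path');
  for (const pair of entry.query ? entry.query.split('&') : []) {
    const eq = pair.indexOf('=');
    const k = eq === -1 ? pair : pair.slice(0, eq);
    const dec = safeDecode(eq === -1 ? '' : pair.slice(eq + 1));
    if (dec.includes('../')) reasons.push('traversal in ' + k);
    if (dec.includes('\u0000')) reasons.push('null byte in ' + k);
    for (const f of PROBED_FILES) if (dec.includes(f)) reasons.push('asks for ' + f);
  }
  return reasons.length ? { ip: entry.ip, path: entry.path, reasons } : null;
}

function scanLog(text) {
  return text.split('\n').map(parseAccessLine).map(flagVtigerProbe).filter(Boolean);
}

// Constructed sample log (the first line mirrors the request quoted in the post).
const SAMPLE_LOG = [
  '203.0.113.5 - - [12/Mar/2012:10:01:02 +0100] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/elastix.conf%00&module=Accounts&action HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0"',
  '203.0.113.5 - - [12/Mar/2012:10:01:03 +0100] "GET /vtigercrm/index.php HTTP/1.1" 404 - "-" "Mozilla/5.0"',
  '198.51.100.9 - - [12/Mar/2012:10:02:00 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
].join('\n');
```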

If only PHP programmers knew that their programming language is full of holes, and created code accordingly.

Something is wrong in the state of Denmark, or somewhere else?

Your company name contains the word “Home”? Too bad you won’t have customers from Denmark if this story (German) from netzpolitik.org (and others) is to be believed, which links to this (machine-translated) story on comon.dk.

Funny enough, if you google for the keywords Telenor and homelifespain (the supposed blocker and the supposed domain name), you only get German news stories starting with the sentences

The Danish provider Telenor is now blocking the website HomelifeSpain.com. A court had ordered the block because the word “Home” infringes the trademark rights of another real estate agent.

Could it be a hoax intended to warn us about abusing laws “extended” beyond their original intention? Will this story live on in conspiracy theories?

So much fun!

Update

Telenor confirmed the report per email on 18 Jan 2013:

I can confirm that Telenor Denmark since December has been blocking the domain HomelifeSpain.com, as a result of the trial at the District Court at Frederiksberg.

What happens to Your Data when the Cloud starts to rain?

“The Cloud” and Cloud Computing in general are the latest hype in IT. However, the news that made the headlines in recent months give cause to worry.

As you put your data into the cloud, how will you regain control over the data again? Who else has access to your data? What happens to your data once the cloud infrastructure fails, and who is responsible (under what terms) to restore data and your access?

Just a couple of news articles on recent outages and privacy failures:

Microsoft Azure (Feb ’12)

Microsoft’s Azure cloud down and out for 8 hours

Amazon (June ’12)

Amazon cloud knocked out by violent storms in Virginia

Instagram and Netflix back online after Amazon cloud outage

Bad generator and bugs take out Amazon cloud

RavenHQ & Amazon EC2 Outage

Salesforce (July ’12)

Salesforce goes titsup, causes CRM outages worldwide

Microsoft Azure (July ’12)

Microsoft Azure goes titsup across Western Europe

Twitter (July ’12)

Never mind Azure: They BROKE Twitter!

Twitter titsup: Our failover was actually just FAIL ALL OVER

Giacom (July ’12)

Cloudy emails up in smoke for FIVE days after fire knackers Giacom

Mat Honan (Aug ’12)

How Apple and Amazon Security Flaws Led to My Epic Hacking

Yes, I was hacked. Hard.

Scribe’s mobe, MacBook pwned after hacker ‘fast-talked Apple support’

Amazon exploited by hacker in scribe’s epic Apple iCloud pwn

Amazon Boosts Security After Journalist Hack

After Epic Hack, Apple Suspends Over-the-Phone AppleID Password Resets

Apple, Amazon, close password door after horse bolts

iCloud et al (Aug ’12)

Outages at iCloud, FaceTime, iMessages and iTunes Store

Prime Hosting (Aug ’12)

Hundreds of websites go titsup in Prime Hosting disk meltdown

Wikipedia (Aug ’12)

Wikipedia collapses threatening the very fabric of civilisation

Conclusion

I am not alone with my doubts, and other people see issues as well:

Woz: Cloud computing trend is ‘horrendous’

With the cloud, you don’t own anything. You already signed it away. I want to feel that I own things […] A lot of people feel, ‘Oh, everything is really on my computer,’ but I say: the more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.

There are alternatives though, such as Owncloud and OpenNebula. So why not give them a try?

Owncloud apps for Android and iOS

BKA Ransomware spreading

Just a couple of days after I removed the BKA ransomware virus from a friend’s laptop, the laptop got infected again. The result looked the same, a seemingly official warning that law enforcement detected illegal files or images on the PC, and that the machine would be unlocked after payment of a certain amount of money via payment providers.

This time, however, it was not possible to remove the virus so simply, as the symptoms were different:

  • no msconfig.dat
  • a hellomoto directory under \Users\****\AppData\Roaming\
  • the \Users\****\AppData\Local\Microsoft\Windows\ directory contains a directory whose name consists of 3 or 4 digits, with an executable inside

The German-language forums trojaner-board.de and botfrei.de already contained a couple of threads (here, here, here) mentioning these symptoms, but provided no help for removing them, with reformatting and re-installing as the only solution.

Yesterday Heise News reported that the malware is spreading so fast that even the FBI issued a warning about the virus. Surf carefully!

Removing the BKA Trojan

A friend of mine caught the so-called BKA Trojan, and asked me to help him remove it.

This trojan makes using Windows impossible, as it displays an official-looking statement (see sample) if connected to the Internet, and only a white empty desktop if not connected, and does not allow any user action. The only way to revert to normal is supposedly by sending money using PaySafeCard or Ukash.

The warning page (which is full of typos, even in the heading: “Investignation”) lists a couple of possible Internet crimes that have been committed and caused the “computer” to be locked by law enforcement, and unlocking is as easy as sending 100€ via the linked payment providers.

What to do?

We started Windows in command-line safe mode and started msconfig to find suspicious start-up entries, unfortunately without any obvious success.

By cd’ing and dir’ing around we found the date and time the infection took place. The temp directory C:\Users\[username]\AppData\Local\Temp contained an executable with a “funny” name (5628386cos7655422.exe), an HTML file and a couple of images.

Some removal tips mention the Shell setting in the registry, so we had another look using regedit (which can also be started from the Windows 7 command-line safe mode).

Navigating to

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

the Shell key contained the following string:

explorer.exe,C:\Users\[username]\AppData\Roaming\msconfig.dat

This seemed suspicious, as it should only contain “explorer.exe”, and nothing more.

In Explorer, I dragged the file into Notepad (size 47.104 bytes), and found that it contained the MZ and PE headers (wiki, SO), a clear sign that it was not an innocent data file, but an executable.

The next steps were pretty straight-forward: clean the Shell key to read “explorer.exe” only, remove the msconfig.dat, and reboot back to normal.

Surprisingly, the Trojan does not seem to contain any sophisticated survival code (such as copying itself all over the boot disk, planting several hooks in the registry, running a watchdog, etc.) – things that can make malware removal a nightmare.
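As an added example (not code from the original post), the two checks done by hand above can be expressed as functions: split the Winlogon Shell value and report anything beyond a lone explorer.exe, and test whether a file's bytes carry the MZ/PE headers that betray an executable. The byte buffer is a constructed stand-in; on a real machine the value would be read from the Winlogon key and the file from disk.

```javascript
// Added example (not from the original post): audit a Winlogon "Shell" value
// and check file bytes for MZ/PE headers. Inputs below are constructed.

// The Shell value is a comma-separated list of programs Winlogon launches.
// Anything beyond a lone "explorer.exe" is an extra start-up entry.
function auditShellValue(value) {
  const entries = value.split(',').map(s => s.trim()).filter(Boolean);
  const extras = entries.filter(e => e.toLowerCase() !== 'explorer.exe');
  return { entries, extras, clean: extras.length === 0, fixed: 'explorer.exe' };
}

// A PE file starts with "MZ"; the little-endian 32-bit value at offset 0x3c
// (e_lfanew) is the offset of the "PE\0\0" signature.
function looksLikePE(bytes) {
  if (bytes.length < 0x40 || bytes[0] !== 0x4d || bytes[1] !== 0x5a) return false;
  const peOff = (bytes[0x3c] | (bytes[0x3d] << 8) | (bytes[0x3e] << 16) | (bytes[0x3f] << 24)) >>> 0;
  if (peOff + 4 > bytes.length) return false;
  return bytes[peOff] === 0x50 && bytes[peOff + 1] === 0x45 &&
         bytes[peOff + 2] === 0 && bytes[peOff + 3] === 0;
}

// Constructed stand-in for msconfig.dat: MZ stub, e_lfanew = 0x80, PE signature there.
function fakePeBytes() {
  const b = new Uint8Array(0x100);
  b[0] = 0x4d; b[1] = 0x5a;          // "MZ"
  b[0x3c] = 0x80;                    // e_lfanew (little-endian)
  b.set([0x50, 0x45, 0, 0], 0x80);   // "PE\0\0"
  return b;
}

// The value found on the infected machine, as quoted in the post.
const SHELL_VALUE = 'explorer.exe,C:\\Users\\[username]\\AppData\\Roaming\\msconfig.dat';
```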

Latest Firefox issues

I honestly get more and more reluctant to update each and every piece of software, simply because UPDATES BREAK EVERYTHING.

Most recent example: Firefox.

As a happy user of Firefox since Netscape I occasionally dare to update the software (I mentioned reluctance? I stayed on 3.6.x until an upgrade to 8 or so was unavoidable). The last version that ran smoothly for me was 13.0.

Then came 13.0.1, and problems started: When you opened a link in a new tab, Firefox lost focus after a couple of seconds. From the bug reports I read it seemed to be a problem with the Flash plugins. No rescue in sight.

I noticed that the scrolling was swifter, though. Subjective impression.

I hoped 14.0.1 would solve that focus problem, just to find out that initial scrolling on a page only started after a delay, sometimes a couple of seconds, with CPU usage hogging one core. Plus, the focus problem remained.

I also noticed that the font in the address bar and search bar was a bit smaller, and looked slightly distorted and blurred.

Not amused.

So, back to Firefox 13.0.

Chrome, Firefox reset Flash plugin if display: property changes (Update)

To resolve the mystery of Flash plugins restarting when their display property changes (directly or inherited), I created a couple of plain and simple HTML files to test a set of operations to toggle visibility in IE 9 (9.0.8112.16421), Chrome 18 (18.0.1025.168 m), and Firefox 12 (12.0).

The Flash player has version 11.1.102.55, and the Flash object is initialized by swfobject.js.

Each of the 3 browsers was tested on 2 different pages with 3 different toggle operations:

  • Page 1 contained the Flash object inside an iframe inside a div.

DOM hierarchy:
<div><iframe><html etc><div class="flashContent">

  • Page 2 contains the Flash object inside a div.

DOM hierarchy:
<div><div class="flashContent">

The toggle operations were

  • assign a .hidden class setting visibility to hidden
.hidden { visibility: hidden; width: 0px; height: 0px; }
  • assign a .displaynone class setting display to none
.displaynone { display: none; }
  • using jquery .show() and .hide()

.show() actually does not clear the display: property, but sets it to 'block', 'inline' etc., which might interfere with other operations, such as addClass("displaynone").

Results for Page 1 (using iframe):

                        IE 9    Chrome 18    Firefox 12
toggling top-level div
  hidden                ok      ok           ok
  display:none          ok      ok           restart
  show/hide             ok      ok           restart
toggling iframe
  hidden                ok      ok           ok
  display:none          ok      ok           restart
  show/hide             ok      ok           restart

Results for Page 2 (directly embedded Flash):

                        IE 9    Chrome 18    Firefox 12
toggling top-level div
  hidden                ok      ok           ok
  display:none          ok      restart      restart
  show/hide             ok      restart      restart
toggling flash object
  hidden                ok      ok           ok
  display:none          ok      restart      restart
  show/hide             ok      restart      restart

The only method to set a Flash object hidden and visible again while keeping the object running turns out to be setting a CSS class with visibility:hidden.

So I put the code (swf inside iframe) that worked in plain HTML files and added it into a DotNetNuke installation. It almost worked.

A new issue occurred: IE9 was not able to display a Flash object once the visibility:hidden style was removed! F12 did not help me to make the object visible again. Strangely though, using JavaScript to re-assign some other iframe to the same src URL caused the Flash to display again!

$("#someotheriframe").attr("src", 
    $("#someotheriframe").attr("src"));

A DNN page simply contains too much generated code (ASP.Net, MS Ajax, DNN framework, jQuery, various controls and .js files) so that I did not think it was worth debugging the issue further. My JavaScript functions to toggle visibility now contain a browser detection based on $.browser to decide which alternative to choose.

Chrome, Firefox reset Flash plugin if display: property changes

Working on a web site that dynamically (i.e. upon user action) shows and hides HTML content and Flash content, everything worked as expected in IE9.

When I checked the same page in Chrome 18 and Firefox 12, however, the Flash object would reset every time I invoked the jQuery .show() method on the object (initialization takes some time for some of the objects I embed).

This behavior has already been mentioned in blogs and support forums.

My solution was to roll back some of the changes I made, and put the Flash object back into its iframe. Toggling the iframe display does not seem to affect Flash.

Other people worked around this behavior by setting visibility and size, or adding/removing a class that defines display:none.

Computer says “fakepath”

In a web application, we originally implemented the following functionality:

  • a user is allowed to upload files (Word documents, PDFs, etc)
  • if the uploaded file is from a network share (mapped drive), the mapped drive path needs to be translated into a UNC path
  • using the UNC path, a server component can check for changed file dates
  • if a changed file is detected, some workflow should be initiated

Files uploaded with IE (6 and 7) automatically included the path information of the file, whereas for Firefox 3, no file path was passed. This was worked around with a bit of JavaScript:

    // Register a script that copies the file input's value (the full local
    // path in IE 6/7) into a hidden input, and wire it to the input's events.
    // All three string fragments are verbatim (@) strings so they may span lines.
    ClientScript.RegisterClientScriptBlock(GetType(), "copy",
@"function copyName(){
    document.getElementById('" + edFullFilename.ClientID + @"').value =
        document.getElementById('" + edFilename.ClientID + @"').value;
}", true);
    edFilename.Attributes.Add("onkeyup", "copyName()");
    edFilename.Attributes.Add("onfocus", "copyName()");
    edFilename.Attributes.Add("onchange", "copyName()");

which essentially copied the original file path to a hidden input field.

As browsers are becoming more aware of security, and implement more and more HTML 5 features, all this changes.

IE8 introduced the c:\fakepath\ pseudo directory, and other browsers followed. As stated on the WHATWG mailing list,

The original plan was to just have the filename. Unfortunately, it turns out that if you do that, there are certain sites that break, because they expect the path (and they expect a Windows path, no less). This is why Opera and IE8 return a fake path — not because HTML5 says to do it. In fact I made HTML5 say it because they were doing it.

(I would expect Firefox, Safari, and Chrome to follow suit; Firefox for compatibility, and Safari and Chrome for privacy.)

For IE, there remains the option of adding the web server to the Trusted Internet Zone, as

Additionally, the “Include local directory path when uploading files” URLAction has been set to “Disable” for the Internet Zone. This change prevents leakage of potentially sensitive local file-system information to the Internet.

but we are looking for a generic cross-browser solution.

Probably it’s time to rethink the whole feature and make users copy+paste the file name rather than upload the file for such a scenario.
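As an added example (not code from the original post), here is server-side logic for the three shapes a file input's value can arrive in: a full local path (old IE), the C:\fakepath\ pseudo path, or a bare file name. Only a real path can be translated to a UNC path; the drive-letter map is a constructed assumption standing in for whatever the server would be configured with.

```javascript
// Added example (not from the original post): classify the value a file input
// submits and translate mapped-drive paths to UNC paths. The drive map below
// is constructed; fakepath and bare names yield no usable path.

const FAKEPATH_RE = /^c:\\fakepath\\/i;

// Returns {fileName, fullPath, hasRealPath}; fullPath is null unless a real path arrived.
function classifyUploadValue(value) {
  const v = String(value || '').trim();
  if (v === '') return { fileName: '', fullPath: null, hasRealPath: false };
  const fileName = v.split(/[\\/]/).pop();
  if (FAKEPATH_RE.test(v)) return { fileName, fullPath: null, hasRealPath: false };
  const hasRealPath = /^[a-z]:\\/i.test(v) || v.startsWith('\\\\') || v.startsWith('/');
  return { fileName, fullPath: hasRealPath ? v : null, hasRealPath };
}

// Translate "X:\dir\file" into "\\server\share\dir\file" via a map of drive
// letters to UNC roots. Unmapped drives and non-Windows paths return null.
function toUncPath(localPath, driveMap) {
  if (localPath == null) return null;
  if (localPath.startsWith('\\\\')) return localPath;          // already UNC
  const m = /^([a-z]):\\(.*)$/i.exec(localPath);
  if (!m) return null;
  const root = driveMap[m[1].toUpperCase()];
  return root ? root.replace(/\\$/, '') + '\\' + m[2] : null;
}

// One call for the upload handler: file name plus UNC path when derivable.
function resolveUpload(value, driveMap) {
  const c = classifyUploadValue(value);
  return { ...c, uncPath: c.hasRealPath ? toUncPath(c.fullPath, driveMap) : null };
}

// Constructed drive map (assumption; a real server would configure this).
const DRIVE_MAP = { H: '\\\\fileserver\\home\\' };
```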