TubeAce exploits

[cd34]

If you are running tubeace, the following rules should be added to your webserver config. Doing it in .htaccess doesn't help as they are able to override that. This assumes Apache 2.x.

Code:

<Directory /var/www/domain.com/avatars/>
AllowOverride none
RemoveHandler cgi-script .cgi .py .pl
<FilesMatch "\.php$">
  SetHandler none
</FilesMatch>
</Directory>
<Directory /var/www/domain.com/cache/>
AllowOverride none
RemoveHandler cgi-script .cgi .py .pl
<FilesMatch "\.php$">
  SetHandler none
</FilesMatch>
</Directory>
<Directory /var/www/domain.com/thumbs/>
AllowOverride none
RemoveHandler cgi-script .cgi .py .pl
<FilesMatch "\.php$">
  SetHandler none
</FilesMatch>
</Directory>
<Directory /var/www/domain.com/uploads/>
AllowOverride none
RemoveHandler cgi-script .cgi .py .pl
<FilesMatch "\.php$">
  SetHandler none
</FilesMatch>
</Directory>

[JK]

Hi cd34, please excuse my ignorance but are the hackers able to override the .htaccess file by simply deleting the contents or the .htaccess file completely due to elevated privelages or some such through whatever means. (Maybe a more familiar term for techs could be elevated privilege , cross site scripting, SQL injection etc?)

Also, is this a common attack vector on .htacess files or specific to a bug in Tube Ace which allows them to override/edit/delete .htaccess files and/or any other file on the server?

If my limited knowledge is somewhat correct, it appears as though the following directories:

domain.com/avatars/
domain.com/cache/
domain.com/thumbs/
domain.com/uploads/

Are susceptible to allowing uploads and hence the execution of potentially malicious/dangerous CGI scripts consisting of (python, Perl, or PHP scripts) that can be uploaded to the above directories due to some bug such as not sufficiently checking the filename/filetype (or many more advanced measures) or simple user input validation?

I'm interested to know if this could affect a lot more than just Tube Ace, or if it's a simple oversight by this one script that is usually accounted for.

[cd34]

The site that was hacked had half a dozen tubeace installs, all but one were the most recent update. By looking at the logs, I wasn't able to determine how they got in, but, it looked like a call to functions.php had been used - or perhaps just used to check to see if it was vulnerable and they got in a different way.

If you run on a machine with Apache in Setuid mode, none of these changes matter as the hackers can write their exploits anywhere. If you run Apache in low privilege mode, these rules prevent them from being able to execute scripts in the directories that are commonly uploaded to. Since those directories are normally chmod 777, any existing .htaccess could be modified. A directory could be created with a new .htaccess that changes the handler to allow .eiw files to be executed as php, hence disabling overrides.

At this point it is a bug in Tubeace that is automated. A file called 885.php is dropped into the thumbs directory and a few days later, they start to use that file to add other tools.

We're testing a very similar combination of rules for WordPress as one of the templates included with one site contained a remote exploit. I suspect we'll do the same with Joomla since it is also constantly under attack and older versions get compromised.

When you have software that is at least actively updated, make sure you keep up with those updates especially with WordPress and Joomla. However, in TubeAce's case, development is dead and security holes in it will probably never get patched.