Closed Laurelai closed 12 years ago
On 09/12/11 22:16, Laurelai wrote:
Details on exploit here
https://github.com/frankusrs/Kusaba-X-Threadshitter
OH SHI-
lol, you know, it's rather late now but if I was going to choose an imageboard to fork it probably wouldn't have been kusaba :3 IIRC Tee wrote it originally mostly to learn PHP, so it's not the most secure implementation ever ... the Python one he wrote later is supposed to be better designed.
Anyway, it ought to be possible to fix this. Looking at the code, this attack was obviously never considered; it just runs the watch query (at high priority, no less) with no checking of any kind.
Oh yeah, and you probably want to commit that faptcha improvement I did fairly soon ... as obliquely referred to in the comments, it turns out that Google reverse image search can defeat the current faptcha a majority of the time :^/ I tested it previously with TinEye and iqdb, which couldn't, but unfortunately it turns out Google is a lot better, there's some serious AI shit going on there. Anyway, the new implementation is largely immune to this attack.
ok
Did I not commit it already?
Well, it's not currently active on oneechan I mean. Commit 497802417a55572625ba33b773d4fcd3ae623263; it does random rotation on a random colour background, the result looks something like http://imgur.com/liLCi
ah
ok done
Hmm, the faptcha still isn't working for me at the moment. Permissions?
Umm, the other possibility is that your ImageMagick isn't working ... I certainly found it a total PITA to get set up correctly. In which case it'll be necessary to revert to the previous version for now. I used it since you mentioned in an earlier thread that it was installed ...
hmm yeah it's this error
2011-12-10 00:01:45: (mod_fastcgi.c.2701) FastCGI-stderr: PHP Fatal error: Class 'Imagick' not found in /srv/www/lighttpd/img.oneechan.org/faptcha.php on line 89
Yeah it's ImageMagick then, please revert to the previous faptcha till we can fix this ... in my experience it's a pain to get working so we can't really do it whilst r/a/dio is in session.
yeah I reverted it then went to sleep
Yeah that's what I figured ... as of right now it's broken again though, which doesn't really make any sense. Like I say it did work for a few minutes after you reverted it. Grasping at straws, maybe some weird PHP caching / acceleration issue has restored the imagemagick version, in which case restarting the server might fix it?
I've done that already, I've even reverted to a previous previous version
Gah. http://www.qwantz.com/index.php?comic=1163
I dunno, maybe we're at the "try random illogical things until it suddenly works for no apparent reason" stage then. E.g. delete faptcha.php entirely / restart / replace with the c8bf5c711e52c152ff20f72570ffd8eace72838d version.
have you tried switching it off and then on again :D
Heh yeah, quite often simple things like that actually are the most efficient solution though ...
lets see if that works
doesnt look like it
;_; Any error messages in the logs? Permissions on the faptchas/ directory?
2011-12-10 11:18:03: (mod_fastcgi.c.2701) FastCGI-stderr: on line 37 PHP Warning: readdir() expects parameter 1 to be resource, boolean given in /srv/www/lighttpd/img.oneechan.org/faptcha.php on line 37
That's the point at which it tries to opendir() the faptchas/ directory, so I think it's not readable to the webserver. Actually the directory may not be present at all, I get a 404 if I go to http://img.oneechan.org/faptchas/ ...
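An added snippet, not the project's faptcha.php, showing how the opendir() failure that the readdir() warning above points at can be logged together with the information needed to diagnose it (missing directory, or directory/script not readable by the web server's effective user) instead of letting readdir() choke on the boolean. It assumes the image directory is `faptchas/` next to the script, as in the thread; everything else is generic PHP.

```php
<?php
// Added example, not tsukiboards code. The readdir() warning seen in the
// thread is only the symptom of opendir() having returned false; this
// reports the likely cause in the log line itself.

/** Describe a path's mode, owner and readability from PHP's point of view. */
function describe_path(string $path): string
{
    if (!file_exists($path)) {
        return "$path: does not exist";
    }
    $stat  = stat($path);
    $mode  = substr(sprintf('%o', $stat['mode']), -4);      // e.g. 0755
    $pw    = function_exists('posix_getpwuid') ? posix_getpwuid($stat['uid']) : false;
    $owner = $pw ? $pw['name'] : (string) $stat['uid'];
    $euid  = function_exists('posix_geteuid') ? (string) posix_geteuid() : get_current_user();
    return sprintf('%s: mode %s, owner %s, readable by php (euid %s): %s',
        $path, $mode, $owner, $euid, is_readable($path) ? 'yes' : 'NO');
}

/** opendir() that fails loudly with the diagnosis instead of returning false. */
function open_dir_or_fail(string $dir)
{
    $dh = @opendir($dir);   // the stock warning is replaced by the message below
    if ($dh === false) {
        throw new RuntimeException(
            'opendir failed: ' . describe_path($dir) . '; ' . describe_path(__FILE__)
        );
    }
    return $dh;
}

// Usage, in the shape of the loop faptcha.php runs over its image directory
// (directory name assumed from the thread):
$dh = open_dir_or_fail(__DIR__ . '/faptchas');
$images = [];
while (($entry = readdir($dh)) !== false) {
    if ($entry[0] !== '.') {
        $images[] = $entry;
    }
}
closedir($dh);
```

Reporting both the directory and `__FILE__` matters here because, as the thread later found, the directory listing looked fine and the actual problem was the permissions on the script itself.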
drwxr-xr-x 2 lighttpd lighttpd 28672 Dec 9 23:47 faptchas
it's there and the permissions seem ok
and it works again
Yay! So, any idea what the cause was?
faptcha.php permissions
Returning to the DoS issue, a temporary workaround for oneechan would be to disable it by renaming threadwatch.php, since nobody will be using this feature anyway.
ok
so what's going on with this
I haven't done anything on this yet, although I have a workaround for the (Chrome) session timeout thing I'll commit soon. Like I say it can be "fixed" for now by just disabling it.
Actually you can disable the thread watch feature more elegantly by setting KU_WATCHTHREADS to false in config.php.
Also please commit the session timeout fix I did earlier ASAP, on the assumption that another r/a/dio thread may occur this Friday ...
Mitigation in f73c1e81eff71a44ba4fb985b149bfd1919dbe7b , with this change if I max out the watched threads then run the "SELECT raeping" phase of the attack my apache2 CPU usage is steady at about 7%.
A query is still done on every page load, but I can't see any obvious way of fixing this atm ... trying to track requests by IP would also require DB access. I guess this might be okay if it banned IPs that made too many requests.
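As an added example (not code from tsukiboards or Kusaba-X), this is the shape a bounded, parameterised watch lookup could take, illustrating the mitigation direction above: the client-supplied list is validated and capped, and the lookup becomes one prepared query that is skipped entirely when the list is empty. It assumes, hypothetically, that the watch list arrives as a comma-separated cookie named `watched` and that threads are rows of a `posts` table with `id`, `parentid` and `lastbumped` columns; the cap of 10 is a constructed value.

```php
<?php
// Added example, not tsukiboards/Kusaba-X code. Cookie name, table and
// column names are hypothetical; MAX_WATCHED_THREADS is a constructed value.
//
// The pattern the thread describes is the risky one: a query per watched
// entry, run on every page load, with no validation and no upper bound, so
// the amount of database work is chosen by the client.

const MAX_WATCHED_THREADS = 10;   // hard cap per client (constructed value)

/**
 * Turn the client-supplied list into a bounded array of distinct positive
 * integer thread IDs. Anything that is not a plain run of digits is dropped,
 * so each value can be bound as a query parameter without further escaping.
 */
function parse_watch_list(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // ctype_digit() rejects '', signs, spaces and any injected text
        if ($part === '' || !ctype_digit($part) || strlen($part) > 18) {
            continue;
        }
        $id = (int) $part;
        if ($id === 0) {
            continue;           // thread IDs start at 1
        }
        $ids[$id] = true;       // array keys de-duplicate for free
        if (count($ids) >= MAX_WATCHED_THREADS) {
            break;              // ignore the excess rather than erroring out
        }
    }
    return array_keys($ids);
}

/**
 * One prepared query for the whole list (at most MAX_WATCHED_THREADS IDs),
 * and no query at all when the list is empty, which is the common case on
 * an ordinary page load.
 */
function fetch_watched_threads(PDO $db, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT id, lastbumped FROM posts WHERE parentid = 0 AND id IN ($placeholders)"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage on a page load (assumes $db is an existing PDO connection):
// $rows = fetch_watched_threads($db, parse_watch_list($_COOKIE['watched'] ?? ''));
```

The cap is what makes the per-request database cost bounded regardless of what the client sends, which is the property behind the steady CPU figure reported above; the empty-list short-circuit is what removes the query from ordinary page loads that have nothing watched.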
the guy who wrote the exploit advised rewriting it in javascript
Doh, yeah that's a much better solution, there's no reason for this to be done server-side at all. I'll see what I can do with my limited JS abilities, theoretically I can extract the relevant functionality out of dollchan or something. Assuming I manage that we should also integrate thread auto-updating, people have repeatedly asked for that in r/a/dio threads.
Also prodding you again to please apply aa94ff2c0a49b86832e2afef2e0d52ab2ec94497 if you haven't already, I'm fairly confident that it will resolve all the "people getting banned due to the faptcha saying their answer is wrong when it isn't" issues. If we get another r/a/dio thread tonight it's otherwise likely that this will happen ...
applied commit
board is also somehow significantly faster
Cool, thanks. There's no reason why any of the recent changes should have sped it up though ...
O_O
Thinking about this further, we should just remove the feature and forget about it rather than try and re-invent the wheel. Dollchan has a thread watcher (which it calls "favourites") and we're already recommending its usage. Inevitably any built-in version that we make is going to have its own issues, interfere with dollchan etcetera.
So :
Yeah I would have to agree in this case, why put in a follow feature when end users can create one if they want it.
Hmm, I've removed the threadwatch stuff now but github isn't showing the commit for some reason, presumably it will appear at some point. Issue can be closed once it does.
shows for me, since it's already disabled on the board I'm closing the issue.