
Our 404 page is not a security vulnerability

philip

43 months ago

Another day, another person thinking that they broke into our site because of our 404 page "FileNotFoundShell". I threw it together a while back for fun and to break the tedium of some other dev work I was doing at the time.

However, sometimes I wonder if it's been more trouble than anything. When I pushed it live, we probably got a dozen or so emails over the next month of people letting us know we had a serious security vulnerability on the site - that they suddenly had shell access. Never mind that it's just a simulated shell with nothing that actually hooks up to a real shell. I'm not a security expert, but I've dabbled in it enough over the years, participated in CTF-like challenges, etc. But I know better than to try and expose a real shell, even with keyword filtering and whatnot. There are always loopholes you won't anticipate. So that's why our "shell" doesn't really do a whole lot.

There are some silly things that happen when you try to sudo. Or, typically popular, rm -rf /. I'm working on making those commands do something a bit more realistic, but that means actually running those commands on a system and watching the real carnage. I used to run Linux as my desktop OS starting back in 1996. I used Slackware, and there were no package managers at all - if you wanted something you had to manage the dependencies yourself and download and compile everything. Once when upgrading from libc5 to glibc I knocked out my DHCP client and had to walk over to the computer lab with 3.5" floppies to download the source for dhclient (or whatever the equivalent was then) so I could compile it again for glibc. Floppies. Those days sucked. (Says me who never dealt with punchcards.) Anyhow, I remember one day I had a total brainfart and accidentally deleted ld.so. That was a bad day.

Anyhow, back to the command shell in our 404 page. Right now it doesn't do a whole lot. I hope to flesh it out more over time and make it look more like a real shell. Eventually I think I might use it as a recruiting tool and actually embed some sort of skill-interview type things in it.

We do log what people type into the shell, because I'm always curious to see what people try to do with it. Ironically, some people like to use it as a venting mechanism (profanity filtered):

[Sun Nov 08 11:53:43 2015] [error] DEBUG    CMDBOX(sdfsdfffffffffffffffffffffffffffffff)
[Sun Nov 08 15:51:27 2015] [error] DEBUG    CMDBOX(well s***)
[Sun Nov 08 16:28:42 2015] [error] DEBUG    CMDBOX(tell me about your problems)
[Sun Nov 08 18:03:30 2015] [error] DEBUG    CMDBOX(s*** my d***)

This one made me chuckle. They definitely got the xkcd reference:

[Sun Nov 08 04:18:26 2015] [error] DEBUG    CMDBOX(sudo buy me a pc)

Or this one:

[Sun Nov 08 03:04:50 2015] [error] DEBUG    CMDBOX(hacked sql injection)

LOL not quite. Your SQL injection attempt resulted in a bogus URL that sent you to our 404 shell. Cheers!
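As an added illustration (not the FileNotFoundShell source, which the post does not show), here is the shape of a simulated shell that stays harmless by construction: the first word of whatever was typed is looked up in an allowlist of canned replies, nothing is ever handed to a real shell, and the visitor's input is forced onto a single line before it is written out in the CMDBOX(...) form quoted above, so a typed newline cannot forge a second log entry. The command names, replies and the BANNED set are constructed for the example; the last function only exists to show why a deny-list of keywords, the approach the post says it avoided, is not enough on its own.

```python
import re
from typing import Tuple

# Added illustration, not PCPartPicker's FileNotFoundShell code.  The command
# names and canned replies below are constructed for the example.
CANNED_REPLIES = {
    "ls": "index.html  parts/  robots.txt",
    "pwd": "/var/www/404",
    "whoami": "nobody",
    "sudo": "nobody is not in the sudoers file.  This incident will be reported.",
    "rm": "rm: cannot remove '/': a 404 page is not a filesystem",
}

MAX_INPUT = 256                              # cap what one request can put in the log
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")    # newlines, tabs, escape, NUL, ...


def sanitize_for_log(raw: str) -> str:
    """Return RAW in a form that stays on one log line.

    Control characters are rendered as \\xNN so a visitor cannot forge an
    extra "[date] [error] DEBUG CMDBOX(...)" entry by typing a newline into
    the box (log injection), and the length is capped.
    """
    clipped = raw[:MAX_INPUT]
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), clipped)


def fake_shell(raw: str) -> Tuple[str, str]:
    """Dispatch RAW to a canned reply.  Returns (output, log_entry).

    Nothing here touches subprocess or os.system: the first word is looked
    up in an allowlist and the rest of the line is ignored, so there is no
    real command to escape out of.
    """
    log_entry = "CMDBOX(%s)" % sanitize_for_log(raw)
    words = raw.strip().split()
    if not words:
        return "", log_entry
    reply = CANNED_REPLIES.get(words[0])
    if reply is None:
        return "sh: %s: command not found" % sanitize_for_log(words[0]), log_entry
    return reply, log_entry


# Why keyword filtering in front of a real shell is not enough: a deny-list
# looks at how a word is spelled, a shell looks at what it expands to.
BANNED = {"rm", "sudo", "cat"}               # constructed for the example


def denylist_would_block(raw: str) -> bool:
    """A keyword filter of the kind the post says it deliberately avoided."""
    return any(word in BANNED for word in raw.split())


if __name__ == "__main__":
    for typed in ("sudo buy me a pc",
                  "hacked sql injection",
                  "ls\n[Sun Nov 08 00:00:00 2015] [error] DEBUG    CMDBOX(forged)"):
        out, entry = fake_shell(typed)
        print(entry)
        print(out)
    # r''m is just rm once a real shell has stripped the empty quotes,
    # but the keyword filter never sees the word "rm".
    print(denylist_would_block("rm -rf /"), denylist_would_block("r''m -rf /"))
```

The allowlist is the whole security argument: there is no execution path to reach, so the only thing the input can affect is the log file, and the sanitizer closes that.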

Comments

  • 43 months ago
  • 3 points

I normally keep JavaScript shut off, so I had no idea the "shell" was interactive. Dude, that's awesome.

Suggested new command:

  • list games (The proper response should be from the movie War Games: Chess, Poker, Fighter Combat, Guerrilla Engagement, Desert Warfare, Air-to-Ground Actions, Theaterwide Tactical Warfare, Theaterwide Biotoxic and Chemical Warfare, Global Thermonuclear War.)

Oh. And every 45 seconds or so, you should pop out a message reading, "There is another system."

  • 43 months ago
  • 1 point

"Follow the white rabbit..."

  • 43 months ago
  • 2 points

Had some fun.

Wish I could apply more of my Bash-fu to do amusing and stupid things, like Rube Goldberg ls scripts.

echo "$(for f in *; do ls | grep "$f" | cat | sed 's/\(.*\)/\1/'; done)" | xargs | find . | sed 's/^\.//' | sed 's/^\///'
  • 43 months ago
  • 1 point

LOL yeah my rudimentary parser isn't going to run that properly...

  • 43 months ago
  • 1 point

My limited programming knowledge says that is some sort of multi output program? Is that anywhere near right?

  • 43 months ago
  • 1 point

It's a very complicated replacement for the ls command. It serves no practical purpose save amusing me and others, as ls is far simpler and more useful.

  • 43 months ago
  • 2 points

You should make :(){ :|:& };: work. Maybe figure out a way to lag the person's browser?

  • 43 months ago
  • 1 point

Feel like a script kiddie in a AP level programming class, but what is sudo and rm -rf /?

  • 43 months ago
  • 2 points

sudo is to run things as the root user. rm -rf / means recursively delete everything from root (forcing if necessary). Basically nuke the filesystem. If you run 'sudo rm -rf --no-preserve-root /' on a Unix system, you'll get a very long list of 'Operation not permitted' errors for the /sys/kernel/ and /proc dirs, then a completely non-functional system.

  • 43 months ago
  • 1 point

This is what made me go into hardware. Putting a stick of RAM into a DIMM is easier than trying to understand that. I'll probably have to change that soon though, everyone in this area (Silicon Valley) is shoving STEM everywhere and saying everyone has to be a programmer. I gave up on it a while ago though. After Python and Lua, Java seemed like quantum physics.

  • 43 months ago
  • 1 point

No need to learn programming to use the Konsole (sorry, Kubuntu user here), or any other Unix shell. In fact, it's even a necessity if you're a system administrator, as you'll probably have at least 1 Linux-based server.

But unless you're working as an app developer, it's not really needed, but cool if you like.

  • 43 months ago
  • 1 point

Well, that's what I'm probably going to do. I've started working on cyber security and white hat and I'm okay at it, nowhere near proficient.

[comment deleted]
  • 43 months ago
  • 1 point

Even better: find / | sudo xargs shred

Deletes everything and overwrites with zeroes.

  • 42 months ago
  • 1 point

What if you ran the command

rm -rf /

In the 404 page on a mobile device? What would happen?

  • 43 months ago
  • 1 point

I feel like someone who does not understand at all what this means. Partly because the only programming I know is making collections of shapes move across the screen in JavaScript.

  • 43 months ago
  • 1 point

Basically my 5th grade programming class.

  • 43 months ago
  • 1 point

You had programming in fifth grade? Lucky. I got to do some programming in 3rd grade, it was a program where we could design a game. It was based off of that one game where a ball bounces up and down and whenever it hits the top blocks, the blocks disappear and you need to bounce it back with a rectangle thing.

  • 43 months ago
  • 1 point

You kids had it made... we didn't have any classes.... and the internet sucked... learning code in the 90s meant reading books and archived notes that may not even be in English lol

I wish my schools had those classes...

  • 43 months ago
  • 1 point

Yeah, we got to use these huge Macintosh computers that took at least 5 minutes to boot up, and when we got to code we had to stare at the board and memorize what the teacher typed.

[comment deleted]
  • 43 months ago
  • 1 point

I loved the xkcd reference. It's one of the Easter eggs in the amount of Easter eggs I found (I have a counter in my profile description). I just didn't talk about it since it is so much better to find a cool Easter egg without any help.

  • 43 months ago
  • 1 point

Any shell that pops up on a web page is obviously not a real shell access to the server (unless done on purpose by the admins for some reason)... Real shell exploits are usually done through input fields or URL boxes if not other methods.... since anyone who knows about the topic would know that, you should cook up a hoax reply to all the noobs that tell you they found a vulnerability there... make them really think it's real... :P

Awesome to know you read the logs on it though lol, there's a chance someone might actually try to gain a real shell from that thing if they can find an exploit in it...

  • 43 months ago
  • 1 point

Awesome to know you read the logs on it though lol, there's a chance someone might actually try to gain a real shell from that thing if they can find an exploit in it...

It doesn't call into a shell to execute anything. It's simple string parsing and returning results. So I think the odds of exploiting it to get to a real shell are very, very, very low.

  • 43 months ago
  • 1 point

I figured it may have been a server-side application, which is where the risk is... but if it's all local JavaScript, then that's a different beast and a hell of a lot more secure since it wouldn't need to make server requests... you said you log it though, so there's something coming back to your server... granted it's not much, there MAY be a possibility of exploit there much like old web site guest lists used to get ransacked by bored hackers back in the day to find all kinds of unintended capabilities. The key is in how the logs come back to you, and how they are used after being stored.... without the knowledge of that, hacking it is a hell of a lot harder. The risks may be very small, but any server-interfacing system is exploitable in the end. Ideally the server-side code for all this would be sandboxed on a virtual machine or something just in case and the only interaction from that to your main web server would be just URL redirections to other sites like xkcd or back to the main pcpartpicker site.

That said, it's an awesome feature... I just wish there was a user manual for common things that do work in it since I'm lazy :P

  • 43 months ago
  • 1 point

It does handle the requests on the server side. However, you're making assumptions about the implementation and overstating the risk. :)
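The commenter's point about "how the logs are used after being stored" is the one place a fake shell does touch something real: whatever was typed ends up in a file that a person later opens, often in a browser. The example below is added here and is not PCPartPicker's code; it reads lines in the shape quoted in the post ("[Sun Nov 08 11:53:43 2015] [error] DEBUG    CMDBOX(...)"), treats the CMDBOX payload as attacker-controlled text, and escapes it before building an HTML view, so a visitor who types a script tag into the 404 box does not get it executed in staff's browsers. Two of the sample lines are copied from the post; the other three are constructed to exercise a typed ")" inside the command, a script tag, and an unrelated Apache line that must be skipped.

```python
import html
import re
from datetime import datetime

# Added example, not PCPartPicker's code.  The line shape matches the entries
# quoted in the post.  The pattern is anchored at both ends and the CMDBOX
# payload is taken greedily up to the final ")", so a ")" typed into the box
# cannot end the capture early and make the rest of the line disappear.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>\w+)\] DEBUG\s+CMDBOX\((?P<cmd>.*)\)$"
)


def parse_cmdbox(line: str):
    """Return (timestamp, command) for a CMDBOX log line, or None when the
    line is something else (other stderr noise is skipped, not mis-read)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("cmd")


def render_row(ts: datetime, cmd: str) -> str:
    """One HTML table row.  The command is visitor-supplied, so it is escaped
    (including quotes) before it is placed in a page that staff will open."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        ts.isoformat(sep=" "), html.escape(cmd, quote=True))


def render_log(lines) -> str:
    """Build the log-viewer table from raw log lines."""
    rows = [render_row(*parsed)
            for parsed in map(parse_cmdbox, lines) if parsed is not None]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


# Two lines quoted from the post, three constructed for the example.
SAMPLE_LOG = [
    "[Sun Nov 08 04:18:26 2015] [error] DEBUG    CMDBOX(sudo buy me a pc)",
    "[Sun Nov 08 03:04:50 2015] [error] DEBUG    CMDBOX(hacked sql injection)",
    "[Sun Nov 08 09:00:00 2015] [error] DEBUG    CMDBOX(echo \"(unbalanced)\")",
    "[Sun Nov 08 09:00:01 2015] [error] DEBUG    CMDBOX(<script>alert(1)</script>)",
    "[Sun Nov 08 09:00:02 2015] [notice] Apache/2.4 configured -- resuming normal operations",
]

if __name__ == "__main__":
    print(render_log(SAMPLE_LOG))
```

Parsing with an anchored, whole-line pattern and escaping at render time are the two habits that matter here; the same escaping applies if the log is fed into a chat notification or any other place that interprets markup.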

  • 43 months ago
  • 1 point

Skepticism comes naturally to me when it comes to computer security lol. But ya, I have no idea what it's doing, so it's idle skepticism based only on possibilities not probabilities. I still say you should screw with people who think they actually got through though :P

  • 43 months ago
  • 1 point

Any shell that pops up on a web page is obviously not a real shell access to the server (unless done on purpose by the admins for some reason [ ... ]

Allow me to introduce you to the root shell interface of FreeNAS.

  • 43 months ago
  • 1 point

Any admin that allows that to be accessible through the web domain of a public-facing site is asking for it... That should really be kept on a local-only network and cut off from any web server... It does fall under this though:

unless done on purpose by the admins for some reason

  • 42 months ago
  • 1 point

SaratogaJ's profile is missing

  • 42 months ago
  • 4 points

SarantogaJ was banned for vote manipulation.

  • 42 months ago
  • 1 point

Wow, really? His builds were pretty good though. Thx for replying.

[comment deleted by staff]
  • 42 months ago
  • 6 points

So what If I had high comment Karma? Seriously doesn't matter. ... I did not break the ToS and you could at least give a warning before you just go banning people.

If you want to earn the respect of the community with your comments and build guides, then earn it. Creating multiple accounts and upvoting yourself several hundred times per account is an abuse of the system and the trust of users here. I won't have it on my site.

[comment deleted by staff]
  • 42 months ago
  • 5 points

You got caught. You got banned. You could have owned up to it, but chose not to. You're not welcome here.

[comment deleted by staff]
  • 42 months ago
  • 3 points

My logs do not agree with your assessment at all.

[comment deleted by staff]
[comment deleted by staff]
[comment deleted]
  • 42 months ago
  • 1 point

We don't run with Ruby. Our shell was done in house without reusing anything.

[comment deleted]
  • 42 months ago
  • 1 point

Python.

[comment deleted]
  • 42 months ago
  • 1 point

So... ?
