Currently Sejeal and Hmei7 are performing defacement's around the clock.
As Hmei7 posted on twitter, he might be using an old DNN [Dot Net Nuke] Exploit. But how difficult is this exploit? To be honest, it is as easy as hell. Only script kiddies would still use them.
First Check whether the website is vulnerable or not.
To find such websites simply copy this code to Google and hit enter:
inurl:/portals/0
or
inurl:/tabid/36/language/en-US/Default.aspx
Open the home page and check any image which is located in /portals/0/
Check the location of the image. It should be located in /portals/0/
For e.g. in case of http://www.example.com the image is located at location:
http://www.example.com/Portals/0/SHM.jpg
Yeah... it means this website is vulnerable and we can change the front page pic.
Now the current image name is SHM.jpg. Rename the new image as SHM.jpg which you want to upload as a proof of you owned the system.
Now here is the exploit :
Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
How to deface ?
Simply copy paste it as shown below:
www.site.com/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
You will see the portal where it will ask you to upload. Select the third option File ( A File On Your Site)
After selecting the third option, replace the URL bar with below script:
javascript:__doPostBack('ctlURL$cmdUpload','')
After running this JAVA script, you will see the option for Upload Selected File.
Now select you image file which you have renamed as SHM.jpg & upload here.
Go to main page and refresh... That's it, you have defaced the website.
How to mitigate ?
Because there is no known fix, there are only ways to mitigate this attack (and hence it is a zero-day hack).
1. Rename the fcklinkgallery.aspx fileAs fcklinkgallery.aspx is the entry point for this hack attack, the first thing to do is to rename this file. I suggest using a random file name – like a guid. After you rename the file, you will need to update the “LinksGalleryPath” setting in your config file. This will be found in the
section. Just look for “LinksGalleryPath” and update the value to the newly named file name.
If the hacker cannot browse to the fcklinkgallery.aspx file, he will not be able to upload a ASP file onto your DNN site.
An extra step that needs to be taken to get the link editor to work after renaming it. Basically you need to also rename the "\Providers\HtmlEditorProviders\Fck\App_LocalResources\fcklinkgallery.aspx.resx" to match the renamed fckLinkGallery file.
2. Remove Execute permission on the Portals folder of your DNN site.The sub-folder “Portals” in your DNN site typically does not need to be able to run ASP files or any other files. So remove “Execute” permissions on that folder.
Open up IIS.
Expand the website node for your DNN site.
Select the Portals node in the explorer view on the left.
Right click on the Portals node and open the Properties dialog.
Chose the Directory Node.
Set Execute Permissions to “None”.
If you like more info about DNN exploits, Google will give you thousands of links.
Lets hope those sysadmins will wake up like those of the Belgium Royal Military Academy.
