
Comments (7)

rejetto commented on July 18, 2024 2

i don't think it's ok to make "selfdestructing" software (or similar), but I guess AFTER the damage a lot of people would accept that, when it's too late.
The POC i was given at the time was not working on 2.4, so i was not very worried.
I discovered the other POC only when it was too late.

from hfs2.

Ptit-Philou commented on July 18, 2024 1

Yeah, move to HFS3 and thank you for feedback ;-)


Ptit-Philou commented on July 18, 2024 1

A strange point: during the hack on my server, hfs.exe was deleted, maybe by the hacker?
It helped me to react, as I was unable to share files and I didn't pay attention to logs....
The installer should be removed or modified, to tell users that security is compromised.


DRSDavidSoft commented on July 18, 2024 1

@Ptit-Philou Sure, it was also the initial reason that I found this out: #43
I also agree that it might have been the attackers themselves that removed HFS, maybe to prevent other attackers from connecting to the same compromised machine. Thank goodness that they did, otherwise I also wouldn't have found it out!


rejetto commented on July 18, 2024

that's right.
people who didn't disable automatic check for updates, must have got this warning several days ago

as the front page of this repo says, this project is obsolete and i'm not working on it anymore.
i cannot exclude you may find a fix from some fork.

my suggestion is to use HFS 3 https://github.com/rejetto/hfs


Ptit-Philou commented on July 18, 2024

Thank you for feedback : Updated to HFS 3 :-)
Great job ;-)


DRSDavidSoft commented on July 18, 2024

@Ptit-Philou Great write-up; I wish I was notified of this attack sooner. According to @mohemiv, this issue was first reported to @rejetto on 18/08/2023 and the PoC was released on 25/05/2024.


Guess what? I was happily running and using HFS 2 on my servers during these dates! A quick check of the Windows Defender logs (also known as Security Essentials) shows that the 1.exe file, RR.exe file, Crash.exe all were downloaded on these servers and only some were detected and blocked by Windows Defender.

That nasty Roboform.dll is in fact a malicious keylogger and clipboard monitor that has been collecting ALL secret tokens, passwords, cookies, etc. on the server for the past couple of weeks. Sheesh! 😭

@mohemiv next time please ALSO LET ME KNOW too. (I'm joking of course) but this is really pissing me off! @rejetto Thank you for the great software. It's my bad for not using HFS 3 instead of HFS 2, but I wish you had implemented a self destruct for HFS 2 instead of the warning message, or at least made the update disable the template processing/search functionality or something like that.

Now let's all move on to HFS 3, and R.I.P. to HFS 2.

