05-24-2009, 01:57 AM #1
Lxadmin / Kloxo security: all hype, little substance
Note to mods: no details are being given in this thread which could assist someone in gaining access to, escalating privileges from, or otherwise harming any server using Lxadmin / Kloxo. Something to please consider before prematurely mashing the "edit post" button.
I like to seek truth in things, which is why I'm compelled to write this. What software someone chooses to use is of no concern to me, and influencing anyone's decision is not the point of this post. I have nothing to gain from posting this. However, someone else reading this might.
Recently someone was plugging Lxadmin / Kloxo on WHT for its stellar reputation for security, presumably partly due to its lack of public history of security problems, and also because of claims made by the vendor on their website. As someone who enjoys looking for bugs in software, this prompted me to install OpenVZ and Kloxo (hostinabox575 on CentOS, specifically). What I found over the course of a few days were numerous issues, both local and remote, that directly contradict many statements made by the vendor on their website.
To be very blunt: the security of Kloxo sucks. Let's start with the following quote from http://lxlabs.com/software/kloxo/security
Kloxo itself runs as user 'lxlabs' which is simply yet another user in the system, who has absolutely no special permissions. All system executions are handled by another process that runs in the background and communicates with kloxo through a socket. This security model works on both Windows and Linux, and makes sure that even if kloxo itself is compromised, the attacker cannot have any access to the system.
Code:
[root@testing574 ~]# ps -u lxlabs
  PID TTY          TIME CMD
10054 ?        00:00:00 kloxo.httpd
Code:
[pid 17662] execve("/bin/sh", ["sh", "-c", "id 2>&1"], [/* 34 vars */]) = 0
Code:
uid=0(root) gid=0(root)
Here's another quote from that site:
User cannot perform any operation on any file other than the ones he owns. Before every operation is carried out, it is determined whether the user fully owns every file that is involved in the operation, and kloxo will fail otherwise. Any attempts by the user to read or copy the system files or any other's files will result in an exception being raised. (That is, IF he manages to break out of the jail).
All program executions are carried out only after the context is switched to that of the user who requested it. Thus even if the user manages to break out of the jail, the maximum privileges that he can achieve is that of the system user consigned to him.
Complete Logging. Kloxo logs every single change that was made to the file system, and also every single execution of any external program. These logs will help you track down any kind of attempts to gain system privileges.
Other bugs that exist in this software include:
- the ability for resellers to potentially hijack new accounts before they're even created (all software that offers reseller capabilities is vulnerable to this to some extent. cPanel is the only one I've seen so far that has actually done anything about it. DA might have as well, but I haven't checked. They were informed of this 9 months ago).
- using unprivileged ports for services by default, and doing nothing if something else is bound to them (cPanel checks to make sure that it, and only it, is what's using the ports it listens on. I don't recall what DA does. Kloxo doesn't care). You can change at least 2 of the ports (7777 and 7778), and I would recommend doing so.
- default passwords for root, for the admin user, and for the kloxo db (and for other services? Is this documented anywhere at all?).
- local users (clients or resellers) can quite trivially execute commands as root. This has nothing to do with the Command Center as mentioned above while logged in as the admin user.
- remote, unauthenticated users can cause lxguard to block any IP address of their choice
- remote, unauthenticated users can cause Kloxo to consume all server memory
- remote, unauthenticated users can create directories of their choice anywhere on the filesystem
- more
Now, for those using Kloxo, I have emailed them about this a few days ago. Someone did respond a few days later saying they would look into the issues. As best as I can tell from my webserver logs, nothing yet has been investigated (although that is not the point of this message). I haven't shared the actual details of this information with anyone, nor do I plan to at this time. The fact that the bugs exist is not the point. The incredibly arrogant, egotistical, and belittling statements from the vendor about others is why you are reading this now. They are attempting to profit off of making others look bad, when in fact the ones they so often talk bad about are the ones that generally don't give up root nearly as easily, and nearly as often.
Here is just 1 of a number of such statements posted by the vendor in their own forum, which I just came across earlier, and was the catalyst for making this post:
We are not emulating [competitor panel] dev's lack of programming ability or their incapacity to understand security.
Bottom line: go ahead and use Kloxo. You will either get hacked, or you won't. That holds true for most software. But I'd recommend against buying into the hype and the vitriol from this vendor, at least until their software stops constantly giving up root, and letting people trash the filesystem, and letting people remotely crash the software, etc etc. Kloxo has some good ideas (many of which are just borrowed from actual implementations of other panels), but it is just a baby right now and, as such, has little to no defense against attacks.
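The post's strace line shows the privileged backend handing a string to `sh -c` as root, which is the opposite of the model the vendor page describes (unprivileged front-end, backend that checks ownership and switches to the requesting user before executing). The block below is an added example written for this page, not Kloxo's code and not derived from it: a minimal dispatcher that contrasts the `sh -c` pattern with an allow-listed, shell-free one that runs the operation as the requester. The operation names, request shape and helper names are assumptions for the example.

```python
import os
import pwd
import subprocess
import tempfile

# Constructed allow-list: operation name -> argv template. Only the path
# field comes from the request, and it is passed as a single argv element,
# so a request path of "/home/x; id" cannot become a second command.
ALLOWED_OPS = {
    "disk-usage": ["du", "-sh", "{path}"],
    "list": ["ls", "-la", "{path}"],
}


def vulnerable_dispatch(request: str) -> str:
    """The pattern the strace line in the post shows: the backend hands the
    whole request string to /bin/sh, running as whatever the backend is
    (root). A request of "ls /home/x; id" runs `id` as root as well."""
    out = subprocess.run(["sh", "-c", request + " 2>&1"],
                         capture_output=True, text=True)
    return out.stdout


def user_owns_all(paths, uid: int) -> bool:
    """The vendor's ownership rule: every file involved must be owned by the
    requester. os.stat follows symlinks, so a user-owned link pointing at a
    root-owned file is rejected. A check-then-use race remains; that is why
    the operation is also run as the user below, so the kernel enforces it."""
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            return False
        if st.st_uid != uid:
            return False
    return True


def build_argv(op: str, path: str) -> list:
    """Look the operation up in the allow-list; anything else is refused."""
    if op not in ALLOWED_OPS:
        raise PermissionError("operation not allowed: %r" % op)
    return [arg.format(path=path) for arg in ALLOWED_OPS[op]]


def drop_privileges(uid: int, gid: int):
    """preexec_fn for the child: supplementary groups, then gid, then uid.
    Dropping uid first would make the other two calls fail."""
    def _drop():
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)
    return _drop


def hardened_dispatch(op: str, path: str, username: str) -> str:
    """Context-switch-then-execute, as the vendor page describes it: verify
    ownership, build argv from the allow-list, and run as the requester."""
    pw = pwd.getpwnam(username)
    if not user_owns_all([path], pw.pw_uid):
        raise PermissionError("requester does not own every file involved")
    argv = build_argv(op, path)
    preexec = None
    if os.geteuid() == 0 and pw.pw_uid != 0:   # only root can switch users
        preexec = drop_privileges(pw.pw_uid, pw.pw_gid)
    out = subprocess.run(argv, capture_output=True, text=True,
                         preexec_fn=preexec)
    return out.stdout


def current_user() -> str:
    """Name of the user this process runs as (the demo's 'requester')."""
    return pwd.getpwuid(os.getuid()).pw_name


def owned_scratch_dir() -> str:
    """A directory owned by this process, used as the demo's request path."""
    return tempfile.mkdtemp(prefix="panel-demo-")


if __name__ == "__main__":
    me = current_user()
    print(vulnerable_dispatch("echo hello; id"))        # second command runs too
    print(hardened_dispatch("list", owned_scratch_dir(), me))  # allow-listed, no shell
    try:
        hardened_dispatch("shell", "/", me)
    except PermissionError as e:
        print("rejected:", e)
```

The point of the contrast is not the allow-list itself but where enforcement sits: in the vulnerable form every request is a root shell, so any parsing mistake is a root compromise; in the hardened form the backend's own checks are a first filter and the uid switch makes the kernel the second, which is what "context is switched to that of the user" has to mean for the claim to hold.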
05-24-2009, 12:59 PM #2
I haven't heard anything about lxadmin security issues or any hacking incident.
lxadmin is not used by most of the webhosting companies. What I heard is that lxadmin is best for VPS servers. A VPS server cannot host domains like a dedicated server.
I do have a lxadmin vps and it is online since 7 months, no problem
06-06-2009, 10:10 AM #3
I have checked a few (now publicly available!!!) vulnerabilities of kloxo (lxadmin). And yes, there are many security issues.
I think there is nothing you can do about this if you use kloxo for shared hosting services with many users, etc.
In my opinion, if you use kloxo only for your own sites, and no one else uses it, then at minimum you should do this:
1) Change default passwords for MySQL users: root, kloxo.
Changing default password for MySQL user "kloxo":
Code:
# mysql -u root -p
mysql> grant all on kloxo.* to kloxo@localhost identified by 'newpass';
mysql> flush privileges;
mysql> exit;
Code:
echo -n newpass > /usr/local/lxlabs/kloxo/etc/conf/kloxo.pass
Code:
iptables -I INPUT -p tcp --dport 7776 -j DROP
4. Disable access to ports 7777 and 7778. Allow only connect to these ports from your ip:
Code:
iptables -I INPUT -p tcp --dport 7777 -j DROP
iptables -I INPUT -p tcp --dport 7778 -j DROP
iptables -I INPUT -s x.x.x.x -p tcp --dport 7777 -j ACCEPT
iptables -I INPUT -s x.x.x.x -p tcp --dport 7778 -j ACCEPT
Important! After rebooting your server, you need to set up the iptables rules again.
This will help a little to be more secure.
This will not help if someone you don't trust has local access to your server, or has a user in your kloxo panel.
If someone has local access to your system, then there is nothing you can do about it, because of kloxo's big security issues.
And one more thing about "Roundcube" installed with kloxo.
I'm not sure whether this issue is fixed in the latest Roundcube version, but there has been a serious security bug.
I chose to disable Roundcube altogether and use other webmail programs.
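The four iptables lines in the post only work because of the order they are typed in: `-I` inserts each rule at the top of the chain, so the ACCEPT lines, typed last, end up above the DROP lines. Typed the other way round, the allowed address is locked out too. The block below is an added example, not from the post and not Kloxo's code: it builds the same allow-then-drop rule set for the panel ports, simulates how `-A` and `-I` order the chain, and evaluates first-match verdicts so the ordering mistake is visible before it is applied to a live box. The ports 7777 and 7778 are the ones the post names; the allowed address 203.0.113.7 is a placeholder for the post's x.x.x.x.

```python
import ipaddress
import shlex

PANEL_PORTS = [7777, 7778]  # from the post; add 7776 if you block it too


def build_rules(allowed_src: str, ports, flag: str = "-A") -> list:
    """Return the iptables commands as argv lists.

    With -A (append) the chain keeps the order written, so ACCEPT comes
    first. With -I (insert at top) each new rule lands above the previous
    ones, so the DROPs must be written first, as the post does."""
    src = ipaddress.ip_network(allowed_src, strict=False)
    accepts = [["iptables", flag, "INPUT", "-s", str(src), "-p", "tcp",
                "--dport", str(p), "-j", "ACCEPT"] for p in ports]
    drops = [["iptables", flag, "INPUT", "-p", "tcp",
              "--dport", str(p), "-j", "DROP"] for p in ports]
    return accepts + drops if flag == "-A" else drops + accepts


def apply(commands) -> list:
    """Simulate the resulting chain: -A appends, -I inserts at position 1."""
    chain = []
    for cmd in commands:
        if cmd[1] == "-A":
            chain.append(cmd)
        elif cmd[1] == "-I":
            chain.insert(0, cmd)
        else:
            raise ValueError("unsupported flag in %r" % (cmd,))
    return chain


def verdict(chain, src: str, dport: int, default: str = "ACCEPT") -> str:
    """First-match evaluation, as the kernel does it: the target of the first
    rule whose -s and --dport match wins; fall through to the chain policy."""
    addr = ipaddress.ip_address(src)
    for rule in chain:
        opts = dict(zip(rule[3::2], rule[4::2]))  # "-s", "-p", "--dport", "-j"
        if "-s" in opts and addr not in ipaddress.ip_network(opts["-s"]):
            continue
        if "--dport" in opts and int(opts["--dport"]) != dport:
            continue
        return opts["-j"]
    return default


def to_shell(commands) -> str:
    """Render the commands as lines you could paste into a root shell."""
    return "\n".join(shlex.join(cmd) for cmd in commands)


if __name__ == "__main__":
    good = build_rules("203.0.113.7", PANEL_PORTS, flag="-I")
    print(to_shell(good))
    print("admin 7777:", verdict(apply(good), "203.0.113.7", 7777))
    print("other 7777:", verdict(apply(good), "198.51.100.9", 7777))
    # Same rules, typed in the opposite order with -I: the admin is locked out.
    wrong = list(reversed(good))
    print("admin 7777, wrong order:", verdict(apply(wrong), "203.0.113.7", 7777))
```

Two caveats a practitioner would add to the post's recipe: check the result with `iptables -L INPUT -n --line-numbers` rather than trusting the typed order, and make the rules survive a reboot (on CentOS of that era, `service iptables save` writes them to /etc/sysconfig/iptables so the init script restores them), which is the "Important!" the post leaves as a manual step.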
06-09-2009, 05:10 PM #4
http://www.webhostingtalk.com/showthread.php?t=867100
124 pages of exploit.
06-11-2009, 01:55 PM #5
It's too bad the owner of lxadmin/kloxo didn't bother reading threads like this before killing himself over the fact that his software destroyed more than a few businesses that relied on it.
At this point, anyone who is still using this *proven* insecure software is an idiot.
We are eNom PLATINUM PLUS resellers!
Sign up today for an eNom.com reseller account with lowest possible pricing.
* We provide support and service to over 4275 happy eNom domain name and SSL certificate resellers!
06-11-2009, 02:09 PM #6
Might be. But you tell me a free control panel which has almost all features of lxadmin and tell me how to switch to your control panel easily. If you can't answer this question, then you need to understand that those "idiot" people are waiting to get a right answer for this question.
06-11-2009, 02:16 PM #10
Really? So it's safe to use a control panel from a vendor whose owner just killed himself rather than face the shame (and responsibility) that comes with having his products hacked, even though he was told about the massive number of security exploits a long time before?
I suppose those people who are waiting for something better to come along will be quite proud of themselves for waiting, after they discover their server is toasted.
If there is nothing else out there as an alternative, then they have some choices.
- Build their own.
- Do it manually.
Notice that one of the choices was not "continue using an insecure product".
What this issue highlights is the fact that the vast majority of "hosting companies" are owned and operated by kiddie hosts, who know very little or nothing at all about how a server actually works. Instead, they are dependent on a control panel, and find they can't operate without it. When that control panel is discovered to be insecure, they either fold up and disappear, continue using the insecure product, or can hire someone to take one of the two options I posted above.
06-11-2009, 02:47 PM #11
You have a very simplified view of these issues.
First, you are jumping to conclusions about Ligesh's motives that led to his suicide. Knowing a little bit more about his personality and family would tell you that there is much more behind the scenes.
Second, major HyperVM and Kloxo vulnerabilities were addressed before he died. Thinking that he left all his clients at the mercy of the hackers is simply not true.
Third, this VAServ breach is most likely not connected to Lxlabs products at all. There have been numerous reports (such as this) suggesting that it was a matter of sniffed passwords.
It is sad that Ligesh has no one to speak for him with authority now. One more reason not to spread FUD.
And man, there has been plenty of FUD on WHT, Lxlabs forums, etc. since all these events took place.
06-11-2009, 03:00 PM #12
Ya. So I guess all those exploits posted up to the milworm website are probably not accurate, right?
And the fact he killed himself shortly after discovering his "successful" business that he bragged about to everyone was going to go down the toilet, is probably just coincidence.
I have no doubt he had many things going on in his life. Based on his blog, he sounded like a rather "interesting" person.
However.. I really don't care.
But if you're going to try and say that his software was safe and secure.. that's just untrue. The fact is there are numerous proven exploits, the least of which would allow the hacker to execute the "rm -rf" command as root, which is exactly what happened.
FUD? Not about the software security problems. Those are fact.
Feel free to go to the milworm website and address the hundreds of proven/public exploits if you feel so sure.
06-11-2009, 03:49 PM #13
There was a single post about Kloxo there, containing 24 issues. Some of them were variants of the same problem. And they were accurate, but most of them were also fixed by Ligesh before he died.
Fixes were distributed to clients and VAServ was running the latest version of HyperVM as far as I know. I'm sure we'll know more once this is over.
If this VAServ incident is what tipped Ligesh into suicide, then it only makes it that much sadder.
Btw, we were evaluating HyperVM when all this happened and you can actually read my posts on the Lxlabs forum from the day this all came out. Needless to say, we have also tested the exploits on our test servers before and after the fixes were issued.
I apologise if I insulted you with the FUD comment, but some of your statements are simply not true and, correct me if I'm wrong, you are talking about things without having any personal knowledge of the matter.
Like I said, there has been a lot of FUD since these events took place, and it's spreading.