  1. #1
    Join Date
    Mar 2010
    Posts
    43

    litespeed hacked?

    Is this legit and real?

    A friend showed me it just now on MSN.

    http://************.org/forums/topic...-byte-exploit/

  2. #2
    Join Date
    Jun 2010
    Location
    Phoenix, AZ, USA
    Posts
    30
    This exploit is just a proof of concept for a file disclosure vulnerability. It would take quite a bit of effort on the part of an attacker to gain complete control of a system with it. Although this particular exploit would not allow an attacker to get remote root control of a web server, I would still upgrade as soon as possible.

  3. #3
    Join Date
    Mar 2008
    Posts
    1,717
    It's not really a "proof of concept" considering it's got an actual exploit code with it. I was unable to test it because I don't have a LSWS with an active license, and I couldn't get another trial license to work - it just fails to start.

    It looks legit to me though. Wait for LiteSpeed or mistwang here to confirm/deny it.
    I used to run the oldest commercial Mumble host.

  4. #4
    Quote Originally Posted by fwaggle:
    It's not really a "proof of concept" considering it's got an actual exploit code with it.
    That's the definition of "proof of concept" as commonly understood in the security research community.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com

  5. #5
    Join Date
    Jun 2004
    Location
    Oregon
    Posts
    1,315
    Just tried with the latest LiteSpeed version and an older version; neither works.
    Has anyone found that the exploit works?

  6. #6
    Join Date
    Aug 2002
    Location
    Milton Keynes
    Posts
    354
    Yup, just confirmed this works

  7. #7
    Join Date
    Mar 2008
    Posts
    1,717
    Quote Originally Posted by plumsauce:
    That's the definition of "proof of concept" as commonly understood in the security research community.
    In my mind, a "proof of concept" would be a mostly harmless exploit, something without any payload - you can download the config.php of any webapp you desire (that's hosted on LSWS) with that script, that's hardly harmless.

    Meyu: Define "doesn't work"?

  8. #8
    Join Date
    Jun 2004
    Location
    Oregon
    Posts
    1,315
    it actually did work...hope they have it fixed soon.

  9. #9
    Join Date
    Mar 2008
    Posts
    1,717
    BTW if mod_security works on litespeed, I'd imagine it's probably trivial to write a rule to block this - not sure on that though.

    I'm guessing anything that includes %00 would work? Someone more familiar with mod_security than me could probably confirm it.

  10. #10
    Join Date
    Jun 2004
    Location
    Oregon
    Posts
    1,315
    maybe this
    Code:
    SecFilterCheckURLEncoding On
    SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$"

  11. #11
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    I tested this against 4.0.13 and 4.0.14 both x86 and x64 and the exploit doesn't appear to be affecting either of these builds.

    Perhaps it only affects older/outdated software (i.e. it should have been kept up to date).


    Quote Originally Posted by drspliff:
    Yup, just confirmed this works
    Quote Originally Posted by meyu:
    it actually did work...hope they have it fixed soon.
    What version and architecture?

  12. #12
    Join Date
    Apr 2007
    Location
    United Kingdom
    Posts
    1,861
    Out of interest, what version are you guys running?

    I just tried it on 4.0.14 and it didn't work.

  13. #13
    Join Date
    Jul 2009
    Posts
    69
    Nothing on 4.0.14 here, too.

  14. #14
    4.0.14 is vulnerable under my tests.
    bin/lshttpd.4.0.14: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
    However, the exploit linked here did *NOT* work. I had to write my own version to get reproducible effects.
    Here is the source: pastebin.ca/1882204 (can't directly link, I don't have 5 posts).


    -05:04:20- seraphic:~/test luna% ./litespeed.pl <censored> /test.php
    [.] webserver accepted the request
    [.] <censored>:80 is running LiteSpeed
    [+] file (test.php.txt) has been saved.
    -05:07:03- seraphic:~/test luna% cat <censored>\:80-test.php
    <?php
    $super_secure_password = "vulnerable";
    ?>

    Yes, I am aware the reported file it saves to is wrong, I wrote it at 4 in the morning. Cut me a little slack.

    Tell everybody you know running LiteSpeed (especially in place of Apache on cPanel servers, like I'm doing) to either hotfix with mod_security (does this work?) or switch back to Apache until an upgrade is released.

  15. #15
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    433
    Just add this to 'Request Filter' at the server level:

    Name : NULLBYTE
    Action: deny,log
    Enabled: yes
    Rules Definition: SecRule REQUEST_URI "\x00"

    Restart LS.
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.
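    As an added illustration (not code from the thread or from LiteSpeed), here is a small Python detector for the request pattern discussed above, the one fwaggle asked about in #9 and that khunj's REQUEST_URI "\x00" rule denies: it decodes the request target once, as a web server does, and reports which path would actually be opened on disk versus the decoy suffix after the null byte. The sample request lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not taken from the thread). The third and
# fifth carry the null-byte truncation pattern discussed above: the path ends
# in a harmless-looking ".txt" or ".html" only after a %00.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1",
    "GET /static/readme.txt HTTP/1.1",
    "GET /config.php%00.txt HTTP/1.1",
    "GET /admin/db.php%2500.txt HTTP/1.1",  # double-encoded: decodes to a literal "%00", no NUL
    "GET /forum/config.php%00.html HTTP/1.0",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def analyse_request(line):
    """Decode the request target once (as a web server does) and report
    whether a NUL byte splits it into the path actually opened on disk
    and a decoy suffix that only influences handler selection."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    target = m.group("target")
    path = target.split("?", 1)[0]          # ignore any query string
    decoded = unquote_to_bytes(path)        # single decoding pass only
    nul = decoded.find(b"\x00")
    if nul < 0:
        return {"target": target, "nul_byte": False,
                "opened_path": decoded.decode("latin-1"), "decoy_suffix": ""}
    return {"target": target, "nul_byte": True,
            "opened_path": decoded[:nul].decode("latin-1"),
            "decoy_suffix": decoded[nul + 1:].decode("latin-1")}


def find_nul_requests(lines):
    """Return the analysed records for every request line carrying a NUL,
    i.e. the requests a REQUEST_URI "\\x00" deny rule would block."""
    return [r for r in (analyse_request(l) for l in lines) if r and r["nul_byte"]]


if __name__ == "__main__":
    for hit in find_nul_requests(SAMPLE_REQUESTS):
        print(f"{hit['target']}: would open {hit['opened_path']!r}, "
              f"decoy suffix {hit['decoy_suffix']!r}")
```

    The double-encoded line shows why a single decoding pass matters: it contains no NUL after one decode, so neither the server nor a rule matching the decoded URI treats it as a truncated path.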

  16. #16
    Join Date
    Jun 2004
    Location
    Oregon
    Posts
    1,315
    Quote Originally Posted by MikeDVB:
    I tested this against 4.0.13 and 4.0.14 both x86 and x64 and the exploit doesn't appear to be affecting either of these builds.

    Perhaps it only affects older/outdated software (i.e. it should have been kept up to date).

    What version and architecture?
    4.0.11 and 4.0.14 x86_64
    The attack code will need a little adjustment because of some newline characters added when copying and pasting.
    it does work.

  17. #17
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Quote Originally Posted by meyu:
    4.0.11 and 4.0.14 x86_64
    The attack code will need a little adjustment because of some newline characters added when copying and pasting.
    it does work.
    Found that out, very unfortunate.

    Hopefully nobody has remote mysql on and/or shares a root password with a mysql password.

  18. #18
    Join Date
    Dec 2009
    Posts
    122
    Doesn't work

    LiteSpeed Technologies Web Server Remote Source Code Disclosure
    Exploit
    By Kingcope
    June 2010

    Saving source code of index.php into testlsws-index.php

    And nothing happens after this - newest version of LiteSpeed

  19. #19
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    433
    Replace:
    Code:
    print $sock "GET /$file\x00.txt HTTP/1.1\r\nHost: $ARGV[0]\r\nConnection:
    close\r\n\r\n";
    with:
    Code:
    print $sock "GET /$file\x00.txt HTTP/1.1\r\nHost: $ARGV[0]\r\nConnection: close\r\n\r\n";
    Should be one single line.

  20. #20
    Join Date
    Jan 2005
    Posts
    2,203
    Are there any more mod_security rules to prevent this?

  21. #21
    Join Date
    Jan 2005
    Posts
    2,203
    4.0.15 is out to address this bug.
    http://www.litespeedtech.com/support...0085#post20085

  22. #22
    Join Date
    May 2009
    Location
    London, United Kingdom
    Posts
    472
    Quote Originally Posted by nukuki:
    Is this legit and real?

    A friend showed me it just now on MSN.

    http://************.org/forums/topic...-byte-exploit/
    May I ask why you linked to ************? They have nothing to do with it. Next time link to the official source or one of the well known exploit sites out there, such as seclists, or c/p it directly to WHT.

    This can be considered advertising, as you are the owner of ************ (who by the way got banned from WHT multiple times - Viz0n, Visi, yah0m, Yulia...), and I believe it's NOT allowed in this section; the same goes for duplicate accounts. *REPORTED*

    About the exploit, it wouldn't do much harm if your config files had the correct permissions, e.g. if "others" had no read access to config.php of phpBB3.
    LiteSpeedTech already came up with a patched version and you can download it here:
    http://www.litespeedtech.com/package...4-linux.tar.gz

  23. #23
    Join Date
    Mar 2008
    Posts
    1,717
    Quote Originally Posted by SceneSRV:
    May I ask why you linked to ************? They have nothing to do with it. Next time link to the official source or one of the well known exploit sites out there, such as seclists, or c/p it directly to WHT.

    This can be considered advertising, as you are the owner of ************ (who by the way got banned from WHT multiple times - Viz0n, Visi, yah0m, Yulia...), and I believe it's NOT allowed in this section; the same goes for duplicate accounts. *REPORTED*
    Good catch, if accurate. How do you know he's the owner of that site? To be fair, I also didn't see this exploit posted on milw0rm or anything like that when the OP's post was made, and it only hit FD sometime this morning AFAIK... but I honestly have been out of the game so long that I don't know where the cool cats are posting their exploits any more.

    About the exploit, it wouldn't do much harm if your config files had the correct permissions, e.g. if "others" had no read access to config.php of phpBB3.
    "Permissions" on web servers these days are garbage anyway - we've got this whole idea that web scripts should either be run as the owner of the files (bad), as a central www user (worse), and I cringe every time I see "if something doesn't work just chmod -R 777" in instructions someplace.

  24. #24
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Quote Originally Posted by fwaggle:
    "Permissions" on web servers these days are garbage anyway - we've got this whole idea that web scripts should either be run as the owner of the files (bad), as a central www user (worse), and I cringe every time I see "if something doesn't work just chmod -R 777" in instructions someplace.
    If you're not going to run it as the owner of the file, or as some other central user (www, nobody, etc) how would you suggest running a file?

    The thing you have to note about this exploit is that it is an exploit in LSWS itself - the PHP isn't even processed through LSAPI/PHP as the web server is just grabbing the file itself and then making the contents available. I didn't test, but I'd venture to say that even with 644 or 640 the exploit would still allow the grabbing of the file contents whether you're running suEXEC or not.

    And yes, there is a fix out for LSWS, 4.0.15.

  25. #25
    Join Date
    May 2006
    Posts
    1,426
    Sigh, here we go again. With the latest support fiascos that I and others I have turned on to LiteSpeed have had, I doubt they'll get this fixed quickly, IF they even check the bug email anymore.

    This was supposed to have been fixed LONG ago when some defacement group found a similar exploit.
