Thread: litespeed hacked?
-
06-13-2010, 12:07 AM #1Junior Guru Wannabe
- Join Date
- Mar 2010
- Posts
- 43
litespeed hacked?
this legit and real?
friend showed me it just now on msn
http://************.org/forums/topic...-byte-exploit/
-
06-13-2010, 12:25 AM #2Junior Guru Wannabe
- Join Date
- Jun 2010
- Location
- Phoenix, AZ, USA
- Posts
- 30
This exploit is just a proof of concept for a file disclosure vulnerability. It would take quite a bit of effort on the part of an attacker to gain complete control of a system with it. Although this particular exploit would not allow an attacker to get remote root control of a web server, I would still upgrade as soon as possible.
-
06-13-2010, 12:50 AM #3Web Hosting Master
- Join Date
- Mar 2008
- Posts
- 1,717
It's not really a "proof of concept" considering it's got an actual exploit code with it. I was unable to test it because I don't have a LSWS with an active license, and I couldn't get another trial license to work - it just fails to start.
It looks legit to me though. Wait for LiteSpeed or mistwang here to confirm/deny it.
-
06-13-2010, 01:33 AM #4******* Unleaded
- Join Date
- Feb 2004
- Posts
- 3,849
-
06-13-2010, 01:53 AM #5Web Hosting Master
- Join Date
- Jun 2004
- Location
- Oregon
- Posts
- 1,315
just tried with the latest Litespeed version and an older version, both don't work.
anyone find the exploit works?
-
06-13-2010, 02:09 AM #6Aspiring Evangelist
- Join Date
- Aug 2002
- Location
- Milton Keynes
- Posts
- 354
Yup, just confirmed this works
-
06-13-2010, 03:10 AM #7Web Hosting Master
- Join Date
- Mar 2008
- Posts
- 1,717
-
06-13-2010, 03:33 AM #8Web Hosting Master
- Join Date
- Jun 2004
- Location
- Oregon
- Posts
- 1,315
it actually did work...hope they have it fixed soon.
-
06-13-2010, 03:39 AM #9Web Hosting Master
- Join Date
- Mar 2008
- Posts
- 1,717
BTW if mod_security works on litespeed, I'd imagine it's probably trivial to write a rule to block this - not sure on that though.
I'm guessing anything that includes %00 would work? Someone more familiar with mod_security than me could probably confirm it.
-
06-13-2010, 03:56 AM #10Web Hosting Master
- Join Date
- Jun 2004
- Location
- Oregon
- Posts
- 1,315
maybe this
Code:
SecFilterCheckURLEncoding On
SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$"
-
06-13-2010, 07:12 AM #11Web Hosting Industry Expert
- Join Date
- Dec 2007
- Location
- Indiana, USA
- Posts
- 19,196
I tested this against 4.0.13 and 4.0.14 both x86 and x64 and the exploit doesn't appear to be affecting either of these builds.
Perhaps it only affects older/outdated software (i.e. it should have been kept up to date).
What version and architecture?
-
06-13-2010, 07:12 AM #12Web Hosting Master
- Join Date
- Apr 2007
- Location
- United Kingdom
- Posts
- 1,861
Out of interest, what version are you guys running?
I just tried it on 4.0.14 and it didn't work.
-
06-13-2010, 07:21 AM #13Junior Guru Wannabe
- Join Date
- Jul 2009
- Posts
- 69
Nothing on 4.0.14 here, too.
-
06-13-2010, 08:16 AM #14New Member
- Join Date
- Jun 2010
- Posts
- 2
4.0.14 is vulnerable under my tests.
bin/lshttpd.4.0.14: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
However, the exploit linked here did *NOT* work. I had to write my own version to get reproducible effects.
Here is the source: pastebin.ca/1882204 (can't directly link, I don't have 5 posts)
-05:04:20- seraphic:~/test luna% ./litespeed.pl <censored> /test.php
[.] webserver accepted the request
[.] <censored>:80 is running LiteSpeed
[+] file (test.php.txt) has been saved.
-05:07:03- seraphic:~/test luna% cat <censored>\:80-test.php
<?php
$super_secure_password = "vulnerable";
?>
Yes, I am aware the reported file it saves to is wrong, I wrote it at 4 in the morning. Cut me a little slack.
Tell everybody you know running LiteSpeed (especially in place of Apache on cPanel servers, like I'm doing) to either hotfix with mod_security (does this work?) or switch back to Apache until an upgrade is released.
-
06-13-2010, 08:33 AM #15Aspiring Evangelist
- Join Date
- Mar 2009
- Location
- /home/khunj
- Posts
- 433
Just add this to 'Request Filter' at the server level:
Name : NULLBYTE
Action: deny,log
Enabled: yes
Rules Definition: SecRule REQUEST_URI "\x00"
Restart LS.
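To find out whether requests of the kind this filter rule blocks already reached a server before the rule or the upgrade went in, the access log can be scanned for NUL bytes in the request target. The script below is an added example, not part of the original post or of any LiteSpeed tooling; the log lines are constructed, and the log layout and the escaped `\x00` spelling are assumptions about how the server writes its log.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = r'''
198.51.100.7 - - [13/Jun/2010:05:04:20 +0000] "GET /test.php%00.txt HTTP/1.1" 200 52
198.51.100.7 - - [13/Jun/2010:05:04:25 +0000] "GET /index.php\x00.txt HTTP/1.1" 200 913
203.0.113.9 - - [13/Jun/2010:05:06:01 +0000] "GET /config.php%2500.txt HTTP/1.1" 404 0
192.0.2.44 - - [13/Jun/2010:05:07:12 +0000] "GET /index.php?id=100 HTTP/1.1" 200 4096
192.0.2.44 - - [13/Jun/2010:05:08:40 +0000] "GET /download.php?f=a%2000.txt HTTP/1.1" 200 12
'''

# Assumed layout: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})\b')


def contains_nul(target: str) -> bool:
    """True if the request target carries a NUL byte in any common spelling."""
    if "\\x00" in target.lower():          # escaped form written by the logger
        return True
    data = target.encode("latin-1", "replace")
    for _ in range(3):                      # raw, decoded once, decoded twice
        if b"\x00" in data:
            return True
        data = unquote_to_bytes(data)       # %00 -> NUL, %2500 -> %00
    return False


def scan(log_text: str):
    """Return (ip, target, status, served) for each NUL-byte request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, _method, target, status = m.groups()
        if contains_nul(target):
            # served=True: the server answered 200, so treat any secrets in
            # the requested file as exposed and rotate them.
            hits.append((ip, target, int(status), status == "200"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The `%2000` line is deliberately not flagged: it decodes to a space followed by `00`, not to a NUL byte.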
-
06-13-2010, 09:04 AM #16Web Hosting Master
- Join Date
- Jun 2004
- Location
- Oregon
- Posts
- 1,315
-
06-13-2010, 09:56 AM #17Web Hosting Industry Expert
- Join Date
- Dec 2007
- Location
- Indiana, USA
- Posts
- 19,196
-
06-13-2010, 10:22 AM #18Temporarily Suspended
- Join Date
- Dec 2009
- Posts
- 122
Doesn't work
LiteSpeed Technologies Web Server Remote Source Code Disclosure
Exploit
By Kingcope
June 2010
Saving source code of index.php into testlsws-index.php
And nothing happens after this - newest version of LiteSpeed
-
06-13-2010, 10:34 AM #19Aspiring Evangelist
- Join Date
- Mar 2009
- Location
- /home/khunj
- Posts
- 433
Replace:
Code:print $sock "GET /$file\x00.txt HTTP/1.1\r\nHost: $ARGV[0]\r\nConnection: close\r\n\r\n";
Code:print $sock "GET /$file\x00.txt HTTP/1.1\r\nHost: $ARGV[0]\r\nConnection: close\r\n\r\n";
-
06-13-2010, 11:23 AM #20Web Hosting Master
- Join Date
- Jan 2005
- Posts
- 2,203
Are there any more mod_security rules to prevent this?
-
06-13-2010, 01:22 PM #21Web Hosting Master
- Join Date
- Jan 2005
- Posts
- 2,203
4.0.15 is out to address this bug.
http://www.litespeedtech.com/support...0085#post20085
-
06-13-2010, 01:54 PM #22Web Hosting Evangelist
- Join Date
- May 2009
- Location
- London, United Kingdom
- Posts
- 472
May I ask you why did you link to ************? They have nothing to do with it. Next time link to the official source or one of the well known exploit sites out there as seclists or c/p it directly to WHT.
This can be considered as advertising as you are the owner of ************ (who by the way got banned from WHT multiple times - Viz0n, Visi, yah0m, Yulia...) and I believe it's NOT allowed in this section, same goes for duplicate accounts. *REPORTED*
About the exploit, it wouldn't do much harm if your config files had the correct permissions. E.G If "others" had no read access to config.php of phpBB3.
LiteSpeedTech already came up with a patched version and you can download it here:
http://www.litespeedtech.com/package...4-linux.tar.gz
-
06-13-2010, 02:12 PM #23Web Hosting Master
- Join Date
- Mar 2008
- Posts
- 1,717
Good catch, if accurate. How do you know he's the owner of that site? To be fair, I also didn't see this exploit posted on milw0rm or anything like that when the OP's post was made, and it only hit FD sometime this morning AFAIK... but I honestly have been out of the game so long that I don't know where the cool cats are posting their exploits any more.
About the exploit, it wouldn't do much harm if your config files had the correct permissions. E.G If "others" had no read access to config.php of phpBB3.
-
06-13-2010, 02:15 PM #24Web Hosting Industry Expert
- Join Date
- Dec 2007
- Location
- Indiana, USA
- Posts
- 19,196
If you're not going to run it as the owner of the file, or as some other central user (www, nobody, etc) how would you suggest running a file?
The thing you have to note about this exploit is that it is an exploit in LSWS itself - the PHP isn't even processed through LSAPI/PHP as the web server is just grabbing the file itself and then making the contents available. I didn't test, but I'd venture to say that even with 644 or 640 the exploit would still allow the grabbing of the file contents whether you're running suEXEC or not.
And yes, there is a fix out for LSWS, 4.0.15.
-
06-13-2010, 02:22 PM #25Disabled
- Join Date
- May 2006
- Posts
- 1,426
Sigh, here we go again. With the latest support fiascos I and others I have turned on to litespeed have had I doubt them to get this fixed quick IF they even check the bug email anymore.
This was supposed to have been fixed LONG ago when some defaced group found a similar exploit.