  1. #1

    Lxadmin / Kloxo security: all hype, little substance

    Note to mods: no details are being given in this thread which could assist someone in gaining access to, escalating privileges from, or otherwise harming any server using Lxadmin / Kloxo. Something to please consider before prematurely mashing the "edit post" button.



    I like to seek truth in things, which is why I'm compelled to write this. What software someone chooses to use is of no concern to me, and influencing anyone's decision is not the point of this post. I have nothing to gain from posting this. However, someone else reading this might.

    Recently someone was plugging Lxadmin / Kloxo on WHT for its stellar reputation for security, presumably partly due to its lack of public history of security problems, and also because of claims made by the vendor on their website. As someone who enjoys looking for bugs in software, this prompted me to install OpenVZ and Kloxo (hostinabox575 on CentOS, specifically). What I found over the course of a few days were numerous issues, both local and remote, that directly contradict many statements made by the vendor on their website.

    To be very blunt: the security of Kloxo sucks. Let's start with the following quote from http://lxlabs.com/software/kloxo/security


    Kloxo itself runs as user 'lxlabs' which is simply yet another user in the system, who has absolutely no special permissions. All system executions are handled by another process that runs in the background and communicates with kloxo through a socket. This security model works on both Windows and Linux, and makes sure that even if kloxo itself is compromised, the attacker cannot have any access to the system.
    Let's take a closer look, shall we?

    Code:
    [root@testing574 ~]# ps -u lxlabs
      PID TTY          TIME CMD
    10054 ?        00:00:00 kloxo.httpd
    pid 10054, kloxo.httpd, the only process currently found running under the user "lxlabs". Let's strace that pid while executing the command "id" from the Command Center (this requires being logged in as admin). Here's the output:

    Code:
    [pid 17662] execve("/bin/sh", ["sh", "-c", "id 2>&1"], [/* 34 vars */]) = 0
    and here's the output:

    Code:
    uid=0(root) gid=0(root)
    Sure looks like kloxo, in that instance, was running with some special permissions to me!

    Here's another quote from that site:

    User cannot perform any operation on any file other than the one's he own. Before every operation is carried out, it is determined to see if the user fully owns every file that are involved in the operation, and kloxo will fail otherwise. Any attempts by the user to read or copy the system files or any other's files will result in an exception being raised. (That is, IF he manages to break out of the jail).
    There are multiple ways to append data to or change the permissions of files on the fs that do not belong to the user performing the operation. Imagine what could be done if you were able to take complete control over any file on the box, such as /etc/shadow. You could replace root's password hash with your own, or change your uid to 0, or add other accounts with elevated privileges, etc. There are multiple ways that this can be done via Kloxo as a client or a reseller. Kloxo does not fail when this happens, but freely and blindly allows it.

    All program executions are carried out only after the context is switched to that of the user who requested it. Thus even if the user manages to break out of the jail, the maximum privileges that he can achieve is that of the system user consigned to him.
    No.

    Complete Logging. Kloxo logs every single change that was made to the file system, and also every single execution of any external program. These logs will help you track down any kind of attempts to gain system privileges.
    Logs are useless when someone else has the ability to alter them.

    Other bugs that exist in this software include:

    - the ability for resellers to potentially hijack new accounts before they're even created (all software that offers reseller capabilities is vulnerable to this to some extent. cPanel is the only one I've seen so far that has actually done anything about it. DA might have as well, but I haven't checked. They were informed of this 9 months ago).

    - using unprivileged ports for services by default, and doing nothing if something else is bound to them (cPanel checks to make sure that it, and only it, is what's using the ports it listens on. I don't recall what DA does. Kloxo doesn't care). You can change at least 2 of the ports (7777 and 7778), and I would recommend doing so.

    - default passwords for root, for the admin user, and for the kloxo db (and for other services? Is this documented anywhere at all?).

    - local users (clients or resellers) can quite trivially execute commands as root. This has nothing to do with the Command Center as mentioned above while logged in as the admin user.

    - remote, unauthenticated users can cause lxguard to block any IP address of their choice

    - remote, unauthenticated users can cause Kloxo to consume all server memory

    - remote, unauthenticated users can create directories of their choice anywhere on the filesystem

    - more

    Now, for those using Kloxo, I emailed them about this a few days ago. Someone did respond a few days later saying they would look into the issues. As best as I can tell from my webserver logs, nothing yet has been investigated (although that is not the point of this message). I haven't shared the actual details of this information with anyone, nor do I plan to at this time. The fact that the bugs exist is not the point. The incredibly arrogant, egotistical, and belittling statements from the vendor about others is why you are reading this now. They are attempting to profit off of making others look bad, when in fact the ones they so often talk bad about are the ones that generally don't give up root nearly as easily, and nearly as often.

    Here is just 1 of a number of such statements posted by the vendor in their own forum, which I just came across earlier, and was the catalyst for making this post:

    We are not emulating [competitor panel] dev's lack of programming ability or their incapacity to understand security.
    I specifically removed the name of the vendor which they chose to attack, because it is not relevant. What is relevant, in my opinion, is informing people that vendors will be vendors. They spend weeks, months, years into a product for one reason only: to make money. Of course they're going to claim their product is secure and works as expected. That's what they're supposed to say. Making such claims is understandable, and many people fully know and understand this, of course. Intentionally spreading malice and attempting to damage the reputation of others for profit, however, is not something that I feel should let slide, given the knowledge I possess about the software on both sides.

    Bottom line: go ahead and use Kloxo. You will either get hacked, or you won't. That holds true for most software. But I'd recommend against buying into the hype and the vitriol from this vendor, at least until their software stops constantly giving up root, and letting people trash the filesystem, and letting people remotely crash the software, etc etc. Kloxo has some good ideas (many of which are just borrowed from actual implementations of other panels), but it is just a baby right now and, as such, has little to no defense against attacks.
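    The test in post #1 (strace the panel process while it runs a command, and see whether the exec happens as root) can be turned into a repeatable check. The script below is an added example, not code from the thread or from LxLabs: it reads a `strace -f` capture and reports every execve() whose process never switched to a non-zero uid beforehand, which is exactly the vendor claim that "all program executions are carried out only after the context is switched". The capture embedded in it is constructed for the example, modelled on the line shown in the post; the only assumption is the standard strace `[pid N] syscall(...) = r` line format.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `strace -f` capture of a control
# panel process for commands executed without first dropping privileges.
# Assumes the standard strace -f line format: "[pid N] syscall(args) = result".
set -eu

# Print one line per execve() whose pid never called setuid/setreuid/setresuid
# with a non-zero uid earlier in the capture. setuid(0) does not count as a
# switch: the process stays root.
unswitched_execs() {
  awk '
    function pid_of(line,    m) {
      if (match(line, /^\[pid +[0-9]+\]/)) {
        m = substr(line, RSTART, RLENGTH)
        gsub(/[^0-9]/, "", m)
        return m
      }
      return "main"   # a capture without -f has no [pid N] prefix
    }
    /(setuid|setreuid|setresuid)\(/ {
      args = $0
      sub(/^[^(]*\(/, "", args)    # drop everything up to the opening paren
      sub(/[,)].*$/, "", args)     # keep only the first argument (the uid)
      if (args + 0 != 0) switched[pid_of($0)] = 1
      next
    }
    /execve\(/ {
      p = pid_of($0)
      if (!(p in switched)) print p ": " $0
    }
  '
}

# Constructed sample capture: the panel (pid 10054) forks three children.
# Only 17663 drops privileges before exec; 17664 calls setuid(0), which
# changes nothing; 17662 execs straight away, as in the post.
sample_capture() {
  cat <<'EOF'
[pid 10054] accept(4, {sa_family=AF_INET, sin_port=htons(51234), sin_addr=inet_addr("127.0.0.1")}, [16]) = 5
[pid 10054] clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD) = 17662
[pid 17662] execve("/bin/sh", ["sh", "-c", "id 2>&1"], [/* 34 vars */]) = 0
[pid 10054] clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD) = 17663
[pid 17663] setresuid(1001, 1001, 1001) = 0
[pid 17663] execve("/bin/sh", ["sh", "-c", "ls 2>&1"], [/* 34 vars */]) = 0
[pid 10054] clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD) = 17664
[pid 17664] setuid(0)                   = 0
[pid 17664] execve("/usr/bin/id", ["id"], [/* 34 vars */]) = 0
EOF
}

# Stand-alone run: prints the two execs that happened without a uid switch.
sample_capture | unswitched_execs
```

    To feed it a real capture, trace the panel process with only the relevant syscalls, e.g. `strace -f -p <pid> -e trace=execve,setuid,setreuid,setresuid -o capture.log` (tracing a root-owned process needs root), then run `unswitched_execs < capture.log`. Anything it prints is a command the panel ran with its own uid rather than the requesting user's; on the setup in post #1 that uid is 0, which is the whole point of the post. The check is only as good as the capture: it reports on syscalls it saw, so keep the trace running for the whole operation you are exercising.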

  2. #2
    Join Date
    May 2009
    Posts
    150
    I haven't heard anything about lxadmin security issues or any hacking incident.
    lxadmin is not used by most of the webhosting companies. What I heard is that lxadmin is best for VPS servers. A VPS server cannot host domains like a dedicated server.

    I do have a lxadmin VPS and it has been online for 7 months, no problem

  3. #3
    I have checked a few (now publicly available!!!) vulnerabilities of kloxo (lxadmin). And yes, there are many security issues.

    I think there is nothing you can do about this if you use kloxo for shared hosting services with many users etc.

    In my opinion, if you use kloxo only for your own sites, and no one else uses it, then as a minimum you should do this:

    1. Change default passwords for MySQL users: root, kloxo.
    Changing default password for MySQL user "kloxo":
    Code:
    # mysql -u root -p
    
    grant all on kloxo.* to kloxo@localhost identified by 'newpass';
    flush privileges;
    exit;
    After changing MySQL user "kloxo" password in phpMyAdmin, put new password in kloxo configuration file:
    Code:
    echo -n newpass > /usr/local/lxlabs/kloxo/etc/conf/kloxo.pass
    2. Block any access to port 7776 by iptables:
    Code:
    iptables -I INPUT -p tcp --dport 7776 -j DROP
    3. Disable lxguard (not sure if this helps, but you may try)

    4. Disable access to ports 7777 and 7778. Allow only connect to these ports from your ip:
    Code:
    iptables -I INPUT -p tcp --dport 7777 -j DROP
    iptables -I INPUT -p tcp --dport 7778 -j DROP
    iptables -I INPUT -s x.x.x.x -p tcp --dport 7777 -j ACCEPT
    iptables -I INPUT -s x.x.x.x -p tcp --dport 7778 -j ACCEPT
    Where x.x.x.x is the IP address from which you connect to the server.
    Important! After rebooting your server, you need to set up the iptables rules again.

    This will help a little to be more secure.

    This will not help if someone you don't trust has local access to your server, or has a user in your kloxo panel.
    If someone has local access to your system, then there is nothing you can do about this, because of kloxo's big security issues.

    And one more thing about "Roundcube" installed with kloxo.
    I'm not sure whether this issue is fixed in the latest Roundcube version. But there has been a serious security bug.
    I chose to disable Roundcube altogether and use other Webmail programs.
    Last edited by infinityxxx; 06-06-2009 at 10:14 AM.
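    Steps 2 and 4 of the post above are easy to get wrong by hand: a typo in the admin address, or the ACCEPT and DROP rules ending up in the wrong order, locks you out of your own panel. The script below is an added example, not part of the thread or of Kloxo: it validates the admin address and prints the rules as a list you can read before applying them. It follows the post's policy (7776 closed to everyone, 7777 and 7778 reachable only from your address) but uses `-A` rather than the post's `-I`, so the printed order is the order the rules take in the chain. `ADMIN_IP` and its constructed default (an RFC 5737 documentation address) are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the Kloxo firewall rules from the
# post's steps 2 and 4 as a reviewable list before applying them.
# Assumptions: ADMIN_IP is the address you manage the panel from; the default
# below is a constructed RFC 5737 documentation address, not a real host.
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

# Reject anything that is not a plain dotted quad with octets 0-255, so a typo
# in ADMIN_IP cannot silently produce a rule set that locks you out.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the rules in the order they must sit in the INPUT chain. -A appends, so
# executing the lines top to bottom yields exactly this order: the ACCEPT rules
# for the admin address come first and match before the DROP rules below them.
# 7776 gets no ACCEPT at all, as in the post.
kloxo_rules() {
  ip="$1"
  for port in 7777 7778; do
    printf 'iptables -A INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$ip" "$port"
  done
  for port in 7776 7777 7778; do
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
  done
}

# Stand-alone run: print the rule list (nothing is applied).
if valid_ipv4 "$ADMIN_IP"; then
  kloxo_rules "$ADMIN_IP"
else
  echo "ADMIN_IP '$ADMIN_IP' is not a valid IPv4 address" >&2
  exit 1
fi
```

    Run it as `ADMIN_IP=your.address sh kloxo-rules.sh`, read the output, then pipe it to `sh` as root to apply. Because `-A` appends, check `iptables -L INPUT -n --line-numbers` first: an existing blanket ACCEPT earlier in the chain would match before these rules. The post's reboot caveat is handled on CentOS (the OP's platform) by `service iptables save`, which writes the live chain to /etc/sysconfig/iptables so it is restored at boot.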

  4. #4
    Join Date
    Mar 2009
    Posts
    634
    Quote Originally Posted by John Mark View Post
    I haven't heard anything about lxadmin security issues or any hacking incident.
    lxadmin is not used by most of the webhosting companies. What I heard is that lxadmin is best for VPS servers. A VPS server cannot host domains like a dedicated server.

    I do have a lxadmin VPS and it has been online for 7 months, no problem

    http://www.webhostingtalk.com/showthread.php?t=867100

    124 pages of exploit.

  5. #5
    Join Date
    May 2009
    Posts
    150
    Quote Originally Posted by cedricd View Post
    Well, I was talking about lxadmin.
    The vulnerabilities were detected after they changed lxadmin to kloxo and added extra features

  6. #6
    Join Date
    Mar 2009
    Posts
    634
    Quote Originally Posted by John Mark View Post
    Well, I was talking about lxadmin.
    The vulnerabilities were detected after they changed lxadmin to kloxo and added extra features
    The exploit documentation says that both are affected, though I might be wrong

  7. #7
    Join Date
    Jun 2008
    Posts
    31
    Quote Originally Posted by John Mark View Post
    I haven't heard anything about lxadmin security issues or any hacking incident.
    lxadmin is not used by most of the webhosting companies. What I heard is that lxadmin is best for VPS servers. A VPS server cannot host domains like a dedicated server.

    I do have a lxadmin VPS and it has been online for 7 months, no problem
    My hosting provider was hacked and they told me that they were hacked because of hypervm and lxadmin

  8. #8
    Join Date
    Jun 2001
    Location
    Ljubljana, Slovenia
    Posts
    222
    Quote Originally Posted by t3od0r View Post
    My hosting provider was hacked and they told me that they were hacked because of hypervm and lxadmin
    Who is your provider? Can you provide additional information about how this was supposedly done?

    Any kind of proof, logs, etc.

    This information would greatly assist the HyperVM community.

  9. #9
    It's too bad the owner of lxadmin/kloxo didn't bother reading threads like this before killing himself over the fact that his software destroyed more than a few businesses that relied on it.



    At this point, anyone who is still using this *proven* insecure software is an idiot.

    We are eNom PLATINUM PLUS resellers!
    Sign up today for an eNom.com reseller account with lowest possible pricing.
    * We provide support and service to over 4275 happy eNom domain name and SSL certificate resellers!

  10. #10
    Join Date
    May 2009
    Posts
    150
    Quote Originally Posted by mrzippy View Post
    At this point, anyone who is still using this *proven* insecure software is an idiot.

    Might be. But you tell me a free control panel which has almost all features of lxadmin and tell me how to switch to your control panel easily. If you can't answer this question, then you need to understand that those "idiot" people are waiting to get a right answer for this question.

  11. #11
    Join Date
    Mar 2009
    Posts
    634
    Quote Originally Posted by John Mark View Post
    Might be. But you tell me a free control panel which has almost all features of lxadmin and tell me how to switch to your control panel easily. If you can't answer this question, then you need to understand that those "idiot" people are waiting to get a right answer for this question.
    The point is; if you use it you might eventually get hacked.

  12. #12
    Quote Originally Posted by John Mark View Post
    Might be. But you tell me a free control panel which has almost all features of lxadmin and tell me how to switch to your control panel easily. If you can't answer this question, then you need to understand that those "idiot" people are waiting to get a right answer for this question.
    Really? So it's safe to use a control panel from a vendor with an owner who just killed himself rather than face the shame (and responsibility) that comes with having his products hacked, even though he was told about the massive number of security exploits a long time before?

    I suppose those people who are waiting for something better to come along will be quite proud of themselves for waiting, after they discover their server is toasted.

    If there is nothing else out there as an alternative, then they have some choices.

    - Build their own.
    - Do it manually.

    Notice that one of the choices was not "continue using an insecure product".

    What this issue highlights is the fact that the vast majority of "hosting companies" are owned and operated by kiddie hosts, who know very little or nothing at all about how a server actually works. Instead, they are dependent on a control panel, and find they can't operate without it. When that control panel is discovered to be insecure.. they either fold up and disappear, continue using the insecure product, or can hire someone to take one of the two options I posted above.
    Last edited by mrzippy; 06-11-2009 at 02:19 PM.

  13. #13
    Join Date
    Jun 2001
    Location
    Ljubljana, Slovenia
    Posts
    222
    Quote Originally Posted by mrzippy View Post
    Really? So it's safe to use a control panel from a vendor with an owner who just killed himself rather than face the shame (and responsibility) that comes with having his products hacked, even though he was told about the massive number of security exploits a long time before?
    You have a very simplified view on these issues.

    First, you are jumping to conclusions about Ligesh's motives that led to his suicide. Knowing a little bit more about his personality and family would tell you that there is much more behind the scenes.

    Second, major HyperVM and Kloxo vulnerabilities were addressed before he died. Thinking that he left all his clients at the mercy of the hackers is simply not true.

    Third, this VAServ breach is most likely not connected to Lxlabs products at all. There have been numerous reports (such as this) suggesting that it was a matter of sniffed passwords.

    It is sad that Ligesh has no one to speak for him with authority now. One more reason not to spread FUD.

    And man, there has been plenty of FUD on WHT, Lxlabs forums, etc. since all these events took place.

  14. #14
    Ya. So I guess all those exploits posted up to the milworm website are probably not accurate, right?

    And the fact he killed himself shortly after discovering his "successful" business that he bragged about to everyone was going to go down the toilet, is probably just coincidence.

    I have no doubt he had many things going on in his life. Based on his blog, he sounded like a rather "interesting" person.

    However.. I really don't care.

    But if you're going to try and say that his software was safe and secure.. that's just untrue. The fact is there are numerous proven exploits, the least of which would allow the hacker to execute the "rm -rf" command as root, which is exactly what happened.

    FUD? Not about the software security problems. Those are fact.

    Feel free to go to the milworm website and address the hundreds of proven/public exploits if you feel so sure.

  15. #15
    Join Date
    Jun 2001
    Location
    Ljubljana, Slovenia
    Posts
    222
    Quote Originally Posted by mrzippy View Post
    Ya. So I guess all those exploits posted up to the milworm website are probably not accurate, right?

    And the fact he killed himself shortly after discovering his "successful" business that he bragged about to everyone was going to go down the toilet, is probably just coincidence.
    There was a single post about Kloxo there, containing 24 issues. Some of them were variants of the same problem. And they were accurate, but most of them were also fixed by Ligesh before he died.

    Fixes were distributed to clients and VAServ was running the latest version of HyperVM as far as I know. I'm sure we'll know more once this is over.

    If this VAServ incident is what tipped Ligesh into suicide, then it only makes it that much more sad.

    Btw, we had been evaluating HyperVM when all this happened and you can actually read my posts on the Lxlabs forum from the day this all came out. Needless to say, we have also tested the exploits on our test servers before and after the fixes were issued.

    I apologise if I insulted you with the FUD comment but some of your statements are simply not true and, correct me if I'm wrong, you are talking about things without having any personal knowledge of the matter.

    Like I said, there has been a lot of FUD since these events took place and it's spreading.
