  1. #1

    New WHMCS Exploit in version 5.2.12 and earlier - appears to affect /admin only

    I won't link to the source for obvious reasons - but I'm reporting a link with this post mods can confirm.

    Better safe than sorry IMHO.
    Last edited by Mike - MDDHosting; 11-02-2013 at 11:36 PM.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

  2. #2
    Well, it appears to be admin accessible only. We are still investigating.
    Best case right now, at least lock down your admin folder if you have concerns.
    Last edited by Steven; 11-02-2013 at 11:32 PM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    We have investigated this a while ago and from what we can tell, it's ONLY exploitable by authenticated admins. There doesn't appear to be any way for random users on the internet to exploit. Until further notice, no reason to panic.

    ... more details to come.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  4. #4
    It does appear that there is some sanitation being done by WHMCS on the $_COOKIE variables from testing.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  5. #5
    That's good to hear. 100% sure it's admin only?
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.

  6. #6
Well, our "admin" folder has been renamed and secured from access since day one; call it a "basic" security measure.

I'm more interested in what their security audit will find in the source.

  7. #7
    Originally Posted by MikeDVB:
    That's good to hear. 100% sure it's admin only?

    Well, the class they are talking about is includes/classes/class.admin.php.
    If you run it through an xdebug function trace you can't pick up any of it through regular functions.

    Still looking at it, but at the same time there is some sanitation happening. They are calling the sanitation higher than that class.

    Can't give you a 100%, but from what I see it is what it is.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  8. #8
    Originally Posted by MikeDVB:
    That's good to hear. 100% sure it's admin only?

    From what we can tell, yes.

    The function that is supposed to contain the bad code is only accessible under /admin/ files and some modules / addons that are also only accessible by the admin and/or not allowed to be called directly.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

  9. #9
    Thank you, HostingSecList, for keeping me updated; I just got the email. I advise everyone to sign up to the mailing list.
    TrentaHost INC. || Fully Managed DDoS Protected Services Globally (NA - EU - Asia)
    Reseller Hosting- Pure SSD | Litespeed | Imunify360 | CloudLinux | 24x7 Support | Mailchannels
    Linux & Windows DDoS Protected SSD VPS - cPanel / WHM | DDoS Protection | Let's Encrypt | Pure-SSD
    DDoS Protected Locations : Portland, OR (North America) | Amsterdam, NL (Europe) | Singapore (Asia)

  10. #10
    Glad to have the experts respond on the issue. I feel a little safer now.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.

  11. #11
    My fear was that due to the /includes/classes/class.admin.php being outside of the actual /admin folder that there could, possibly, be other vectors.

    If you're able to rule that out, that's awesome.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.

  12. #12
    Originally Posted by MikeDVB:
    My fear was that due to the /includes/classes/class.admin.php being outside of the actual /admin folder that there could, possibly, be other vectors.
    If you're able to rule that out, that's awesome.

    I'm 99% confident there are no attack vectors outside of the admin directory and/or addons only accessible to the admin, all of which require an admin logged in. Seems like a rather silly exploit. Hopefully.

    (We debated sending out a notice, but since a lot of people are worried about WHMCS lately, decided to play it safe and send something out.)
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

  13. #13
    I tend to err on the side of caution: make them aware and let them decide. I would hope that anybody running WHMCS would look for the POC and determine whether that was a good decision for them. I'd link to the POC to make the process easier, but that's frowned upon, so I didn't.

    Personally I'd rather know and choose not to act than not know and have no other choice.

    Sorry if I caused anybody any undue distress.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.

  14. #14
    The HostingSecList is awesome! I got an email about this right away... Thanks, guys!

    Everyone should have their admin folder renamed anyway. Following the further security steps documented by WHMCS is highly recommended:

    http://docs.whmcs.com/Further_Security_Steps
    Last edited by SeanCP; 11-03-2013 at 12:22 AM.

  15. #15
    Thanks Rack911 guys.
    RamNode - High Performance Cloud VPS
    SSD Cloud and Shared Hosting
    NYC - LA - ATL - SEA - NL - DDoS Protection - AS3842
    Deploy on our SSD cloud today! - www.ramnode.com

  16. #16
    David@WHMCS got back to me:

    "It would only be a vector for an active admin session."
    So the extent of this exploit is somewhat limited.
    Last edited by Steven; 11-03-2013 at 12:53 AM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  17. #17
    Official Statement from WHMCS:

    Security Threat Notification

    We are aware of a post that is circulating in which the author proposes an exploit via a cookie variable. However the proposed vulnerability is only possible if the attacker has gained access to a valid admin login session already through other means. For this reason, we feel that the viability of the vulnerability is not immediate nor is of a critical risk to installations.

    We can confirm this vulnerability vector does exist as we have already identified and resolved it in our currently in progress internal security audit. We have in fact also prepared a refinement to the code that will negate the proposed attack vector and we anticipate publishing a new release of the software next week that will include this change along with others found during our internal audit.

    In the meantime however, you may download the hook file below and upload it to the /includes/hooks/ folder of your WHMCS installation to negate any potential attacks based on this - although please note this will also prevent admin list ordering from working fully in certain places.

    Cookie Override Hook - http://go.whmcs.com/262/cookie_override_hook
    http://blog.whmcs.com/?t=81138
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  18. #18
    Call me stupid... what is "admin list ordering"?

    Mike

  19. #19
    Better safe than sorry. Applying it as soon as the backup completes.

    Had a chance to examine class.admin, along with some other reading -- a bit of a popcorn fart compared to what we all saw in October. Considering the source (ugh..) and its lack of popularity, combined with the work involved in order to fully exploit, I doubt anyone besides the @Stevens of this world would be successful.

    As for admin list ordering, looks like CookieOverrideHook unsets a variable/array in class.admin which looks to be defined in multiple places. In this case I believe they mean that listing orders from WHMCS admin menu may break in certain areas after applying CookieOverrideHook, at least until their updates are released.

    Keep in mind I'm more on the Systems Admin side of things than I am a programmer/developer -- always trying to learn for good, but I believe that's what they mean by Admin List Orders. Steven might be able to clarify or correct anything I messed up.

    This is why I'm waiting for my backup to finish.
    HostingSecList is paying for itself already. Well done R911!
    Last edited by Johnny Cache; 11-03-2013 at 03:13 AM.

  20. #20
    Love how they downplay this.

    Without admin access, all it takes is for someone to find a place where they haven't escaped the user input on output (wager it shouldn't be too hard a find on this train wreck), e.g. say the telephone number wasn't escaped or HTML email renders unescaped in the helpdesk (note by render I'm not talking about hijacking any server-side code, simply unescaped user input being pushed out to the view layer), then just simply inject a small piece of JavaScript code that sets the appropriate cookie; next time an admin views your details (possibly some social engineering here) he gets the sort cookie loaded (unknown to him/her) and the accompanying bad SQL payload. This cannot be mitigated by CSRF tokens.

    In the security industry this wouldn't be downplayed, but on WHT and the level of expectations set for WHMCS I guess this is "subtle" to them.

    tl;dr - find a place where user variable input isn't escaped in HTML template output, then bingo, no admin access required - and a CSRF token won't save your ass..
    Last edited by MattF; 11-03-2013 at 03:18 AM.
    MattF - Since the start..

  21. #21
    What is this hostingseclist you all speak of? And how do I join it?
    *StrongNode.net - Affordable Managed VPS Servers*
    *LOTS OF RAM IS WHAT WE DO*
    *CONTACT: sales[@]strongnode.net*

  22. #22
    http://hostingseclist.com - security notices/mailing list, provided by the security researchers at Rack911.

  23. #23
    Originally Posted by jfnllc:
    http://hostingseclist.com - security notices/mailing list, provided by the security researchers at Rack911.

    Thanks for the link, subscribed to all the lists.
    *StrongNode.net - Affordable Managed VPS Servers*

  24. #24
    Originally Posted by lifetalk:
    What is this hostingseclist you all speak of? And how do I join it?

    Look in Steven's or Patrick's (Rack911) signatures; the link is there.

    It's a mailing list that informs you of exploits/vulnerabilities in hosting related software.

  25. #25
    This is a little worrying; look at the patch. What is _REQUEST doing there?

    unset($_REQUEST['sortdata']);

    So presumably if we can get an active admin with a WHMCS session open, all we have to do is trick him into making a GET (maybe - unconfirmed) request to..

    /admin/supporttickets.php?view=active&sortdata=<base64-malicious-sql-payload>

    Getting the admin to make the request: set up a page with that as a 1x1 img src, or an iframe, or an ajax request...

    I notice that when using filter= on a GET on supporttickets.php it works (and does not require a POST with token).. Still exploring..

    tl;dr - possible route to non-admin exploitation (pre-patch)..

    Does anyone have a pre-patch version on a test site or something to play with? Why they chose to downplay these exploits at such an early stage is beyond me..
    Last edited by MattF; 11-03-2013 at 04:54 AM.
    MattF - Since the start..
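As an added, hypothetical example (not WHMCS code and not the Cookie Override Hook linked in the WHMCS statement above), this shows the allow-list approach that removes the class of problem MattF describes in the two posts above: a client-supplied sort value such as `sortdata` is treated as an opaque key looked up in a fixed table, so nothing the client sends, whether by cookie, GET or POST, is ever interpolated into SQL. The sort keys, column names and the `tbltickets` table are assumptions.

```php
<?php
// Illustrative hardened handling of a client-controlled sort parameter.
// Not WHMCS code; table and column names are assumed for the example.

// Allow-list: the only sort keys a client may name, mapped to fixed SQL fragments.
const TICKET_SORT_COLUMNS = [
    'id'       => 't.id',
    'date'     => 't.date',
    'priority' => 't.priority',
    'status'   => 't.status',
];
const DEFAULT_SORT = ['id', 'DESC'];

/**
 * Resolve an untrusted sort request (from cookie, GET or POST; origin does not
 * matter) to a safe [column, direction] pair. The raw value is decoded only to
 * compare it against the allow-list; it is never placed in the query itself.
 */
function resolveTicketSort(?string $sortdata): array
{
    [$col, $dir] = DEFAULT_SORT;
    if ($sortdata === null || $sortdata === '') {
        return [TICKET_SORT_COLUMNS[$col], $dir];
    }
    // Accept base64 (the encoded form discussed in this thread) or plain "key,dir".
    $decoded = base64_decode($sortdata, true);
    $raw     = ($decoded !== false) ? $decoded : $sortdata;
    $parts   = explode(',', $raw, 2);
    $reqCol  = strtolower(trim($parts[0]));
    $reqDir  = strtoupper(trim($parts[1] ?? 'DESC'));
    if (!array_key_exists($reqCol, TICKET_SORT_COLUMNS)) {
        // Unknown key: fall back to the default rather than interpolating anything.
        return [TICKET_SORT_COLUMNS[$col], $dir];
    }
    $dir = ($reqDir === 'ASC') ? 'ASC' : 'DESC';   // direction is also a fixed literal
    return [TICKET_SORT_COLUMNS[$reqCol], $dir];
}

function buildTicketQuery(?string $sortdata): string
{
    [$orderCol, $orderDir] = resolveTicketSort($sortdata);
    // Only allow-listed literals reach the SQL string; filter values use bound parameters.
    return "SELECT id, title, status FROM tbltickets t WHERE t.status = :status "
         . "ORDER BY $orderCol $orderDir";
}

// Constructed inputs: a legitimate sort request and a value that is not an allowed key.
var_dump(buildTicketQuery(base64_encode('priority,asc')));   // ORDER BY t.priority ASC
var_dump(buildTicketQuery(base64_encode('1 OR 1=1')));       // falls back to t.id DESC
```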
