#1 | 11-02-2013, 11:26 PM | Web Hosting Industry Expert
New WHMCS Exploit in version 5.2.12 and earlier - appears to affect /admin only
I won't link to the source for obvious reasons - but I'm reporting a link with this post mods can confirm.
Better safe than sorry IMHO.
Last edited by Mike - MDDHosting; 11-02-2013 at 11:36 PM.
█ Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
█ Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
█ cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
█ Class-leading support that responds in minutes, not days.
#2 | 11-02-2013, 11:28 PM | Problem Solver
Well, it appears to be admin accessible only. We are still investigating.
Best case right now, at least lock down your admin folder if you have concerns.
Last edited by Steven; 11-02-2013 at 11:32 PM.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
#3 | 11-02-2013, 11:30 PM | Web Hosting Master
We have investigated this a while ago and from what we can tell, it's ONLY exploitable by authenticated admins. There doesn't appear to be any way for random users on the internet to exploit. Until further notice, no reason to panic.
... more details to come.
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
#4 | 11-02-2013, 11:34 PM | Problem Solver
It does appear that there is some sanitation being done by WHMCS on the $_COOKIE variables from testing.
#5 | 11-02-2013, 11:35 PM | Web Hosting Industry Expert
That's good to hear. 100% sure it's admin only?
#6 | 11-02-2013, 11:39 PM | Disabled
Well, our "admin" folder has been renamed and secured from access since day one, call it a "basic" security measure.
I'm more interested in what their security audit will find in the source.
#7 | 11-02-2013, 11:40 PM | Problem Solver
Well the class they are talking about is includes/classes/class.admin.php.
If you run it through an xdebug function trace you can't pick up any of it through regular functions.
Still looking at it, but at the same time there is some sanitation happening. They are calling the sanitation higher than that class.
Can't give you a 100%, but from what I see it is what it is.
#8 | 11-02-2013, 11:41 PM | Web Hosting Master
#9 | 11-02-2013, 11:44 PM | Web Hosting Master
Thank you, HostingSecList, for keeping me updated, just got the email. I advise everyone to sign up to the mailing list.
█ TrentaHost INC. || Fully Managed DDoS Protected Services Globally (NA - EU - Asia)
█ Reseller Hosting- Pure SSD | Litespeed | Imunify360 | CloudLinux | 24x7 Support | Mailchannels
█ Linux & Windows DDoS Protected SSD VPS - cPanel / WHM | DDoS Protection | Let's Encrypt | Pure-SSD
█ DDoS Protected Locations : Portland, OR (North America) | Amsterdam, NL (Europe) | Singapore (Asia)
#10 | 11-02-2013, 11:49 PM | Web Hosting Industry Expert
Glad to have the experts respond on the issue. I feel a little safer now.
#11 | 11-03-2013, 12:00 AM | Web Hosting Industry Expert
My fear was that due to the /includes/classes/class.admin.php being outside of the actual /admin folder that there could, possibly, be other vectors.
If you're able to rule that out - that's awesome.
#12 | 11-03-2013, 12:03 AM | Web Hosting Master
I'm 99% confident there are no attack vectors outside of the admin directory and/or addons only accessible to the admin - all of which require an admin logged in. Seems like a rather silly exploit. Hopefully.
(We debated sending out a notice, but since a lot of people are worried about WHMCS lately, decided to play it safe and send something out.)
#13 | 11-03-2013, 12:05 AM | Web Hosting Industry Expert
I tend to err on the side of caution - make them aware and let them decide. I would hope that anybody running WHMCS would look for the POC and determine whether that was a good decision for them. I'd link to the POC to make the process easier but that's frowned upon so I didn't.
Personally I'd rather know and choose not to act than not know and have no other choice.
Sorry if I caused anybody any undue distress.
#14 | 11-03-2013, 12:09 AM | Junior Guru Wannabe
The HostingSecList is awesome! I got an email about this right away... Thanks, guys!
Everyone should have their admin folder renamed, anyway. Following the further security steps, documented by WHMCS, is highly recommended:
http://docs.whmcs.com/Further_Security_Steps
Last edited by SeanCP; 11-03-2013 at 12:22 AM.
#15 | 11-03-2013, 12:09 AM | Solid State
Thanks Rack911 guys.
██ RamNode - High Performance Cloud VPS
██ SSD Cloud and Shared Hosting
██ NYC - LA - ATL - SEA - NL - DDoS Protection - AS3842
██ Deploy on our SSD cloud today! - www.ramnode.com
#16 | 11-03-2013, 12:45 AM | Problem Solver
David@WHMCS got back to me:
"It would only be a vector for an active admin session."
Last edited by Steven; 11-03-2013 at 12:53 AM.
#17 | 11-03-2013, 01:52 AM | Problem Solver
Official Statement from WHMCS:
Security Threat Notification
We are aware of a post that is circulating in which the author proposes an exploit via a cookie variable. However the proposed vulnerability is only possible if the attacker has gained access to a valid admin login session already through other means. For this reason, we feel that the viability of the vulnerability is not immediate nor is of a critical risk to installations.
We can confirm this vulnerability vector does exist as we have already identified and resolved it in our currently in progress internal security audit. We have in fact also prepared a refinement to the code that will negate the proposed attack vector and we anticipate publishing a new release of the software next week that will include this change along with others found during our internal audit.
In the meantime however, you may download the hook file below and upload it to the /includes/hooks/ folder of your WHMCS installation to negate any potential attacks based on this - although please note this will also prevent admin list ordering from working fully in certain places.
Cookie Override Hook - http://go.whmcs.com/262/cookie_override_hook
#18 | 11-03-2013, 02:14 AM | Newbie
Call me stupid... what is "admin list ordering"?
Mike
#19 | 11-03-2013, 03:01 AM | Mostly Retired!
Better safe than sorry. Applying it as soon as the backup completes.
Had a chance to examine class.admin, along with some other reading -- a bit of a popcorn fart compared to what we all saw in October. Considering the source (ugh..) and its lack of popularity, combined with the work involved in order to fully exploit, I doubt anyone besides the @Stevens of this world would be successful.
As for admin list ordering, looks like CookieOverrideHook unsets a variable/array in class.admin which looks to be defined in multiple places. In this case I believe they mean that listing orders from WHMCS admin menu may break in certain areas after applying CookieOverrideHook, at least until their updates are released.
Keep in mind I'm more on the Systems Admin side of things than I am a programmer/developer -- always trying to learn for good, but I believe that's what they mean by Admin List Orders. Steven might be able to clarify or correct anything I messed up.
This is why I'm waiting for my backup to finish.
HostingSecList is paying for itself already. Well done R911!
Last edited by Johnny Cache; 11-03-2013 at 03:13 AM.
#20 | 11-03-2013, 03:14 AM | Web Hosting Master
Love how they downplay this.
Without admin access, all it takes is for someone to find a place where they haven't escaped the user input on output (I wager it shouldn't be too hard a find on this train wreck), e.g. say the telephone number wasn't escaped or HTML email renders unescaped in the helpdesk (note by render I'm not talking about hijacking any server-side code, simply unescaped user input being pushed out to the view layer), then simply inject a small piece of JavaScript code that sets the appropriate cookie; next time an admin views your details (possibly some social engineering here) he gets the sort cookie loaded (unknown to him/her) and the accompanying bad SQL payload. This cannot be mitigated by CSRF tokens.
In the security industry this wouldn't be downplayed, but on WHT and the level of expectations set for WHMCS I guess this is "subtle" to them.
tl;dr - find a place where user variable input isn't escaped in HTML template output, then bingo, no admin access required - and CSRF tokens won't save your ass..
Last edited by MattF; 11-03-2013 at 03:18 AM.
MattF - Since the start..
#21 | 11-03-2013, 04:22 AM | Aspiring Evangelist
What is this hostingseclist you all speak of? And how do I join it?
█ █ *StrongNode.net - Affordable Managed VPS Servers*
█ █ *LOTS OF RAM IS WHAT WE DO*
█ █ *CONTACT: sales[@]strongnode.net*
#22 | 11-03-2013, 04:28 AM | Mostly Retired!
http://hostingseclist.com security notices/mailing list, provided by the security researchers at Rack911.
#23 | 11-03-2013, 04:30 AM | Aspiring Evangelist
#24 | 11-03-2013, 04:32 AM | Best Customer Service..ALWAYS!
#25 | 11-03-2013, 04:47 AM | Web Hosting Master
This is a little worrying. Look at the patch: what is _REQUEST doing there?
unset($_REQUEST['sortdata']);
So presumably if we can get an active admin with a WHMCS session open, all we have to do is trick him into making a GET (maybe - unconfirmed) request to..
/admin/supporttickets.php?view=active&sortdata=<base64-malicious-sql-payload>
To get the admin to make the request, set up a page with that as a 1x1 img src, or iframe, or ajax request...
I notice when using filter= on a GET on supporttickets.php it works (and does not require a POST with token).. Still exploring..
tl;dr - possible route to non-admin exploitation (pre-patch)..
Does anyone have a pre-patch version on a test site or something to play with? Why they choose to downplay these exploits at such an early stage is beyond me..
Last edited by MattF; 11-03-2013 at 04:54 AM.
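For anyone wanting to check their own access logs for the GET-based variant described in the post above (a sortdata parameter reaching an /admin/ script, possibly triggered from a page on another site), here is a small scanner. It is an added example, not code from the thread or from WHMCS: it assumes Apache "combined" log format, and the host names, addresses and log lines are constructed placeholders.

```python
"""Flag WHMCS admin requests carrying a 'sortdata' parameter and decode it."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" access-log format (assumed; adjust for other formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Tokens that have no business in a column-sort specification.
SQL_HINT = re.compile(r"\b(union|select|sleep|benchmark|from|where)\b|--|/\*", re.I)

# Constructed sample lines (host names and addresses are placeholders).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Nov/2013:04:40:01 +0000] "GET /admin/supporttickets.php?view=active HTTP/1.1" 200 5120 "https://billing.example.com/admin/" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Nov/2013:04:41:15 +0000] "GET /admin/supporttickets.php?view=active&sortdata=MSB1bmlvbiBzZWxlY3QgMQ== HTTP/1.1" 200 43 "http://attacker.invalid/page.html" "Mozilla/5.0"',
]

def decode_sortdata(value):
    """Return the base64-decoded sortdata text, or the raw value if it is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value

def analyse(line, own_host="billing.example.com"):
    """Return a list of findings for one access-log line (empty if nothing odd)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["url"])
    if not url.path.startswith("/admin/"):
        return []                      # only the admin area is in scope here
    findings = []
    for raw in parse_qs(url.query).get("sortdata", []):
        findings.append("sortdata sent to %s via %s" % (url.path, m["method"]))
        decoded = decode_sortdata(raw)
        if SQL_HINT.search(decoded):
            findings.append("sortdata decodes to SQL-like text: %r" % decoded)
    # A referer on another host while sortdata is present is the CSRF pattern.
    ref_host = urlsplit(m["referer"]).hostname
    if findings and ref_host and ref_host != own_host:
        findings.append("cross-site referer %s (possible CSRF)" % ref_host)
    return findings

def scan(lines):
    """Map the index of each suspicious line to its findings."""
    return {i: f for i, f in ((i, analyse(l)) for i, l in enumerate(lines)) if f}
```

Because the hook described earlier only covers the cookie, a hit from this scanner on a pre-fix install is worth treating as an incident rather than noise.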