  1. #1
    Join Date
    Sep 2008
    Location
    Dallas, TX
    Posts
    4,552

    HyperVM patch for milw0rm 9520 exploit

    HyperVM users:

    Please see thread http://forum.lxcenter.org/index.php?...12957&start=0&
    for more information and installation instructions.

    Regards,
    Danny (aka NetTuningGroup)
    Consortium

    Thank goodness I don't use HyperVM.
    Jacob Wall - GetCloak.com

  2. #2
    Join Date
    Nov 2007
    Posts
    246
    Well, it's good people are actually working on these things now rather than being left unresolved and the only way to find out is for something bad to happen.

  3. #3
    Join Date
    Sep 2008
    Location
    Dallas, TX
    Posts
    4,552
    Quote Originally Posted by w4Net View Post
    Well, it's good people are actually working on these things now rather than being left unresolved and the only way to find out is for something bad to happen.
    Very true.
    Jacob Wall - GetCloak.com

  4. #4
    Join Date
    Jan 2006
    Location
    Ontario, Canada
    Posts
    324
    For anyone who needs to apply the patch, do the following from shell as root:

    [root@host]# wget http://download.lxcenter.org/downloa...penvz_only.zip
    [root@host]# unzip hypervm-patch-milw0rm_9520_openvz_only.zip
    [root@host]# mv /usr/local/lxlabs/hypervm/httpdocs/htmllib/lib/lxbackuplib.php /usr/local/lxlabs/hypervm/httpdocs/htmllib/lib/lxbackuplib.php.orig
    [root@host]# mv lxbackuplib.php /usr/local/lxlabs/hypervm/httpdocs/htmllib/lib/; chown lxlabs /usr/local/lxlabs/hypervm/httpdocs/htmllib/lib/lxbackuplib.php
    Hope this helps.
    Shared Hosting / Reseller Hosting / Email Hosting
    Dedicated Servers / Unmetered Servers / Linux & Windows VPS
    DME Hosting, LLC [http://www.dmehosting.com]

  5. #5
    Join Date
    Feb 2005
    Location
    United Kingdom
    Posts
    3,103
    Quote Originally Posted by Jacob Wall View Post
    Thank goodness I don't use HyperVM.
    You are right. I am not a negative person, but the best patch for HyperVM is to remove it from the system completely.
    Low Cost Storage VPS plans at webprovps.com
    VPS Price Match Guarantee on: All our range of DDOS protected XEN HVM VPS
    == Contact us for any online solution development or managed / unmanaged vps hosting ==

  6. #6
    Join Date
    Aug 2004
    Location
    Shanghai
    Posts
    1,449
    Wow, I'm surprised at how bad these are:

    - the proposed solution
    - the patch

    1/ The people working on the new HyperVM won't give a patch file to see what they changed, so it's impossible to see what work has been done (or not).
    2/ Some in the lx forum are saying that an rm would do: they don't even seem to understand what a race condition means.

    I can still see on the published code base:

    PHP Code:
    mkdir($vd);
    lxfile_generic_chmod($vd, "0700");
    If this is how they patch, this is stupid, and it's still possible to hack (harder, but still possible; this is what we call a race condition). And if it was like that before, then they don't have eyes to see the obvious.

    Seeing that:
    - they don't even have a clue on what an umask is
    - what a race condition is and so on, and that
    - they still refuse to disclose the full source code

    I believe that it's prudent to stay away from HyperVM, even once they have published a new version with self-called security patches.

    Thomas
    GPLHost:>_ open source hosting worldwide (I'm founder, CEO & official Debian Developer)
    Servers & our leading control panel and our Xen VPS hosting, which are already included in Debian and Ubuntu
    Available in: Kuala Lumpur, Singapore, Sydney, Seattle, Atlanta, Paris, London, Barcelona, Zurich, Israel

  7. #7
    Join Date
    Jun 2008
    Posts
    323
    You have to give them some credit for trying rather than just bitching about a poor solution. The reality is they are doing this of free will and without anyone willing to pay them for their work. I say congrats on trying to continue the platform. For all those who hate hypervm, no one has forced you to continue to use it and most people already say they have moved away so just move on with life.

  8. #8
    Quote Originally Posted by gplhost View Post
    I believe that it's prudent to stay away from HyperVM, even once they have published a new version with self-called security patches.
    Yup, the only way I can see HyperVM even has half a chance of being taken seriously is if they open-source the code, so it can undergo peer review; otherwise who is going to believe they've fixed things?

    And nice work with that mkdir: notice they didn't check for a success message before trying to chmod it, and to do that the process must be running as root too. I bet $vd was straight from $_POST['vd'] as well.

  9. #9
    Join Date
    Aug 2004
    Location
    Shanghai
    Posts
    1,449
    Quote Originally Posted by sej7278 View Post
    And nice work with that mkdir: notice they didn't check for a success message before trying to chmod it, and to do that the process must be running as root too. I bet $vd was straight from $_POST['vd'] as well.
    Well, the fact they didn't check the return of mkdir was not the (security) issue here. The issue is that the code does mkdir, THEN changes the rights, which creates a race condition (you can actually chown the folder BEFORE the chmod ever takes place, which gives you access to it after the chmod 700, if you are running for example chown MYUSER /tmp/backup* as fast as you can and you get a bit of luck).

    The other issue is the unlink right before the mkdir. The authors maybe tried to clear any file out of the way, but clearly this is not the way, and it can only create more issues to do so. The only way is to check the return of the mkdir.

    Note that no answer has been given to the mkdir post, and they don't seem to believe it's serious. In fact, I have the feeling they don't even understand why it's bad...

    Now, we can make the following statements:
    - the "consortium" doesn't seem to see the obvious beginner issues
    - they don't seem to take advice and patches seriously, and won't release when given a patch (or wait too long to do so, which hurts as much)
    - they don't understand that encrypted PHP code is easy to decrypt and to search for issues in, which any hacker can do
    - they don't open the source code, so nobody can help in the task of cleaning up issues
    - they believe in security by obscurity (which is proven to never work), thinking that alone, trying to fix everything for MONTHS, is a better way than disclosing the source

    Now, I will let you make your own conclusion about the current state of the product, and its future if the development continues like right now.

    Thomas
    GPLHost:>_ open source hosting worldwide (I'm founder, CEO & official Debian Developer)
    Servers & our leading control panel and our Xen VPS hosting, which are already included in Debian and Ubuntu
    Available in: Kuala Lumpur, Singapore, Sydney, Seattle, Atlanta, Paris, London, Barcelona, Zurich, Israel
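    The mkdir-then-chmod pattern discussed in posts #6 and #9, next to a version that closes the window, as an added example (not HyperVM's code; `$vd` and the function names are hypothetical, and the posix extension is assumed for `posix_geteuid()`):

```php
<?php
// Added example, not HyperVM code. Shows the pattern quoted in the thread
// beside a hardened variant. $vd is a hypothetical backup directory path.

// Pattern as quoted (simplified): between mkdir() and chmod() the directory
// exists with the umask-derived mode (typically 0755), which is the race
// window; the unlink() beforehand just adds a second window before mkdir().
function make_backup_dir_racy(string $vd): void
{
    @unlink($vd);              // "clearing the path" first solves nothing
    mkdir($vd);                // created with 0777 & ~umask, e.g. 0755
    chmod($vd, 0700);          // too late: the directory was already open
}

// Hardened: no pre-removal, restrictive umask so the directory is never
// group/world-accessible even for an instant, return value checked, and an
// already existing path is accepted only if it is a real directory we own
// with the expected mode. Refusing is safer than "fixing" a planted path.
function make_backup_dir_safe(string $vd): bool
{
    $old = umask(077);         // mkdir()'s mode is still masked by umask
    $ok  = @mkdir($vd, 0700);
    umask($old);

    if ($ok) {
        return true;           // created atomically with 0700, owned by us
    }

    // mkdir() failed: EEXIST, a symlink planted in the path, or permissions
    clearstatcache(true, $vd);
    if (is_link($vd) || !is_dir($vd)) {
        return false;          // a symlink or regular file sits in the way
    }
    if (fileowner($vd) !== posix_geteuid()) {
        return false;          // someone else grabbed the name first
    }
    if ((fileperms($vd) & 0777) !== 0700) {
        return false;          // wrong mode: do not chmod, investigate
    }
    return true;               // pre-existing directory that is really ours
}
```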

  10. #10
    Join Date
    Aug 2004
    Location
    Shanghai
    Posts
    1,449
    Quote Originally Posted by bigks View Post
    You have to give them some credit for trying rather than just bitching about a poor solution. The reality is they are doing this of free will and without anyone willing to pay them for their work. I say congrats on trying to continue the platform. For all those who hate hypervm, no one has forced you to continue to use it and most people already say they have moved away so just move on with life.
    I'm not giving any credit for not understanding the obvious about security, keeping the source code to themselves when they claimed it would be open, which left so many companies in the dark, or giving fake hope to people that were using HyperVM and still think that they will come up with a solution.

    While I do agree the effort is nice, they are doing it the wrong way and that is it.

    Thomas
    GPLHost:>_ open source hosting worldwide (I'm founder, CEO & official Debian Developer)
    Servers & our leading control panel and our Xen VPS hosting, which are already included in Debian and Ubuntu
    Available in: Kuala Lumpur, Singapore, Sydney, Seattle, Atlanta, Paris, London, Barcelona, Zurich, Israel

  11. #11
    nevermind.
    Last edited by jpetersen; 08-27-2009 at 04:04 PM.
