  1. #1
    Join Date
    Mar 2010
    Posts
    43

    litespeed hacked?

    this legit and real?

    friend showed me it just now on msn

    http://************.org/forums/topic...-byte-exploit/

  2. #2
    Join Date
    Jun 2010
    Location
    Phoenix, AZ, USA
    Posts
    30
    This exploit is just a proof of concept for a file disclosure vulnerability. It would take quite a bit of effort on the part of an attacker to gain complete control of a system with it. Although this particular exploit would not allow an attacker to get remote root control of a web server, I would still upgrade as soon as possible.

  3. #3
    Join Date
    Mar 2008
    Posts
    1,715
    It's not really a "proof of concept" considering it's got an actual exploit code with it. I was unable to test it because I don't have a LSWS with an active license, and I couldn't get another trial license to work - it just fails to start.

    It looks legit to me though. Wait for LiteSpeed or mistwang here to confirm/deny it.
    Jamie @ Sabrienix
    Now with Mumble Hosting!

  4. #4
    Quote Originally Posted by fwaggle View Post
    It's not really a "proof of concept" considering it's got an actual exploit code with it.
    That's the definition of "proof of concept" as commonly understood in the security research community.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com

  5. #5
    Join Date
    Jun 2004
    Location
    Oregon
    Posts
    1,272
    just tried with the latest Litespeed version and an older version, both don't work.
    anyone find the exploit works?

  6. #6
    Join Date
    Aug 2002
    Location
    Milton Keynes
    Posts
    352
    Yup, just confirmed this works

  7. #7
    Join Date
    Mar 2008
    Posts
    1,715
    Quote Originally Posted by plumsauce View Post
    That's the definition of "proof of concept" as commonly understood in the security research community.
    In my mind, a "proof of concept" would be a mostly harmless exploit, something without any payload - you can download the config.php of any webapp you desire (that's hosted on LSWS) with that script, that's hardly harmless.

    Meyu: Define "doesn't work"?
    Jamie @ Sabrienix
    Now with Mumble Hosting!

  8. #8
    Join Date
    Jun 2004
    Location
    Oregon
    Posts
    1,272
    it actually did work...hope they have it fixed soon.

  9. #9
    Join Date
    Mar 2008
    Posts
    1,715
    BTW if mod_security works on litespeed, I'd imagine it's probably trivial to write a rule to block this - not sure on that though.

    I'm guessing anything that includes %00 would work? Someone more familiar with mod_security than me could probably confirm it.
    Jamie @ Sabrienix
    Now with Mumble Hosting!

  10. #10
    Join Date
    Jun 2004
    Location
    Oregon
    Posts
    1,272
    maybe this
    Code:
    SecFilterCheckURLEncoding On
    SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$"

  11. #11
    Join Date
    Dec 2007
    Location
    Indianapolis, Indiana USA
    Posts
    15,176
    I tested this against 4.0.13 and 4.0.14 both x86 and x64 and the exploit doesn't appear to be affecting either of these builds.

    Perhaps it only affects older/outdated software (i.e. it should have been kept up to date).


    Quote Originally Posted by drspliff View Post
    Yup, just confirmed this works
    Quote Originally Posted by meyu View Post
    it actually did work...hope they have it fixed soon.
    What version and architecture?

  12. #12
    Join Date
    Apr 2007
    Location
    United Kingdom
    Posts
    1,666
    Out of interest, what version are you guys running?

    I just tried it on 4.0.14 and it didn't work.
    EZPZ Hosting - Dependable and Affordable UK and US Web Hosting
    LiteSpeed Powered cPanel Shared with R1Soft and Softaculous | Budget VPS, Managed VPS and Dedicated | Shoutcast
    Reseller Hosting Specialists | WHMCS-Based End User Support | Unlimited SSLs | CloudFlare
    99.9% Uptime Guarantee | 24/7 Support | 30 Day Money Back Guarantee |

  13. #13
    Join Date
    Jul 2009
    Posts
    69
    Nothing on 4.0.14 here, too.

  14. #14
    4.0.14 is vulnerable under my tests.
    bin/lshttpd.4.0.14: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
    However, the exploit linked here did *NOT* work. I had to write my own version to get reproducible effects.
    Here is the source: pastebin.ca/1882204 (can't directly link, I don't have 5 posts)


    -05:04:20- seraphic:~/test luna% ./litespeed.pl <censored> /test.php
    [.] webserver accepted the request
    [.] <censored>:80 is running LiteSpeed
    [+] file (test.php.txt) has been saved.
    -05:07:03- seraphic:~/test luna% cat <censored>\:80-test.php
    <?php
    $super_secure_password = "vulnerable";
    ?>

    Yes, I am aware the reported file it saves to is wrong, I wrote it at 4 in the morning. Cut me a little slack.

    Let everybody you know running LiteSpeed (especially in place of Apache on cPanel servers, like I'm doing) know to either hotfix with mod_security (does this work?) or switch back to Apache until an upgrade is released.

  15. #15
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    407
    Just add this to 'Request Filter' at the server level:

    Name : NULLBYTE
    Action: deny,log
    Enabled: yes
    Rules Definition: SecRule REQUEST_URI "\x00"

    Restart LS.
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.
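
A log check to go with the null-byte request filter discussed above, as an added example that is not part of any post in this thread and is not LiteSpeed code: it scans access-log lines for request targets that contain a NUL byte after percent-decoding, so an operator can see whether such requests were already served before the filter went in. It assumes common/combined log format and that the logger may write a raw NUL as the literal text `\x00`; the sample lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def has_nul(target, max_rounds=3):
    """True if the request target holds a NUL byte, either escaped by the
    logger as the text \\x00 or percent-encoded (%00, %2500, ...)."""
    if "\\x00" in target:                      # assumption: logger escapes raw bytes
        return True
    data = target.encode("latin-1", "replace")
    for _ in range(max_rounds):                # decode repeatedly to catch double encoding
        if b"\x00" in data:
            return True
        decoded = unquote_to_bytes(data)
        if decoded == data:                    # nothing left to decode
            break
        data = decoded
    return b"\x00" in data

def scan(lines):
    """Return one record per log line whose request target contains a NUL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_nul(m.group(4)):
            status = int(m.group(5))
            hits.append({"ip": m.group(1), "time": m.group(2),
                         "target": m.group(4), "status": status,
                         "served": status < 400})   # request was not refused
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths and times).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:05:04:20 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:05:04:21 +0000] "GET /test.php%00x HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2024:05:04:25 +0000] "GET /test.php%2500x HTTP/1.1" 404 0',
    '203.0.113.5 - - [01/Jan/2024:05:05:00 +0000] "GET /search?q=100%25 HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/Jan/2024:05:06:00 +0000] "GET /test.php\\x00x HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["time"], hit["ip"], hit["status"], hit["target"])
```

Hits with `served` set are the ones to review first, since the server answered them instead of refusing them.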
