Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : litespeed hacked?

[nukuki]

this legit and real?

frind showwd me it just now on msn

http://************.org/forums/topic...-byte-exploit/

[tegatai]

This exploit is just a proof of concept for a file disclosure vulnerability. It would take quite a bit of effort on the part of an attacker to gain complete control of a system with it. Although this particular exploit would not allow an attacker to get remote root control of a web server, I would still upgrade as soon as possible.

[fwaggle]

It's not really a "proof of concept" considering it's got an actual exploit code with it. I was unable to test it because I don't have a LSWS with an active license, and I couldn't get another trial license to work - it just fails to start.

It looks legit to me though. Wait for LiteSpeed or mistwang here to confirm/deny it.

[plumsauce]

Quote:

Originally Posted by fwaggle

It's not really a "proof of concept" considering it's got an actual exploit code with it.

That's the definition of "proof of concept" as commonly understood in the security research community.

[CNSERVERS]

just tried with the latest Litespeed version and an older version, both doesn't work.
anyone find the expoit works?

[drspliff]

Yup, just confirmed this works

[fwaggle]

Quote:

Originally Posted by plumsauce

That's the definition of "proof of concept" as commonly understood in the security research community.

In my mind, a "proof of concept" would be a mostly harmless exploit, something without any payload - you can download the config.php of any webapp you desire (that's hosted on LSWS) with that script, that's hardly harmless.

Meyu: Define "doesn't work"?

[CNSERVERS]

it actually did work...hope they have it fixed soon.

[fwaggle]

BTW if mod_security works on litespeed, I'd imagine it's probably trivial to write a rule to block this - not sure on that though.

I'm guessing anything that includes %00 would work? Someone more familiar with mod_security than me could probably confirm it.

[CNSERVERS]

maybe this

Code:

SecFilterCheckURLEncoding On
SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$"

[MikeDVB]

I tested this against 4.0.13 and 4.0.14 both x86 and x64 and the exploit doesn't appear to be affecting either of these builds.

Perhaps it only affects older/outdated software (i.e. it should have been kept up to date).

Quote:

Originally Posted by drspliff

Yup, just confirmed this works

Quote:

Originally Posted by meyu

it actually did work...hope they have it fixed soon.

What version and architecture?

[Dan_EZPZ]

Out of interest, what version are you guys running?

I just tried it on 4.0.14 and it didn't work.

[TimC]

Nothing on 4.0.14 here, too.

[Seraphic Luna]

4.0.14 is vulnerable under my tests.
bin/lshttpd.4.0.14: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
However, the exploit linked here did *NOT* work. I had to write my own version to get reproducible effects.
Here is the source: pastebin.ca/1882204 (can't directly link, I don't have 5 posts )


-05:04:20- seraphic:~/test luna% ./litespeed.pl <censored> /test.php
[.] webserver accepted the request
[.] <censored>:80 is running LiteSpeed
[+] file (test.php.txt) has been saved.
-05:07:03- seraphic:~/test luna% cat <censored>\:80-test.php
<?php
$super_secure_password = "vulnerable";
?>

Yes, I am aware the reported file it saves to is wrong, I wrote it at 4 in the morning. Cut me a little slack.

Let everybody you know running LiteSpeed (especially in place of Apache on cPanel servers, like I'm doing) to either hotfix with mod_security (does this work?) or switch back to Apache until an upgrade is released.

[khunj]

Just add this to 'Request Filter' at the server level:

Name : NULLBYTE
Action: deny,log
Eabled: yes
Rules Definition: SecRule REQUEST_URI "\x00"

Restart LS.