104683 2003-06-13  21:16  /195 lines/ Lorenzo Hernandez Garcia-Hierro <novappc@novappc.com>
Imported: 2003-06-13  21:16  by Brevbäraren
External recipient: Bugtraq <bugtraq@securityfocus.com>
External replies to: novappc@novappc.com
Recipient: Bugtraq (import) <5211>
Subject: Sphera Hosting Director Control Panel Multiple Vulnerabilities: XSS-Session Hijacking-DoS/Buffer Overflow-Another User Accounts access
------------------------------------------------------------
--------------------
Product: SPHERA HostingDirector and Final User (VDS) Control Panel (Hosting Control Panel)
Vendor: SPHERA
Versions:
         VULNERABLE

         - 3.x
         - 2.x
         - 1.x

         NOT VULNERABLE

         - ?
---------------------

Description:

HostingDirector comprises three fundamental components that are
integrated to provide rich offerings, maximum control for resellers
and site owners, and easy, centralized administration of shared and
dedicated environments running on Linux and Microsoft Windows®.


-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------
----------------
| XSS in LOGIN |
----------------

I encountered XSS (Cross Site Scripting) vulnerabilities in SPHERA's
product called Hosting Director, located in the VDS (user of hosting
plans) control panel. The problems, I think, are related to closing
the form tag by injecting code through the URL, and to the input
validation system (there isn't any). In addition, the success_msg
variable (in internal scripts) is vulnerable to XSS too. With this you
can insert HTML and script code by passing it in the URL like this:

-------------------------
| XSS IN THE LOGIN FORM |
-------------------------

http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?uid=">[XSS ATTACK CODE]

http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=">[XSS ATTACK CODE]

http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=[XSS ATTACK CODE COMBINED WITH ANOTHER VARIABLE TO EMULATE A REAL ERROR LIKE "EITHER PASSWORD OR USER ARE INCORRECT, RE-FILL IN" IN ORDER TO STEAL THE USER'S DATA]

http://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid=">[XSS ATTACK CODE]&tz=[TIMEZONE CODE, TRY CEST]&vds_server_ip=">[XSS ATTACK CODE]

--------------
|   SAMPLES  |
--------------

https://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid="></form>here%20comes%20your%20attack<h1>&tz=CEST&vds_server_ip=">Here%20comes%20your%20XSS%20Attack&error=Either+user+or+password+are+incorrect+,+please+re-fill+in+.

https://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?uid="><h1>XSS%20!
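As an added illustration (not part of the original advisory and not
Sphera's code, whose templates are not public), the following Python
models the attribute break-out that the samples above rely on: a login
form that reflects uid and error straight into the HTML, next to the
same form with every reflected value HTML-encoded for the context it
lands in. The host name, installation path and both render functions
are assumptions; the sample URL is constructed from the pattern above.
The tag counter shows the defender's view: the template contains five
tags, so any tag beyond that came out of the query string.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL modelled on the login_screen.php sample above.
# Host and installation path are placeholders, not a real deployment.
SAMPLE_URL = (
    "https://cp.example.invalid/hd/login/login_screen.php"
    "?vds_ip=vds.example.invalid"
    "&uid=%22%3E%3C/form%3Ehere%20comes%20your%20attack%3Ch1%3E"
    "&tz=CEST"
    "&vds_server_ip=%22%3EHere%20comes%20your%20XSS%20Attack"
    "&error=Either+user+or+password+are+incorrect+,+please+re-fill+in+."
)


def query_params(url):
    """Return the first value of each query parameter as a plain dict."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def render_login_vulnerable(params):
    """Hypothetical template: reflects uid and error with no encoding, so a
    double quote in uid closes the value attribute and the rest is markup."""
    uid = params.get("uid", "")
    error = params.get("error", "")
    return (
        '<form method="post" action="sm_login_screen.php">'
        f'<input type="text" name="uid" value="{uid}">'
        f'<p class="error">{error}</p>'
        "</form>"
    )


def render_login_hardened(params):
    """Same template with every reflected value encoded for its context.
    quote=True also turns " and ' into entities, which keeps the attribute
    closed; &lt; and &gt; keep the error text from becoming elements."""
    uid = html.escape(params.get("uid", ""), quote=True)
    error = html.escape(params.get("error", ""), quote=True)
    return (
        '<form method="post" action="sm_login_screen.php">'
        f'<input type="text" name="uid" value="{uid}">'
        f'<p class="error">{error}</p>'
        "</form>"
    )


class _TagCounter(HTMLParser):
    """Counts the start and end tags a parser sees in a fragment."""

    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        self.count += 1

    def handle_endtag(self, tag):
        self.count += 1


def tag_count(fragment):
    counter = _TagCounter()
    counter.feed(fragment)
    counter.close()
    return counter.count


if __name__ == "__main__":
    params = query_params(SAMPLE_URL)
    for name, render in (("vulnerable", render_login_vulnerable),
                         ("hardened", render_login_hardened)):
        page = render(params)
        # The template itself has 5 tags; anything above that came from the URL.
        print(f"{name}: {tag_count(page)} tags\n  {page}")
```

The same encoding step applies to vds_server_ip and success_msg; the
point is that encoding is chosen per output context (attribute value,
element body) at the moment of rendering, not by filtering the input.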

------------------
| COMMUNICATIONS |
| ENCRYPTION     |
------------------

Sphera uses "insecure" encryption for its communications data (DES (16)).
DES is not a very secure algorithm, I think.

In addition, the control panel scripts don't check whether you are
using the HTTPS protocol, and allow you to use plain HTTP connections
on port 80 (without SSL).

----------------
|  SESSION     |
|  HIJACKING   |
----------------

This is a very interesting thing in the Sphera Hosting Director VDS
Control Panel: if you don't close a session in the control panel, the
session stays valid for as long as you keep using the cookie, and the
system does not close the session unless you log out through the
control panel. This can be a big security problem if an attacker
generates session IDs by analysing the randomization.

Let me explain:

if the first session id  that you received is this :

xx01xx01xxX

and the next session id is..

xx01xx02Xxx

The first session ID differs from the second only in two places; this
indicates poor session ID randomization. The attacker can build a
profile by analysing how the random sessions are generated and write
an algorithm or script that produces valid sessions. This can be used
to enter the system simply by changing the USER ID value, and you then
have access to the system with that USER ID's permissions! ;-)

I think there is another possibility for profiling the session ID
randomization, such as monitoring the use of resources and the stack
blocks, but this is very difficult for remote users.

The remote method is not very easy but very possible.
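An added example, not from the original post: a Python check that an
administrator could run over a batch of session IDs collected from
their own panel to measure how much of each ID actually changes
between issues. The weak sample it runs on is constructed to imitate
the observation above (a fixed skeleton in which only a two-digit
counter moves) and is compared with IDs drawn from secrets.token_hex;
the thresholds in the verdict are heuristics chosen here, not a vendor
or standards figure.

```python
import math
import secrets


def constructed_weak_ids(count=50):
    """Constructed sample imitating the observation above: a fixed skeleton
    in which only a two-digit counter moves between issues."""
    return [f"xx01xx{i:02d}xxX" for i in range(1, count + 1)]


def constructed_strong_ids(count=50):
    """Constructed comparison sample: 64 bits from the OS CSPRNG per ID."""
    return [secrets.token_hex(8) for _ in range(count)]


def positions_changed(first, second):
    """Number of character positions that differ between two IDs."""
    if len(first) != len(second):
        raise ValueError("session IDs of different length cannot be compared")
    return sum(1 for a, b in zip(first, second) if a != b)


def varying_positions(ids):
    """Positions that take more than one value anywhere in the sample."""
    length = len(ids[0])
    return {p for p in range(length) if len({s[p] for s in ids}) > 1}


def observed_keyspace_bits(ids):
    """log2 of the combinations the observed per-position alphabets allow.
    This bounds what the generator showed in this sample, so a low figure
    is conclusive while a high one only says 'nothing obvious'."""
    bits = 0.0
    for p in range(len(ids[0])):
        bits += math.log2(len({s[p] for s in ids}))
    return bits


def predictability_report(ids):
    """Heuristic summary of a sample of session IDs issued in sequence."""
    if len(ids) < 2 or len({len(s) for s in ids}) != 1:
        raise ValueError("need at least two IDs of equal length")
    changes = [positions_changed(a, b) for a, b in zip(ids, ids[1:])]
    varying = varying_positions(ids)
    bits = observed_keyspace_bits(ids)
    length = len(ids[0])
    # Flag when fewer than half the positions ever move, or the observed
    # alphabets allow fewer than 2^32 combinations (thresholds chosen here).
    predictable = len(varying) < length / 2 or bits < 32
    return {
        "length": length,
        "varying_positions": sorted(varying),
        "mean_positions_changed": sum(changes) / len(changes),
        "observed_keyspace_bits": round(bits, 1),
        "verdict": "predictable" if predictable else "no obvious pattern",
    }


if __name__ == "__main__":
    for label, sample in (("counter-style", constructed_weak_ids()),
                          ("token_hex", constructed_strong_ids())):
        print(label, predictability_report(sample))
```

Run against real IDs, the report is only as good as the sample: fifty
IDs can prove a generator weak but cannot prove it strong, and a
generator that reuses state across restarts or ties the ID to the
clock will not show up in per-position statistics at all.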

--------------------
|  BUFFER OVERFLOW |
|   AND DoS        |
--------------------

I found some possible buffer overflows and Denial of Service attacks.
Some PHP files used by the VDS control panel environment can be used
to conduct denial of service attacks against the installation server.
Other PHP files can be used for stack attacks through URL-based
variable manipulation and command injection. You can send crafted
URLs, spoofing the variables and your Referer, to perform actions in
other users' accounts.

Some proofs of concept:

- http://[TARGET]/[INSTALLATION PATH]/dev/VDS/submitted.php <-- This
is a PHP file used globally by the Sphera Control Panel

This file can be used to conduct DoS and buffer overflow attacks
against the [TARGET] server with the Sphera VDS Control Panel installed
in [INSTALLATION PATH]. Some samples:

 Make a connection in POST mode and request this:

http://[TARGET]/[INSTALLATION PATH]/dev/VDS/submitted.php?[TARGET USER]\activeservices\http||watchdog_running=[false]&restart_vds=on&success_msg=Remote USER VDS restarted trough this kind of attack

I think the system checks your Referer to authenticate the request,
but you can spoof it easily.

With this kind of attack you can perform actions in other users'
hosting accounts, such as changing passwords, restarting virtual
servers, deactivating the watchdog and other features ;-) .
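An added example, not Sphera's code (submitted.php is not public): a
Python model of a state-changing handler that authorizes on the Referer
header, takes the account to act on from the URL and echoes success_msg
back verbatim, beside a hardened version that requires POST, derives
the account from the server-side session and checks a per-session
anti-CSRF token with a constant-time compare. The origin, session store,
parameter names (account, csrf_token) and the three requests are
constructed placeholders; the request shape is a plain dict so the
example runs without a web framework.

```python
import hmac
from urllib.parse import parse_qs

# Constructed placeholders; none of these values come from the advisory.
TRUSTED_ORIGIN = "https://cp.example.invalid"
SESSIONS = {  # cookie value -> server-side session record
    "sid-alice-1": {"user": "alice", "csrf": "tok-alice-5f3c"},
    "sid-mallory-9": {"user": "mallory", "csrf": "tok-mallory-9b21"},
}


def first(params, key):
    """First value of a parsed query/form parameter, or '' when absent."""
    return params.get(key, [""])[0]


def vulnerable_submitted(request):
    """Models the pattern described above: the only authorisation is a
    Referer prefix check, the account to act on is named in the request,
    and success_msg is reflected verbatim."""
    referer = request["headers"].get("Referer", "")
    if not referer.startswith(TRUSTED_ORIGIN):
        return {"status": 403, "actions": {}, "message": ""}
    params = parse_qs(request["query"])
    account = first(params, "account")  # hypothetical parameter name
    actions = {}
    if first(params, "restart_vds") == "on":
        actions["restart_vds"] = account
    if first(params, "watchdog_running") == "false":
        actions["watchdog_stop"] = account
    return {"status": 200, "actions": actions, "message": first(params, "success_msg")}


def hardened_submitted(request):
    """State changes need POST, a valid session cookie and the session's
    anti-CSRF token; the account is whatever the session says it is, so a
    request can never name another user's account."""
    if request["method"] != "POST":
        return {"status": 405, "actions": {}, "message": ""}
    session = SESSIONS.get(request["cookies"].get("sid", ""))
    if session is None:
        return {"status": 401, "actions": {}, "message": ""}
    form = parse_qs(request.get("body", ""))
    token = first(form, "csrf_token")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return {"status": 403, "actions": {}, "message": ""}
    account = session["user"]  # never read from the request
    actions = {}
    if first(form, "restart_vds") == "on":
        actions["restart_vds"] = account
    if first(form, "watchdog_running") == "false":
        actions["watchdog_stop"] = account
    # Fixed server-side text: nothing from the request is reflected.
    return {"status": 200, "actions": actions, "message": "request accepted"}


# Constructed requests. CROSS_ACCOUNT carries a Referer claiming the trusted
# origin and names alice's account while the session cookie is mallory's.
CROSS_ACCOUNT = {
    "method": "GET",
    "query": "account=alice&restart_vds=on&watchdog_running=false&success_msg=restarted",
    "headers": {"Referer": TRUSTED_ORIGIN + "/"},
    "cookies": {"sid": "sid-mallory-9"},
    "body": "",
}
OWN_ACCOUNT_POST = {
    "method": "POST",
    "query": "",
    "headers": {"Referer": TRUSTED_ORIGIN + "/"},
    "cookies": {"sid": "sid-mallory-9"},
    "body": "account=alice&restart_vds=on&csrf_token=tok-mallory-9b21",
}
MISSING_TOKEN_POST = dict(OWN_ACCOUNT_POST, body="account=alice&restart_vds=on")

if __name__ == "__main__":
    print("vulnerable:", vulnerable_submitted(CROSS_ACCOUNT))
    print("hardened, GET:", hardened_submitted(CROSS_ACCOUNT))
    print("hardened, POST with token:", hardened_submitted(OWN_ACCOUNT_POST))
    print("hardened, POST without token:", hardened_submitted(MISSING_TOKEN_POST))
```

The Referer header is kept out of the hardened decision entirely: it is
client-supplied, often stripped by proxies, and tells the server nothing
about which account the caller is entitled to act on.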


-------------------------
| CONCLUSIONS AND NOTES |
-------------------------

All the URLs that take input through the XSS-affected variables (uid,
vds_server_ip, error, success_msg) are affected by this hole. User
data and cookies can be stolen through it without permission. Under
some conditions we can pass server-based commands. The server can be
disrupted by sending specially crafted URLs and input values with
overly long buffers. We can hijack sessions. We can reveal private
information and DES(16)-encrypted communications. We can spoof the
USER ID value in cookies and URL values to perform buffer overflow
attacks and take the target user's permissions on the system. We can
modify other users' accounts and perform actions remotely with our own
valid account by sending spoofed requests.


-----------
| CONTACT |
-----------

Lorenzo Manuel Hernandez Garcia-Hierro
 --- Computer Security Analyzer ---
 --Nova Projects Professional Coding--
 PGP: Keyfingerprint
 B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
 ID: 0x9C38E1D7
 **********************************
 www.novappc.com
 security.novappc.com
 www.lorenzohgh.com
 ______________________
(104683) /Lorenzo Hernandez Garcia-Hierro <novappc@novappc.com>/(rewrapped)