Message-ID: <3EE9ECF6.7080603@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: Sphera Hosting Director Control Panel Multiple Vulnerabilities: XSS-Session Hijacking-DoS/Buffer Overflow-Another User Accounts access
There is one key piece of information you left out... did you notify
Sphera? Do they have a fix? I am also curious about the buffer
overflows you mention... are they in the local sphera suids or are they
remotely exploitable as well?
-KF
Lorenzo Hernandez Garcia-Hierro wrote:
> --------------------
> Product: SPHERA HostingDirector and Final User (VDS) Control Panel ( Hosting
> Control Panel )
> Vendor: SPHERA
> Versions:
> VULNERABLE
>
> - 3.x
> - 2.x
> - 1.x
>
> NOT VULNERABLE
>
> - ?
> ---------------------
>
> Description:
>
> HostingDirector comprises three fundamental components that are integrated
> to provide rich offerings, maximum control for resellers and site owners,
> and easy, centralized administration of shared and dedicated environments
> running on Linux and Microsoft Windows®.
>
>
> -----------------------------------------
> SECURITY HOLES FOUND and PROOFS OF CONCEPT:
> -----------------------------------------
> ----------------
> | XSS in LOGIN |
> ----------------
>
> I encountered XSS ( Cross Site Scripting ) vulnerabilities in the
> SPHERA's product called Hosting Director, located in the vds ( user of
> hosting plans ) control panel.
> The problems, I think, are related to form tag closing by url code
> injection and the input validation system
> ( there aren't any ). In addition the success_msg variable ( in internal
> scripts ) is vulnerable to XSS too.
> With this you can insert html and script code by url command passing like
> this:
> _______________________
> XSS IN THE LOGIN FORM:
> -----------------------
>
> http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?uid=">[XSS
> ATTACK CODE]
>
> http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=">[XSS
> ATTACK CODE]
>
> http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=[XSS
> ATTACK CODE COMBINED WITH OTHER VARIABLE FOR EMULATE A REAL ERROR LIKE
> "EITHER PASSWORD OR USER ARE INCORRECT , RE-FILL IN" FOR STEAL THE USER
> DATA]
>
> http://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS
> DOMAIN OR IP]&uid=">[XSS ATTACK CODE]&tz=[TIMEZONE CODE , TRY
> CEST]&vds_server_ip=">[XSS ATTACK CODE]
>
> --------------
> | SAMPLES |
> --------------
>
> https://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS
> DOMAIN OR
> IP]&uid="></form>here%20comes%20your%20attack<h1>&tz=CEST&vds_server_ip=">He
> re%20comes%20your%20XSS%20Attack&error=Either+user+or+password+are+incorrect
> +,+please+re-fill+in+.
>
> https://[TARGET]/[INSTALLATION
> PATH]/login/sm_login_screen.php?uid="><h1>XSS%20!
>
> ------------------
> | COMMUNICATIONS |
> | ENCRYPTION |
> ------------------
>
> Sphera uses an "insecure" communications data encryption ( DES (16) ).
> DES is a not very secure algorithm ( I think ).
>
> In addition the control panel scripts don't check if you are using the https
> protocol and allow you to use based http connections on port 80 ( without
> SSL ).
>
> ----------------
> | SESSION |
> | HIJACKING |
> ----------------
>
> This is a very interesting thing in Sphera Hosting Director VDS Control
> Panel,
> if you don't close a session in the control panel, the session is saved all
> the time that you use the cookie and the system
> doesn't close the session if you don't close with control panel!
> This can be a big security problem if an attacker generates a session id
> randomizing control.
>
> I explain it:
>
> if the first session id that you received is this :
>
> xx01xx01xxX
>
> and the next session id is..
>
> xx01xx02Xxx
>
> The first session id only differs in two parts with the second session,
> this indicates a poor session id randomizing...
> the attacker can generate a profile analyzing the random session generating
> and make an algorithm or script for make valid
> sessions, this can be used for enter the system only changing the USER ID
> value and you have access to the system with
> the USER ID permissions ! ;-)
>
> I think in another possibility generating session id randomizing profiles
> like monitoring the use of resources and the stack
> blocks but this is very difficult for remote users.
>
> The remote method is not very easy but very possible.
>
> --------------------
> | BUFFER OVERFLOW |
> | AND DoS |
> -------------------
>
> I found some possible buffer overflows and Denial of Service attacks .
> Some php files used by the vds control panel environment can conduct denial
> of service attacks to the installation server.
> Other php files can conduct stack attacks by url-based variable hacking and
> command injection.
> You can enter some crafted urls spoofing the variables and your referer for
> make actions in other user accounts.
>
> -
> Some Proof of Concepts
> -
> http://[TARGET]/[INSTALLATION PATH]/dev/VDS/submitted.php <-- This is a
> Sphera Control Panel global used php file
>
> and this file can be used for conduct DoS and Buffer Overflow attacks to the
> [TARGET] server with Sphera VDS Control Panel installed in
> [INSTALLATION PATH] , i tell you some samples:
>
> Make a connection in POST mode and request this:
>
> http://[TARGET]/[INSTALLATION PATH]/dev/VDS/submitted.php?[TARGET
> USER]\activeservices\http||watchdog_running=[false]&restart_vds=on&success_m
> sg=Remote USER VDS restarted trough this kind of attack
>
> I think that the system checks your referer for authenticate the request ,
> but you can spoof it easier.
>
> With this kind of attacks you can make actions in other users hosting
> accounts like password changing , virtual server restarting watch dog
> deactivating and other features ;-) .
>
>
> -------------------------
> | CONCLUSIONS AND NOTES |
> -------------------------
>
> All the urls that use the xss affected variables (
> uid,vds_ip_server,error,success_msg) input are affected by this hole.
> User data and cookies can be stolen by this without permission.
> In some conditions we can pass server-based commands.
> The server can pick up sending specially crafted urls and input values with
> too long buffers.
> We can make a session hijacking.
> We can reveal private info and DES(16) encrypted communications.
> We can spoof the USER ID value in cookies and url values for make buffer
> overflow attacks and take the target user id permissions on the system.
> We can modify other user accounts and make actions remotely with our valid
> account sending spoofed requests.
>
>
> -----------
> | CONTACT |
> -----------
>
> Lorenzo Manuel Hernandez Garcia-Hierro
> --- Computer Security Analyzer ---
> --Nova Projects Professional Coding--
> PGP: Keyfingerprint
> B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
> ID: 0x9C38E1D7
> **********************************
> www.novappc.com
> security.novappc.com
> www.lorenzohgh.com
> ______________________
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
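Added illustration, not code from the advisory or from Sphera: a Python model of the login-form flaw quoted above. The unsafe renderer echoes uid raw into the input's value attribute, so a value beginning with "> closes the attribute and the form just as the sample URLs do; the hardened renderer escapes for the attribute context, and audit() parses the result the way a browser would to confirm the value stays inside the attribute. The form layout, function names and payload are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed payload with the same shape as the advisory's sample: it opens
# with "> so that, when echoed raw, it closes the value attribute and the form.
PAYLOAD = '"></form>here comes your attack<h1>'
ERROR = "Either user or password are incorrect, please re-fill in."


def render_login_unsafe(uid, error):
    """Hypothetical model of the flaw: query parameters echoed into the page unescaped."""
    return (
        '<form action="login.php" method="post">'
        f'<p class="err">{error}</p>'
        f'<input name="uid" value="{uid}">'
        "</form>"
    )


def render_login_safe(uid, error):
    """Hardened version: escape for the HTML context. quote=True also rewrites
    the double quote as &quot; so a value can never terminate the attribute."""
    return (
        '<form action="login.php" method="post">'
        f'<p class="err">{html.escape(error, quote=True)}</p>'
        f'<input name="uid" value="{html.escape(uid, quote=True)}">'
        "</form>"
    )


class _TagCollector(HTMLParser):
    """Records the tags a browser would see and the value it would give the uid field."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.uid_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and dict(attrs).get("name") == "uid":
            self.uid_value = dict(attrs).get("value")


def audit(page):
    """Parse a rendered login page and report whether uid escaped its attribute context."""
    parser = _TagCollector()
    parser.feed(page)
    injected = [t for t in parser.tags if t not in ("form", "p", "input")]
    return {"injected_tags": injected, "uid_value": parser.uid_value}


if __name__ == "__main__":
    print("unsafe:", audit(render_login_unsafe(PAYLOAD, ERROR)))
    print("safe:  ", audit(render_login_safe(PAYLOAD, ERROR)))
```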