--------------------
Product: SPHERA HostingDirector and Final User (VDS) Control Panel ( Hosting
Control Panel )
Vendor: SPHERA
Versions:
VULNERABLE
- 3.x
- 2.x
- 1.x
NOT VULNERABLE
- ?
---------------------
Description:
HostingDirector comprises three fundamental components that are integrated
to provide rich offerings, maximum control for resellers and site owners,
and easy, centralized administration of shared and dedicated environments
running on Linux and Microsoft Windows®.
-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------
----------------
| XSS in LOGIN |
----------------
I encountered XSS ( Cross Site Scripting ) vulnerabilities in the
SPHERA's product called Hositng Director , located in the vds ( user of
hosting plans ) control panel.
The problems , i think , are related to form tag closing by url code
injection and the input validation system
( there aren`t any ). In addition the success_msg variable ( in internal
scripts ) is vulnerable to XSS too.
With this you can insert html and script code by url command passing like
this:
_______________________
XSS IN THE LOGIN FORM:
-----------------------
http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?uid=">[XSS
ATTACK CODE]
http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=">[XSS
ATTACK CODE]
http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=[XSS
ATTACK CODE COMBINATED WITH OTHER VARIABLE FOR EMULATE A REAL ERROR LIKE
"EITHER PASSWORD OR USER ARE INCORRECT , RE-FILL IN" FOR STEAL THE USER
DATA]
http://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS
DOMAIN OR IP]&uid=">[XSS ATTACK CODE]&tz=[TIMEZONE CODE , TRY
CEST]&vds_server_ip=">[XSS ATTACK CODE]
--------------
| SAMPLES |
--------------
https://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS
DOMAIN OR
IP]&uid="></form>here%20comes%20your%20attack<h1>&tz=CEST&vds_server_ip=">He
re%20comes%20your%20XSS%20Attack&error=Either+user+or+password+are+incorrect
+,+please+re-fill+in+.
https://[TARGET]/[INSTALLATION
PATH]/login/sm_login_screen.php?uid="><h1>XSS%20!
------------------
| COMMUNICATIONS |
| ENCRYPTION |
------------------
Sphera uses an "insecure" communications data encryption ( DES (16) ).
DES is a not very secure algorithm ( i think ).
In addition the control panel scripts don't check if you are using the https
protocol and allow you to use based http connections on port 80 ( without
SSL ).
----------------
| SESSION |
| HIJACKING |
----------------
This is a very interesting thing in Sphera Hosting Director VDS Control
Panel ,
if you don't close a session in the control panel , the session is saved all
the time that you use the cookie and the system
don't close the session if you don't close with control panel !.
This can be a big security problem if an attacker generates a session id
randomicing control.
I explain it:
if the first session id that you received is this :
xx01xx01xxX
and the next session id is..
xx01xx02Xxx
The first session id only differs in two parts with the second session ,
this indicates a poor session id randomicing...
the attacker can generate a profile analyzing the random session generating
and make an algorithm or script for make valid
sessions , this can be used for enter the system only changing the USER ID
value and you have access to the system with
the USER ID permissions ! ;-)
I think in another possibilty generating session id randomicing profiles
like monitoring the use of resources and the stack
blocks but this is very difficult for remote users.
The remote method is not very easy but very possible.
--------------------
| BUFFER OVERFLOW |
| AND DoS |
-------------------
I found some possible buffer overflows and Denial of Service attacks .
Some php files used by the vds control panel environment can conduct denial
of service attacks to the installation server.
Other php files can conduct stack attacks by url-based variable hacking and
command injection.
You can enter some crafted urls spoofing th variables and your referer for
make actions in other user accounts.
-
Some Proof of Concepts
-
http://[TARGET]/[INSTALLATION PATH]/dev/VDS/submitted.php <-- This is a
Sphera Control Panel global used php file
and this file can be used for conduct DoS and Buffer Overflow attacks to the
[TARGET] server with Sphera VDS Control Panel installed in
[INSTALLATION PATH] , i tell you some samples:
Make a connection in POST mode and request this:
http://[TARGET]/[INSTALLATION PATH]/dev/VDS/submitted.php?[TARGET
USER]\activeservices\http||watchdog_running=[false]&restart_vds=on&success_m
sg=Remote USER VDS restarted trough this kind of attack
I think that the system checks your referer for authenticate the request ,
but you can spoof it easier.
With this kinf of attacks you can make actions in other users hosting
accounts like password changing , virtual server restarting watch dog
deactivating and other features ;-) .
-------------------------
| CONCLUSIONS AND NOTES |
-------------------------
All the urls that use the xss affected variables (
uid,vds_ip_server,error,success_msg) input are affected by this hole.
User data and cookies can be stolen by this without permission.
In some conditions we can pass server-based commands.
The server can pick up sending specially crafted urls and input values with
too long buffers.
We can make a session hijacking.
We can revelate private info and DES(16) encypted communications.
We can spoof the USER ID value in cookies and url values for make buffer
overflow attacks and take the target user id permissions.
on the system.
We can modify other user accounts and make actions remotely with our valid
account sending spoofed requests.
-----------
| CONTACT |
-----------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________
This archive was generated by hypermail 2b30 : Fri Jun 13 2003 - 12:17:09 PDT