LxCenter Forum: Fixed Bugs, Security Issues and Implemented Features » Lets just break down the milw0rm report

HyperVM & Kloxo Support

Forum

Members

Search

Help

Login

Home » Archive » Fixed Bugs, Security Issues and Implemented Features » Lets just break down the milw0rm report

Show: Today's Messages :: Show Polls :: Message Navigator

Switch to threaded view of this topic

Create a new topic

Lets just break down the milw0rm report [message #68606]

Sat, 27 June 2009 18:20

dj-m

Messages: 88
Registered: May 2009

Valuable Member

I'm not going to sit here and say don't frantically move to a new openvz/xen panel... might be a good idea, but if you're like me, you've found the available options and the coming options inadequate (give those new beta panels 6-12 months unless you balls enough to wind up in this position again).

What I've failed to see, is any "kloxo/lxadmin" replacements, everyone is targeting hypervm as if it is the primary target. At the moment it is unsupported, but I think a lot of us are keeping our fingers crossed and hoping they make good on opensourcing the project.

Anyhow, lets break this down;

Quote:

############################################################ #########
# ISSUE #1 - uid/gid reuse
############################################################ #########

Requires kloxo. Don't use kloxo, not a hypervm issue.

Quote:

############################################################ #########
# ISSUE #2 - unprivileged port use
############################################################ #########

This is a little bit nitpicky, still a kloxo issue, does not affect hypervm.

Quote:

############################################################ #########
# ISSUE #3 - default passwords
############################################################ #########

Another kloxo issue, make sure you filter through and change any default passwords.

To make sure, change your DB passwords in hypervm, if anyone knows of anything else part of hypervm that has a default password besides the master and slave...post up.

Quote:

############################################################ #########
# ISSUE #4 - useradd string in the process list
############################################################ #########

Kloxo issue.

Quote:

############################################################ #########
# ISSUE #5 - XSS
############################################################ #########

Directed at Kloxo, perhaps plausible with hypervm. But we've marked this as having either been fixed, or straight up not possible with hypervm on the current version.

Quote:

############################################################ #########
# ISSUE #6 - remotely create partially user controlled file names
# and directories. Locally append uncontrolled data to
# any file
############################################################ #########

This has either been fixed, the logging has been disabled, or is a non issue with hypervm. Take your pick.

Quote:

############################################################ #########
# ISSUE #7 - local users can take control of any file or directory
############################################################ #########

Not relevent to hypervm. Only kloxo.

Quote:

############################################################ #########
# ISSUE #8 - local users can take control of any file or directory
############################################################ #########

Requires kloxo, not relevent to hypervm.

Quote:

############################################################ #########
# ISSUE #9 - local users can overwrite any file on the box
############################################################ #########

Requires kloxo, not a hypervm issue.

Quote:

############################################################ #########
# ISSUE #10 - yet another symlink attack for local users
############################################################ #########

Requires kloxo, not a hypervm issue.

Quote:

############################################################ #########
# ISSUE #11 - metachar injection, local command execution as root
############################################################ #########

Requires kloxo, not a hypervm issue

Quote:

############################################################ #########
# ISSUE #12 - web stats world readable password hashes
############################################################ #########

Requires kloxo, not a hypervm issue

Quote:

############################################################ #########
# ISSUE #13 - local users can overwrite any file on the box
############################################################ #########

Requires kloxo, not a hypervm issue

Quote:

############################################################ #########
# ISSUE #14 - metachar injection, local command execution as root
############################################################ #########

This has either been fixed or is a non issue with hypervm. Take your pick.

Quote:

############################################################ #########
# ISSUE #15 - remotely block any - or every - IP addr in hosts.deny
############################################################ #########

This is either a non issue for hypervm or has been fixed, or lxguard simply doesn't work anymore or never did (I don't think it works). Simply disable password based login to ssh and use keys.

Quote:

############################################################ #########
# ISSUE #16 - remote CPU and mem usage DoS
############################################################ #########

Kloxo issue only.

Quote:

############################################################ #########
# ISSUE #17 - local users can truncate and control any file
############################################################ #########

Kloxo issue only

Quote:

############################################################ #########
# ISSUE #18 - just 2 more symlinks to own any file on the box
############################################################ #########

Clearly this also requires kloxo

Quote:

############################################################ #########
# ISSUE #19 - file manager, view and edit any file
############################################################ #########

Requires kloxo

Quote:

############################################################ #########
# ISSUE #20 - file manager PT II
############################################################ #########

Requires kloxo

Quote:

############################################################ #########
# ISSUE #21 - file manager PT III
############################################################ #########

Kloxo only again

Quote:

############################################################ #########
# ISSUE #22 - local user symlink attack
############################################################ #########

It's pointless to continue to documenting symlink attacks in this
software. The software appears to use root for nearly everything,
and does not use proper file locking, amongst other things.

I couldn't agree more, though I would like some clarification- as I believe these root level exploits are VM LEVEL ONLY and are only accessing root to the VM, and NOT the hardware node. Since this isn't clear, I'm going to assume VM only.

Quote:

############################################################ #########
# ISSUE #23 - local user symlink attack (last one)
############################################################ #########

Kloxo only

Quote:

############################################################ #########
# ISSUE #24 - sql injection in the "Forgot Password" form
############################################################ #########

Ok, now this one I shall contribute a solution to the board for hypervm...however, I sincerely to believe that this is limited to a kloxo bug as noted. To be safe, and because I hate forgot password forms being on this type of software, please copy the code in the next post, and replace your /login/index.php file to disable the lost password form.

Report message to a moderator

Send a private message to this user

Re: Lets just break down the milw0rm report [message #68607 is a reply to message #68606]

Sat, 27 June 2009 18:21

dj-m

Messages: 88
Registered: May 2009

Valuable Member

Here is your replacement login page;

<?php

function index_print_header( )
{
    echo " \n<table width=100%  height=\" 64\" border=\"0\" valign=\"top\" align=\"center\" cellpadding=\"0\" cellspacing=\"0\">\n\n<tr>
<td width=100% style='background:url(/img/skin/hypervm/default/default/background.gif)'> </td>
<td width=326 style='background:url(/img/skin/hypervm/default/default/background.gif);background-repeat:repeat'><table width=326>
<tr align=right><td width=200> &nbsp; &nbsp; </td>
<td align=right> <img id=main_logo width=84 height=23 src=\"/img/hypervm-logo.gif\"></td>
<td width=10%> &nbsp; &nbsp; </td></tr></table> </td> </tr>\n
<tr><td width=\"100%\" colspan=5 bgcolor=\"#003366\" width=\"10\" height=\"2\"></td></tr>\n</table>\n\n";
}

chdir( ".." );
include_once( "htmllib/lib/displayinclude.php" );
init_language( );
$cgi_clientname = $ghtml->frm_clientname;
$cgi_class = $ghtml->frm_class;
$cgi_password = $ghtml->frm_password;
//$cgi_forgotpwd = $ghtml->frm_forgotpwd;
//$cgi_email = $ghtml->frm_email;
$cgi_classname = "client";
if ( $cgi_class )
{
    $cgi_classname = $cgi_classname;
}
ob_start( );
include_once( "htmllib/lib/indexcontent.php" );
?>

That should about do it until someone posts up some vulns for hypervm in the current version and newer.

Digg it.

Report message to a moderator

Send a private message to this user

Re: Lets just break down the milw0rm report [message #68608 is a reply to message #68606]

Sat, 27 June 2009 18:28

dj-m

Messages: 88
Registered: May 2009

Valuable Member

If the bug reporter that posted to milw0rm ever finds this and can clarify about the root level exploit being VPS root level or hardware node root level, we could secure a decision on whether Vaserv was neglectful, or exploited through lxlabs product immediately.

[Updated on: Sat, 27 June 2009 18:34]

Report message to a moderator

Send a private message to this user

Re: Lets just break down the milw0rm report [message #68619 is a reply to message #68606]

Sat, 27 June 2009 21:40

LxCenter_Danny is currently offline

Messages: 2068
Registered: July 2007
Location: Netherlands

Grandmaster
LxCenter Core Team Member
LxCenter Representative

nettuninggroup@gmail.com

Wrong forum section.
I requested a topic move.

Besides, i did not worry at all about HyperVM after that report was published. I also read that 99,9% was LxAdmin/Kloxo related.
The last 1% i can live with, and you showed a patch.

As i dont have a good dezend tool, it was a hell of a job to use a online decode system. So after 3 files i stopped decoding and just wait for final news from LxLabs.
I just want a work arround patch if the license server where go down so we have some more space to set up Plan B if needed Smile

Smile

So in mean time i still on the road for a (batch)dezend tool.

LxCenter - System Operations

Report message to a moderator

Send a private message to this user

Re: Lets just break down the milw0rm report [message #68620 is a reply to message #68619]

Sat, 27 June 2009 21:51

dj-m

Messages: 88
Registered: May 2009

Valuable Member

NetTuningGroup wrote on Sat, 27 June 2009 18:40

Wrong forum section.
I requested a topic move.

This is directly related to hypervm, directly related to technical support with the product which is otherwise non existent. Where else should it be? :shrug:

Quote:

Besides, i did not worry at all about HyperVM after that report was published. I also read that 99,9% was LxAdmin/Kloxo related.
The last 1% i can live with, and you showed a patch.

As i dont have a good dezend tool, it was a hell of a job to use a online decode system. So after 3 files i stopped decoding and just wait for final news from LxLabs.
I just want a work arround patch if the license server where go down so we have some more space to set up Plan B if needed Smile

Smile

So in mean time i still on the road for a (batch)dezend tool.

The trouble only starts there. Barring any civil solutions from lxlabs, when it becomes time I believe there are already a couple of patches for the license system but its not hard either way. We took a moment to mirror the lxrepo as well in case we need to deploy hardware in the meantime and the repo is down.

*I would recommend patching that login page for sure, there is no way to validate the rest of the code, but a whiz may be able to point out a way to sanitize the data right there in index.php, I don't want the lost password thing either way and wish I could remove the text for it, but nuking the link is a start.

[Updated on: Sat, 27 June 2009 22:49]

Report message to a moderator

Send a private message to this user

Re: Lets just break down the milw0rm report [message #68638 is a reply to message #68620]

Sun, 28 June 2009 06:56

LxCenter_Danny is currently offline

Messages: 2068
Registered: July 2007
Location: Netherlands

Grandmaster
LxCenter Core Team Member
LxCenter Representative

nettuninggroup@gmail.com

dj-m wrote on Sun, 28 June 2009 03:51

NetTuningGroup wrote on Sat, 27 June 2009 18:40

Wrong forum section.
I requested a topic move.

This is directly related to hypervm, directly related to technical support with the product which is otherwise non existent. Where else should it be? :shrug:

Section Security.

LxCenter - System Operations

Report message to a moderator

Send a private message to this user

Re: Lets just break down the milw0rm report [message #68639 is a reply to message #68638]

Sun, 28 June 2009 07:04

dj-m

Messages: 88
Registered: May 2009

Valuable Member

NetTuningGroup wrote on Sun, 28 June 2009 03:56

dj-m wrote on Sun, 28 June 2009 03:51

NetTuningGroup wrote on Sat, 27 June 2009 18:40

Wrong forum section.
I requested a topic move.

This is directly related to hypervm, directly related to technical support with the product which is otherwise non existent. Where else should it be? :shrug:

Section Security.

Well, you guys feel free to shuffle things around however you want. The area down there is to confusing since it doesn't address the different products appropriately. This post is specific to hypervm and I didn't want people to get any further confused.

*Of course, a good poster follows instructions lol

Quote:

This is announcement only forum. Members please post in the hyperVM/Lxadmin sections Above

[Updated on: Sun, 28 June 2009 07:07]

Report message to a moderator

Send a private message to this user

Switch to threaded view of this topic

Create a new topic

Previous Topic:	Multiple Security Issues in hyperVM/Kloxo
Next Topic:	Heads up

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

PDF

]

Current Time: Sat May 25 23:37:18 EDT 2013

Total time taken to generate the page: 0.01165 seconds

.:: Contact :: Home :: Privacy ::.

Click here to lend your support to: LxCenter and make a donation at www.pledgie.com !

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software