Sphera Hosting Director Control Panel Multiple Vulnerabilities: XSS-Session Hijacking-DoS/Buffer Overflow-Another User Accounts access
From: Lorenzo Manuel Hernandez Garcia-Hierro <security(at)lorenzohgh.com>
Date: Fri Jun 13 2003 - 10:56:50 EDT

Product: SPHERA HostingDirector and Final User (VDS) Control Panel ( Hosting Control Panel )
Vendor: SPHERA
Versions:
VULNERABLE
- 3.x
- 2.x
- 1.x
NOT VULNERABLE
- ?
---------------------
Description:
HostingDirector comprises three fundamental components that are integrated to provide rich offerings, maximum control for resellers and site owners, and easy, centralized administration of shared and dedicated environments running on Linux and Microsoft Windows®.

SECURITY HOLES FOUND and PROOFS OF CONCEPT:

| XSS IN LOGIN |
I encountered XSS ( Cross Site Scripting ) vulnerabilities in the SPHERA product called Hosting Director, located in the VDS ( user of hosting plans ) control panel.
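The payloads in this section all start with `">`: the parameter value is reflected inside a `value="..."` attribute of the login form, so a quote plus a closing bracket ends the attribute and the tag, and whatever follows is parsed as fresh markup. The following is an added example, not Sphera code: it models the affected page with an assumed template and parameter names (`uid`, `error`), renders a URL-decoded attack string through the vulnerable template and through a hardened one, and reports which tags the attacker managed to introduce. The hardened version also stops the third payload (a forged "user or password incorrect" message) by accepting only an error code and looking the wording up server side.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for sm_login_screen.php (assumed template, not the real page):
# the query-string values are dropped straight into the value="..." attribute and
# into the error paragraph, exactly the pattern the ">-prefixed payloads exploit.
def render_login_vulnerable(uid, error):
    return ('<form action="login.php" method="post">'
            f'<input type="text" name="uid" value="{uid}">'
            '<input type="password" name="pwd">'
            f'<p class="error">{error}</p>'
            '</form>')

# Server-side table of error texts: the page only ever accepts a code, so the
# attacker cannot choose the wording shown to the victim.
ERROR_TEXT = {
    "badcreds": "Either user or password are incorrect, please re-fill in.",
    "expired": "Your session has expired, please log in again.",
}

# Hardened form: html.escape(quote=True) turns " into &quot; and < into &lt;, so the
# value can neither close the attribute nor open a tag; the error text is never user input.
def render_login_hardened(uid, error_code):
    return ('<form action="login.php" method="post">'
            f'<input type="text" name="uid" value="{html.escape(uid, quote=True)}">'
            '<input type="password" name="pwd">'
            f'<p class="error">{html.escape(ERROR_TEXT.get(error_code, ""))}</p>'
            '</form>')

def params_from_url(url):
    """Decode the query string the way the PHP page sees $_GET (first value per name)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}

TEMPLATE_TAGS = {"form", "input", "p"}

def injected_tags(rendered):
    """Tag names present in the output that the template itself never emits."""
    found = re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", rendered)
    return {t.lower() for t in found} - TEMPLATE_TAGS

# Constructed attack URL in the shape of the advisory's samples, URL-encoded the way a
# browser sends it (target host and path are placeholders).
ATTACK_URL = ("http://target.example/cp/login/sm_login_screen.php"
              "?uid=%22%3E%3Ch1%3EXSS%20!&error=Either+user+or+password+are+incorrect")

def demo():
    """Returns (tags injected through the vulnerable page, tags injected through the hardened page)."""
    p = params_from_url(ATTACK_URL)
    vuln = render_login_vulnerable(p["uid"], p["error"])
    safe = render_login_hardened(p["uid"], "badcreds")
    return injected_tags(vuln), injected_tags(safe)

if __name__ == "__main__":
    print(demo())
```

Attribute-context escaping is the whole fix for `uid` and `vds_server_ip`; the `error` and `success_msg` parameters need the extra step of not being free text at all, because a harmless-looking plain message is exactly what the third payload relies on.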
XSS IN THE LOGIN FORM:

http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?uid=">[XSS ATTACK CODE]
http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=">[XSS ATTACK CODE]
http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=[XSS ATTACK CODE COMBINED WITH ANOTHER VARIABLE TO EMULATE A REAL ERROR SUCH AS "EITHER PASSWORD OR USER ARE INCORRECT, RE-FILL IN", IN ORDER TO STEAL THE USER'S DATA]
http://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid=">[XSS ATTACK CODE]&tz=[TIMEZONE CODE, TRY CEST]&vds_server_ip=">[XSS ATTACK CODE]

| SAMPLES |

https://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid="></form>here%20comes%20your%20attack<h1>&tz=CEST&vds_server_ip=">Here%20comes%20your%20XSS%20Attack&error=Either+user+or+password+are+incorrect+,+please+re-fill+in+.
https://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?uid="><h1>XSS%20!

| COMMUNICATIONS |
| ENCRYPTION |

Sphera uses an "insecure" communications data encryption ( DES (16) ). DES is not a very secure algorithm ( I think ). In addition, the control panel scripts don't check whether you are using the https protocol, and allow plain http connections on port 80 ( without SSL ).

| SESSION |
| HIJACKING |
This is a very interesting thing in the Sphera Hosting Director VDS Control Panel; I explain it:

If the first session id that you receive is this: xx01xx01xxX and the next session id is xx01xx02Xxx, the first session id differs from the second in only two parts. This indicates poor session id randomization: the attacker can build a profile by analyzing how the session ids are generated, and write an algorithm or script that produces valid sessions. This can be used to enter the system by changing only the USER ID value, and you then have access to the system with that USER ID's permissions! ;-)

I think there is another possibility for building session id randomization profiles, such as monitoring the use of resources and the stack blocks, but this is very difficult for remote users. The remote method is not very easy, but very possible.

| BUFFER OVERFLOW |
| AND DoS |
I found some possible buffer overflows and Denial of Service attacks.
Some php files used by the VDS control panel environment can be used to conduct denial of service attacks against the installation server.
Other php files can be used to conduct stack attacks through url-based variable hacking and command injection.
-
and this file can be used to conduct DoS and Buffer Overflow attacks against the [TARGET] server with the Sphera VDS Control Panel installed in [INSTALLATION PATH]. I give you some samples:

Make a connection in POST mode and request this:

http://[TARGET]/[INSTALLATION PATH]/dev/VDS/submitted.php?[TARGET USER]\activeservices\http||watchdog_running=[false]&restart_vds=on&success_msg=Remote USER VDS restarted trough this kind of attack

I think that the system checks your referer to authenticate the request, but you can spoof it easily. With this kind of attack you can perform actions in other users' hosting accounts, like password changing, virtual server restarting, watchdog deactivating and other features ;-) .

| CONCLUSIONS AND NOTES |
All the urls that take input through the XSS-affected variables ( uid, vds_server_ip, error, success_msg ) are affected by this hole.
User data and cookies can be stolen by this without permission.
In some conditions we can pass server-based commands.
The server can be brought down by sending specially crafted urls and input values with too-long buffers.
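The session hijacking section above rests on one observation: consecutive ids differ in only a couple of characters. The following is an added example, not Sphera code, showing how an attacker (or a tester auditing a panel) turns a handful of captured ids into that judgement: which positions ever change, how many bits of entropy the sample actually shows, whether one field is a plain counter, and what the next id would therefore be. The ids are constructed to match the advisory's xx01xx01xxX / xx01xx02Xxx shape; they are not real captures. The same analysis is run on ids from the OS CSPRNG for contrast.

```python
import secrets
from collections import Counter
from math import log2

# Constructed sequence in the shape the advisory describes (fixed prefix, a counter in
# the middle, one trailing character that changes). Illustrative values only.
OBSERVED = ["ab01cd01qzX", "ab01cd02qzY", "ab01cd03qzZ",
            "ab01cd04qzA", "ab01cd05qzB", "ab01cd06qzC"]

def varying_positions(ids):
    """Positions whose character differs somewhere in the sample; the rest carry no secret."""
    return [i for i in range(len(ids[0])) if len({s[i] for s in ids}) > 1]

def estimated_entropy_bits(ids):
    """Per-position Shannon entropy summed over the id. With a few samples this is an
    optimistic upper bound on what the generator delivers, so a low figure is damning."""
    n = len(ids)
    total = 0.0
    for i in range(len(ids[0])):
        for c in Counter(s[i] for s in ids).values():
            total -= (c / n) * log2(c / n)
    return total

def counter_field(ids):
    """Find a decimal digit run that increases by exactly one from id to id.
    Returns (start, end) slice bounds, or None if no such field exists."""
    first = ids[0]
    i = 0
    while i < len(first):
        if not first[i].isdigit():
            i += 1
            continue
        j = i
        while j < len(first) and first[j].isdigit():
            j += 1
        base = int(first[i:j])
        if all(s[i:j].isdigit() and int(s[i:j]) == base + k for k, s in enumerate(ids)):
            return (i, j)
        i = j
    return None

def predict_next(ids):
    """Forge the id the next login will most likely receive: step the counter and carry
    every other position over from the last observed id. Whatever varying_positions()
    reports outside the counter is all that is left to brute-force."""
    span = counter_field(ids)
    if span is None:
        return None
    i, j = span
    last = ids[-1]
    return last[:i] + str(int(last[i:j]) + 1).zfill(j - i) + last[j:]

def secure_sample(n=6):
    """What a sound generator looks like under the same analysis: 128 bits from the OS CSPRNG."""
    return [secrets.token_hex(16) for _ in range(n)]

if __name__ == "__main__":
    print(varying_positions(OBSERVED), counter_field(OBSERVED), predict_next(OBSERVED))
    print(round(estimated_entropy_bits(OBSERVED), 2),
          round(estimated_entropy_bits(secure_sample()), 2))
```

On the constructed sample only two of eleven positions ever move, one of them is a counter, and the whole id shows about five bits of entropy; the CSPRNG sample moves in essentially every position and shows no counter. The fix on the server side is the last function: ids from `secrets` (or the platform equivalent), never from time, PID or a sequence.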
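The submitted.php request above works because the only thing standing between the attacker and another user's VDS is a Referer header the attacker writes himself, and because the form names the account to act on. The following is an added example, not Sphera code: it models that check with an assumed panel host and session table, parses a forged POST body in the shape of the advisory's sample, and puts it against a hardened check that requires a per-session token and refuses to act on any account other than the one logged in. The key format (`user\activeservices\http||setting`) is taken from the sample request; the session layout and host name are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs

PANEL_ORIGIN = "https://panel.example/"   # assumed control panel host

# Constructed session table (assumed layout): session id -> acting user and CSRF token.
SESSIONS = {
    "sess-mallory": {"user": "mallory", "csrf": secrets.token_hex(16)},
    "sess-bob":     {"user": "bob",     "csrf": secrets.token_hex(16)},
}

def parse_post_body(body):
    """Decode an application/x-www-form-urlencoded body (first value per name)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def target_user_of(form):
    """The sample request addresses the account inside the field name itself
    ('<user>\\activeservices\\http||watchdog_running'); recover that user name."""
    for key in form:
        if "\\" in key:
            return key.split("\\", 1)[0]
    return None

def authorize_referer_only(headers, form, session):
    """What the advisory suspects the panel does: accept the request when the Referer
    names the panel. Any client can set that header, so this proves nothing."""
    return headers.get("Referer", "").startswith(PANEL_ORIGIN)

def authorize_hardened(headers, form, session):
    """Require the session's unguessable token in the body (constant-time compare) and
    require the account being modified to be the logged-in user. Referer is ignored."""
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(session["csrf"], supplied):
        return False
    return target_user_of(form) == session["user"]

# Constructed forged request: Mallory, logged in as herself, restarts Bob's VDS and
# disables his watchdog, with a Referer pointing at the panel.
FORGED_BODY = (r"bob\activeservices\http||watchdog_running=false"
               "&restart_vds=on&success_msg=Remote+USER+VDS+restarted")
FORGED_HEADERS = {"Referer": PANEL_ORIGIN + "dev/VDS/index.php"}

def demo():
    """Returns (referer-only decision, hardened decision) for the forged request."""
    form = parse_post_body(FORGED_BODY)
    session = SESSIONS["sess-mallory"]
    return (authorize_referer_only(FORGED_HEADERS, form, session),
            authorize_hardened(FORGED_HEADERS, form, session))

if __name__ == "__main__":
    print(demo())
```

The token alone does not close the hole: Mallory can attach her own valid token and still name Bob in the form, which is why the hardened check also compares the targeted account with the session's user. Both checks are needed, one against requests forged from a victim's browser and one against a logged-in user reaching into someone else's account.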
| CONTACT |

Lorenzo Hernandez Garcia-Hierro
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT