Fix code injection vulnerability in delivery limitations #91

Merged
merged 1 commit into from Sep 11, 2013

Contributor

florian-sander commented Sep 11, 2013

There is a code injection vulnerability in the handling of delivery limitations which allows arbitrary code execution for a subset of registered users. This vulnerability is already being actively exploited (I discovered it upon investigating an intrusion into an ad server). This change fixes it.

Not surprisingly, OpenX 2.8.11 is affected by this vulnerability as well. The fix can be easily adapted for OpenX (see http://www.kreativrauschen.com/blog/2013/09/11/zero-day-vulnerability-in-openx-2-8-11/ for the OpenX code).

I do not want to publish an explicit proof-of-concept exploit (even though it is already being exploited we do not need to make it too easy for the bad guys ^_^), but maintainers of the master repository can contact me privately if they need more information about how to exploit the vulnerability.

andrewatfornax Sep 11, 2013

Contributor

Can you please email reproduction steps to me? revive at revive-adserver dot com. Thank you, and will look at this for the 3.0.0 release.


@ghost ghost assigned andrewatfornax Sep 11, 2013

florian-sander Sep 11, 2013

Contributor

Sent.


andrewatfornax Sep 11, 2013

Contributor

Thanks, investigating.


andrewatfornax Sep 11, 2013

Contributor

Confirmed. Note that this exploit can only be used by someone who has access to the Revive Adserver UI with an account - it does not allow access to Revive Adserver or the underlying system for external users without an account.

Fix verified and will merge. Will also add an additional fix that prevents previously created exploits already in place from being executed.


andrewatfornax added a commit that referenced this pull request Sep 11, 2013

Merge pull request #91 from florian-sander/delivery_limitations_vulnerability

Fix code injection vulnerability in delivery limitations

@andrewatfornax andrewatfornax merged commit 633b51d into revive-adserver:master Sep 11, 2013

andrewatfornax Sep 11, 2013

Contributor

Thank you @florian-sander for the report & the fix.


florian-sander Sep 11, 2013

Contributor

You're welcome. Thanks for the quick reaction, it has been a pleasure.


andrewatfornax added a commit that referenced this pull request Sep 11, 2013

@florian-sander florian-sander deleted the florian-sander:delivery_limitations_vulnerability branch Sep 12, 2013

andrewatfornax added a commit that referenced this pull request Sep 13, 2013

Reverted delivery engine changes re: delivery limitation injection attack, due to performance and accuracy concerns - possible breaches will be addressed separately. #91

tt1551239 Feb 23, 2015

Hi.
My organization has exposed that our openx server has been compromised using similar vectors to what has been described here: we have detected 2 php web shells that have been somehow uploaded to the server, in addition to modification of oxCacheFile.delivery.php in a way that tampers with contents of cache causing users to be presented with malicious content instead of legitimate ads.
We use version 2.8.7 of OPENX. We have no idea how the attacker was able to create these shells and modify the cache file content, but we are investigating this right now.
Considering your familiarity with OPENX vulnerabilities, is there any information you can provide that may help us with forensics and making sure that the risk has been eliminated?
In the long term we plan to upgrade to a newer version but as part of our incident response we need some solutions for the long run.
Any help/reference you can provide will be greatly appreciated.
Of course if you will be able to help I will be more than happy to provide any information required regarding my organization's openx usage and what we've found so far as part of our forensics efforts.
Thanks,


@erikgeurts erikgeurts added the Question label Feb 24, 2015

erikgeurts Feb 24, 2015

Contributor

The fact that you have found this code on your server doesn't necessarily mean that there is a vulnerability in the current version. Unfortunately, many hacks that have been investigated turn out to originate from a vulnerability in a much older version.

Please study http://www.revive-adserver.com/security/.

I would like to strongly recommend upgrading to Revive Adserver v3.1; the version of the software you are using has multiple known security vulnerabilities.

In addition, I would like to recommend changing all passwords for all users on the server involved, especially the one used by the system administrator. I also recommend that you protect your www/admin and www/api folders using a .htaccess file.
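One way to implement the .htaccess protection recommended above, as an added example that is not part of the thread or of the Revive Adserver project. It assumes Apache 2.4 (mod_authz_core and mod_auth_basic loaded, `AllowOverride AuthConfig Limit` granted for the directory); the network range and password-file path are constructed placeholders.

```apache
# Constructed example: www/admin/.htaccess (repeat the same file in www/api/).
# Goal: an attacker who steals or guesses an application login still cannot
# reach the admin UI or the API from outside the trusted network, and the
# login page itself sits behind a second, web-server-level credential.

AuthType Basic
AuthName "Revive Adserver administration"
# Password file kept outside the web root (placeholder path); create it with:
#   htpasswd -c /etc/revive/htpasswd <admin-username>
AuthUserFile /etc/revive/htpasswd

<RequireAll>
    # Placeholder range standing in for the office / VPN address space.
    Require ip 203.0.113.0/24
    # A client inside that range still needs a valid basic-auth account.
    Require valid-user
</RequireAll>
```

The same restriction on www/api means XML-RPC clients must also present the basic-auth credentials, so keep it in place only if every API consumer is under your control; the delivery scripts in www/delivery must stay unrestricted or ads stop serving.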
