Fix code injection vulnerability in delivery limitations #91

Merged
merged 1 commit into from Sep 11, 2013


4 participants

@florian-sander
Contributor

There is a code injection vulnerability in the handling of delivery limitations which allows arbitrary code execution for a subset of registered users. This vulnerability is already being actively exploited (I discovered it upon investigating an intrusion into an ad server). This change fixes it.

Not surprisingly, OpenX 2.8.11 is affected by this vulnerability as well. The fix can be easily adapted for OpenX (see http://www.kreativrauschen.com/blog/2013/09/11/zero-day-vulnerability-in-openx-2-8-11/ for the OpenX code).

I do not want to publish an explicit proof-of-concept exploit (even though it is already being exploited we do not need to make it too easy for the bad guys ^_^), but maintainers of the master repository can contact me privately if they need more information about how to exploit the vulnerability.

@andrewatfornax
Contributor

Can you please email reproduction steps to me? revive at revive-adserver dot com. Thank you, and will look at this for the 3.0.0 release.

@florian-sander
Contributor

Sent.

@andrewatfornax
Contributor

Thanks, investigating.

@andrewatfornax
Contributor

Confirmed. Note that this exploit can only be used by someone who has access to the Revive Adserver UI with an account - it does not allow access to Revive Adserver or the underlying system for external users without an account.

Fix verified and will merge. Will also add an additional fix that prevents previously created exploits already in place from being executed.

@andrewatfornax merged commit 633b51d into revive-adserver:master Sep 11, 2013
@andrewatfornax
Contributor

Thank you @florian-sander for the report & the fix.

@florian-sander
Contributor

You're welcome. Thanks for the quick reaction, it has been a pleasure.

@andrewatfornax added a commit that referenced this pull request Sep 11, 2013
098a0c3: Additional security fix related to PR #91 that will prevent execution of any injected code.

@florian-sander deleted the florian-sander:delivery_limitations_vulnerability branch Sep 12, 2013

@andrewatfornax added a commit that referenced this pull request Sep 13, 2013
1a1304c: Reverted delivery engine changes re: delivery limitation injection attack, due to performance and accuracy concerns - possible breaches will be addressed separately. #91
@tt1551239

Hi.
My organization has exposed that our openx server has been compromised using similar vectors to what has been described here: we have detected 2 php web shells that have been somehow uploaded to the server, in addition to modification of oxCacheFile.delivery.php in a way that tampers with contents of cache causing users to be presented with malicious content instead of legitimate ads.
We use version 2.8.7 of OPENX. We have no idea how the attacker was able to create these shells and modify the cache file content, but we are investigating this right now.
Considering your familiarity with OPENX vulnerabilities, is there any information you can provide that may help us with forensics and making sure that the risk has been eliminated?
In the long term we plan to upgrade to a newer version, but as part of our incident response we need some solutions for the long run.
Any help/reference you can provide will be greatly appreciated.
Of course, if you are able to help I will be more than happy to provide any information required regarding my organization's openx usage and what we've found so far as part of our forensics efforts.
Thanks,

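A starting point for the kind of triage the post above asks about, as an added example that is not part of this pull request or of the Revive Adserver / OpenX code base: the script walks a web root, flags PHP files whose modification time is newer than a known-clean baseline and PHP files containing constructs typical of web shells and injected code, and records a SHA-256 hash of each flagged file so it can be compared against a clean install of the same version. The web-root layout, the file paths and the pattern list are assumptions; the sample tree is constructed inline so the script runs offline.

```python
"""
Added example (not from the Revive Adserver / OpenX project): a web-root triage
scan for the two indicators named in the thread above, i.e. uploaded PHP web
shells and a tampered oxCacheFile.delivery.php. Paths and patterns are assumptions.
"""
import hashlib
import os
import re
import tempfile
import time

# Heuristic list of constructs commonly found in PHP web shells / injected code.
# Assumption: this is a starting point, not a complete signature set.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"\beval\s*\(", re.I),
    re.compile(rb"\bbase64_decode\s*\(", re.I),
    re.compile(rb"\b(?:shell_exec|passthru|system|exec|popen|proc_open)\s*\(", re.I),
    # request input used directly as a callable, e.g. $_REQUEST['f'](...)
    re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    # preg_replace with the /e modifier (code execution in old PHP)
    re.compile(rb"\bpreg_replace\s*\([^,]*/e", re.I),
]

PHP_EXTENSIONS = (".php", ".phtml", ".inc")


def sha256_of(path):
    """Hash the file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root, baseline_mtime):
    """Return sorted findings as (relative path, list of reasons, sha256)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            # Files newer than the last known-good deployment deserve a look.
            if os.path.getmtime(path) > baseline_mtime:
                reasons.append("modified after baseline")
            with open(path, "rb") as f:
                data = f.read()
            for pat in SUSPICIOUS_PATTERNS:
                if pat.search(data):
                    reasons.append("matches " + pat.pattern.decode())
            if reasons:
                findings.append((os.path.relpath(path, root), reasons, sha256_of(path)))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree: one legitimate file, one backdoored cache file,
    one web shell. Returns (root, baseline_mtime)."""
    root = tempfile.mkdtemp(prefix="ox_triage_")
    baseline = time.time() - 30 * 86400  # pretend the clean install is 30 days old

    def write(rel, content, mtime):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(content)
        os.utime(p, (mtime, mtime))

    write("lib/legit.php", b"<?php function ok() { return 1; }\n", baseline - 10)
    # Assumed location for the cache file named in the thread; contents are constructed.
    write("lib/oxCacheFile.delivery.php",
          b"<?php\n@eval(base64_decode($_POST['c']));\n", time.time())
    write("www/images/x.php",
          b"<?php $_REQUEST['f']($_REQUEST['a']);\n", time.time())
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_webroot()
    for rel, reasons, digest in scan_webroot(root, baseline):
        print(f"{rel}\n  sha256={digest}\n  " + "\n  ".join(reasons))
```

Run it against the real document root with a baseline taken from the deployment date and compare the hashes of flagged files against a pristine copy of the same release; files that hash identically to the clean package can be dismissed, everything else gets a manual read.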
@erikgeurts erikgeurts added the question label Feb 24, 2015
@erikgeurts
Contributor

The fact that you have found this code on your server doesn't necessarily mean that there is a vulnerability in the current version. Unfortunately, many hacks that have been investigated turn out to originate from a vulnerability in a much older version.

Please study http://www.revive-adserver.com/security/ .

I would like to strongly recommend upgrading to Revive Adserver v3.1, the version of the software you are using has multiple known security vulnerabilities.

In addition, I would like to recommend changing all passwords for all users on the server involved, especially the one used by the system administrator. I also recommend that you protect your www/admin and www/api folders using a .htaccess file.

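One way to implement the .htaccess protection recommended above, as an added example rather than configuration shipped by the Revive Adserver project: the file is placed in the www/admin (and, with the same content, www/api) folder and requires both a source address from an allowed range and an HTTP basic-auth login before the application's own login page is even reachable. Apache 2.4 syntax, the password-file path and the address range are assumptions; replace the placeholders with your own values.

```apache
# Added example .htaccess for www/admin (and www/api), not part of the project.
# Assumes Apache 2.4 with mod_auth_basic, mod_authz_host and mod_authz_user,
# and AllowOverride AuthConfig,Limit enabled for this directory.

AuthType Basic
AuthName "Ad server administration"
# Placeholder path; create the file with:
#   htpasswd -c /etc/apache2/adserver.htpasswd adminuser
AuthUserFile /etc/apache2/adserver.htpasswd

# Both conditions must hold: a request from outside the allowed range, or one
# without valid credentials, is rejected with 403/401 before PHP runs.
<RequireAll>
    # Placeholder range for the operator network or VPN (TEST-NET-3).
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAll>
```

Two points worth checking after deploying it: confirm that AllowOverride permits these directives (otherwise Apache returns a 500 and the folder is not protected), and verify from an address outside the range that the admin URL really answers with a 403 rather than the login page.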