Your Interchange is vulnerable

Discussion in 'General Discussion' started by itf, Aug 10, 2002.

  1. itf

    itf Well-Known Member

    Attention: The provided hack by Kevin Walsh, (SH)Saeed and JackDcrack for Interchange are all vulnerable:

    This hack just protects you against this attack:

    http://domain.com:7786/../../../../../../etc/passwd

    but not these ones:

    http://domain.com:7786/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

    http://domain.com:7786/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd


    I wrote a complete hack to protect you against all kinds of these attacks:

    In a Root SSH session: (press CTRL-C in pico to view your position)

    1- chmod 644 /usr/local/cpanel/3rdparty/interchange/lib/Vend/Server.pm
    2- pico /usr/local/cpanel/3rdparty/interchange/lib/Vend/Server.pm
    3- After the line 754, add the bold text (do not enter line numbers)

    754: #::logDebug("exiting loop");

    755: + 0 while $request =~ s|/[(\.)(%2E)]*/|/|ig;

    756: my $url = new URI::URL $request;
    757: @{$argv} = $url->keywords();


    4- chmod 444 /usr/local/cpanel/3rdparty/interchange/lib/Vend/Server.pm
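
An added example, not part of itf's post and not Interchange code: a stand-alone Perl script that runs the substitution from step 3 over constructed sample paths and compares it with an assumed alternative that percent-decodes once, resolves dot segments and rejects anything that climbs above the root. The helper names `posted_filter` and `canonical_path` are hypothetical; the point to observe is that `[(\.)(%2E)]` is a character class, so it also removes benign path segments made up only of `(`, `)`, `.`, `%`, `2` or `E`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The substitution from step 3, unchanged. [(\.)(%2E)] is a character class:
# it matches any ONE of the characters ( ) . % 2 E (either case with /i),
# not the alternatives "." or "%2E".
sub posted_filter {
    my ($request) = @_;
    0 while $request =~ s|/[(\.)(%2E)]*/|/|ig;
    return $request;
}

# Assumed alternative (hypothetical helper, not Interchange code):
# percent-decode once, then resolve the path segment by segment and
# refuse any request that would climb above the root.
sub canonical_path {
    my ($request) = @_;
    (my $path = $request) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    my @out;
    for my $seg (split m{/+}, $path) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') {
            return undef unless @out;    # would escape the root: reject
            pop @out;
            next;
        }
        push @out, $seg;
    }
    return '/' . join('/', @out);
}

# Constructed sample requests: the three from the post plus benign paths.
my @samples = (
    '/../../../../../../etc/passwd',
    '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
    '/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd',
    '/archive/22/index.html',         # benign: "22" is only class characters
    '/shop/e2/item.html',             # benign: "e2" is only class characters
    '/shop/cart/../checkout.html',    # stripping "/../" is not resolving it
);

for my $req (@samples) {
    my $canon = canonical_path($req);
    printf "%-56s filter=%-26s canonical=%s\n",
        $req, posted_filter($req), defined $canon ? $canon : 'REJECT';
}
```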
     
  2. feanor

    feanor Well-Known Member

    I honestly hope you are sending such details to RedHat as well... they should be getting the information FIRST, before exploits are posted publicly, to begin with.
     
  3. itf

    itf Well-Known Member

    Originally posted by feanor:
    > I honestly hope you are sending such details to RedHat as well... they should be getting the information FIRST, before exploits are posted publicly, to begin with.

    I found 3 other kinds of exploits and reported them, along with the above exploits, to RedHat, and also talked directly to RedHat's engineers.

    And don't publicly post them for our protection. ;)
     
  4. Diatone

    Diatone Well-Known Member

    I did exactly what you said, and my passwd file is still vulnerable.
     
  5. itf

    itf Well-Known Member

    Originally posted by Diatone:
    > I did exactly what you said, and my passwd file is still vulnerable.

    Restart Interchange after those modifications:

    in WHM -> Restart Services -> Ecommerce Server (interchange)
     
  6. Diatone

    Diatone Well-Known Member

    i did.. now i get an internal server error when trying to access the cart. lol
     
  7. Diatone

    Diatone Well-Known Member

    what was the original chmod on that file? So i can change it back and get interchange working again..
     
  8. itf

    itf Well-Known Member

    Originally posted by Diatone:
    > i did.. now i get an internal server error when trying to access the cart. lol

    Give me a while to check that.
     
  9. itf

    itf Well-Known Member

    Originally posted by Diatone:
    > what was the original chmod on that file? So i can change it back and get interchange working again..

    chmod 444
     
  10. itf

    itf Well-Known Member

    Originally posted by Diatone:
    > i did.. now i get an internal server error when trying to access the cart. lol

    I tested Interchange after my hack and it's working fine.

    It seems you've done something wrong.
    I checked out your server and you are still vulnerable.
     
  11. mikerayner

    mikerayner Well-Known Member

    Thanks --ITF it works for me.

    Thanks again ;)
     
  12. myros

    myros Active Member

    I'm assuming if I've never had Interchange running or have disabled it that this vulnerability doesn't apply?

    Myros
     
  13. feanor

    feanor Well-Known Member

    Yes, that is accurate.
    You would definitely want to verify this via a process list; trusting WHManager to fully halt processes forever is a bit of a stretch at this point.


    (ps auxw | grep interchange)
     
  14. SH-Matt

    SH-Matt Registered

    I assume a 404 error is a sign of it working?
     
  15. itf

    itf Well-Known Member

    Originally posted by SH-Matt:
    > I assume a 404 error is a sign of it working?

    YES, it means it's working
     
  16. TRAIN YARD SOFTWARE

    TRAIN YARD SOFTWARE Well-Known Member

    http://domain.com:7786/../../../../../../etc/passwd
    This is what I get now, is this correct?

    /etc/passwd not a Interchange catalog or help file.



    Originally posted by itf:
    > Attention: The provided hack by Kevin Walsh, (SH)Saeed and JackDcrack for Interchange are all vulnerable:
    >
    > This hack just protects you against this attack:
    >
    > http://domain.com:7786/../../../../../../etc/passwd
    >
    > but not these ones:
    >
    > http://domain.com:7786/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
    >
    > http://domain.com:7786/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd
    >
    > I wrote a complete hack to protect you against all kinds of these attacks:
    >
    > In a Root SSH session: (press CTRL-C in pico to view your position)
    >
    > 1- chmod 644 /usr/local/cpanel/3rdparty/interchange/lib/Vend/Server.pm
    > 2- pico /usr/local/cpanel/3rdparty/interchange/lib/Vend/Server.pm
    > 3- After the line 754, add the bold text (do not enter line numbers)
    >
    > 754: #::logDebug("exiting loop");
    >
    > 755: + 0 while $request =~ s|/[(\.)(%2E)]*/|/|ig;
    >
    > 756: my $url = new URI::URL $request;
    > 757: @{$argv} = $url->keywords();
    >
    > 4- chmod 444 /usr/local/cpanel/3rdparty/interchange/lib/Vend/Server.pm
     
  17. itf

    itf Well-Known Member

    apply the hack
    restart interchange (in WHM -> Restart Services -> Ecommerce server)
    then you will get 404 not found page for those exploits
     
  18. TRAIN YARD SOFTWARE

    TRAIN YARD SOFTWARE Well-Known Member

    That's what I did

    Originally posted by itf:
    > in WHM -> Restart Services -> Ecommerce server
    > apply the hack
    > restart interchange
    > then you will get 404 not found page for those exploits
     
  19. itf

    itf Well-Known Member

    Originally posted by TRAIN YARD SOFTWARE:
    > That's what I did
    >
    > Originally posted by itf:
    > > in WHM -> Restart Services -> Ecommerce server
    > > apply the hack
    > > restart interchange
    > > then you will get 404 not found page for those exploits

    I checked out your site; you are still vulnerable.
    It seems that you did something wrong. Copy and paste that line, and if you would like, I can set it up for you now.
     
  20. Radio_Head

    Radio_Head Well-Known Member

    THANK YOU ITF !
     
