SOLUSVM Zero Day

Started by cloudhopping, June 16, 2013, 03:25:42 PM

cloudhopping

Steve from Rack911 is always on top of things - and he sent us the following warning.

http://localhost.re/p/solusvm-11303-vulnerabilities

The easy fix is to simply remove /usr/local/solusvm/www/centralbackup.php, as that will clear the vulnerability.
Of course you could simply run

chmod 000 on /usr/local/solusvm/www/centralbackup.php if you want to keep that file around; my understanding, however, is that the file is no longer needed.

Cloudrck

Rack911 didn't find the issue, localhost.re did.

Danny

regards
Danny

cloudhopping

Whoops - I missed it.

:-) 

And the other comment about who found it - yes, you're right.
On the other hand, Steve is getting the word out to folks - which means a lot.


tallship

I like SolusVM, but we don't use it because it is not an owned solution.
Bradley D. Thornton - Manager Network Services, NorthTech Computer   TEL: +1.310.388.9469 (US) | +44.203.318.2755 (UK) | +61.390.088.072 (AU) | +41.43.508.05.10 (CH)
Registered Linux User #190795 - "Ask Bill why the string in [MS-DOS] function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that." - Dr. Gary Kildall.

psybox

For those who may also have an existing WHMCS install with Solus - make sure you disable the plugin in WHMCS too.

tallship

The vulnerability is still there almost 10 days later????

psybox

Yes it is, and very kindly localhost.re decided to post the WHMCS hack on the module also, so even if you have disabled the file there are other things they can do to your installs...

http://localhost.re/p/solusvm-whmcs-module-316-vulnerability

tallship

Full disclosure policies have their pros and cons. I tend to usually lean toward supporting the idea, but not always, and especially not when it's an open source project.

Many developers of commercial software won't bother fixing their bugs unless security companies adhere to a "full disclosure policy" -- mACROsf0t being one of them, with only the overwhelming pressure to bear of full disclosure companies and the resulting alarmed/terrified licensees of their back office and desktop/office products to force them to fix holes and release service packs.

With open source software (FOSS, especially), I like to see these security companies first try to contact the development teams confidentially and try to encourage a resolution, but with this SolusVM issue so old now.... Well, it might hurt bad but what else is going to get them to fix it?

If they haven't done it yet, and there wasn't full disclosure, then they would have even less inclination to do so if it wasn't publicly announced.

Not that this sort of policy will actually make the vendor fix it faster, but it will kill their client base if such irresponsible behavior continues.

Quote from: localhost.re
Bad news: our little trick won't work if PHP is running in fcgi mode (unless you can guess the time the web server was started, try /status/index.php or try getting the target to restart the webserver process/PHP processes)

Good news: cPanel comes by default with suPHP activated, which spawns a new PHP process for every request. This exploit will work on anything similarly configured

What can you do? Everything that the Solus Admin API can do. You know, like, delete all the containers, all the clients, stuff like that...

Download exploit

Everyone here knows that I consider kbkp to be a major A.S.S.H.A.T.... But having said that, I like to think that I give credit where due and he does indeed seem to immediately put down his crackpipe and fix security issues almost immediately when they appear - that's one thing positive that I can say about him.

It might even be one of the most important things any developer can be regarded for too.

But other than that, he is an A.ss.Hat ;) LOL!

psybox

lol I tend to agree with you there, Kris does seem to patch securities quickly (and I also discovered ipam in my HB today, so two reasons to like Kris today!).

I'm actively looking to replace our cPanel and DA setups with a different control panel, hopefully open source, and also considering moving to a less automated setup across all brands. Too much automation seems to bring a heavy cost towards security. However I haven't found any such CP to consider - most tend to be pretty dire.

tallship

Quote from: psybox on June 24, 2013, 02:19:02 PM
lol I tend to agree with you there, Kris does seem to patch securities quickly (and I also discovered ipam in my HB today, so two reasons to like Kris today!).

You mean iPAM was included in the 4.6.8 d/l package you picked up???? I don't understand. I thought that all d/l's were identical for each respective week, so just to clarify, you're saying that in your particular download of 4.6.8, IPAM was actually part of that download?

Quote from: psybox on June 24, 2013, 02:19:02 PM
I'm actively looking to replace our cPanel and DA setups with a different control panel, hopefully open source, and also considering moving to a less automated setup across all brands. Too much automation seems to bring a heavy cost towards security. However I haven't found any such CP to consider - most tend to be pretty dire.

I'm interested in investigating the purchase of DirectAdmin. Some people really like it, so if you have an owned license, I might be interested in taking it off your hands at some point down the road. I think the current price from them for an owned, unbranded copy, is about $200 bucks, IIRC.

I'm not going to give attribution to the author of the quote below, for reasons of privacy, but here's a Control panel that's in production with a little bit of background on it.

Quote
i-MSCP   http://www.i-mscp.net

It's a fork of ispCP. It's heavily developed by only a few folks (mostly european), but good folks. And of course being completely open source, we all make tweaks and mods, give and discuss direction/features, etc. And free, so it scales nicely  ;)  Always happy to have more help developing it!

I will say, however, that there is expected to be a forthcoming integration w/HostBill coming for it soon ;)

I hope that helps you out there psybox :)

kindest regards,

psybox

Well, I've never upgraded past 4.6.0 - and discovered today an IPAM tab in which I can record all sorts of data. I presumed I never had it, so never looked before now.

I'm a reseller of DA - if you wanted to spin up a VPS I can give you a license for a month or two to play with :)

I've never heard of i-mscp, although I have discounted ispcp before. I'll give it a check out though, thanks :)

cloudhopping

If you're shopping - I would suggest checking out Interworx.
If you are looking for high availability - check out Interworx.

DirectAdmin - not bad - but I found Interworx to offer a lot more.
Also - in cost - Interworx, if you buy the lifetime license, is $300/server.

Not bad in the long run - just about the same as DirectAdmin.

I will admit however the DirectAdmin pricing, if you're a reseller of dedicated hardware, is really nice if you go over 20 units.

If you got IPAM for free - then what the heck did I pay for it for?

psybox

Interworx is on my radar - but I feel like I'm substituting cPanel for a lesser CP for similar cash, if that makes sense. We offer DA free with all our cloud and VPS stuff - A) it's really cheap and B) there is a market for cPanel haters!

I found the IPAM tab in a client whose order page was set to dedicated - along with another tab for addons, for which I am not sure what it does. Maybe it's not the full IPAM module??

tallship

Landed in my inbox less than an hour ago...

Quote from: WHMCS Security
========================================
SolusVM WHMCS Module Security Advisory
http://blog.whmcs.com/?t=75031
========================================

*** Advisory Notice for SolusVM Users ***

We are writing today to notify clients of a critical security vulnerability in
the SolusVM WHMCS Module Version 3.16. While SolusVM's WHMCS Module is not part
of the default WHMCS release package, we know that many of our users use WHMCS
in conjunction with SolusVM and therefore we are posting/emailing everyone as a
precaution.

== How to Check If You Are Affected ==

The SolusVM Module is not shipped with, or by WHMCS. Thus, only if you've
installed this module yourself would you be at risk. You can verify by checking
if the directory /path/to/whmcs/modules/servers/solusvmpro/ exists. If it does
not, you are not vulnerable, and require no further action.

== How to Protect Yourself ==

The update to the SolusVM module can be found in the following blog post from
SolusVM on their own website:
http://blog.soluslabs.com/2013/06/24/whmcs-module-update-security/

Be sure to also check the blog homepage @ http://blog.soluslabs.com/ for details
of the latest security related updates to the core SolusVM application.

========================================

WHMCS Limited
www.whmcs.com

- Support: http://support.whmcs.com/
- Documentation: http://docs.whmcs.com/
- Members Area: http://www.whmcs.com/members/

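The two checks discussed in this thread, scripted as an added example (this is not code from the thread, from SolusVM or from WHMCS): the first post's mitigation for centralbackup.php (remove it, or chmod 000 if you want to keep it) and the WHMCS advisory's test for the modules/servers/solusvmpro/ directory. The SolusVM path is the one the first post gives; the WHMCS root is an assumed placeholder, set WHMCS_ROOT to the real install. The script only reports by default and applies the chmod when run with --lock.

```shell
#!/bin/sh
# Added example, not code from the thread, SolusVM or WHMCS: report whether the
# file the first post names is still reachable, optionally apply the chmod 000
# mitigation it suggests, and check for the WHMCS module directory the advisory
# says to look for. Both paths can be overridden from the environment;
# WHMCS_ROOT defaults to the advisory's placeholder and must be set for real use.

SOLUSVM_BACKUP_FILE="${SOLUSVM_BACKUP_FILE:-/usr/local/solusvm/www/centralbackup.php}"
WHMCS_ROOT="${WHMCS_ROOT:-/path/to/whmcs}"

# Octal permission bits of a file, on both GNU and BSD stat (constructed helper).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_centralbackup FILE -> absent | locked (mode 000) | exposed
check_centralbackup() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ "$(file_mode "$1")" = "0" ]; then
        echo locked
    else
        echo exposed
    fi
}

# lock_centralbackup FILE -> chmod 000 so the web server can no longer serve it;
# this keeps the file on disk, the post's alternative to deleting it outright.
lock_centralbackup() {
    [ -e "$1" ] || return 0
    chmod 000 "$1"
}

# check_whmcs_module WHMCS_ROOT -> present | absent, per the advisory's test
check_whmcs_module() {
    if [ -d "$1/modules/servers/solusvmpro" ]; then
        echo present
    else
        echo absent
    fi
}

# Report only by default; pass --lock to apply the chmod mitigation.
state=$(check_centralbackup "$SOLUSVM_BACKUP_FILE")
echo "centralbackup.php: $state"
if [ "$state" = "exposed" ] && [ "${1:-}" = "--lock" ]; then
    lock_centralbackup "$SOLUSVM_BACKUP_FILE"
    echo "centralbackup.php: now $(check_centralbackup "$SOLUSVM_BACKUP_FILE")"
fi
echo "whmcs solusvmpro module: $(check_whmcs_module "$WHMCS_ROOT")"
```

Run it as root on the SolusVM master (and with WHMCS_ROOT pointed at the billing install, if that lives on the same box). A "present" result for the module means the advisory's update still has to be applied; locking the file does not cover the WHMCS-side issue psybox points out above.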