Message-ID: <52018C26.5050706@redhat.com>
Date: Tue, 06 Aug 2013 17:52:06 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>, Assign a CVE Identifier <cve-assign@...re.org>, "Steven M. Christey" <coley@...re.org>
Subject: OpenX Ad Server Backdoor CVE?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I assume this needs a CVE? Mitre have you guys seen a request for one?

https://isc.sans.edu/diary/OpenX+Ad+Server+Backdoor/16303

According to a post by Heise Security, a backdoor has been spotted in the popular open source ad software OpenX [1][2]. Apparently the backdoor has been present since at least November 2012. I tried to download the source to verify the information, but it appears the files have been removed.

The backdoor is disguised as php code that appears to create a jQuery javascript snippet:

this.each(function(){l=flashembed(this,k,j)}<?php /*if(e) {jQuery.tools=jQuery.tools||{version: {}};jQuery.tools.version.flashembed='1.0.2'; */$j='ex'./**/'plode'; /* if(this.className ...

Heise recommends to search the ".js" files of OpenX for php code to find out if your version of OpenX is the backdoored version.

find . -name \*.js -exec grep -l '<?php' {} \;

The backdoor can then be used by an attacker to upload a shell to www/images/debugs.php .

We have seen in the past several web sites that delivered malicious ads served by compromised ad servers. This could be the reason for some of these compromises.

If you run OpenX:
- verify the above information (and let us know)
- if you can find the backdoor, disable/uninstall OpenX
- make sure you remove the "debug.php" file
- best: rebuild the server if you can

Heise investigated a version 2.8.10 of OpenX with a date of December 9th and an md5 of 6b3459f16238aa717f379565650cb0cf for the openXVideoAds.zip file.
[1] http://www.heise.de/newsticker/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html (only in German at this point)
[2] http://www.openx.com

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
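As an added example (not from the advisory, the ISC diary, or the OpenX project), the following scanner generalises the `find ... grep -l '<?php'` check quoted in the message: it walks a web root, reports every `.js` file that contains a PHP open tag together with the line number and a snippet, and checks whether the dropped file named in the message (www/images/debugs.php) exists. The directory layout and file contents it builds under a temporary directory are constructed for demonstration.

```python
import os
import re
import tempfile

# PHP open tags ('<?php' and '<?='); PHP treats the tag name case-insensitively.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# File the message names as the dropped shell, relative to the OpenX web root.
DROPPED_FILES = ("www/images/debugs.php",)

def scan_js_file(path):
    """Return [(line_no, snippet)] for every PHP open tag found in one .js file."""
    hits = []
    with open(path, "rb") as fh:
        for line_no, line in enumerate(fh, 1):
            for m in PHP_TAG.finditer(line):
                start = max(0, m.start() - 20)
                snippet = line[start:m.end() + 40].decode("latin-1").strip()
                hits.append((line_no, snippet))
    return hits

def scan_tree(root):
    """Walk root and map each tainted .js path (relative to root) to its hits."""
    tainted = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".js"):
                full = os.path.join(dirpath, name)
                hits = scan_js_file(full)
                if hits:
                    tainted[os.path.relpath(full, root)] = hits
    return tainted

def dropped_files_present(root):
    """Return the dropped-file paths from the message that exist under root."""
    return [p for p in DROPPED_FILES if os.path.isfile(os.path.join(root, p))]

def demo():
    """Build a constructed web root: one clean .js, one backdoored .js, one dropped file."""
    root = tempfile.mkdtemp(prefix="openx-scan-")
    os.makedirs(os.path.join(root, "www", "images"))
    os.makedirs(os.path.join(root, "plugins"))
    with open(os.path.join(root, "plugins", "clean.js"), "w") as fh:
        fh.write("jQuery.tools = jQuery.tools || {version: {}};\n")
    with open(os.path.join(root, "plugins", "flashembed.js"), "w") as fh:  # mimics the quoted snippet
        fh.write("this.each(function(){l=flashembed(this,k,j)}<?php /*if(e) {*/$j='ex'./**/'plode'; /*\n")
    with open(os.path.join(root, "www", "images", "debugs.php"), "w") as fh:
        fh.write("<?php /* constructed stand-in for the dropped file */ ?>\n")
    return root, scan_tree(root), dropped_files_present(root)
```

Calling `demo()` returns the constructed root, the tainted `.js` files with their hits, and the dropped files found; point `scan_tree()` and `dropped_files_present()` at a real OpenX web root to run the same check there.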