
Critical Update for ISPManager4 4.4.10.25

A critical update for ISPManager4 has been released to address security vulnerabilities associated with local user management.

Dmytro


A few days ago, a critical update for ISPManager4 was released for both the Lite and Pro versions. The new revision is 4.4.10.25, and its release was necessitated by a serious bug in the ISPManager algorithm for working with local users.

The official announcement of this version does not provide insights into the problem:

> 4.4.10.25 — 18.08.2015
> bugfix
>
> Fixed a security issue. More details in the documentation: DenyAuthUIDRanges parameter. We recommend that you update to this version.

Meanwhile, several partners and colleagues have shared information gathered while investigating successful exploitations of this vulnerability. This allows us to reconstruct a rough outline of the attacker's actions.

Using the pingback mechanism of a CMS (WordPress, for example), a forged call is made to the local ISPManager panel with a specially crafted URL. The URL invokes the ISPManager4 API function that changes a user's password.

Example from the ISPManager4 log file:

Aug 20 17:01:11 [ 5308:1469] INFO Request [IP.ADD.RE.SS][apache] 'sok=ok&elid=www%2Ddata&func=usrparam&confirm=*&passwd=*&name=www%2Ddata&out=json'
Aug 20 17:01:14 [ 5308:1471] INFO Request [IP.ADD.RE.SS][apache] 'sok=ok&elid=nginx&func=usrparam&confirm=*&passwd=*&name=nginx&out=json'
Aug 20 17:01:16 [ 5308:1473] INFO Request [IP.ADD.RE.SS][apache] 'sok=ok&elid=www&func=usrparam&confirm=*&passwd=*&name=www&out=json'
Aug 20 17:01:19 [ 5308:1475] INFO Request [IP.ADD.RE.SS][apache] 'sok=ok&elid=apache&func=usrparam&confirm=*&passwd=*&name=apache&out=json'

Here IP.ADD.RE.SS is the address of the node under attack. It is evident that the attacker is brute-forcing the “standard” usernames under which web server components might run—password changes are attempted for each of these users in turn.

From the web server’s perspective, the request appears as follows:

domain.tld "GET /manager/ispmgr?out=json&name=user&passwd=XXXXXXXXXX&confirm=XXXXXXXXXX&func=usrparam&elid=user&sok=ok HTTP/1.0" 200 35 "-" "WordPress/3.8.9; http://www.domain.tld; verifying pingback from IP"
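The two log excerpts above (the ISPManager4 request log and the web server access log) are what an administrator has to work with when checking for traces of this activity. The following Python script is an added example, not code from the original post or from ISPManager: it parses both formats and flags `usrparam` password-change requests that were issued by a web-server system user or arrived through the `/manager/` URL. The sample log lines are constructed, modelled on the ones shown above; the access log is assumed to be in the standard Apache combined format, and the set of web-server usernames is an assumption that should be adjusted to the host.

```python
import re
from urllib.parse import parse_qs

# Constructed ISPManager4 log lines, modelled on the excerpt in the post.
# The third line is a benign request from the admin and must not be flagged.
ISPMGR_LOG = """\
Aug 20 17:01:11 [ 5308:1469] INFO Request [IP.ADD.RE.SS][apache] 'sok=ok&elid=www%2Ddata&func=usrparam&confirm=*&passwd=*&name=www%2Ddata&out=json'
Aug 20 17:01:14 [ 5308:1471] INFO Request [IP.ADD.RE.SS][apache] 'sok=ok&elid=nginx&func=usrparam&confirm=*&passwd=*&name=nginx&out=json'
Aug 20 17:02:30 [ 5308:1480] INFO Request [IP.ADD.RE.SS][admin] 'func=user&out=json'
"""

# Constructed Apache access log lines (combined format, assumed). The first
# carries the pingback verification User-Agent seen in the post.
ACCESS_LOG = """\
203.0.113.5 - - [20/Aug/2015:17:01:11 +0300] "GET /manager/ispmgr?out=json&name=www-data&passwd=XXXXXXXXXX&confirm=XXXXXXXXXX&func=usrparam&elid=www-data&sok=ok HTTP/1.0" 200 35 "-" "WordPress/3.8.9; http://www.domain.tld; verifying pingback from 198.51.100.7"
203.0.113.5 - - [20/Aug/2015:17:05:00 +0300] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Assumed list of accounts web server components commonly run as.
WEB_SERVER_USERS = {"apache", "www", "www-data", "nginx", "httpd", "_www"}

# "Aug 20 17:01:11 [ 5308:1469] INFO Request [ip][user] 'query'"
ISPMGR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \[ *(?P<pid>\d+):(?P<tid>\d+)\] INFO Request "
    r"\[(?P<ip>[^\]]*)\]\[(?P<user>[^\]]*)\] '(?P<query>[^']*)'"
)

# Apache combined log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def _param(q, name):
    """First value of a query parameter, or '' if absent."""
    return q.get(name, [""])[0]


def scan_ispmgr_log(text):
    """Return (panel_user, target_user, timestamp) for every password-change
    (func=usrparam) request the panel accepted from a web-server system user."""
    hits = []
    for line in text.splitlines():
        m = ISPMGR_RE.match(line)
        if not m:
            continue
        q = parse_qs(m["query"])  # decodes www%2Ddata -> www-data
        if _param(q, "func") != "usrparam":
            continue
        if m["user"] in WEB_SERVER_USERS:
            hits.append((m["user"], _param(q, "elid"), m["ts"]))
    return hits


def scan_access_log(text):
    """Return one record per request to /manager/ that carries func=usrparam,
    noting whether it arrived via a CMS pingback verifier."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path, _, query = m["path"].partition("?")
        if not path.startswith("/manager/"):
            continue
        q = parse_qs(query)
        if _param(q, "func") != "usrparam":
            continue
        hits.append({
            "src": m["ip"],
            "target": _param(q, "elid"),
            "status": int(m["status"]),
            "via_pingback": "pingback" in m["ua"].lower(),
        })
    return hits


if __name__ == "__main__":
    for user, target, ts in scan_ispmgr_log(ISPMGR_LOG):
        print(f"{ts}: panel user '{user}' changed password of '{target}'")
    for h in scan_access_log(ACCESS_LOG):
        print(f"{h['src']} -> usrparam for '{h['target']}' "
              f"(HTTP {h['status']}, pingback={h['via_pingback']})")
```

Run it against the real `/usr/local/ispmgr/var/ispmgr.log` and the virtual host access logs by replacing the constructed strings with file contents. A `usrparam` request whose panel user is a web-server account is exactly the pattern the post describes and should not occur in normal administration; an HTTP 200 on such a request in the access log means the panel accepted it.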

Our assumption regarding the bug is as follows. As is well known, ISPManager4 usually runs as an Apache module—this is evident from the include file:

# head -1 /usr/local/ispmgr/etc/ispmgr.inc
LoadModule ispmgr_module /usr/local/ispmgr/lib/apache/mod_ispmgr.so

This module handles URLs of the form IP.ADD.RE.SS/manager/, and the panel user in this case is the uid that Apache itself runs as (apache, www, www-data—depending on the operating system). Apparently, when a password change request arrives, ISPManager4 performs no additional checks and allows this system user to set a password.

From there, everything depends on the imagination of the attacker—having gained access to the system, one can use ssh, exploit other vulnerabilities to gain root access, and so on.

If you are using ISPManager4 Lite or Pro, we recommend that you update the control panel immediately and check the system for possible traces of compromise. Pay attention to any “extra” users in the control panel and any abnormal behavior of the OS, and of course make sure that WordPress and any other CMS are up to date.
