Open source projects with anywhere between 100,000 and 1 million downloads are pretty sizable endeavors, and with the code open for scrutiny, you would think bugs would be found and some sort of disclosure process would be in place.
If a spate of recently discovered issues in seven popular software packages hosted on Sourceforge is any indication, the answer might be no on both counts.
Metasploit exploit modules were released recently for post-authentication command execution and arbitrary file-read vulnerabilities in enterprise applications such as Moodle, vTiger CRM and Openbravo ERP, as well as network monitoring software Zabbix, Linux-based hosting control panel program ISPConfig, and consumer software such as OpenMediaVault and NAS4Free. In total, these packages have been downloaded more than 16 million times with Moodle leading the way at nearly 4.8 million downloads.
“It’s not Apache, it’s not Linux, but that’s still a lot of downloads. If I run software with four million downloads, that’s a lot I think,” said Tod Beardsley, Metasploit engineering manager. “If you assume, with the 16 million number, that 1% to 2% are installed and running today, that’s still north of a quarter-million installs.”
These bugs were found by former Rapid7 engineer Brandon Perry, who after DEF CON this summer decided to look for low-hanging fruit on Sourceforge: vulnerabilities in smaller packages that would likely show up in a pen-test, for example.
“Sixteen million downloads over the lifetime of those projects is a pretty decent install base,” Beardsley said. “Coupled with the adventures I had in vulnerability disclosure with these guys indicated to me that they are not very well-practiced at receiving vulnerability notification, which makes me think we may have been the first or among the first that have ever contacted them about security vulnerabilities. There was weirdness in the reporting you don’t run into with Apache or Microsoft, for example.”
Researchers, exploit developers and code auditors would likely target smaller packages, especially in penetration testing engagements, yet some of the software projects listed here did not acknowledge these were even security issues; five of the seven have not been patched, for example. Since all require a username and password to carry out an exploit, the severity of the issue is lessened somewhat. But hackers have proven that it’s not difficult to garner information that could help them learn or guess credentials.
“In Moodle’s case, they don’t believe it’s a bug, which is fine. They can believe that. I talked to them, and they have reasonable arguments why it’s not a bug and normal. But in the end, pen testers don’t care if a vendor calls it a bug or not. If they can get a shell off of it, it’s good for the bad guys and it’s good for penetration testers.”
The Moodle issue, for example, can be exploited to steal an administrator’s session via cross-site scripting, allowing an attacker to log in with ordinary credentials and then supply a session key for an admin, Perry said in a blog post describing the problem. This would allow the lesser-privileged user to get a shell on the web application, which can lead to much more serious problems such as session hijacking or cookie stealing.
“In our opinion, it’s an extension of control that the developers and the users are probably not expecting,” Beardsley said. “I don’t expect to be able to get a shell over port 80. That’s generally not a design feature.”
Now that the modules have been released, Beardsley said organizations running the affected software packages can use them to evaluate their own risk profiles.
“All of these [issues] are post-authentication, meaning at a minimum you need a username and password, so maybe that’s good enough,” Beardsley said. “Having the module out allows you as an IT admin to audit for passwords; maybe the passwords [stink]. If the passwords are good, everything’s fine. And if there are no other cross-site scripting vulnerabilities that allow session hijacking, everything’s fine.”