Security Advisory
CVE-2010-1582
24/7 Real Media's Open AdStream v.5.7

1. INTRODUCTION

Copyright and Disclaimer

The information in this advisory is Copyright 2010 Conviso IT Security and is provided so that the public can understand the risk they may face by running affected software, hardware or other components on their systems. If you wish to copy information from this advisory, you must either copy all of it or refer to this document (including our URL). No guarantee is provided for the accuracy of this information, nor for any damage you may cause to your systems while testing.

2. About Conviso IT Security

Founded in 2008 by a team of professionals working in the IT security market since 1997, Conviso IT Security is a consulting company specialized in network and application security services. Our values are based on allocating the adequate competencies in the field, clear and direct speech with the market, collaboration and partnership with our customers and business partners, and constant investment in methodology and research improvement. The issue in this advisory was discovered as part of a general investigation into the security of software used in the IT environments of our customers. For more information about our company and the services we provide, please check our website at www.conviso.com.br.

3. The Security Research

Conviso IT Security maintains a virtual team dedicated to exploring our customers' environments in order to identify technical vulnerabilities in software and hardware, developing real-world mitigation solutions and processes to maintain more secure environments. Led by Wagner Elias, our R&D Manager, this team is named Conviso Security Labs and also contributes to projects of important world-class organizations. The vulnerability described in this security advisory was discovered by Wagner Elias on January 14th 2010 during a malware investigation project.

SECURITY ADVISORY

1. Issue Description

This advisory describes a vulnerability in the permissions of the RealMedia directory created by default during the installation of Open AdStream, an ad campaign management platform provided by 24/7 Real Media. The directory exposes the product's configuration files directly to the Internet, including .sql files that contain access credentials. As a result, an attacker who can read all configuration files and access credentials can use this flaw to install a backdoor or take over the affected component.

2. Affected Components

The vulnerability was identified in deployments of Open AdStream Version 5.7 on several large Brazilian Internet portals and media delivery websites. The product's web page is located at http://www.247realmedia.com/EN-US/us/open-ad-stream.html. This version of the product can be used only with MySQL 3.23 and Apache 1.3.x, versions which are outdated and vulnerable to several exploits, as described in the security advisories published at http://www.securityfocus.com/bid/11357 and http://httpd.apache.org/security/vulnerabilities_13.html.

3. Finding Affected Sites with this Issue

The vulnerability described in this advisory can easily be found by "script kiddie" style attackers making non-targeted attacks, by searching Google using "Google Hacking" techniques, for instance for the directory and file names listed in the next section.

4. The Details

The deployment
process performed by 24/7 Real Media keeps the default configuration of Open AdStream, which publishes the configuration files of the host directly to the Internet at a location of the form http://admXX.customername.com.br/RealMedia. The following example files can be fully accessed:

ads
bcrypt
Classes
ConvertNotification.ini
hash.txt
index.html
ini
install.sh
libstdc++.so.2.10
license.txt
license.txt.bfe
oasis_apache.layout
oasis.cfg
oasis_cfg_apache.sh
oasis_cfg_cron.sh
oasis_cfg_distrib.sh
oasis_cfg_mysql.sh
oasis_cfg_ns.sh
oasis_copysofiles.sh
oasis_errorlog.sh
oasis_example.cfg
oasis_find_apache.sh
oasis_finish_upgrade.sh
oasis_install.ini
oasis_install_oas.sh
oasis.log
oasis_mysql_createdb.sql
oasis_mysql_createdb.sql.template
oasis_mysql_insertdb.sql
oasis_mysql_uninstalldb.sql
oasis_mysql_insertuser.sql
oasis_upgrade_de.sh
oasis_mysql_insertdb.sql.template
oasis_mysql_testdb.sql
oasis_params.cfg
oasis_mysql_testdb.sql.template
oasis_mysql_uninstalldb.sql.template
oasis_mysql_uninstallOAS.sql.template
oasis_ReportFormat.awk
oasis_wsusr_nightly.cron
oasis_mysql_insertuser.sql.template
oasis_wsusr_apache.cron
oasis.sh
oasis_upgrade_ns.cfg
oasis_validate_config.sh
oasis_wsusr_bean.cron.template
oasis_mysql_uninstallOAS.sql
oasis_path_substitution.sh
oasis_ReportFormat_mapping.5.1.1
oasis_ReportFormat_mapping.5.1.2
oasis_upgrade_apache.cfg
oasis_upgrade_ns.sh
oasis_util.sh
oasis_wsusr_bean.cron
oasis_wsusr_nightly.cron.template

As a result, the database server location as well as the access credentials of administrative accounts can be found in the files oasis_mysql_insertuser.sql and oasis_params.cfg. With this information, an attacker could gain access to the database and perform any malicious activity. Other files, such as oasis_install.ini and install.sh, disclose the directory organization of the Open AdStream server, which could be useful in combination with another attack.
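The following check is an added example written for this edit; it is not code from the advisory or from 24/7 Real Media. It verifies whether a host you are authorised to test still hands out the RealMedia directory, and it assumes the URL layout shown above (the /RealMedia/ path directly under the web root) and that the listing reproduced above is an Apache directory index. The host name and the sample HTTP responses are constructed so the check runs offline.

```python
import urllib.error
import urllib.parse
import urllib.request

# Path of the install directory relative to the web root, taken from the
# advisory's URL pattern http://admXX.customername.com.br/RealMedia
REALMEDIA_PATH = "/RealMedia/"

# Files from the advisory's listing that matter most if they are readable.
SENSITIVE_FILES = (
    "oasis_mysql_insertuser.sql",  # administrative account credentials
    "oasis_params.cfg",            # database server location and credentials
    "oasis_install.ini",           # directory organization of the server
    "install.sh",
    "oasis.cfg",
)


def http_get(url, timeout=5):
    """GET url, returning (status, first 4 KiB of body). An HTTP error yields
    its status code with an empty body; a network failure yields (None, b'')."""
    req = urllib.request.Request(url, headers={"User-Agent": "oas-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def is_file_body(body):
    """Soft-404 guard: a config, SQL or shell file never starts as an HTML page."""
    head = body.lstrip()[:32].lower()
    return bool(head) and not head.startswith((b"<!doctype", b"<html"))


def directory_listing_enabled(base_url, fetch=http_get):
    """True when GET /RealMedia/ returns an autoindex page, i.e. the complete
    listing reproduced in the advisory is browsable."""
    status, body = fetch(base_url.rstrip("/") + REALMEDIA_PATH)
    return status == 200 and b"index of" in body.lower()


def exposed_files(base_url, files=SENSITIVE_FILES, fetch=http_get):
    """Return the names under /RealMedia/ that the server hands out readable."""
    found = []
    for name in files:
        status, body = fetch(base_url.rstrip("/") + REALMEDIA_PATH + name)
        if status == 200 and is_file_body(body):
            found.append(name)
    return found


def assess(base_url, fetch=http_get):
    """Summarise one host: 'critical' when credential-bearing files are readable,
    'listing' when only the index or non-credential files leak, else 'clean'."""
    files = exposed_files(base_url, fetch=fetch)
    listing = directory_listing_enabled(base_url, fetch=fetch)
    if any(name.endswith((".sql", ".cfg")) for name in files):
        level = "critical"
    elif files or listing:
        level = "listing"
    else:
        level = "clean"
    return {"host": base_url, "level": level, "files": files, "listing": listing}


# Constructed responses standing in for a vulnerable host so the check runs
# offline; pass fetch=http_get to scan a host you are authorised to test.
_FAKE_RESPONSES = {
    "/RealMedia/": (200, b"<html><head><title>Index of /RealMedia</title></head></html>"),
    "/RealMedia/oasis_params.cfg": (200, b"# constructed sample\ndb_host = db.internal\n"),
    "/RealMedia/oasis_mysql_insertuser.sql": (200, b"-- constructed sample\nINSERT INTO ...\n"),
    "/RealMedia/install.sh": (200, b"<html><body>Page not found</body></html>"),  # soft 404
}


def fake_fetch(url, timeout=5):
    """Offline stand-in for http_get keyed on the URL path."""
    return _FAKE_RESPONSES.get(urllib.parse.urlsplit(url).path, (404, b""))


if __name__ == "__main__":
    print(assess("http://admXX.customername.com.br", fetch=fake_fetch))
```

The soft-404 guard matters on exactly this kind of host: portals commonly answer unknown paths with a 200 error page, so a bare status check would report every name in the listing as exposed. The check deliberately reads only the first 4 KiB and never parses or stores the credentials it finds; confirming that a .sql or .cfg file is readable is enough to rate the host.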
Another problem we found is related to the old versions of the Apache HTTP Server and MySQL that must be installed to use the affected software. The Apache Software Foundation released the final release of version 1.3 of the Apache HTTP Server on February 3rd 2010, stating that no more full releases will be produced, although critical security updates may be made available, as described in their mailing list archives at http://mail-archives.apache.org/mod_mbox/httpd-announce/201002.mbox/%3C20100203000334.GA19021@infiltrator.stdlib.net%3E. They recommend that users update to the current 2.2 version.

5. Issue Mitigation

The permissions of the RealMedia directory should be changed in order to deny web access to the configuration files. Ideally the installation scripts and configuration files should not live under the web server's document root at all; until they are moved, the web server must refuse to serve them. Any database credentials that were reachable from the Internet should be considered compromised and rotated, and the outdated Apache and MySQL releases the product depends on should be upgraded as well.
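As an added example of the mitigation in section 5 (not part of the advisory or of 24/7 Real Media's documentation), the following Apache configuration denies web access to the whole RealMedia tree, disables directory indexes, and additionally refuses to serve the file types from the listing anywhere under the server. It uses the Apache 1.3 / 2.2 access-control syntax because those are the versions the advisory says the product requires; the 2.4 equivalent is shown in comments. The directory path is an assumption and must be replaced with the real document root of the Open AdStream host.

```apache
# Added example, not from the advisory or from 24/7 Real Media.
# The directory path is an assumption: use the real DocumentRoot of the OAS host.

# Apache 1.3 / 2.2 syntax
<Directory "/usr/local/apache/htdocs/RealMedia">
    Options -Indexes
    Order deny,allow
    Deny from all
</Directory>

# Belt and braces: never serve these file types anywhere under the server,
# in case a copy of the install directory exists elsewhere in the web root.
<FilesMatch "\.(sql|cfg|ini|sh|log|cron|template|awk|layout|bfe)$">
    Order deny,allow
    Deny from all
</FilesMatch>

# Apache 2.4 equivalent of the first stanza:
# <Directory "/usr/local/apache/htdocs/RealMedia">
#     Options -Indexes
#     Require all denied
# </Directory>
```

After reloading the server, a request such as `curl -sI http://admXX.customername.com.br/RealMedia/oasis_params.cfg` should return 403 rather than 200. If some part of the tree genuinely has to stay reachable for ad delivery, re-open only that sub-directory with a nested <Directory> block that reverses the Order/Allow directives, rather than relaxing the deny on the parent.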
6. Additional Vulnerabilities Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-1582 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

ISSUE SEVERITY SCORES

Conviso IT Security calculated the scores of this vulnerability using the online CVSS calculator found at http://www.patchadvisor.com/PatchAdvisor/CVSSCalculator.aspx and described at http://www.first.org/cvss/cvss-guide.pdf.

Base Metrics Value: 9 | Temporal Metrics Value: 9 | Environmental Metrics Value: 7
