# SolusVM WHMCS Module Vulnerability



## weservit (Jun 23, 2013)

http://localhost.re/p/solusvm-whmcs-module-316-vulnerability

...

We are running everything in FCGI mode, but just to warn people who aren't.


----------



## john (Jun 23, 2013)

great...


----------



## drmike (Jun 23, 2013)

Wow.  That's a total hack job... Full access.

Wish this info would have waited until after their "audit"


----------



## SkylarM (Jun 23, 2013)

and so it begins.


----------



## blergh (Jun 23, 2013)

Shit happens.


----------



## Chronic (Jun 23, 2013)

Hopefully providers act fast. I've got my popcorn ready.


----------



## Patrick (Jun 23, 2013)

You can still be hacked even if you're running in FCGI, you just need to crash your PHP and guess the time it restarts, etc.


----------



## kaniini (Jun 23, 2013)

I have to say that is actually a pretty brilliant exploit, owning the fact that it's a multi-part POST to Solus is amazing.

I am seriously impressed.


----------



## ShardHost (Jun 23, 2013)

Lockdown just turned into shutdown.


----------



## Steven (Jun 23, 2013)

As I said on webhostingtalk, something to make a note of, running fastcgi does not mean you are immune. All someone needs to do is crash your fastcgi processes or webserver. Furthermore, if you run whmcs on a cpanel server with default log processing times and fastcgi, your webserver will restart itself every two hours which makes it predictable.


----------



## George_Fusioned (Jun 23, 2013)

Steven, nice to have you here, welcome.


----------



## SeriesN (Jun 23, 2013)

Disabled API access for now. Back to caveman days. Doing everything manually.


----------



## upsetcvps (Jun 23, 2013)

chicago vps PLEASE TELL ME YOU'VE SEEN THIS.  PLEASE RESTORE MY FAITH.


----------



## SkylarM (Jun 23, 2013)

upsetcvps said:


> chicago vps PLEASE TELL ME YOU'VE SEEN THIS.  PLEASE RESTORE MY FAITH.


God I'd hope so... THAT would be a mess.


----------



## ShardHost (Jun 23, 2013)

Steven said:


> As I said on webhostingtalk, something to make a note of, running fastcgi does not mean you are immune. All someone needs to do is crash your fastcgi processes or webserver. Furthermore, if you run whmcs on a cpanel server with default log processing times and fastcgi, your webserver will restart itself every two hours which makes it predictable.


Good advice and welcome.

Some different ways to resolve this:

1) Shutdown Solus

2) Disable API Access

3) Disable access from WHMCS install to Solus

4) Remove the rootpassword.php file

I think this is the tip of the iceberg.  This person at localhost.re is obviously very talented and this latest exploit is very elegant.  This is likely to get a whole lot messier before it gets better.


----------



## Steven (Jun 23, 2013)

ShardHost said:


> 4) Remove the rootpassword.php file


I wanted to mention, this is not the only file that is vulnerable as confirmed by sources on IRC.


----------



## ShardHost (Jun 23, 2013)

Steven said:


> I wanted to mention, this is not the only file that is vulnerable as confirmed by sources on IRC.



We had already removed the entirety of the SolusVM module.


----------



## D. Strout (Jun 23, 2013)

What fun. What will be next? I'm still waiting for the vulnerability in OpenVZ and/or KVM themselves. The main software of this industry is going to shit, anytime now it will be the actual technologies it is based on. $7/mo dedis or bust!


----------



## Marc M. (Jun 23, 2013)

@D. Strout KVM vulnerabilities are less likely to occur, just because of the way it functions.


----------



## kaniini (Jun 23, 2013)

D. Strout said:


> What fun. What will be next? I'm still waiting for the vulnerability in OpenVZ and/or KVM themselves. The main software of this industry is going to shit, anytime now it will be the actual technologies it is based on. $7/mo dedis or bust!


The underlying technologies are okay.  The problem is that SolusVM, WHMCS etc are crapware written by incompetent people who have no business writing software, but get away with it because hosting is now the new kind of lemonade stand.  Don't believe me?  Look at that shovenose kid -- he launched a KVM VPS company without even knowing how to use KVM.

Quite frankly, if you don't understand your virtualization stack and enough about writing code to at least take a critical look at the software you are deploying, you don't need to be playing in this industry.

To be frank: let the incompetent providers burn.  It will be a huge win for consumers.


----------



## concerto49 (Jun 23, 2013)

Reported the issue to Solus. Their "audits" aren't very encouraging though.


----------



## D. Strout (Jun 23, 2013)

Marc M. said:


> @D. Strout KVM vulnerabilities are less likely to occur, just because of the way it functions.


I hope you're right. Selling VPSes is getting to be enough of a headache without vulnerabilities in the underlying bits. I do come off a bit pessimistic there, really I'm excited to see some of the (hopefully better) software that will come out of these fiascoes.


----------



## D. Strout (Jun 23, 2013)

concerto49 said:


> Reported the issue to Solus. Their "audits" aren't very encouraging though.


...To put it mildly. Really whether real change comes at this point depends on if SVM realizes that people are willing to ditch their product due to these issues and the utter lack of transparency. (They are, aren't they?) If there's any chance that sales will continue despite this, nothing will happen.


----------



## weservit (Jun 23, 2013)

Received from Solus:


Yes, We are working on this. Patch will be ready within couple of minutes


I would suggest to disable the API from solusvm until our senior admin confirmation about the patch.


----------



## kaniini (Jun 23, 2013)

D. Strout said:


> I hope you're right. Selling VPSes is getting to be enough of a headache without vulnerabilities in the underlying bits. I do come off a bit pessimistic there, really I'm excited to see some of the (hopefully better) software that will come out of these fiascoes.


Unfortunately not.  Capisso VMPanel, for example, is making the same exact security mistakes.  And any software that is good, like Stallion or Cloudware is not likely to be handed out like candy.


----------



## rsk (Jun 23, 2013)

So does this mean ModulesGarden's solusvm/whmcs module is safer than the original solusvm produced whmcs addon? XD

Sheesh...


----------



## kaniini (Jun 23, 2013)

D. Strout said:


> ...To put it mildly. Really whether real change comes at this point depends on if SVM realizes that people are willing to ditch their product due to these issues and the utter lack of transparency. (They are, aren't they?) If there's any chance that sales will continue despite this, nothing will happen.


No change will come because ultimately, the children running SolusVM (and let me assure you, 90% of SolusVM customers are children) will continue to run it, because _the software enables them_.

The serious players in this industry either gave up on Solus a long time ago (BuyVM, for example) or never ran it in the first place (Linode, Rackspace, etc).

Capisso etc. with or without the same security vulnerabilities won't ship either, because nobody will care.  SolusVM will forgive a few months of licensing fees and that will be the end of it, I assure you.

The only way change will happen is if the customers stop paying for substandard products run by the substandard companies that provide them.  If people refuse to buy VPSes managed by Solus, then you will have their attention.


----------



## lulzsecurity (Jun 23, 2013)

pff.... so many lulz, where do I begin....


----------



## D. Strout (Jun 23, 2013)

kaniini said:


> No change will come because ultimately, the children running SolusVM (and let me assure you, 90% of SolusVM customers are children) will continue to run it, because the software enables them.


I hope you're wrong. Take the LET > VPSB move. I never thought there would be any major move away from LET due to inertia. But there was. Hopefully someone will come through with a really good product and people will wake up, take notice, and switch.


----------



## rsk (Jun 23, 2013)

D. Strout said:


> Hopefully someone will come through with a really good product and people will wake up, take notice, and switch.


Agreed.


----------



## kaniini (Jun 23, 2013)

D. Strout said:


> I hope you're wrong. Take the LET > VPSB move. I never thought there would be any major move away from LET due to inertia. But there was. Hopefully someone will come through with a really good product and people will wake up, take notice, and switch.


The problem with your theory is that switching from LET to VPSB is easy: you just go to a new site.

Switching to a new panel is a much more complex proposition.  Beyond that, the people delivering these panels (again I use Capisso VMPanel as an example here) are likely incapable of providing a migration tool _if_ they even ship any code to begin with.

So, for migration, you're probably on your own.  Now, if you're a typical host on here, meaning that you don't have the sufficient skills to run the business to begin with, but are able to fake it because SolusVM is good enough 75% of the time, are you really going to take the gamble with your livelihood?


----------



## mikho (Jun 23, 2013)

D. Strout said:


> I hope you're wrong. Take the LET > VPSB move. I never thought there would be any major move away from LET due to inertia. But there was. Hopefully someone will come through with a really good product and people will wake up, take notice, and switch.


It was timing that made it possible, something that had been created before the hack of LET. Not after or because of it.
And it was something that was created by a member of LET who was well respected.


And come to think about it, it was actually a small change compared to a provider changing the backbone of their setup.


I guess that would be harder.


----------



## kaniini (Jun 23, 2013)

Missed this one:



rsk said:


> So does this mean ModulesGarden's solusvm/whmcs module is safer than the original solusvm produced whmcs addon? XD
> 
> Sheesh...


The vulnerability is in the fact that the "Solusvmpro" module does not filter form parameters and uses libcurl to POST to the SolusVM master.

Whether or not the ModulesGarden module is safer has to do with whether or not the same behaviour is used.  But it is probably safer to assume that the exact same method of POSTing to the SolusVM master is used, due to the nature of PHP coders to cut-and-paste code.

So, I'd say both modules are probably vulnerable in the same way... _but_ I do not have access to the source of the ModulesGarden one to confirm that.


----------



## weservit (Jun 23, 2013)

SolusVM should hire that localhost.re guy to check their code before a release.


----------



## Francisco (Jun 23, 2013)

weservit said:


> SolusVM should hire that localhost.re guy to check their code before a release.


Fairly sure he already said he'd turn them down, even if offered 6 figures.

Best of luck to everyone,

Francisco


----------



## drmike (Jun 23, 2013)

upsetcvps said:


> chicago vps PLEASE TELL ME YOU'VE SEEN THIS.  PLEASE RESTORE MY FAITH.



Restore your faith ehh?  A little late for that.


----------



## Jack (Jun 23, 2013)

buffalooed said:


> Restore your faith ehh?  A little late for that.


Chris knows, I messaged him as I figured he'd be first to get hit by it considering all he has posted about is restricting access to WHMCS only.


----------



## drmike (Jun 23, 2013)

Jack said:


> Chris knows, I messaged him as I figured he'd be first to get hit by it



I don't know why he's such a big target.  It could be because he's the biggest.... mouth...?

Nice of you to give him a heads up though 

Solus Labs give me an uneasy feeling in general.   I am not in the industry, but do unfortunately end up using their product(s).  Well, until sensible hosts took their software offline.



> The destiny of HyperVM was pretty sad - despite the personal problems that Ligesh had, he had still managed to create a good product on his own. Here is a little bit about us:
> 
> *Phillip Bandelow *(Lead Developer / Co Founder):
> 
> ...


----------



## concerto49 (Jun 23, 2013)

Francisco said:


> Fairly sure he already said he'd turn them down, even if offered 6 figures.
> 
> 
> Best of luck to everyone,
> ...


Solus can afford a 6 figure salary?


----------



## Jack (Jun 23, 2013)

concerto49 said:


> Solus can afford a 6 figure salary?


Probably.


----------



## Jack (Jun 23, 2013)

buffalooed said:


> I don't know why he's such a big target.  It could be because he's the biggest.... mouth...?
> 
> Nice of you to give him a heads up though
> 
> Solus Labs give me an uneasy feeling in general.   I am not in the industry, but do unfortunately end up using their product(s).  Well, until sensible hosts took their software offline.


He seems to have calmed down a bit now on forums.


----------



## Francisco (Jun 23, 2013)

concerto49 said:


> Solus can afford a 6 figure salary?


I don't know 

Remember, solus makes a lot of money. They aren't some operation making a few thousand a month. 99%+ of the current VPS market is "powered" by SolusVM. Chris alone was coughing them for 200 104 nodes, so $1000/m+ from him alone, Ramnode is another $500/m+, hostigation is likely the same. BurstNET uses it for their KVM offers so they're coughing at least a few hundred to them too. That's not counting the countless other VPS hosts around here that are adding smaller amounts.

I figure solus is likely in the half mill a year range.

Francisco


----------



## Francisco (Jun 23, 2013)

Jack said:


> He seems to have calmed down a bit now on forums.


Happened last time as well. Every time he gets pants'd he calms down and becomes very down to earth.

Give it a few months, he'll forget that this all happened and be back to his usual.

Francisco


----------



## jeff_lfcvps (Jun 23, 2013)

Isn't this really more of a curl security bug than a SolusVM one?


----------



## Aldryic C'boas (Jun 23, 2013)

kaniini said:


> Now, if you're a typical host on here, meaning that you don't have the sufficient skills to run the business to begin with, but are able to fake it because SolusVM is good enough 75% of the time



It amuses me to no end how many people just walked right past that with their heads bowed, desperately trying not to make eye contact.


----------



## clone1018 (Jun 23, 2013)

kaniini said:


> Unfortunately not.  Capisso VMPanel, for example, is making the same exact security mistakes.  And any software that is good, like Stallion or Cloudware is not likely to be handed out like candy.


Which mistakes are those?

-- Actually if you'd like to PM me so we don't clutter this thread, that would be great.


----------



## D. Strout (Jun 23, 2013)

Aldryic C said:


> It amuses me to no end how many people just walked right past that with their heads bowed, desperately trying not to make eye contact.


#reasonsimnotaprovider number 158


----------



## kaniini (Jun 23, 2013)

clone1018 said:


> Which mistakes are those?
> 
> -- Actually if you'd like to PM me so we don't clutter this thread, that would be great.


Your demo that you showed earlier shows the output of raw commands being run on nodes.  If you are designing things properly, you wouldn't even be thinking about running raw commands in the API layer, as I have said now ad infinitum.

From the node perspective you should assume that your controller is just as hostile as any other box on the net and force them to speak a proper API to you.


----------



## GVH-Jon (Jun 23, 2013)

The line has been crossed, I'm tired of this. We're switching to Virtualizor.


----------



## D. Strout (Jun 23, 2013)

GVH-Jon said:


> Virtualizor


How have I not heard about this, and if it's a good, workable panel, why isn't everyone using/switching to it?


----------



## Steven (Jun 23, 2013)

GVH-Jon said:


> The line has been crossed, I'm tired of this. We're switching to Virtualizor.


As you are switching to Virtualizor, are you sure similar security holes do not exist there?

It is very important to note that on virtualizor, most of the web facing php runs as *ROOT*.


----------



## kaniini (Jun 23, 2013)

D. Strout said:


> How have I not heard about this, and if it's a good, workable panel, why isn't everyone using/switching to it?


Because it is somehow even more of a disaster than SolusVM.  Which is amazing, because SolusVM is pretty bad...


----------



## D. Strout (Jun 23, 2013)

kaniini said:


> Because it is somehow even more of a disaster than SolusVM.  Which is amazing, because SolusVM is pretty bad...


That explains it. It's not



D. Strout said:


> a good, workable panel


----------



## GVH-Jon (Jun 23, 2013)

Okay, no Virtualizor then. OnApp.


----------



## GVH-Jon (Jun 23, 2013)

UPDATE FROM SOLUSVM: A PATCH FOR THE SOLUSVM WHMCS MODULE WILL BE AVAILABLE WITHIN A FEW MINUTES.

Direct Quote:



> Hi,
> 
> Yes, We are aware of this and working on this. Patch will be ready within a few minutes.
> 
> ...


----------



## perennate (Jun 23, 2013)

@GVH-Jon someone got the exact same response two hours ago, so I wouldn't count on it


----------



## concerto49 (Jun 23, 2013)

perennate said:


> @GVH-Jon someone got the exact same response two hours ago, so I wouldn't count on it


Yes, we did too. Now they say shortly.


----------



## drmike (Jun 23, 2013)

What I posted earlier was from SolusLabs' own support site/forum.  At that point (2009?) SolusLabs seemed microscopic.  Two nerds and a secretary.

Does anyone know how big or small SolusLabs is these days?  I suspect, not very big.

Asking the founders/authors to audit their own work is like getting two parents to admit they have an ugly child.   Internal audits are notoriously laughable when it comes to security and software.

Totally possible the authors are unaware of these hack methods/not their cup of tea. Nothing wrong with that per se.  But they should get to offering bounty money and bring in a PHP person with more advanced knowledge/proficiency in PHP security.


----------



## perennate (Jun 23, 2013)

> Does anyone know how big or small SolusLabs is these days?


Probably they dropped the secretary.


----------



## DaringHost (Jun 23, 2013)

It looks like shortly is taking longer than expected


----------



## concerto49 (Jun 23, 2013)

DaringHost said:


> It looks like shortly is taking longer than expected


Shortly in Solus time is like 2 years....


----------



## D. Strout (Jun 23, 2013)

Too true, that. Once a company gets big enough, they figure they don't actually have to do anything any more. Customers are guaranteed no matter what.


----------



## wlanboy (Jun 23, 2013)

This time the timing wasn't perfect.

He should have waited until SolusVM posted that the security review is done, everything is fixed and a new secure version can be downloaded.


----------



## blergh (Jun 24, 2013)

kaniini said:


> Quite frankly, if you don't understand your virtualization stack and enough about writing code to at least take a critical look at the software you are deploying, you don't need to be playing in this industry.


lol'd

It sounds like you have completely forgotten where you posted this.


----------



## Jack (Jun 24, 2013)

They're annoying me now, GRRR.


----------



## Shados (Jun 24, 2013)

jeff_lfcvps said:


> Isn't this really more of a curl security bug than a SolusVM one?


That's like saying SQL injections are an SQL security bug (hint: They're not, they're an input sanitization/validation bug). Curl could use a stronger randomization/uniqueness guarantee method for it, sure, but Solus needs to be authenticating the origin of incoming requests and confirming that they do actually have enough authority to do what they're requesting. If they were, you _wouldn't be able to use this to do anything more than you could already do_.

In other words:



kaniini said:


> From the node perspective you should assume that your controller is just as hostile as any other box on the net and force them to speak a proper API to you.



kaniini said:


> Unfortunately not.  Capisso VMPanel, for example, is making the same exact security mistakes.  And any software that is good, like Stallion or Cloudware is not likely to be handed out like candy.


What? I thought you _were_ handing out Cloudware like candy. _Free_ candy!

Also, I've been reading through TortoiseLabs various repositories and related stuff, and I'm a little bit in love with you guys for your use of Xen, Python and sanity.


----------



## kaniini (Jun 24, 2013)

Shados said:


> What? I thought you were handing out Cloudware like candy. Free candy!


Technically we are, as in, you can download the code, set it up and use it.  But to put it all together, at least, for now, you need to have an inquisitive mind and be able to put everything together yourself.

We may do more than that in the future, who knows.  On the other hand, why would I want to give an industry advantage to someone who hasn't earned it?


----------



## AnthonySmith (Jun 24, 2013)

Pissed off ? .... YES

Surprised ? ... Sadly ... no

My perspective as a host on all of this is as follows:

Solusvm is very hated, I have been guilty of much hate myself in the past, not of the people but the business. Does that mean people should be trying to attack and destroy the business? No, absolutely not.

No offence to anyone who is running their own panel but frankly I believe yours is probably much worse, this includes Stallion and Cloudware and any other one you want to name, that is being used, maintained and designed by a single host. Now let me qualify that.. everyone will jump on SolusVM for being insecure, poor support, things are broken, but the absolute undeniable truth is 99.9% of the time it is perfect for the job as the industry currently stands and it does make advances in functionality all the time.

As has been quoted SolusVM most probably pulls in half a million a year in pure profit, this is not pocket change, this is many many many times more money than even some of the bigger hosts in this scene, if anyone had a better product they would be going after this market share... in fact if anyone could do better we would not be having this conversation because someone would have already and solusvm would be thought of in the same way some of the more obscure panels are now.

This has nothing to do with "giving an advantage". Unless your company makes more than half a million profit per year with almost zero overhead in man hours or financial outlay then frankly I call BS on the legitimacy of the quality of your own product, you simply keep it secure by not allowing others to see it. Writing a solusvm migration script is so simple it should not even be considered as a blocker in any panel, I have almost no coding experience but I can figure out how to nullify solusvm on any node and import the OVZ/Xen/KVM services in to other panels (tried and tested on cloudmin) in less than an hour, I could shell script it in less than 2 hours.

I completely believe in people poking things with sticks to find holes, however I don't agree for one second with the way this is being done i.e. releasing the details of the hole with exploit code on a public blog while showing no effort to inform the vendor, this is an attack, it is an attempt to destroy solusvm simple as that.

As much as you all seem to enjoy kicking them when they are down... let me put this to some of you... what are you going to do if this guy wins and destroys solusvm... switch to hypervm?? haha, this guy is not just attacking solusvm, he is attacking me, he is attacking Tim, Joe, Jarland, Ash, Jack etc etc and he is attacking everyone else too that is using solusvm, and guess what... that means you too as an end user of any host that also uses solusvm, he is giving away access to your VPS and all your data.

So anyone that supports the actions of the person releasing these exploits supports the attack on my company and every other company here that uses solusvm and my advice would be gtfo of here and go and offer to keep watch for some burglars instead, I don't see you as any different, I have said it once and I will say it again, this sort of thing deserves 2 years in jail minimum.

What do you do when you see a shop door that has been left in an insecure state?... do you report it to the store or authorities or do you assume that this gives you the right to enter the store and fuck everything up inside it then walk away laughing because fuck them for leaving the door like that, and then do you think you will be able to blame them for what you did later?

Think about it.


----------



## RiotSecurity (Jun 24, 2013)

Well, it looks like SolusVM should be sending in the crisis teams ... the software itself, now the module ... I can't wait to find a post saying their site got hacked next ...


----------



## peterw (Jun 24, 2013)

AnthonySmith said:


> I completely believe in people poking things with sticks to find holes, however I don't agree for one second with the way this is being done i.e. releasing the details of the hole with exploit code on a public blog while showing no effort to inform the vendor, this is an attack, it is an attempt to destroy solusvm simple as that.


True words.  I hope someday the leakers will have something of worth that someone else is destroying just because he is able to destroy it. But I don't think that the leakers will ever build up something even worth mentioning.


----------



## vld (Jun 24, 2013)

Patch: http://docs.solusvm.com/v2/Default.htm#Modules/Billing/WHMCS/Installation.htm


----------



## acd (Jun 24, 2013)

Shados said:


> That's like saying SQL injections are an SQL security bug (hint: They're not, they're an input sanitization/validation bug). Curl could use a stronger randomization/uniqueness guarantee method for it, sure, but Solus needs to be authenticating the origin of incoming requests and confirming that they do actually have enough authority to do what they're requesting.


Per RFC 2046, section 5.1, Multipart Media Type:



> As stated previously, each body part is preceded by a boundary
> delimiter line that contains the boundary delimiter. *The boundary*
> 
> 
> ...


So yes, as libcurl is the composing agent and the calling program has no knowledge of or capability to select the boundary delimiter, it is a curl bug.

Some nice bloke filed it in the curl bug list before I had the chance this morning.

That's not to say you are wrong, I wholeheartedly agree that this could and should be solved with proper input sanitization (which it seems is how they patched it).
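
The composer-side rule acd quotes from RFC 2046 5.1 (the boundary must not appear in any encapsulated part) and the missing parameter filtering kaniini describes, as an added Python example; this is not the module's PHP code nor anything from SolusVM or curl, the field names are hypothetical and the sample values are constructed:

```python
import os
import re

# Constructed sample: the kind of fields a billing module might POST to a
# control-panel API. The names are hypothetical, not a real API's parameters.
EXAMPLE_FIELDS = {
    "id": "api_user",
    "key": "api_key",
    "action": "reboot",
    "vserverid": "1234",
}

CRLF = "\r\n"


class UnsafeFieldValue(ValueError):
    """Raised when an untrusted form value could break multipart framing."""


def check_field(name, value, boundary):
    """Reject names/values that a receiver could misread as multipart framing.

    RFC 2046 5.1 puts the burden on the composing agent: the boundary must not
    occur inside any part. When the values come from an untrusted form, the
    caller has to enforce that before handing them to a library that builds
    the body. Refusing CR/LF is stricter than the RFC requires, but a plain
    API parameter never legitimately contains a line break.
    """
    for text, label in ((name, "name"), (value, "value")):
        if "\r" in text or "\n" in text:
            raise UnsafeFieldValue(f"{label} of field {name!r} contains a line break")
        if boundary in text:
            raise UnsafeFieldValue(f"{label} of field {name!r} contains the boundary")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        raise UnsafeFieldValue(f"field name {name!r} is not a plain token")


def new_boundary():
    # 128 bits from the OS CSPRNG: whoever supplied the values cannot predict it.
    return "----" + os.urandom(16).hex()


def build_multipart(fields, boundary=None):
    """Compose a multipart/form-data body, validating every field first.

    Returns (content_type_header_value, body_bytes).
    """
    boundary = boundary or new_boundary()
    for name, value in fields.items():
        check_field(name, value, boundary)
    lines = []
    for name, value in fields.items():
        lines.append(f"--{boundary}")
        lines.append(f'Content-Disposition: form-data; name="{name}"')
        lines.append("")
        lines.append(value)
    lines.append(f"--{boundary}--")
    lines.append("")
    return f"multipart/form-data; boundary={boundary}", CRLF.join(lines).encode("utf-8")


def count_parts(body, boundary):
    """Parts a receiver would see: one per delimiter line, excluding the closing one."""
    delimiter = (CRLF + "--" + boundary + CRLF).encode("utf-8")
    # The first delimiter has no preceding CRLF in the body; prepend one so
    # every delimiter line matches the same pattern.
    return (CRLF.encode("utf-8") + body).count(delimiter)


def is_safe_request(fields, boundary=None):
    """True when all fields pass validation, False when any would be rejected."""
    try:
        build_multipart(fields, boundary)
        return True
    except UnsafeFieldValue:
        return False
```

The number of parts the receiver sees must equal the number of fields the caller supplied; that equality is what the validation protects, independently of how the boundary was chosen.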


----------

