Friday, July 8, 2011
GoDaddy Server Side Vulnerability Exposed
July 8, 2011
Hacker Leaks received the following anonymous submission:
"Not only did Go Daddy have a XSS security vulnerability on their their control panel (https://www.hushmail.com/hushmail/showHelpFile.php?PHPSESSID=D4B1B044D9C6BBC75792BC1640384926&file=popupHyperlinkHelp.html#http://www.offensive-security.com/offsec/godaddy-xss-exploit/), Go Daddy has additional server side weaknesses (and easter eggs) that could result in a compromise of your Go Daddy website data and functionality. At the time of this writing, I have a shared hosting account with Go Daddy, because their service was cheap and my website does not host any complex functionality or important data. For the first couple months I used the control panel to build my site directly in HTML. Then, I noticed that I had the option of enabling ssh on my account as an included feature! Other hosting services such as Aplus.net require a copy of your drivers license to allow ssh access to their shared-hosted server. Go Daddy requires a click of a button. Once I enabled the service and logged into my account, the first command I issued was “ls -la -R / > directoryDump.txt”, which produced a file over 1
7 MB in size! This command allowed me to see the entire directory structure for the server in the areas where I had read permissions. Upon further inspection, I noticed that all shared hosting users are placed into a group (inetuser) and all are assigned to the same chrooted environment. By being part of the same group, all the users have access to all shared hosting user ftp/ssh usernames on the server! My account was given a limited path by default, not including /sbin/, but I added that by using PATH=/sbin/:restOfYourPath.. Go Daddy does limit the default tools and programs you can run, such as no ssh use from their server going outbound. So I added a couple of my tools from Ubuntu: ifconfig, netcat, and some python and perl scripts.
The permissions for some user directories are interesting. One thing I noticed, is that for each user’s directory that I had access to, they had an implementation of Joomla. My guess is the default Joomla settings that the Go daddy's Control Panel applies upon install makes changes to their directory permissions. That gives inetuser group members access to their Joomla configuration.php files. If you know something about Joomla, you know that’s not good. Also, each user has access to the chrooted /etc/shadow file showing the password hash of the user whose permissions protect the mail/spool process for the chrooted part of the server. In addition, each user can access the /etc/group file that contains administrator usernames for the server.
Running ifconfig helped me discover that the server was dual homed with two public ip addresses on interfaces bond0 and dummy0. The dummy0 interface is the ip address that all shared hosting website names resolve to. The bond0 interface is what the server uses for outbound communications, but it also supports inbound ssh/ftp connections.
Localhost has some interesting ports open:
$ netstat -antup |grep 127.0.0.1
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN - SMUX
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - SMTP
Brute force attack::
Having extracted over 7000 user names from the directory listing file, I decided to see if my user account could be brute forced. So, I ran the following command with THC-hydra using a dictionary file with my password at about line 200.
hydra -l username -P wordlist.txt serverIPaddress ftp -V
After about 200 tries and 90 seconds my password was cracked-confirming that Go Daddy does not lockout users after a reasonable number of attempts. I’m assuming the administrator accounts found in the shadow and group files can be attacked this way also, just over ssh.
Go-Go Daddy Anonymous Email!
“Anonymous” email through an open smtp server.
Using netcat or telnet, connect to port 25:
./nc -v localhost 25
localhost.localdomain [127.0.0.1] 25 (smtp) open
220 XX.XX.XX.XX.server.net ESMTP Sendmail 8.13.8/8.12.11; Fri, 1 Apr 2011 20:10:30 -0700
250 XX.XX.XX.XX.server.net Hello XX.XX.XX.server.net [XX.XX.XX.XX], pleased to meet you
MAIL FROM: meh@localhost
250 2.1.0 meh@localhost... Sender ok
RCPT TO: email@example.com
250 2.1.5 firstname.lastname@example.org... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 XXXXXXXX Message accepted for delivery
Anyone with ssh access can send anonymous email from the Go Daddy sever, as the case with open smtp services. After more research, I discovered that you can assume any host name that is being hosted on that server and send email from it without Go Daddy requiring authentication as that user, such as the case is with gmail and other secure services. For example, if xyz.com is a domain hosted on the server, then I could send any email from either email@example.com or firstname.lastname@example.org whether or not their account exists with no issues whatsoever. Not only does this have SPAM use written all over it, one could social-engineer your way to more access in people’s directories, web-sites, or wallets.
Read emails from other sites!
By running the following command: ps ax | grep sendmail, you will see the email files that are in queue.
66466 ? S 0:00 sendmail: ./b777fsxt066666 from queue
Further more, you will see if you navigate to /var/spool/clientmqueue all of the queue messages from cron jobs. Some of these messages are issued to users that sign up to new sites and may be used for password reset functionality. Discover for yourself. :)
Go Daddy provides cheap hosting with significant security vulnerabilities. I leave it to you the consumer to make the choice of whether you want to host your data using their shared hosting services or look for more secure hosting. Either way, Go Daddy could easily address these weaknesses to protect its customers data. But will they?"
The analysis of the Hacker Leaks team is that the above information is on the mark, and reveals a serious security hole in the GoDaddy hosting service.