Friday, July 8, 2011
GoDaddy Server Side Vulnerability Exposed
Hacker Leaks received the following anonymous submission:
"Not only did Go Daddy have an XSS security vulnerability on their control panel (https://www.hushmail.com/hushmail/showHelpFile.php?PHPSESSID=D4B1B044D9C6BBC75792BC1640384926&file=popupHyperlinkHelp.html#http://www.offensive-security.com/offsec/godaddy-xss-exploit/), Go Daddy has additional server side weaknesses (and Easter eggs) that could result in a compromise of your Go Daddy website data and functionality. At the time of this writing, I have a shared hosting account with Go Daddy, because their service was cheap and my website does not host any complex functionality or important data. For the first couple of months I used the control panel to build my site directly in HTML. Then, I noticed that I had the option of enabling ssh on my account as an included feature! Other hosting services such as Aplus.net require a copy of your driver's license to allow ssh access to their shared-hosted server. Go Daddy requires a click of a button. Once I enabled the service and logged into my account, the first command I issued was “ls -la -R / > directoryDump.txt”, which produced a file over 17 MB in size! This command allowed me to see the entire directory structure for the server in the areas where I had read permissions. Upon further inspection, I noticed that all shared hosting users are placed into a group (inetuser) and all are assigned to the same chrooted environment. By being part of the same group, all the users have access to all shared hosting user ftp/ssh usernames on the server! My account was given a limited path by default, not including /sbin/, but I added that by using PATH=/sbin/:restOfYourPath. Go Daddy does limit the default tools and programs you can run, such as no ssh use from their server going outbound. So I added a couple of my tools from Ubuntu: ifconfig, netcat, and some python and perl scripts.
Permissions:
The permissions for some user directories are interesting. One thing I noticed is that for each user’s directory that I had access to, they had an implementation of Joomla. My guess is the default Joomla settings that Go Daddy's Control Panel applies upon install make changes to their directory permissions. That gives inetuser group members access to their Joomla configuration.php files. If you know something about Joomla, you know that’s not good. Also, each user has access to the chrooted /etc/shadow file showing the password hash of the user whose permissions protect the mail/spool process for the chrooted part of the server. In addition, each user can access the /etc/group file that contains administrator usernames for the server.
Network:
Running ifconfig helped me discover that the server was dual homed with two public IP addresses on interfaces bond0 and dummy0. The dummy0 interface is the IP address that all shared hosting website names resolve to. The bond0 interface is what the server uses for outbound communications, but it also supports inbound ssh/ftp connections.
Localhost has some interesting ports open:
$ netstat -antup |grep 127.0.0.1
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN - SMUX
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - SMTP
Brute force attack:
Having extracted over 7000 user names from the directory listing file, I decided to see if my user account could be brute forced. So, I ran the following command with THC-hydra using a dictionary file with my password at about line 200.
hydra -l username -P wordlist.txt serverIPaddress ftp -V
After about 200 tries and 90 seconds my password was cracked, confirming that Go Daddy does not lock out users after a reasonable number of attempts. I’m assuming the administrator accounts found in the shadow and group files can be attacked this way also, just over ssh.
Easter Eggs:
Go-Go Daddy Anonymous Email!
“Anonymous” email through an open smtp server.
Using netcat or telnet, connect to port 25:
./nc -v localhost 25
localhost.localdomain [127.0.0.1] 25 (smtp) open
220 XX.XX.XX.XX.server.net ESMTP Sendmail 8.13.8/8.12.11; Fri, 1 Apr 2011 20:10:30 -0700
HELO localhost
250 XX.XX.XX.XX.server.net Hello XX.XX.XX.server.net [XX.XX.XX.XX], pleased to meet you
MAIL FROM: meh@localhost
250 2.1.0 meh@localhost... Sender ok
RCPT TO: meow@gmail.com
250 2.1.5 meow@gmail.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
hello!
.
250 2.0.0 XXXXXXXX Message accepted for delivery
…
Anyone with ssh access can send anonymous email from the Go Daddy server, as is the case with open smtp services. After more research, I discovered that you can assume any host name that is being hosted on that server and send email from it without Go Daddy requiring authentication as that user, as is the case with gmail and other secure services. For example, if xyz.com is a domain hosted on the server, then I could send any email from either bob@xyz.com or alice@xyz.com whether or not their account exists with no issues whatsoever. Not only does this have SPAM use written all over it, one could social-engineer their way to more access in people’s directories, websites, or wallets.
Read emails from other sites!
By running the following command: ps ax | grep sendmail, you will see the email files that are in queue.
66466 ? S 0:00 sendmail: ./b777fsxt066666 from queue
Furthermore, if you navigate to /var/spool/clientmqueue you will see all of the queued messages from cron jobs. Some of these messages are issued to users that sign up to new sites and may be used for password reset functionality. Discover for yourself. :)
In Conclusion:
Go Daddy provides cheap hosting with significant security vulnerabilities. I leave it to you, the consumer, to make the choice of whether you want to host your data using their shared hosting services or look for more secure hosting. Either way, Go Daddy could easily address these weaknesses to protect its customers' data. But will they?"
The analysis of the Hacker Leaks team is that the above information is on the mark, and reveals a serious security hole in the GoDaddy hosting service.
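The permissions section of the submission above describes Joomla configuration.php files left readable by every member of the shared inetuser group. The following script is an added example of how a hosting operator or a customer can audit their own tree for that condition; it is not GoDaddy's code nor the submitter's. The list of sensitive file names and the demo tree it builds under a temporary directory are constructed for the illustration.

```python
"""Audit a web-root tree for configuration files that other members of a shared
Unix group (or the world) can read.  Added illustration of the group-permission
problem described in the post, not GoDaddy's code.  The file names and the
sample tree below are constructed for the demo."""
import os
import stat
import tempfile

# File names that commonly hold database credentials (constructed list).
SENSITIVE_NAMES = {"configuration.php", "wp-config.php", ".env", "settings.php"}


def exposed_files(root):
    """Return [(path, mode_string, reason)] for sensitive files readable by
    the group or by everyone.  On a shared host where every customer is in
    the same group, a group-readable file is effectively public."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name not in SENSITIVE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlinks are not followed; audit the target itself
            reasons = []
            if mode & stat.S_IRGRP:
                reasons.append("group-readable")
            if mode & stat.S_IROTH:
                reasons.append("world-readable")
            if reasons:
                findings.append((path, stat.filemode(mode), ", ".join(reasons)))
    return findings


def build_demo_tree():
    """Create a throwaway tree mimicking two customers' home directories
    (constructed sample data): alice's config has the permissive mode the
    post describes, bob's is owner-only."""
    root = tempfile.mkdtemp(prefix="shared-host-demo-")
    layout = {
        "alice/html/configuration.php": 0o644,  # readable by group and world
        "bob/html/configuration.php": 0o600,    # owner-only, the correct mode
        "bob/html/index.html": 0o644,           # not a secret, ignored
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php $password = 'demo'; ?>\n")  # constructed content
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, mode, reason in exposed_files(demo):
        print(f"{mode}  {path}  ({reason})")
```

Run it against a real web root instead of the demo tree by calling exposed_files on that path; the fix for each finding is chmod 600 (or 640 with a per-customer group), which is what the post implies the control panel should have applied in the first place.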
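The brute-force section of the submission above shows that roughly 200 failed FTP logins in 90 seconds went unnoticed. The script below is an added example of the server-side counterpart a host should have had: a sliding-window counter over authentication failures that flags a source address once it exceeds a threshold. It is not GoDaddy's code nor the submitter's. The log lines are constructed in OpenSSH syslog style, and the threshold of 5 failures per 60 seconds is an assumption chosen for the demo.

```python
"""Flag source addresses that exceed a failed-login threshold inside a sliding
time window.  Added example of the lockout/rate-limit the post says was
missing; not GoDaddy's code.  Log lines are constructed in OpenSSH syslog
style; threshold and window are assumed values."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a dictionary attack from 203.0.113.5 (TEST-NET-3)
# against one account, plus one typo by a legitimate user at 198.51.100.7.
SAMPLE_LOG = """\
Jul  8 20:10:01 host sshd[4242]: Failed password for bob from 203.0.113.5 port 51001 ssh2
Jul  8 20:10:02 host sshd[4243]: Failed password for bob from 203.0.113.5 port 51002 ssh2
Jul  8 20:10:02 host sshd[4244]: Failed password for bob from 203.0.113.5 port 51003 ssh2
Jul  8 20:10:03 host sshd[4245]: Failed password for bob from 203.0.113.5 port 51004 ssh2
Jul  8 20:10:05 host sshd[4246]: Failed password for bob from 203.0.113.5 port 51005 ssh2
Jul  8 20:10:06 host sshd[4247]: Failed password for bob from 203.0.113.5 port 51006 ssh2
Jul  8 20:10:09 host sshd[4248]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jul  8 20:10:12 host sshd[4249]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Jul  8 20:12:30 host sshd[4250]: Failed password for bob from 203.0.113.5 port 51007 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2011):
    """Return [(timestamp, user, ip)] for every failed-password line.
    Syslog lines carry no year, so one is supplied (assumed 2011 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def flag_sources(events, threshold=5, window_seconds=60):
    """Return {ip: time at which the threshold was first crossed}.
    Each source keeps a deque of recent failure times; once the window holds
    `threshold` failures the source should be locked out or rate-limited."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in sorted(events):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that aged out of the window
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in flag_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip} exceeded threshold at {when:%H:%M:%S}")
```

Against the constructed sample the attacker's address is flagged at the fifth failure (20:10:05), while the legitimate user's single typo is never flagged; in production the same logic would feed a firewall rule or a temporary account lock rather than a print statement.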