Hosting Controller - Multiple Vulnerabilities
Hosting Controller is an all-in-one administrative hosting tool for Windows. It automates a wide range of hosting tasks and provides control of each hosted site to the respective owners.
Hosting Controller is now widely used by hosting providers and can be found at: http://www.hostingcontroller.com
E-ECQUIRY discovers multiple vulnerabilities in the software that allow an attacker to browse directories that are not intended to be publicly accessible and upload scripts to manipulate files and control administration of sites using Hosting Controller.
Arbitrary Directory Browsing,
Create new domain and Gain administrator's control,
Upload and Execute Arbitrary Code.
[Vulnerability #1] Browsing Non-public Directories Allowed
Hosting Controller has a security flaw which allows outside attackers to browse any file and any directory without authentication. Files can't be read; however, the second vulnerability (explained below) would allow you to compromise the whole server.
[Vulnerability #2] Dot Dot Slash bug and auto/signup/dao_newaddomain.asp
The auto/signup/dao_newaddomain.asp script from Hosting Controller can be executed by using a URL, e.g.:
http://victim.com/hc/scripts/asp_name&domain=any.asp
This allows an attacker to create a new domain name and a new account without logging in as administrator. The attacker can then log into Hosting Controller after the creation of the domain name by using the form (Hosting Controller will automatically create a domain for him):
Once logged in, the attacker can use all Hosting Controller menu options as owner of the new account. The newly created domain name cannot yet be accessed through the normal login URL; hence, the attacker needs to go through the auto/signup/dao_newaddomain.asp script.
To gain control of administration and execute arbitrary code on the hosting server, the attacker need only click on Hosting Controller's "Directories" option on the left-hand side, which leads to the "File Manager" page, where you are only allowed to manage files within ...\wwwroot\domain_name.
But the file manager.asp of HostingController is also vulnerable to the well-known "dot dot slash" bug — /../../ — allowing directory traversal, via a script URL such as:
http://victim.com/hc/scripts/asp_name&domain=../../inetpub/wwwroot/xxx/testinghostting.com/www
The attacker is then able to browse the entire drive and upload ASP server-side scripts: scripts such as modify.asp or cmd.asp can be uploaded to active domain names so that the attacker can execute commands via a web browser. With a little bit of work, the attacker can also upload nc.exe and call nc.exe from an ASP script... Thereafter, the use is of course unlimited.
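The containment check that the File Manager restriction to ...\wwwroot\domain_name needs, as an added example (not Hosting Controller's code and not the vendor's patch). The web root path and the function name are assumptions; Python's ntpath module is used so that Windows path rules apply on any system.

```python
import ntpath  # Windows path rules on any OS, so the check runs offline

# Assumption: the advisory only gives "...\wwwroot\domain_name"; this root is hypothetical.
WEB_ROOT = r"C:\inetpub\wwwroot"


def resolve_in_domain(domain, requested, web_root=WEB_ROOT):
    """Return the normalized path if it stays inside the domain's directory, else None.

    `requested` is the already URL-decoded value of a path parameter.
    """
    # The domain must be one plain path component: no separators, no drive, not "." or "..".
    if not domain or domain in (".", "..") or any(c in domain for c in "/\\:"):
        return None
    base = ntpath.normpath(ntpath.join(web_root, domain))
    # join() discards `base` when `requested` is absolute, UNC or on another drive;
    # normpath() folds "/" into "\" and collapses every ".." segment.
    candidate = ntpath.normpath(ntpath.join(base, requested))
    base_cmp, cand_cmp = ntpath.normcase(base), ntpath.normcase(candidate)
    # Compare with a trailing separator so "example.test.evil" does not pass
    # as a child of "example.test".
    if cand_cmp == base_cmp or cand_cmp.startswith(base_cmp + "\\"):
        return candidate
    return None
    # Limitation: this is a lexical check; junctions and symlinks are not resolved.


if __name__ == "__main__":
    # Constructed inputs; two path values are taken from the URLs in this advisory.
    samples = [
        ("example.test", r"images\logo.gif"),
        ("example.test", r"c:\MSSQL7"),
        ("example.test", "../../inetpub/wwwroot/xxx/testinghostting.com/www"),
        ("example.test", r"..\example.test.evil\x"),
        ("../../inetpub", "www"),
    ]
    for domain, path in samples:
        print(f"{domain!r:18} {path!r:55} -> {resolve_in_domain(domain, path)}")
```

Every handler that takes a path or domain parameter has to apply the same check after authentication, because both the absolute-path form and the dot-dot form reach the file system through different parameters.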
[Vulnerability #1] Browsing Non-public Directories Allowed
Scripts that allow browsing anywhere on the server:
http://www.sp.com/hc/scripts/edit?filesList=c:\MSSQL7
http://www.sp.com/hc/edit?filesList=c:\scripts\MSSQL7
The directory "hc" is an example of the path given to Hosting Controller in the example domain. The actual "hc" directory name, such as "admin" or "hostingcontroller", must be discovered for each "victim" and replaced in the above URL scripts.
[Vulnerability #2] Dot Dot Slash bug and auto/signup/dao_newaddomain.asp
http://www.sp.com/hc/folder/filesList=global&listaction=global&username=existing.com/blogs?formname=cmd name=value&name=value&hostinghostting.com/www
Vendor has verified and released a patch that addresses the issues. You can download the patch/fixed version from the official website. http://www.hostingcontroller.com
Phuong Nguyen (ECQ)