May 2, 2012

Hackers are actively exploiting a dangerous security vulnerability in OpenX — an online ad-serving solution for Web sites — to run booby-trapped ads that serve malware and browser exploits across countless Web sites that depend on the solution.

Security experts have been warning for months about mysterious attacks on OpenX installations in which the site owners discovered new rogue administrator accounts. That access allows miscreants to load tainted ads on sites that rely on the software. The bad ads usually try to foist malware on visitors, or frighten them into paying for bogus security software.

OpenX is only now just starting to acknowledge the attacks, as more users are coming forward with unanswered questions about the mysteriously added administrator accounts.

This problem first came to my attention after I read a blog post by infosec researcher Mark Baldwin, who wrote late last month about finding an unauthorized administrative account called “openx-manager” on one of his clients’ OpenX 2.8.8 installations, the latest version. After much investigation, Baldwin found that the rogue admin account was created virtually at the same instant that he’d last logged in to the customer’s OpenX installation.

Based on these and other findings documented in his blog, Baldwin concluded that OpenX 2.8.8 contains an unpatched flaw known as a cross-site request forgery (CSRF) vulnerability. These types of flaws can be especially sneaky because they are used to trick the victim into loading a page that contains a malicious request. CSRF attacks are most often used to force an end user to execute unwanted actions on a Web application in which he/she is currently authenticated, such as purchasing an item, or adding/deleting account information.

Baldwin told me he believes the attackers were able to add the rogue admin account to his client’s OpenX installation because OpenX contains a CSRF vulnerability that allows such actions.

“When you login to the OpenX application, an ad loads via an iframe on the right side of the dashboard,” Baldwin said in an interview with KrebsOnSecurity. “OpenX uses this to promote different products of theirs (currently OpenX Market). This iframe makes calls to d1.openx.org and most importantly, loads some Javascript. This is important because the only way the CSRF attack would be able to create a new user is via javascript, since that action uses the POST method. The IP address of d1.openx.org is 173.241.250.2 and the address of adserver.openx.org is 173.241.250.3. For all I know these may be the same servers. My belief is that these systems were compromised and the Javascript was modified to inject the rogue admin account via the iframe in the dashboard. So when an administrator logs in, the account would be created without any interaction from him.”

I confronted OpenX officials about this on Monday. In a very brief phone call today, company executives declined to discuss the attacks in detail, but acknowledged the existence of a CSRF vulnerability in the software that powers both their free and enterprise advertising platforms. OpenX Chief Technology Officer Michael Todd said the company would soon be publishing instructions on its blog outlining steps that users can take to prevent attackers from taking advantage of this flaw, and that it hoped to roll out an official fix for its OpenX Source product, which is the free version of the platform offered to anyone who wishes to host their own digital advertising services.

“What we’re going to do early next week — on Monday or Tuesday — is release a new version of OpenX for people to download as soon as possible,” Todd said. “We’re taking an extra few days to make sure that this gets done correctly and that we’re doing all the testing we need to do before we push that out. But first, we’ll publish a mitigation post that will tell people how they can change their systems,” to mitigate the threat, he said.

OpenX’s head of communications, Al Duncan, inexplicably cut the interview short after I’d asked just two questions, so I was unable to gain clarity on other aspects of this attack, such as whether OpenX’s internal systems may have been abused in the compromises, and how long the company has been aware of the problem. I also wanted to know more about how this vulnerability differed from a similar CSRF flaw in OpenX v. 2.8.7 that was disclosed in June 2011 by researcher Narendra Shinde.

It’s unclear whether the CSRF flaw detailed by Shinde is effectively the same bug that exists in this latest version. But the attackers targeting these flaws appear to have used the same name for the rogue admin account that Baldwin discovered on his client’s OpenX installation: “openx-manager.”

Until OpenX publishes its blog post, users and customers of this product should consider reviewing the mitigation advice offered at Baldwin’s blog.

For more background on this subject, see OpenX forum posts from Nov. 2011, January 2012March 2012, and April 2012. Internet security firms Armorize and Sophos also have been sounding the alarm about these attacks.


10 thoughts on “OpenX Promises Fix for Rogue Ads Bug

  1. Tin

    The OpenX source install has historically been known for its security holes and their slow speed in fixing them. They have a newsletter that they are supposed to use to alert users to new exploits, but I have never received a notification from them. I am still subscribed, and surprise, no email from them alerting us about the latest security vulnerability. I was using their locally hosted source install for about 6 years and just got fed up with them and switched to DFP.

    Personally, I have felt that since they switched to their hosted “Enterprise” solution they have given up on the source install. Its almost like they are purposely showing a lack of regard in order to push people to their hosted solution and their OpenX Market.

    When I read news stories like this, I am just glad I switched.

  2. TEA-Time

    Hi Brian,

    The “January 2012” that looks like a link in the last paragraph isn’t an actual link. :-/

  3. A

    Firefox security bug (proxy-bypass) in current TBBs

    https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs

    “A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).

    To fix this dns leak/security hole, follow these steps:

    Type “about:config” (without the quotes) into the Firefox URL bar. Press Enter.
    Type “websocket” (again, without the quotes) into the search bar that appears below “about:config”.
    Double-click on “network.websocket.enabled”. That line should now show “false” in the ‘Value’ column.

    See Tor bug 5741 for more details.
    (https://bugs.torproject.org/5741)
    We are currently working on new bundles with a better fix.”

    http://pastebin.com/xajsbiyh

    1. JimV

      So with the present rating of 4 thumbs down and 0 thumbs up for this report, does that mean it’s bogus and should be ignored (the chatter on the Tor blog would seem to indicate it’s a legit bug with possible negative implications), or just that those attempting to somehow exploit it lurk here and dislike the fact that a potential malware vector they hoped to be useful for a longer period had been quickly exposed?

      1. BrianKrebs Post author

        I have found that nothing causes a thumbs-down faster on this blog than off-topic comments, regardless of whether the comment or topic of the comment itself is interesting or newsworthy.

  4. Paul Masson

    You have to admire the ingenuity of hackers. Why go to the effort of bot scanning for vulnerabilities, and the tedious work of inserting all those malware traps. An automated insertion technique.

Comments are closed.