May 24, 2012

A recent breach at billing and support software provider WHMCS that exposed a half million customer usernames, passwords — and in some cases credit cards — may turn out to be the least of the company’s worries. According to information obtained by KrebsOnSecurity.com, for the past four months hackers have been selling an exclusive zero-day flaw that they claim lets intruders break into Web hosting firms that rely on the software.

WHMCS is a suite of billing and support software used mainly by Web hosting providers. Following an extended period of downtime on Monday, the privately-owned British software firm disclosed that hackers had broken in and stolen 1.7 gigabytes worth of customer data, and deleted a backlog of orders, tickets and other files from the firm’s server.

The company’s founder, Matt Pugh, posted a statement saying the firm had fallen victim to a social engineering attack in which a miscreant was able to impersonate Pugh to WHMCS’s own Web hosting provider, and trick the provider into giving up the WHMCS’s administrative credentials.

“Following an initial investigation I can report that what occurred today was the result of a social engineering attack,” Pugh wrote. “The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.”

Meanwhile, WHMCS’s user forums have been and remain under a constant denial-of-service attack, and the company is urging customers to change their passwords.

As bad as things are right now for WHMCS, this rather public incident may be only part of the company’s security woes. For several years, I have been an unwelcome guest on an exclusive underground forum that I consider one of the few remaining and clueful hacking forums on the Underweb today. I’ve been kicked out of it several times, which is why I’m not posting any forum screenshots here.

Update, May 29, 12:35 p.m. ET: WHMCS just issued a patch to fix an SQL injection vulnerability that may be related to this 0day. See this thread from Pugh for more information.

Original post:

In February, a trusted and verified member of that forum posted a thread titled,” WHMCS 0-day,” saying he was selling a previously undocumented and unfixed critical security vulnerability in all version of WHMCS that provides direct access to the administrator’s password. From that hacker’s sales thread [link added]:

“No patches for it until now, vulnerability is a full blind SQL injection discovered by me. Wrote an exploit for it that works from command line which extracts admin hash from [database]. No need to decode md5 hash, can login directly with faking cookies. 🙂

Also can provide 3 methods to upload shell from the whmcs panel after logging in as admin.

will sell exploit to maximum 3 buyers.

-Price: $6k USD

-Payment Method: LR [Liberty Reserve]”

According to this hacker, WHMCS doesn’t properly validate input supplied by users. As a result, an attacker who knew how to exploit this bug could force a WHMCS installation to cough up the credentials needed to administer it. The seller also is offering buyers an easy way to maintain remote access to compromised WHMCS installations via a Web browser.

I’ve reached out to WHMCS for comment, and will update this post in the event I hear back from them. I’m taking WHMCS at their word about the source of their breach, but it goes without saying that this vulnerability could have offered the attackers another way in (assuming that the company relies on its own billing and support software).

Just a short note about some of the media coverage I’ve seen on the larger breach story. Some reports have called WHMCS a “cloud billing provider,” but it doesn’t appear that WHMCS offers a hosted solution of their product exactly. Near as I can tell, the company sells its software for a one-time fee (with annual update fees), or for a monthly lease fee.  They do seem to partner with other companies to provide them with licenses for resale, an in those cases support may have been handled by WHMCS. In this case, the software would call home to a licensing server, and those customers may have been among the most heavily impacted by this attack.

There are lengthy and interesting discussion threads about this directly from users of the software, at webhostingtalk.com and lowendtalk.com. Many users seem to be worried that the data stolen the now-public breach may include WHMCS direct customer data, as well as the location of the installed software and credit card data, and passwords for WHMCS installs that were done by them or supplied during troubleshooting.

According to one user I interviewed but who asked not to be quoted by name, the biggest problem with the software is that it stores the decryption key in its configuration file. “So any billing gateway that doesn’t use tokenization would have the credit card numbers stored in the MySQL database, encrypted with the key,” the user said.


104 thoughts on “WHMCS Breach May Be Only Tip of the Trouble

  1. Ed

    Id seen on opensc a few people selling large whmcs databases but i took it they were getting them from logs as opposed to an exploit

    i take it the forum your refering to is darkode?

    1. Brian Krebs

      Just a note to all readers: My site was attacked on Thursday evening and we’ve taken some steps to keep the site up that might interfere with a few of the normal things on this blog, like voting on comments. Should return to normal by the end of the weekend. Thanks.

      1. JCitizen

        I figured as such, when I couldn’t reach your site. Thanks for the information.

  2. Wladimir Palant

    “No need to decode md5 hash, can login directly with faking cookies” – if that’s true then they definitely have big issues. SQL injection can happen (sadly, lots of web applications still don’t use prepared statements, this is particularly common among the PHP-based ones) but why did they even bother hashing the password if having the hash is as good as having the actual password? This doesn’t shed a good light on the security of their web application – there are likely a lot more issues there.

    1. RR

      That’s how Windows does it. Once you have the hash it works to mount shares etc. Google for “pass the hash attack”.

  3. Mark

    Brian, you do great work. Glad to see your web site back up.

  4. SF-iT

    Brain, & people who commented thinking he did a “great job”… do you understand the implications of what Brian has done here? The WHMCs SQL Vulnerability was only known to a handful of people, now half of the world is going to be poking and prodding the source to find the same bug. Best case, only a few people find it… worst case it ends up public on exploit-db and gets exploited in the wild.

    If either scenario occurs you just created a global nightmare for anyone using WHMCs as well as the WHMCs provider… The correct course of action should have been to approach the software provider in confidence to make them aware of the vulnerability not posting on your blog like this…

    By posting in this manner all you accomplished is
    a.) trying to build your e-credit
    b.) embarrassed yourself to any real security professional who could easily see this is the last option you should have considered
    c.) royally piss off the people who knew/have the exploit — I expect the last attack on your site is only the beginning of a round of malicious activity aimed in your direction…

    1. Brian Krebs

      Yes, by all means, let’s keep this under the rug. That way, nobody will ever find out about it!

      You do realize that was the situation before my article? Sunshine is always the best disinfectant. I find it interesting that you believe the best response is to pretend it doesn’t exist. Sure, miscreants will poke at it now, but so will experts who like to fix things. Security is always a double edged sword, as is disclosure.

      1. AvidReader

        Brain, I don’t think you read the reply from SF-IT all the way…


        The correct course of action should have been to approach the software provider in confidence to make them aware of the vulnerability not posting on your blog like this…

        Informing the owner of the vulnerable software so they can be certain it is patched, before posting it in public is hardly pretending it doesn’t exist. In fact this is the commonly established procedure for any sort of 0day reporting last time I checked — Report to provider, await patch confirmation, then if you really want post on your security blog, or elsewhere boasting about finding it go nuts.

        Not the other way around…

        1. helly

          Quality of the comments is a bit suspect for this article eh? Its not like Brian disclosed the actual location of the vulnerability or how it can be exploited. For this to be successfully exploited you still need to the vulnerable parameter and find the properly structured SQL query to run.

          Identifying Blind SQL injections in a site isn’t exactly trivial either. In addition he didn’t list the site the vulnerability was released on nor how to contact the original seller. So in effect he said “The site may contain other serious vulnerabilities.”

          Ethical disclosure of a vulnerability can only occur when you actually have details regarding the vulnerability. The rage here seems an awful lot like some upset carders trying a bit of smearing. That or people who don’t particularly understand SQL injection. The article was very well written, as usual, and evidently accurate as it touched off quite the nerve.

          1. JCitizen

            Not only that, but I feel a financial based organization should at least come out publicly, when there is even a whiff of trouble, to warn their customers. Since this obviously didn’t happen, I see no problem with Brian reporting it.

            The proper model to follow is similar to the suspected breach of LastPass; they weren’t even sure that anyone made off with any blobs, but they darn well alerted the public! I call that a model that I can bank on!

    2. Jason

      Isn’t that actually the procedure when you know exactly what the vulnerability is and how to exploit it? Brian hasn’t said exactly how it is done. I assume if a guy on a forum is selling it for $6 k, the bad guys already know. It’s time the good guys know, too. All Brian has done here is to alert other professionals (and the company, btw) that there is a problem which sounds reasonable to me.

    3. bob

      Hmmm, for the first time, I can really see the benefit of the voting system.

      Actually, that’s back to front, isn’t it? If the voting system was active, I wouldn’t have read this idiocy.

  5. Natv

    Brian isn’t the one who discovered the vulnerability nor created an exploit, he is simply reporting on his discovery that this exploit is being offered for sale.

    Technically he doesn’t have the details to pass on to the vendor (as I really doubt Brian will pay $6000 just to verify this is real and to pass the info on)

    This isn’t the same as publicly posting about a vulnerability or posting proof of concept. Users who have whmcs implemented should have this heads up so they can better secure their systems until whmcs comes out with a patch, which can take who knows how long.

  6. Random User

    Yes, because we’ve seen such tremendous evidence proving what a great idea Full Disclosure really is in the past DECADE AND A HALF. Not to mention the past year and a half. What, you really think there’d be so much to write about if script kiddie – slash – pentest places werent giving bugs out like candy? Oh wait, that’s right… What would you write about?

    Go e-cred go!

    1. Brian Krebs

      You act as if I pasted/posted attack code or directed people to a point and click exploit. Anyone who calls this “full disclosure” doesn’t know the meaning of the term.

      The fact is that there are now many hundreds of sysadmins responsible for running and securing this software who are going to be poking it and probably will find the bug. If I just tell the company, there are maybe a few people poking at it, and probably not that vigorously given all the other stuff they now have to contend with. The rest of the users will never know, and the company may still never fix the bug.

      1. Random User

        “You act as if I pasted/posted attack code or directed people to a point and click exploit. Anyone who calls this “full disclosure” doesn’t know the meaning of the term.”

        A leads to B. B leads to C. C leads to point and click. Everybody else wants e-cred too, not just you. I personally don’t care about e-cred. If I cared about e-cred, I wouldn’t be using a name like “Random User”. Beware of vacuum cleaner salesmen bearing urns. 😉 You are making the situation worse, not better. Saying you did not perform the last step on this chain doesn’t make you less responsible when you basically help instigate it.

        “The fact is that there are now many hundreds of sysadmins responsible for running and securing this software who are going to be poking it and probably will find the bug. If I just tell the company, there are maybe a few people poking at it, and probably not that vigorously given all the other stuff they now have to contend with. The rest of the users will never know, and the company may still never fix the bug.”

        The fact of the matter is you have far more faith in sysadmins than makes any sense. You really think it’s sysadmins that find and patch bugs? Most of the time it’s sysadmins who make things vulnerable to begin with because they wouldn’t know a bug if it bit them in the ass. “The rest of the users will never know” is pretty ignorant. They know because a patch comes out. If they bother to check. If they don’t, I doubt being panicked by a Washingtonian will help them sleep better at night if they lack the skills or resources to fix things themselves and put blind faith in software and their own imperfect skillsets.

        And for the record, a blind sql injection is not something a sysadmin would know by looking at it. Most sysadmins these days don’t even know how to code and many are so coddled by their tools they barely know how to use the commandline.

    2. Nic

      Full disclosure has brought enormous improvements to software security. It’s a vital part of the industry.

      1. Random User

        If I see a “Kick Me” sign on a person’s back, do I inform them so that they can remove it? Or do I let them know by basically telling everyone else there is a “Kick Me” sign on that person’s back so they can be laughed at? Both wind up with the person removing the sign from their back, right?

  7. Centurion

    “Report to provider, await patch confirmation, then if you really want post on your security blog, or elsewhere boasting about finding it go nuts.
    Not the other way around..”
    +1

    Brain’s Rep
    -100

    Come on Brain, you should know better.

  8. jjmsan

    As a matter of fact full disclosure works just fine. Do you think we would have gotten even the limited consumer protections from data breaches we have now if we just relied on what the business told us? The bad guys already have access to this information. (Didn’t even have to type one word in caps.)

    1. Random User

      jjimsan, that’s not what full disclosure is. Disclosing breaches is in general not a bad thing. But you don’t see financial institutions, or many other places, telling the world about their technical infrastructure and the specific steps taken to breach them. Informing the consumer something happened = usually good. Letting a million people know how it was done? Why would that help? It doesn’t help your average person with no use for the information, it doesn’t help the person who will contain the breach or repair the problem… It does help people know how things operate, which leads to more breaches.

      Expand your worldview.

      1. JCitizen

        You make good argument Random User, but I don’t think you are going to convince too many of us. I want the full deal when it comes to the flow of information.

        Just as in the FOSS community, when a vulnerability is discovered, the whole community is informed so someone can develop a patch. Coders do it openly, that is why it is called “Open Source”.

        The same concept gave us encryption that takes years to fail. I call that a big success!

        1. Random User

          JCitizen, I may not agree with everything you said but I appreciate a cogent and sane reply. To me, the difference here is, he did not only notify the company (at the same time as everybody else) but he also notified everybody else of the bug. Due to the way that whmcs code is done, this basically means that anybody who wants to attack it now knows there is something to look for. The problem with this is, it will be attacked more, before the problem is fixe d– people will want to use the bug before it dies, and there will be no incentive to do it slowly or with any mercy. Quietly informing whmcs would have accomplished more. Then, after the patch, or at the very least giving the company a chance to pay attention to the problem or ignore the problem, Brian could have come out with his story.

          Every piece of software has bugs. Demonizing whmcs will not solve any problems, and ‘regular users’ will not understand how bad or not bad things are, so they will jump on the bandwagon. This is not the same as, say, a Windows bug. Or a browser bug. Or even a browser plugin. I might even be willing to concede to this article, if it involved any of those; the source is NOT out there, and it would limit attackers to a smaller number — in cases like that, with closed source, or at least more complicated source, with a long patch cycle, a push sometimes helps. But this isn’t any of those things.

          My issue with most of the comments on this thread (and my sarcastic response was called a ‘straw man argument’ by one of the posters) is that the same thing MIGHT have been accomplished more rationally, and with less potential “bloodshed”.

          1. JCitizen

            I guess it is just a difference of view RU. Thanks for posting. All forums need as much input as possible. Free speech is also an important concept here.

          2. Nick P

            I have to agree with this poster and the others. Most security researchers will allow a grace period to devise a proper fix. By proper, I mean they’ve audited their situation, identified the problem(s), developed a fix, tested it to not break anything, and deployed it to their customers. Then, the researcher will present the flaw they found, maybe how, etc. Doing it this way reduces damage by both script kiddies and skilled black hats who didn’t know where the low hanging fruit was.

            Dropping it on someone’s lap and hoping they beat the black hats, without hurting legitimate operations, puts more risk on the good guys than the bad.

            Also, Kreb’s claim that things won’t work unless he just tells the company is a false delimma between mass publicity and telling the company. The method I mentioned above helps everyone involved. *Eventual* full disclosure is usually safer than *immediate* full disclosure.

            Side Notes: @ paraphrased “bad guys all have the info so good guys need it [now]” That’s not true at all. The post indicates 4 people at a minimum have it & they intend to keep it low profile. Now, it’s high profile to hats of all colors. See how that works? @ FOSS comparison: meaningless here b/c the source isn’t open & the process must allow few eyes to work.

            1. JCitizen

              I only used FOSS as an example of the open security model which has been a huge success for eons. I don’t feel sorry for the corporation involved here, and I’ll tell you why. They’ve used the keep quite and hope for the best for years too; and I get tired of my vendors and other services getting cracked and my information leaks out to my detriment. I think I would have liked it better had I know full well in wide open world news that the breach had happened or was going to, so I could take steps to protect myself. They are the ones making money off my trust, their interests can be damned for all I care.

              To me this is an issue of self preservation, I don’t give a hoot if the corporation goes down the tubes because of bad practices, I care about the little guy whose interests and trust were broken. I wished folks had blown the whistle a lot earlier on some of the duds who misplaced my trust. We are the ones left holding the bag most of the time.

              1. Nick P

                I agree the company had it coming and any company with very lax practices should get flushed out of the market. One caveat, though, on any kind of payment processors: non-intuitively many companies that buy their services rarely place an emphasis on security or pay a premium for quality. If the market won’t pay for it, why should companies invest extra in it past the basics? (Small businesses and consumers, especially.) Remember, when formulating the answer, that this is a capitalist country where each entity’s goal is building wealth.

                Verifone is a nice example. They lead the market. Companies buy their stuff all the time. Yet, their software is so shoddy that an insider felt compelled to leak a ton of source code on BinRev hacker forums. It was full of crap code, SQL injections, etc. That’s the market leader!

                So, it’s hard for me to hate on companies with security flaws when buyers won’t pay extra to mitigate risk. They also demand compatibility with legacy software and protocols that are inherently insecure, a constant thorn in Microsoft’s side in particular. Shipping working software takes priority over correctness. This gives rise to the penetrate and patch game. Steve Lipner, who worked on an A1-class product, has some good commentary on high security design & market issues. He’s the one that built Microsoft’s Secure Development Lifecycle.

                http://blogs.msdn.com/b/sdl/archive/2007/08/23/temp.aspx

                I hope you find all this interesting and enlightening. I’m still mentally wrestling with how to improve security in a market that doesn’t pay for it directly. I have a few ideas, but rather not post publicly yet.

                1. JCitizen

                  Good point Nick P! I think the cost factor capitalist system is OK, but I guess I feel it is also a dog-eat-dog model, that one can’t be surprised if bad things sneak up and destroy your business or market.

                  I have had plenty of institutions come out early with warnings, and I definitely do business with them still! I appreciate these, I don’t feel they are besmirching their rep by admitting early on to a mistake; I actually prefer a business who owns up to it, because this builds trust that they are actually trying. I know too many don’t.

                  And it this example, many of the holes in their security could have been closed with just basic security considerations. I feel too often, they are completely negligent. Financial based institutions especially should do at least the minimum. Then again I may just be a reactionary in this instance.

                  1. Nick P

                    Well, my statements do apply to security issues in general and preventing problems in general. I think in an earlier post I mentioned any company screwing up this bad deserves to tank. So, I totally agree with you that they need to be doing at least the minimum. Matter of fact, stopping some of these web attacks is so easy there are basic checklists and step-by-step guides on it. Some platforms are immune to many of them, I think.

                    So, I’m definitely not backing this company up. I’m just pushing for responsible disclosure and, at the same time, pointing out that there’s little incentive to provide real security until you get caught. 😉 Sadly, RSA is an example of that. Premier security experts saving the secret seed & making access easy enough that a ton of them are stolen because some people clicked on something. Ridiculous, but illustrates the point.

  9. DennisA

    I think Brian ought to be flattered to be called Brain by a critic.

    As to miscreants taking offense and attacking Brian and his blog/website–I’ve come to understand that is just a part of his everyday life.

    Thanks, Brian. Keep up the sunshine.

    1. JCitizen

      HA! Good one Dennis! I post this for lack of “thumbs up”, for now.

    2. Nick P

      Yeah miscreants do that. Then there’s legitimate critics. Notice critics are focusing on this blog rather than many blogs of security researchers disclosing vulnerabilities or pointing to where they’re at. Why, you might ask? It’s a difference in how they’re doing the work: one way reduces risk for everyone & one can greatly increase it.

      Now, as for criminal organizations, I’d encourage Brian to continue posting whatever he wants. The more times he disrupts them, the better.

    3. Nick P

      Since my thumbs up isn’t working…

      +3

  10. george

    I have a feeling Centurion, Random User and AvidReader are just virtual shills of SF-iT. The wording is different in each post, yet the positions are too similar in their lack of nuance. While notifying WHMCS would have been 100% by the book and in line with how Brian usually operates, I don’t think it will made any difference. The vulnerability was no sale since February, This is a very long time in the life of a zero-Day, I’m sure it is already wildly (and widely) used. I rather think it is a good think it was disclosed this way, it shave at least a week of the vulnerability window. Yes, it will be painfull for WHMCS and the customers ALREADY compromised (and for the perpetrators as well), but I doubt the disclosure of today will lead to any new sites being compromised. In fact it should take hours to WHMCS to fix the cookie part allowing to login with just a hash of the password. This fix should be already in place by now.

    1. Brian Krebs

      You think? 🙂 I wonder if it’s possible three different commenters in a row misspelled my name “Brain.”

      Troll fail.

      1. Random User

        I’ve never called you ‘Brain’, here or elsewhere. Now, however, I want to start calling you Pinky. 🙂

        1. JCitizen

          I’ve misspelled it that way by typo. I was embarrassed, but I figured Brian would take it as a complement as well! HA! 😀 !

    2. Random User

      I’m not any other person on here. It’s not my fault there’s a generally accepted procedure for how things are done. And clearly you do not know how things are done. Incidentally he said it was a VERY PRIVATE forum. If that’s the case why would you think a million people are using and exploiting it? That is not how I have been informed the “bug sale” scene works. From what he said it sounds like it was on sale, not freely posted for people to use. If anything this probably means fewer people have it. In a way, Biney has basically made it actually much harder for the Powers That Be to do any sort of attribution — so he won’t just wind up having lots more people attacking it and looking for bugs which will then be posted as exploits on various sites and chat locations so more and more people can use it — after all the problem is with the software, and the client has to update that — which happens how often? Your sort of thinking creates an environment of low-hanging fruit. That low-hanging fruit then gets used to attack other sites. And you can sit there smug that you patched, but it will wind up affecting you somewhere down the line. You don’t think all of these Anonymous offshoots and cybercriminals really find their own bugs do you? Most attacks of this nature are NOT 0day. They’re actually scanned for wildly once an exploit drops.

      Learn how the world works. Then we can talk.

      1. oleg

        right, you’re not SF-IT? guess you just like the curious term “e-cred” which i don’t believe i’ve anywhere except for the posts here on this thread.

        1. Random User

          E-cred isn’t that unusual of a term online. And I read it here. Because I agree with someone does not mean we are the same person. Similarly just because I disagree with how Brian handled this does not make me a “carder” or a “user on the forum” or someone “angry at him for ruining [whatever I have that he could ruin]”. Not a single person has made a well-thought out or logical response, replied to any of my points in a reasonable manner, or did much more than nod their head at what Brian said. Whenever anybody disagrees with what Brian says they are automatically labeled the “bad guy” — even the SAME “bad guy”. And you say “shill” towards me or the other people who posted in a similar manner. Who is shilling, and who is trying to explain their reasoning? Who is letting their emotions and loyalties define their response here? I thought I could engage in a debate but I was wrong, so I will not bother anymore. I can’t speak for anyone else who posted since I am not them. Brian’s reporting on carding stuff is generally decent (by the way, whoever called me a “carder” — how does disagreeing make me (or even the place his post is from) have anything to do with carding?) but when it comes to hacking and exploits, he often winds up not understanding the way things work. And that is fine — people cannot know everything. But people cannot learn unless they are willing to listen instead of insisting they know everything. I was trying to offer insight but it was wasted. There is a reason I never posted on a comment thread before. This would be it.

  11. Tony B

    Krebs,

    Your pissing of alot of people in the criminal world, are you not afraid that one day all this will come and bite you in your ass ?

    Are you never afraid of any retaliation ?

  12. oleg

    If I had to guess Random User, you are a member of the forum where Brian got this information and are merely pissed that he leaked it.

    1. Random User

      Yes, that makes complete sense. Because all cybercriminals want to help things be, you know, more secure.

      1. oleg

        sounds like you’re concerned about everyone but the user of the software.

        *don’t tell the public, because the users aren’t smart enough to figure it out. they’ll just make things worse.

        *don’t ruin things for the crooks that are exploiting it, because they’ll just get mad. besides, there’s only 3 hackers who could have bought this, right? there’s no way those hackers could have re-sold the attack, is there, or told their buddies? why would they do that? that’s crazy talk

        *don’t air the dirty laundry of the vendor; that’s just not fair to the users.

        1. Random User

          oleg, where have I said this should not be disclosed? You are putting words in my mouth. The question is, what good is pointing out a bug to thousands, tens of thousands of people with interest in it without the vendor knowing and having a chance to patch so people can DO SOMETHING ABOUT IT without hundreds or thousands of script kiddies getting ahold of an exploit for it thus causing more damage.

          There are disclosure procedures for a reason. Brian posted his whmcs comment on twitter and within almost no time at all he wrote this article. How is this responsible disclosure?

          Bug fixes take time. If you don’t know this you’ve never had to do QA. They can’t just roll out a patch in an hour. Even if they could — it takes hosting providers and site owners time to do their OWN QA’ing and patching.

          You may THINK telling the world is better, but history has played out, over and over again, that information at this stage should be limited to the people who can fix it. I’m not a fan of exploits being posted publicly in general, but this is not because I have anything to profit by them not being out there other than my own peace of mind.

          1. p1n

            Which reported and still-uncorrected defect are you referring to and what do you refer to as a reasonable period of time for the vendor to fix?

            bid 39681 WHMCS ‘deptid’ Parameter SQL Injection Vulnerability published 4/24/2010

            bid 39589 WHMCS ‘id’ Parameter SQL Injection Vulnerability published 5/02/2010

            bid 50545 (CVE-2011-4813) WHMCS ‘templatefile’ Parameter Local File Include Vulnerability published 11/04/2011

            bid 50547 (CVE-2011-4810) WHMCS Local File Include And Local File Disclosure Vulnerabilities published 12/15/2011

            bid 51551 (CVE-2011-5061) WHMCompleteSolution ‘functions.php’ Arbitrary Code Execution Vulnerability published 1/30/2012

            no need for a zero-day with a platform of this quality!

            1. Nick P

              That’s pretty ridiculous. They need to hire some SDL consultants or something.

                1. Nick P

                  In retrospect, it may not have been. However, many of us were going on Brian’s report and this wasnt in it. The description was of a “0-day”, which needs responsible disclosure. Existing, ignored vulnerabilities are a different matter altogether.

                2. D.

                  That’s probably not it, that’s been fixed a while ago.

    2. Random User

      (Ironically, this was UGNazi’s excuse for leaking hundreds of thousands of pieces of personal data on unrelated people. It helps make things more secure!)

  13. mishka

    /facepalm
    Billing and support software provider who make basic and lamest errors? SQL injections, lack of understanding how crypto works, social engineering… And they are processing money. What a disgrace.

    They deserve to turn bankrupt, not sympathy. Such companies should work in this business, like pedophiles should not work in kindergartens.

  14. Sam Bowne

    I appreciate the work Brian has done here-infiltrating a criminal organization and revealing interesting information from it. It is entirely within his rights, and logical, for him to publish his findings openly like this.

    I don’t think hiding information, attempting to assess its real exploitability, or secretly sending it to company insiders, are logical roles for a journalist. Investigative journalism is moving facts from the darkness into the light–if you just move them from one dark room to another dark room, you are conducting espionage, which is a different business with different goals and requirements.

    1. B T

      I like this point of view.
      Brian is a journalist – he doesn’t just pontificate in this forum, but puts considerable effort into investigation and presenting the information he discovers. That’s why we all come to read this forum, after all.

    2. Nick P

      Sam that’s a false dilemma between keeping it all in the dark or telling everyone. Most security researchers take a middle ground. But, let’s go with your investigator theme and take it into a physical example.

      So, there’s this company whose service takes in plenty of sensitive information. It’s all in a building. There’s not exactly excellent surveillance. They have decent locks, basic procedures at main doors, windows, and a few rent-a-cops in a 20 floor building. If past security & if one knows where to look, a pretty generic robbery can get the best stuff. Many crooks pass on by b/c they would rather spend a full-on effort on something like that diamond store down the street. Then, a good investigator notices something.

      The investigator infiltrated an organized crime group’s communications network. One of the group members had studied this building for a long time, probing its defenses. He found an unguarded spot in one of the windows on the 2nd floor that can allow for entry. Further, he says his plan for getting in, robbing them and getting the loot out just takes a few steps. He’s got it packaged & ready for the four of them to roll on the place.

      Now, the investigator can do two things: tell the company what he knows, give them a grace period to try fixing things, & release his report (timestamped, of course) when grace period expires; immediately tell every crook in the area that there is an exposed window, with easy theft & egress, on the 2nd floor of that building & four others plan to rob it. Which is more professional? And is releasing potentially damaging information at a later date really unprofessional in journalism?

      1. AlphaCentauri

        A better analogy would be a company makes locks that are widely used. An investigator finds that a criminal claims to know how to unlock them without leaving any obvious evidence of tampering. He’s almost certainly using the information to enter buildings now, and he’s offering the secret for sale to other criminals. If you have a building secured by one of those locks, would you want to know there are criminals who can enter your building (since all the criminals know the locks can be defeated, even if they haven’t purchased the secret), or do you prefer to be kept in the dark, secure in the knowledge that the lock manufacturer will take care of you, even though the lock manufacturer hasn’t been given any more information than the criminals who haven’t paid the fee?

        1. Nick P

          I know I pulled the analogy into the physical realm, but locks aren’t a good analogy here. For one, locks are an access control mechanism that acts as an obstacle. Compromising a lock doesn’t necessarily equal getting the goods. SQL injection is a subversion attack where the attacker transforms a trusted agent into a malicious agent that passes resources to them. For attackers going for data breaches, an SQL injection is often checkmate.

          Second, if the locks are bad, you can just swap them. The locks are usually in obvious places even a non-expert will notice & can be changed for a fixed cost. The remaining problem is key distribution. With the online attack, you can’t just swap something out, the cost is far from fixed, noticing where/how takes skill, etc.

          The third issue is relying on the lock manufacturer. Another way the analogy falls short. It’s much easier for the developers of an application to find, recode & issue patches for flaws in it than for a lock manufacturer to issue a recall, redesign its lock & distribute new locks. Again, the analogy goes so far into a physical device it looses the properties of software. (Mine, which was high level, intentionally avoids that issue where possible.)

          Finally, your notification part. In my scheme, the people who own the building are notified of the weak area in their building, notified of active crooks trying to exploit it, and given time to react before publication. The issue you bring up is addressed in my recommendation & has worked in the software industry for years in the form of responsible disclosure. It isn’t theoretical: it’s common practice.

  15. Sam Bowne

    Brian, why don’t you use CloudFlare for free DDoS protection? DDoS is a solved problem–you never need to go down from it again.

    1. AlphaCentauri

      CloudFlare could help, Prolexic could help, but it’s foolish to think that there is any absolute defense against a large scale DDoS. But if anyone chose to expend the resources to try to completely shut down krebsonsecurity.com, plenty of people would step up to mirror his site, advertisements and all. They can annoy Brian, but they’d be wasting their time trying to silence him.

      1. george

        Yes, they are definitely wasting their time and resources, I’m glad they don’t manage to keep the site off the air for more than couple of hours, the last incident of 18 hours was and I hope will remain an exception. Anyway, I could read Brian’s article and the first 2 or 3 comments just fine during DDoS from Google cache.

        1. TJ

          I’ve found that I can often get through by just using the site’s ip address: 94.228.133.163

          In fact, after this round of ddos attacks, I changed the URL of my krebsonsecurity speed dial to its ip address.

          1. AlphaCentauri

            Of course if they direct a DDoS attack to the IP address, CloudFlare’s DNS based strategy doesn’t even come into play.

  16. andy1

    congrats on the ddos, guess you’re pissing off the right people!

  17. DigiP

    My question to the whole thing, while maybe not ethical, is it necessary illegal to sell or buy exploits? I mean, it would be obvious criminals would want the exploit, but unless they use said exploit, is selling and buying the exploit against the law?

    1. Random User

      Other than a couple of countries (and the US and UK are not one of them, for the record), no. Generally speaking, it is not illegal and in fact there are companies who buy exploits — and then resell them to anyone who can pay the very steep fees. Others just buy them and sell them to governments.

    2. Uzzi

      In fact most countries have laws about “unconscionability”. And those that don’t have might send you to jail for even thinking about it.

      At least you can’t “own” an exploit (or copyright it), that’s why legal business of hackers is called consulting. The illegal forms are complicity, incitement, extortion and fraud.

  18. AlphaCentauri

    I can’t believe people are complaining that Brian exposed an exploit. He is a journalist, not a law enforcement agent. He reports the news. Sometimes he becomes part of the news, most times he makes life difficult for the bad guys, but that’s not the idea behind journalism. And it certainly isn’t his role to cover up what he learns during his investigations.

    No one is stopping private investigators from infiltrating hacker forums on behalf of software firms, and in that case it would be expected they would maintain confidentiality about what they find.

    As far as whether damage was done, the hacker who advertised the exploit told a whole forum full of other hackers all the details Brian listed. And he still thought it was worth $6K, and he still felt he could promise that only 3 people would get the information. That doesn’t sound like Brian has let any cats out of the bag by printing the information here.

  19. Ali

    Hi Brian,

    Thanks for your reporting. I think you did the right thing by informing us all of this. The fact is, that these bad guys already had the exploit, and corporations have a funny way of sweeping all their skeletons under the rug and would have kept the public (and especially those vulnerable to this exploit) in the dark.

    By the way, your website was not coming on yesterday evening, were you under another DDoS attack. Keep up the good work…

      1. Uzzi

        Sam Bowne mentioned “CloudFlare for free DDoS protection” before – couldn’t give him a thumbs up.

      2. B T

        I’m looking forward to a hard-hitting, first-hand report on denial of service attacks!

  20. B T

    The like/dislike buttons aren’t working on here – or is it just me …

    1. JCitizen

      Check Brian’s new post above. That explains it.

    2. Nick P

      Personally, I’d rather it be a like and report button. Report would include posts that are utter crap. Getting rid of dislike would deal with the serious troll problem & force people to provide constructive criticism rather than “there’s something about that I don’t like.” Improves blog quality by trimming Slashdot-types (read: the fat).

      Of course, I think Facebook has claimed the Like button before. Might have copyright or patent on it. I doubt it would be an issue as blogs aren’t really competitors.

  21. William

    I fully support this post. Hiding security issues is simply a false sense of security and I don’t trust the WHMCS team to reveal these flaws.

  22. Dave

    >>> I’ve reached out to WHMCS for comment, and will update this post in the event I hear back from them.

    Any updated from WHMCS on this? I asked them about it and they said there are no known security vulnerabilities in the current version.

    1. Nick P

      The key word there is “known.” A 0-day is an UNknown vulnerability in the software. They’re more useful the longer the specifics are unknown. They become a known vulnerability once the company gets the specifics or someone lists it on a tracker like a CVE. The company might be trying to dodge the point by being “technically” honest.

  23. Lone

    I don’t think I have much faith in WHMCS anymore to come clean about anything. Let’s look at the facts:

    1) This is not the first time their DB was dumped
    2) They obviously did not get their act together after the last time
    3) They were breaking PCI compliance requirements
    4) The hack would not have been successful if PCI compliance was followed
    5) They were submitting falsified reports to McAfee Secure in order to bare the trusted logo
    6) They keep dodging the PCI compliance concerns of their customers
    7) Their official announcements address customer questions with answers
    8) Those announcements don’t bring up the PCI compliance instead they redirect to “It was a social engineering attack”
    9) Random so called members in the forums with few posts attack anyone who brings up PCI compliance
    10) Those members create arguments defending the poor security practices with statements like “hacks happen” and leave WHMCS alone it was Host Gator’s fault
    11) Those members cause such a stink they bury the PCI compliance concerns deep within many pages of stupidity
    12) The forums, and blog software were grossly out of date with their own set of holes
    13) They use CPanel (PHP) to host their billing system… why not just a vanilla LAMP stack?
    14) They are large enough where they clear well over $50,000 a month income… why wouldnt they have monthly PCI compliance audits?

    Honestly unless they get kicked in the rear by VISA and MasterCard then I dont see why they wont repeat history and sweep the attack under the rug and cross their fingers it doesn’t happen gain.

    1. BrianKrebs Post author

      Yeah, that dude was tweeting that code last night, saying he was releasing the most obvious of two blind sqli’s he’d found in WHMCS. I gather that’s it.

      1. D.

        That’s a 3rd party create gateway as far as I can tell. It isn’t encrypted. Simple fix, remove the gateways you don’t use; less gateways = less code = less things to break.

        1. D.

          Actually, the patch issued by WHMCS is for this vulnerability. May not be specific to this gateway.

  24. Sam Sayen

    I second moving to cloudflare Brian…. Unless I missed a section of this article I saw no details that would make shining light on this matter reckless. As usual, vulnerability disclosure is an area with shades of grey. I would disagree with publishing the exploit without giving a heads up to WHMCS, but stating that blind sql injection exists hardly gives away the keys to the kingdom.

  25. Corto

    Great work Brian!!
    i think disclosure on this matter is key!

  26. na

    As predicted now the vulnerability is out in the open for every script kiddy and two bit moron to use in the wild. Yes wonderful job Brian you just made life a living hell for WHMCS and anyone that uses their software.

    Now the number of people affected by this exploit instead of being kept minimal will skyrocket in the next few hours/days as it is mass exploited across the world.

    What kind of a journalist are you? Because it sure seems you are lacking ethics and a moral compass.

    1. Shecky

      Na,

      considering the vulnerability had been out for 4 months, that WHMCS has confirmed a breach, and that it was something they should have known about and fixed a long time ago, I think you need to reassess your thoughts. This is something that people should know, and Brian’s integrity has been impeccable.

      Also, sometimes these companies need a kick in the butt like this.

    2. Brooks Garrett

      Yeah, way to go Brian. You completely just leaked a major vuln to the world. Oh, you mean there wasn’t any PoC code in your post? And you didn’t leak to any executable code? And I can’t directly take action with any of the information you provided aside from attempt to get into an exclusive community which you didn’t even provide the name to?

      Yeah, you totally just ruined everybody’s day.

      1. JCitizen

        Yes Brian – you are so right – you are soooo irresponsible! BWAHAHAHAHAHAHAH!! 😉 😉 😉

    3. Sam Sayen

      You are joking right? I can only assume that you are trolling as a joke? Brian made everyone life a living hell… Smoke rock much?

      1. MadVirgo

        Yes, Brooks was being sarcastic, and was digging at Random User/others who complained that Brian was ‘irresponsible’ about mentioning the zero-day flaw that was mentioned, yet not explained, in a hacker forum for the WHCMS software suite. I like the way Brooks mentioned each way one could truly be ‘irresponsible’ in his post. It was nice.

  27. George

    I’m actually worried about WHMC lying to the world. So was it really social engineering attack (could they be that stupid to fall for it?) or was it a zero-day exploit that took them? If so why lie about it?

    Brian did nothing more than tell everyone that he suspects it was a hack due to information and evidence he found. Until it was posted on full-disclosure mailing list its only speculation.

    I support you Brian and your blog, it keeps me up to date with what’s going on and going down on the net.

  28. Anonymous

    You are doing awesome job brian.. haters can fuck off
    Add me on icq, CCCLXXXV-000-000 I would like to tell you some more good info, about other things 😉

  29. mercurial

    Brian, you said you had reached out to WHMCS for comment on the vulnerability. There’s a rather interesting thread on WHT where Matt claims to the contrary:
    http://www.webhostingtalk.com/showthread.php?p=8156167

    He goes so far as to say that you haven’t disclosed anything to them privately nor brought their attention to any vulnerability in WHMCS.

    What are your thoughts about Matt’s responses?

Comments are closed.