Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Conviso IT Security
Rua Deputado Mário de Barros 1700 Sala 208
T 55 (41) 3095.3986
CEP 80030-280, Curitiba, PR, Brazil www.conviso.com.br
Contents
Introduction
.....................................................................................................................................1
1. Copyright and Disclaimer
...............................................................................................................1
2. About Conviso IT Security
..............................................................................................................1
Security Advisory | CVE 2010--1582 | 24/7 Real Media’s Open AdStream v.5.7
i
Conviso IT Security
Introduction
This advisory has been discovered as part of a general investigation into the security of software used in the IT
environments of our customers. For more information about our company and services provided, please check our
website at www.conviso.com.br.
The vulnerability described in this security advisory was discovered by Wagner Elias on January 14th 2010 during a
malware investigation project.
Security Advisory | CVE 2010--1582 | 24/7 Real Media’s Open AdStream v.5.7
1
Conviso IT Security
Security Advisory
1. Issue Description
This advisory describes a vulnerability in the permission of the directory RealMedia created as default during the
installation of Open AdStream, an ad campaign management platform provided by 24/7 Real Media, which
exposes directly to the Internet the configuration files, including .sql which contains access credentials. As a result,
a cracker can use this flaw to install a backdoor or take the ownership of the affected component as he/she had
access to all configuration files and access credentials.
2. Affected Components
The vulnerability was identified on the deployment of Open AdStream Version 5.7 in several large Brazilian Internet
portals and media delivery websites. The product’s webpage is located at http://www.247realmedia.com/EN-US/
us/open-ad-stream.html. This version of the product can be used only with MySQL 3.23 and Apache 1.36.x,
versions which are outdated and vulnerable to several exploits as described on the security advisories posted on
the Internet at http://www.securityfocus.com/bid/11357 and http://httpd.apache.org/security/
vulnerabilities_13.html.
4. Details
The deployment process performed by 24/7 Real Media keeps the default configuration on Open AdStream which
publishes the configuration files of the host exposed to the Internet on a format such as http://
admXX.customername.com.br/RealMedia. As a result the following example files can be fully accessed:
ads oasis_mysql_insertdb.sql
bcrypt oasis_mysql_insertdb.sql.template
Classes oasis_mysql_insertuser.sql
ConvertNotification.ini oasis_mysql_insertuser.sql.template
hash.txt oasis_mysql_testdb.sql
index.html oasis_mysql_testdb.sql.template
ini oasis_mysql_uninstalldb.sql
install.sh oasis_mysql_uninstalldb.sql.template
libstdc++.so.2.10 oasis_mysql_uninstallOAS.sql
license.txt oasis_mysql_uninstallOAS.sql.template
license.txt.bfe oasis_params.cfg
oasis_apache.layout oasis_path_substitution.sh
oasis.cfgoasis_ReportFormat.awk
oasis_cfg_apache.sh oasis_ReportFormat_mapping.5.1.1
Security Advisory | CVE 2010--1582 | 24/7 Real Media’s Open AdStream v.5.7
2
Conviso IT Security
oasis_cfg_cron.sh oasis_ReportFormat_mapping.5.1.2
oasis_cfg_distrib.sh oasis.sh
oasis_cfg_mysql.sh oasis_upgrade_apache.cfg
oasis_cfg_ns.sh oasis_upgrade_de.sh
oasis_copysofiles.sh oasis_upgrade_ns.cfg
oasis_errorlog.sh oasis_upgrade_ns.sh
oasis_example.cfg oasis_util.sh
oasis_find_apache.sh oasis_validate_config.sh
oasis_finish_upgrade.sh oasis_wsusr_apache.cron
oasis_install.ini oasis_wsusr_bean.cron
oasis_install_oas.sh oasis_wsusr_bean.cron.template
oasis.log oasis_wsusr_nightly.cron
oasis_mysql_createdb.sql oasis_wsusr_nightly.cron.template
oasis_mysql_createdb.sql.template
The database server location as well as access credentials of administrative accounts can be found within the files
oasis_mysql_insertuser.sql and oasis_params.cfg. With this information, an attacker could gain access to the
database and perform any malicious activity. Other files such as oasis_install.ini and install.sh discloses the
directory organization of Open AdStream server, which could be useful in combination with another attack.
Other problem we found is related to the old versions of Apache HTTP server and MySQL that must be installed to
use the affected software.
Apache Foundation released the final release of version 1.3 of the Apache HTTP Server on February 3rd 2010,
stating that no more full releases will be produced, although critical security updates may be made available as
described on their mailing lists archives at http://mail-archives.apache.org/mod_mbox/httpd-announce/
201002.mbox/%3C20100203000334.GA19021@infiltrator.stdlib.net%3E. They recommend that users update to
the current 2.2 version.
5. Issue Mitigation
The permission of the directory RealMedia should be changed in order to deny access to the configuration files.
6. Additional Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-1582 to this issue.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security
problems.
Security Advisory | CVE 2010--1582 | 24/7 Real Media’s Open AdStream v.5.7
3
Conviso IT Security
Conviso IT Security calculated the scores of this vulnerability using the online CVSS calculator found at http://
www.patchadvisor.com/PatchAdvisor/CVSSCalculator.aspx and described at http://www.first.org/cvss/cvss-
guide.pdf.
Security Advisory | CVE 2010--1582 | 24/7 Real Media’s Open AdStream v.5.7
4
Conviso IT Security
Issue History
Date Comments
18-Jan-10 Technical report describing the vulnerability produced and delivered to affected customer
18-Jan-10 24/7 Real Media Brazil notified by the Conviso IT Security’s affected customer
19-Jan-10 Issue mitigation proposed by affected customer to 24/7 Real Media Brazil
10-Mar-10 24/7 Real Media Brazil notified by Conviso IT Security about the Security Advisory publishing date
05-May-10 Security Advisory published on Conviso IT Security web site and relevant discussion lists and
forums on the Internet.
Security Advisory | CVE 2010--1582 | 24/7 Real Media’s Open AdStream v.5.7 5