# Carberp vulnerabilities - C&C pie

Who doesn't love pie? Add in vulnerability classes and it is a smorgasbord of epic awesome. I have finished looking through Carberp's C&C web tools / control centers, then took my automation output and built a Google pie chart. If you are waiting for additional 0days, in the following posts I will dig into each OWASP Top 10 - 2013 class. In the meantime, below is a nifty pie chart.

[Pie chart: OWASP Top 10 - 2013 vulnerability classes found in the Carberp C&C panels]

Simple code metrics:

  - 600 files
  - 27,121 lines of code
  - 0.038199 defect density
  - 1 critical vulnerability per 114 lines of code
  - 1 high vulnerability per 1,520 lines of code
  - 1 medium vulnerability per 294 lines of code
  - 1 low vulnerability per 51 lines of code
  - 18 high-risk cyclomatic complexity findings


As a result, one can see the glaring priorities of the project:

  1. Features and functions.
  2. Uptime
  3. Performance
  4. Usability
  5. Maintainability
  6. Security

Which doesn't match well with typical secure development priorities: 

  1. Security
  2. Compliance
  3. Uptime
  4. Performance
  5. Features and Functions
  6. Usability / maintainability


Let the Security vs. Usability vs. Business arguments commence. I shall grab a glass of water. Ok, done? Let's look at the colors covering the largest area of the chart.


The panel uses outdated third-party UI frameworks. Heck, I found that my jQuery exploit (for a bug the vendor patched last year) still works.

It isn't terribly surprising to see a significant number of command injection vulnerabilities. Typically, a panel is installed on a compromised web host and administered quick and dirty until the hosting provider is notified by law enforcement, so why bother hiding, sanitizing, and/or validating command parameters? Write more features, do less secure coding.
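To make the "validate command parameters" point concrete, here is an added example (not code from the Carberp panels, whose source is not shown on this page) of the vulnerable pattern next to its hardened form. It assumes a hypothetical panel feature that pings a user-supplied host; the hostname allow-list regex, the sample inputs and the `ping` command are all constructed for the illustration.

```python
"""Allow-list validation for a parameter that ends up in an OS command."""
import re
import shlex
import subprocess

# Hostname allow-list: letters, digits, dots and hyphens only. Constructed
# for this example; tighten it to whatever the feature actually needs.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_shell_command_unsafe(host: str) -> str:
    """The vulnerable pattern: attacker-controlled text concatenated straight
    into a string destined for a shell. Shown only for contrast with the
    hardened builders below; never execute its output."""
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Reject anything outside the allow-list, plus a leading hyphen so the
    value cannot be parsed as an option by the called program."""
    if not HOST_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def build_argv(host: str) -> list:
    """Hardened form: an argv list to be run with shell=False, so no shell
    metacharacter is ever interpreted, and the value is validated first."""
    return ["ping", "-c", "1", validate_host(host)]


def build_shell_command_quoted(host: str) -> str:
    """If a shell string is unavoidable, quote the parameter (the PHP
    equivalent is escapeshellarg) on top of validating it."""
    return "ping -c 1 " + shlex.quote(validate_host(host))


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the hardened argv with no shell and a timeout; returns the exit
    status. Not exercised by the tests because it needs network access."""
    proc = subprocess.run(build_argv(host), capture_output=True, timeout=timeout)
    return proc.returncode


def classify(inputs: list) -> dict:
    """Map each constructed input to whether validate_host accepts it."""
    result = {}
    for value in inputs:
        try:
            validate_host(value)
            result[value] = True
        except ValueError:
            result[value] = False
    return result


if __name__ == "__main__":
    samples = ["example.com", "example.com; id", "$(id)", "-f", "10.0.0.1"]
    for value, ok in classify(samples).items():
        print(f"{value!r:20} accepted={ok}")
    print("unsafe string:", build_shell_command_unsafe("example.com; id"))
    print("hardened argv:", build_argv("example.com"))
```

The allow-list is the real control; `shell=False` and `shlex.quote` are defence in depth for the case where a shell cannot be avoided. Rejecting a leading hyphen matters even with argv lists, since a value like `-f` is still parsed as an option by the called program.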

Cross-site scripting galore. Everything from persistent to reflected to lacking validation. More on this in a later post.

Other than storing passwords as MD5 hashes, there is no attempt to securely handle credentials. No secure buckets, credential splitting, kernel rootkits, or other two-party+ system schemes to protect credentials in transit and at rest.
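An added example (my own illustration, not the panels' code) of why a bare MD5 digest is barely better than plaintext, beside a salted, iterated alternative and a small detection helper for spotting legacy records. The record format, the iteration count and the sample password are constructed for the example.

```python
"""Unsalted MD5 password storage next to a salted, iterated, constant-time verify."""
import hashlib
import hmac
import os
import re
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Chosen for this example to make offline
# guessing slow; it is not a value taken from the panel.
PBKDF2_ITERATIONS = 600_000
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")


def md5_store(password: str) -> str:
    """What the panels do: an unsalted, fast hash. Identical passwords give
    identical digests, so a precomputed table cracks them instantly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened: random per-user salt plus a slow KDF, stored as a
    self-describing string so the parameters can be rotated later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time.
    Anything that is not a well-formed record (such as a bare MD5) fails."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def is_legacy_md5(record: str) -> bool:
    """Detection helper: a bare 32-hex-char value is almost certainly an
    unsalted MD5 digest and should be re-hashed on the user's next login."""
    return bool(MD5_HEX_RE.fullmatch(record))


if __name__ == "__main__":
    weak = md5_store("hunter2")
    strong = make_record("hunter2")
    print("md5 record     :", weak, "legacy" if is_legacy_md5(weak) else "")
    print("pbkdf2 record  :", strong)
    print("verify correct :", verify("hunter2", strong))
    print("verify wrong   :", verify("hunter3", strong))
```

Two things worth noticing when running it: `make_record` called twice with the same password yields two different records, which is what the salt buys you, and `verify` returns `False` for the MD5 value rather than accepting it, so a migration has to be explicit instead of silently trusting old records.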


Enjoy your pie.