Who doesn't love pie? Add in vulnerability classes and it is a smorgasbord of epic awesome. I have finished looking through Carberp's C&C web tools and control panels, then fed my automation's findings into a Google pie chart. If you are waiting for additional 0days: in the following posts I will dig into each OWASP Top 10 (2013) class. In the meantime, below is a nifty pie chart.
Simple code metrics:
- 600 files
- 27,121 lines of code
- 0.038199 defect density
- 1 critical vulnerability per 114 lines of code
- 1 high vulnerability per 1520 lines of code
- 1 medium vulnerability per 294 lines of code
- 1 low vulnerability per 51 lines of code
- 18 high-risk cyclomatic complexity findings
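For readers who want to reproduce the numbers above from their own scanner output, here is an added example (my illustration, not the author's automation) that turns a findings list into the defect density, the "1 vulnerability per N lines" rates, and the row shape Google Charts' arrayToDataTable() takes for a pie chart. The findings, file names and category labels are constructed; only the 27,121 line count comes from the post.

```python
"""Added example: static-analysis findings -> the post's metrics and a
Google Charts pie. Findings below are constructed, not scanner output."""
import json
from collections import Counter

LINES_OF_CODE = 27_121  # the post's figure for the panel code base

# Constructed findings: (file, severity, OWASP Top 10 2013 category)
FINDINGS = [
    ("admin/cmd.php", "critical", "A1 Injection"),
    ("admin/cmd.php", "critical", "A1 Injection"),
    ("bots/task.php", "critical", "A1 Injection"),
    ("login.php", "high", "A2 Broken Authentication"),
    ("stats/view.php", "medium", "A3 Cross-Site Scripting"),
    ("stats/view.php", "medium", "A3 Cross-Site Scripting"),
    ("lib/jquery.js", "medium", "A9 Known Vulnerable Components"),
    ("login.php", "low", "A6 Sensitive Data Exposure"),
    ("stats/view.php", "low", "A3 Cross-Site Scripting"),
]


def defect_density(findings, loc):
    """Findings per line of code: the 'defect density' figure in the post."""
    return len(findings) / loc


def lines_per_finding(findings, loc):
    """'1 <severity> vulnerability per N lines of code', per severity.
    Integer division, so N is a floor: at least N lines per finding."""
    counts = Counter(sev for _, sev, _ in findings)
    return {sev: loc // n for sev, n in counts.items()}


def pie_rows(findings):
    """Header row plus one [label, count] row per category, sorted by label:
    the shape google.visualization.arrayToDataTable() accepts."""
    counts = Counter(cat for _, _, cat in findings)
    return [["Category", "Findings"]] + sorted([cat, n] for cat, n in counts.items())


def pie_chart_html(findings):
    """Minimal page that loads the Google Charts loader and draws the pie."""
    rows = json.dumps(pie_rows(findings))
    return f"""<html><head>
<script src="https://www.gstatic.com/charts/loader.js"></script>
<script>
google.charts.load('current', {{packages: ['corechart']}});
google.charts.setOnLoadCallback(function () {{
  var data = google.visualization.arrayToDataTable({rows});
  new google.visualization.PieChart(document.getElementById('pie'))
      .draw(data, {{title: 'Findings by OWASP Top 10 (2013) class'}});
}});
</script></head><body><div id="pie" style="width:700px;height:450px"></div></body></html>"""


if __name__ == "__main__":
    print(f"defect density {defect_density(FINDINGS, LINES_OF_CODE):.6f}")
    for sev, n in lines_per_finding(FINDINGS, LINES_OF_CODE).items():
        print(f"1 {sev} vulnerability per {n} lines of code")
    with open("pie.html", "w") as fh:
        fh.write(pie_chart_html(FINDINGS))
```

Run it and open pie.html in a browser; swap FINDINGS for your scanner's export to get the same view of a different code base.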
From these numbers, the project's priorities are glaring:
- Features and functions.
- Uptime
- Performance
- Usability
- Maintainability
- Security
That does not match typical secure-development priorities well:
- Security
- Compliance
- Uptime
- Performance
- Features and Functions
- Usability / maintainability
Let the security vs. usability vs. business arguments commence. I shall grab a glass of water. Ok, done? Let's look at the largest slices of the pie.
The panel uses outdated third-party UI frameworks. Heck, an exploit of mine for a jQuery bug the vendor patched last year still works against it.
It isn't terribly surprising to see a significant number of command injection vulnerabilities. Typically a panel is installed on a compromised web host and administered quick and dirty until the hosting provider is notified by law enforcement, so why bother hiding, sanitizing or validating command parameters? Write more features, less secure code.
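To make the "validate command parameters" point concrete, here is an added example (mine, not code from the panel) of the pattern a scanner flags beside the hardened form. The hypothetical parameter is a host name an operator types into a panel form; the vulnerable function only builds the shell string so you can see how a stray metacharacter becomes a second command, and the demonstration runner uses echo in place of the real tool so it is side-effect free.

```python
"""Added example: one unvalidated command parameter, handled two ways.
Names and the host-name allow-list are assumptions for illustration."""
import re
import subprocess

# Allow-list for the hypothetical parameter: host-name characters only,
# so whitespace and shell metacharacters are rejected before any command runs.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def vulnerable_command(host):
    """Panel-style: the raw parameter is interpolated into a shell command
    line (returned here, deliberately not executed). With shell=True the
    shell would treat ';', '|', '&&' and friends as command separators."""
    return f"ping -c 1 {host}"


def validate_host(host):
    """Reject anything outside the allow-list; return the value unchanged."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected parameter: {host!r}")
    return host


def safe_argv(host):
    """Argument vector for subprocess with no shell involved: the parameter
    is one argv entry, so metacharacters are just bytes in a string."""
    return ["ping", "-c", "1", validate_host(host)]


def run_echo(host):
    """Demonstration runner: echo stands in for the real tool. Returns what
    the child process received as its single argument."""
    argv = ["echo", validate_host(host)]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.strip()


if __name__ == "__main__":
    tainted = "10.0.0.1; id"
    print("shell string the panel would run:", vulnerable_command(tainted))
    try:
        safe_argv(tainted)
    except ValueError as err:
        print("hardened form:", err)
    print("argv for a valid value:", safe_argv("bot-01.example"))
```

The two defences are independent: the allow-list stops bad values at the boundary, and passing a list without shell=True means that even a value the regex let through could not start a second command.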
Cross-site scripting galore: everything from persistent to reflected to a plain lack of input validation. More on this in a later post.
Other than storing passwords as MD5 hashes, there is no attempt to handle credentials securely: no secure buckets, credential splitting, kernel rootkits, or other two-party-plus system schemes to protect credentials in transit and at rest.
Enjoy your pie.