OpenX / Revive Adserver zero-day actively exploited in the wild

A zero-day vulnerability that allows attackers to gain back-end access to popular open-source advertising server OpenX Source has been discovered by Florian Sander, founder of the continuous checklist tool Checkpanel.

OpenX Source has recently been bought by a team led by Andrew Hill, one of the code’s original developers, who now operates the open source project under the name Revive Adserver.

“The vulnerability is already being exploited,” Sander said to Help Net Security, adding that he discovered it while investigating an intrusion in an ad server he is currently managing.

“I noticed the intrusion when I received a password reset request email, which I did not initiate,” he explained. “Upon closer inspection I discovered that my account had configured the server to append some arbitrary code after each banner. Since I did not do these changes myself, and the appended code was obviously shady (obfuscated JavaScript code), it was clear that the account had been compromised.”
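A way to check your own ad server for the symptom Sander describes (shady, obfuscated JavaScript appended to every banner), written here as an added example; it is not code from the article or from the OpenX/Revive projects. It scans the per-banner prepend/append HTML for common obfuscation markers. The rows are constructed, and the column names (bannerid, prepend, append) are an assumption about the banners table; in practice you would feed it rows exported from the ad server's database.

```python
import re

# Constructed sample rows standing in for the ad server's banners table.
# The column names (bannerid, prepend, append) are an assumption, not
# something stated in the article.
SAMPLE_BANNERS = [
    {"bannerid": 1, "prepend": "", "append": ""},
    # a plain tracking pixel: legitimate appended HTML
    {"bannerid": 2, "prepend": "",
     "append": '<img src="https://example.invalid/pixel.gif" width="1" height="1">'},
    # obfuscated script using eval(unescape("%xx...")) 
    {"bannerid": 3, "prepend": "",
     "append": '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"))</script>'},
    # script hiding strings behind \x escapes
    {"bannerid": 4, "append": "",
     "prepend": '<script>var _0x1a2b=["\\x66\\x72\\x6f\\x6d"];</script>'},
]

# Heuristic markers of injected/obfuscated JavaScript. Each entry is
# (compiled pattern, human-readable label).
SUSPICIOUS = [
    (re.compile(r"<script\b", re.I), "inline <script> tag"),
    (re.compile(r"\beval\s*\(", re.I), "eval()"),
    (re.compile(r"\bunescape\s*\(", re.I), "unescape()"),
    (re.compile(r"String\.fromCharCode", re.I), "String.fromCharCode"),
    (re.compile(r"document\.write", re.I), "document.write"),
    (re.compile(r"(?:%[0-9a-f]{2}){8,}", re.I), "long %xx escape run"),
    (re.compile(r"(?:\\x[0-9a-f]{2}){4,}", re.I), "long \\x escape run"),
]


def suspicious_markers(snippet):
    """Return the labels of every heuristic that matches one prepend/append value."""
    return [label for pattern, label in SUSPICIOUS if pattern.search(snippet or "")]


def scan_banners(rows):
    """Return {bannerid: [markers]} for rows whose prepend/append look injected.

    Rows with no markers are omitted, so an empty dict means nothing was flagged.
    """
    findings = {}
    for row in rows:
        markers = []
        for field in ("prepend", "append"):
            for marker in suspicious_markers(row.get(field, "")):
                markers.append(f"{field}: {marker}")
        if markers:
            findings[row["bannerid"]] = markers
    return findings


if __name__ == "__main__":
    for bannerid, markers in scan_banners(SAMPLE_BANNERS).items():
        print(f"banner {bannerid}: {', '.join(markers)}")
```

The heuristics are deliberately crude: a `<script>` tag in an append field is not always malicious, but on a server where you never configured one it is exactly the change Sander noticed, and a hit should prompt a look at the admin account's password-reset history and the rest of the account's recent changes.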

The vulnerability affects the current versions of OpenX Source (2.8.11) and Revive Adserver (3.0.1), and effectively makes the software vulnerable to SQL injection and all the dangers this type of attack brings with it.

When I asked if he knew how widespread the attacks are, Sander said he didn’t.

“Reports of compromised servers are common in OpenX’s forums, but people are often using way outdated versions so it is hard to tell if this or older vulnerabilities are responsible,” he said, adding that the attack has been used approximately three times on their servers since September.

“The goal of the attackers is usually to use the ad server to spread malicious code. Ad servers are a great target for this, since they are often in a position to inject code in multiple websites,” he explained. “It depends on the attacker what exactly the goal is, but it is common to spread browser exploits or replace ads by the attacker’s own ads to make a profit.”

Sander has notified the OpenX team of the problem, and has submitted a pull request with a fix for Revive Adserver. Apparently, the Revive team is already working on a new version that will plug the hole.

“Since Revive Adserver is the official successor to OpenX Source, I assume that there will not be an updated version of OpenX Source,” he opined.

Luckily, he has already created a set of patched files which fix the vulnerability in both OpenX Source 2.8.11 and Revive Adserver 3.0.1. I’m guessing they haven’t been extensively tested for stability yet, but if you are running OpenX Source you might consider trying the patch out.

Revive Adserver users can opt to wait for the team to issue an official fix, which will hopefully be soon.

All in all, it’s been a bad year for OpenX developers. First some serious vulnerabilities in the software were discovered in July, then in August came the news that OpenX.org was compromised and the OpenX download files were injected with a backdoor.
