Kian Posted June 27, 2022

Hi guys, I just spotted a critical and dangerous vulnerability in a third-party component of WHMCS. I would like to share info, but the thing is that as soon as I reveal details, all lamers will start exploiting it. I'm pretty sure that no one other than me and my clients knows anything about it. Let me give you a bit of context:

- I underline that this is NOT caused by WHMCS but by a widely used third-party component
- When I say "critical" I mean that you can lose real money and cause enormous legal troubles
- The issue was already reported by me a month ago to the developer in question, but there is no fix so far
- Only a few minutes ago I discovered how it can be exploited to cause harm
- I have already shared updated details with the developer in question. They are checking it
- The fix is pretty easy. It takes a few seconds. I just finished securing a dozen of my clients

I think I'll stay quiet for now so that the developer can do his job, but the fix will require providers to perform an update. We all know most people ignore software updates unless there is a security issue. So what if the developer refuses to admit the issue? Should I post something here or tell the story to people like @WHMCS John @WHMCS ChrisD so that I can go back to my business?

p.s. As soon as the update is available, I'll post here without mentioning the name of the module... this way you simply need to update all modules you have 🤣

Edit: I sent a DM to John to make sure WHMCS is not affected. I'm 99% sure that it is all right, but I can't see encrypted files (have no time to decrypt them) so let's wait 🤞

Edited June 27, 2022 by Kian
yggdrasil Posted June 28, 2022

I would refrain from posting any exploit in a public community. Even if a patch is made, not everyone will patch their installations. If WHMCS already has the information, that is more than enough for them to fix the issue.
WHMCS John (WHMCS Support Manager) Posted June 28, 2022

Hi @Kian,

We welcome and reward responsible disclosure of potential security concerns via our Security Bounty Program: https://www.whmcs.com/security-bounty-program/

I'd encourage you to submit the details via Bugcrowd, so it can be validated and any appropriate action taken.
Kian (Author) Posted June 28, 2022

John edited the title of this post, so now everyone knows the name of the module in question. Balls of steel 😱😁

8 hours ago, WHMCS John said:
> I'd encourage you to submit the details via Bugcrowd, so it can be validated and any appropriate action taken.

I'll do it, but I suspect that WHMCS is not affected by this issue. Anyway, I'll send you all details including the super-easy fix via DM and Bugcrowd so that you can take a look. I will not say anything here to avoid having people exploit the bug.
bear Posted June 28, 2022

The risk he's taking is something we all get to share. Good times. 😉

Quick question, and hopefully it can be answered: can it be exploited without being enabled, or only if it's active?
Kian (Author) Posted June 28, 2022

Yes, it must be enabled and configured.
Kian (Author) Posted June 29, 2022

IBS released an update that fixes the issue. Download it asap! Trust me 😱
Kian (Author) Posted June 29, 2022

There is another problem. Not only do we have/had the exploit, but as far as I can see their module even failed at renewing domains. I am seeing clients realizing they never renewed any domain during the last 40 or more days, even though WHMCS performed renewals as normal and invoices were paid.

That said, I highly suggest you double-check manually that all renewals that occurred during the last 3 months were successful. I say 3 months because the IBS module doesn't come with versioning, so I can't tell the exact date starting from which we had this mess. For sure more than 40 days, but it can be more!

Edited June 29, 2022 by Kian
Kian (Author) Posted June 29, 2022

-- Paid invoice items of domain type (renewal, registration, transfer) since
-- 2022-03-01, joined to the domain record and the invoice they belong to.
SELECT t3.date, t3.invoicenum, t2.domain, t3.status
FROM tblinvoiceitems AS t1
LEFT JOIN tbldomains AS t2 ON t1.relid = t2.id
LEFT JOIN tblinvoices AS t3 ON t1.invoiceid = t3.id
WHERE t1.type IN ('Domain', 'DomainRegister', 'DomainTransfer')
  AND t3.status = 'Paid'
  AND t3.date >= '2022-03-01'
ORDER BY t3.date DESC;

I personally finished checking tens of thousands of domains on several systems using this query. It selects all domains that have been renewed, registered and transferred starting from 2022-03-01. This date should be safe to use. In fact I think the faulty version of IBS was released 40 days ago.

You need to get all the returned domains and check them in bulk on internetbs.net. I spent hours trying to understand how to identify potential issues, but I wasn't able to do that, so I focused on all domains with expiration date set in 2022 and checked them manually one by one 😩 Sorting them by expiration date DESC was very helpful. Sadly I found several domains that haven't been renewed even though end-users paid invoices and WHMCS performed renewals. At least there were fewer cases than I expected.

Special note for .it domains. Unlike other TLDs where you explicitly need to send a "Renew Domain" command, .it domains get automatically renewed. To avoid renewing domains that haven't been paid, IBS automatically sends a "Delete Domain" command, usually 14 days after expiration. This way NicIT (IT Registry) doesn't renew them automatically. With all this mess I am still figuring out what happened to .it domains. Maybe nothing, or maybe IBS allowed NicIT to renew them even though they haven't been paid by customers.

In conclusion, you should update the IBS module asap and perform the check I just described, but there is a twist. You should do that only if you were running this buggy version of IBS. The problem is that the only way for me to explain how to determine if your IBS module is good or bad is to describe the exploit 🥶

Okay, enough drama for me today. See you 🕳️
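The post above ends with "get all the returned domains and check them in bulk on internetbs.net". The following is an added example, not code from Kian's post, from WHMCS or from the IBS module, of how that reconciliation can be scripted once you have a registrar-side list of expiry dates: it extends the forum query with the registrar and the expiry date WHMCS recorded (the `tbldomains.registrar` and `tbldomains.expirydate` columns, and the registrar identifier `internetbs`, are assumptions about your schema and should be verified), then compares each paid renewal against what the registrar reports. A domain whose registrar expiry is still earlier than the WHMCS expiry was not actually renewed; a domain missing from the export needs a manual look; and .it domains are flagged for review regardless, because the registry auto-renewal described in the post means a matching expiry does not prove the paid renewal was honoured. All rows and the registrar export are constructed sample data.

```python
"""Reconcile WHMCS-side paid domain renewals against a registrar export.

Added example for the thread above; assumptions are marked inline.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Extended form of the query in the post: same selection of paid domain invoice
# items, plus the registrar and the expiry date WHMCS believes the domain has.
# ASSUMPTION: tbldomains.registrar / tbldomains.expirydate exist with these names.
QUERY = """
SELECT t3.date, t3.invoicenum, t2.domain, t2.registrar, t2.expirydate
FROM tblinvoiceitems AS t1
LEFT JOIN tbldomains AS t2 ON t1.relid = t2.id
LEFT JOIN tblinvoices AS t3 ON t1.invoiceid = t3.id
WHERE t1.type IN ('Domain', 'DomainRegister', 'DomainTransfer')
  AND t3.status = 'Paid'
  AND t3.date >= '2022-03-01'
ORDER BY t3.date DESC
"""


@dataclass(frozen=True)
class PaidDomainRow:
    invoice_date: date
    invoicenum: str
    domain: str
    registrar: str
    whmcs_expiry: date  # expiry WHMCS stored after it "performed" the renewal


# Constructed sample of what QUERY would return (not real customer data).
WHMCS_ROWS = [
    PaidDomainRow(date(2022, 6, 1), "1001", "example-one.com", "internetbs", date(2023, 6, 15)),
    PaidDomainRow(date(2022, 5, 20), "1002", "example-two.net", "internetbs", date(2023, 5, 30)),
    PaidDomainRow(date(2022, 5, 5), "1003", "example-three.org", "internetbs", date(2023, 5, 10)),
    PaidDomainRow(date(2022, 6, 10), "1004", "esempio.it", "internetbs", date(2023, 6, 20)),
    PaidDomainRow(date(2022, 4, 2), "1005", "other-registrar.com", "enom", date(2023, 4, 10)),
]

# Constructed registrar-side export: domain -> expiry date the registrar reports.
# ASSUMPTION: you can obtain such a list (e.g. a domain list export) from the
# registrar panel; the format you get will need its own loader.
REGISTRAR_EXPIRY = {
    "example-one.com": date(2023, 6, 15),   # renewal really happened
    "example-two.net": date(2022, 5, 30),   # still at the old expiry: not renewed
    # example-three.org is absent on purpose: not found at the registrar
    "esempio.it": date(2023, 6, 20),        # looks renewed, but .it auto-renews
}


def reconcile(rows, registrar_expiry, registrar="internetbs", tolerance_days=0):
    """Return (domain, kind, detail) findings for rows handled by `registrar`.

    kind is one of:
      "missing"      - domain not present in the registrar export
      "not_renewed"  - registrar expiry earlier than the WHMCS expiry
      "review"       - .it domain: registry auto-renewal can mask the real state
    `tolerance_days` absorbs small date skew between the two systems.
    """
    findings = []
    for row in rows:
        if row.registrar != registrar:
            continue  # only the registrar module under suspicion is checked
        reg = registrar_expiry.get(row.domain)
        if reg is None:
            findings.append((row.domain, "missing", "not in registrar export"))
        elif reg + timedelta(days=tolerance_days) < row.whmcs_expiry:
            findings.append((row.domain, "not_renewed",
                             f"registrar expiry {reg} < WHMCS expiry {row.whmcs_expiry}"))
        elif row.domain.endswith(".it"):
            findings.append((row.domain, "review",
                             "registry auto-renews .it; confirm whether a delete was sent"))
    return findings


if __name__ == "__main__":
    for domain, kind, detail in reconcile(WHMCS_ROWS, REGISTRAR_EXPIRY):
        print(f"{kind:12} {domain:24} {detail}")
```

Run the `QUERY` against your WHMCS database, load the rows into `PaidDomainRow` objects, load the registrar's domain list into a `domain -> expiry` dict, and pass both to `reconcile`; anything it returns is a domain to fix by hand, which is the manual check the post recommends.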
WHMCS John (WHMCS Support Manager) Posted June 30, 2022

Hi all,

I feel it's worth noting that the scope of WHMCS technical support and our Responsible Disclosure program apply to the software distributed via whmcs.com. At this point we do not have reason to believe the referenced issue relates to the InternetBS module distributed by WHMCS.

I'd advise due diligence when using modules and code from other sources.