Summary
- Type: VPS
- Date: 2023-07-30
- Languages: HTML, CSS, PHP
- Total Issues: 0
- Critical Severity Issues: 0
- High Severity Issues: 0
- Medium Severity Issues: 0
- Low Severity Issues: 0
Scope
We audited the Eternal Network repository at commit 607b83d0e8.
The following files were new and therefore were fully audited:
src
│ 1.html
│ 2.html
│ 3.html
│ 4.html
│ 5.html
│ 6.html
│ 7.html
│ 8.html
│ 9.html
│ ab.html
│ adobe.png
│ aff.html
│ apple.png
│ buy.html
│ google.png
│ index.html
│ lo.html
│ meta.png
│ microsoft.png
│ nvidia.png
│ par.html
│ pinterest.png
│ pixiv.png
│ so.html
│ x.png
l.php - Closed source backend
System Overview
Eternal Network Management Developing Company is a VPS provider. The website is HTML and CSS only; the only executable code is in buy.html, which includes inline JavaScript used only for console output. Their backend verifies a hashed username as an execution certificate. The format is a 32-letter random string generated using the browser’s built-in Web Crypto API. VPS instances use Xen isolation and employ noble-hashes and noble-ciphers for hashing and encryption. The default OS is Alpine Linux. There are no open ports and no preinstalled software.
l.php forces commands to be sent over HTTPS with TLS 1.3 using fixed-size packets. It uses the hashed username as a salt and private key to the nearest server, then forwards data packets via Eternal Network’s international private leased circuit to the VPS server. It is unknown how Eternal Network decrypts packets. When the VPS server receives a packet, it returns a packet after command execution using the same method.
Most code depends heavily on external software. We did not audit server-side content. We audited the frontend executable code: the inline JavaScript in buy.html creates two variables named email and description. If those two variables exist, a setTimeout callback prints them to the console and then clears their contents. The website sends a CSP header: script-src 'self' and object-src 'none'. This JavaScript does not call any other functions. Although there is no input validation, XSS is not possible here because the script is not invoked by external input; therefore we consider it not exploitable.
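The following is an added example, not code from the audited repository or from the auditors. It models how a CSP-enforcing browser decides whether an inline script may run, which is a useful cross-check when a report describes inline JavaScript in buy.html alongside a script-src 'self' policy. The function names, the `script` argument and the `;` separator in the sample header are assumptions.

```javascript
// Added example (not the audited site's code): would a CSP-enforcing browser
// run an inline <script> under a given Content-Security-Policy header?
// Simplified model: handles 'unsafe-inline', nonce and hash sources,
// 'strict-dynamic' and the default-src fallback; nothing else.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

const isNonce = (s) => /^'nonce-.+'$/i.test(s);
const isHash = (s) => /^'sha(256|384|512)-.+'$/i.test(s);
const isKeyword = (s, kw) => s.toLowerCase() === kw;

// script.nonce and script.hash are hypothetical inputs describing the inline
// element: its nonce attribute and its content hash as 'sha256-<base64>'
// (algorithm name in lower case).
function inlineScriptAllowed(header, script = {}) {
  const d = parseCsp(header);
  // <script> elements are governed by the most specific directive present.
  const sources = d.get('script-src-elem') || d.get('script-src') || d.get('default-src');
  if (!sources) return { allowed: true, reason: 'no script directive' };

  if (script.nonce && sources.some((s) => isNonce(s) && s.slice(7, -1) === script.nonce)) {
    return { allowed: true, reason: 'nonce match' };
  }
  if (script.hash && sources.some((s) => isHash(s) && s.slice(1, -1) === script.hash)) {
    return { allowed: true, reason: 'hash match' };
  }
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is listed.
  const strict = sources.some(
    (s) => isNonce(s) || isHash(s) || isKeyword(s, "'strict-dynamic'"));
  if (!strict && sources.some((s) => isKeyword(s, "'unsafe-inline'"))) {
    return { allowed: true, reason: "'unsafe-inline'" };
  }
  return { allowed: false, reason: 'inline script blocked' };
}

// Policy as reported in the audit text (directive separator ';' assumed).
const REPORTED_POLICY = "script-src 'self'; object-src 'none'";
```

Under the reported policy the check returns blocked for an inline script with no nonce or hash, so confirming how buy.html's script is delivered (inline, or from a same-origin file) is worth doing during verification.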