lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20060312142256.02709B0FA5@ws4-4.us4.outblaze.com>
Date: Sun, 12 Mar 2006 22:22:55 +0800
From: "dong-hun you" <xploit@...kermail.com>
To: bugtraq@...urityfocus.com
Subject: [INetCop Security Advisory] zeroboard IP session bypass XSS
 vulnerability




	========================================
	INetCop Security Advisory #2006-0x82-029
	========================================


* Title: zeroboard IP session bypass XSS vulnerability


0x01. Description


Zeroboard is a popular web notice board used in Korea.

INetCop Security found XSS vulnerability in the latest zeroboard version 4.1 pl 7 (2005. 4. 4).
Basically, zeroboard uses the following algorithm so that session may not be abused
by the attack related with cookie. (e.g: cookie spoofing, sniffing)

After login, is part that handle session: --

bbs/login_check.php:
...
    24  // ȸ¿ø·Î±×ÀÎÀÌ ¼º°øÇÏ¿´À» °æ¿ì ¼¼¼ÇÀ» »ý¼ºÇÏ°í ÆäÀÌÁö¸¦ À̵¿ÇÔ
    25          if($member_data[no]) {
    26
    27                  if($auto_login) {
    28                          makeZBSessionID($member_data[no]);
    29                  }
    30
    31                  // 4.0x ¿ë ¼¼¼Ç ó¸®
    32                  $zb_logged_no = $member_data[no];
    33                  $zb_logged_time = time();
    34                  $zb_logged_ip = $REMOTE_ADDR; <--- Recording IP address
    35                  $zb_last_connect_check = '0';
    36
    37                  session_register("zb_logged_no");
    38                  session_register("zb_logged_time");
    39                  session_register("zb_logged_ip");
    40                  session_register("zb_last_connect_check");
    41
--

If IP address is different from present session user's, connection terminates: --

bbs/lib.php:

    94                  // ¼¼¼Ç °ªÀ» üũÇÏ¿© ·Î±×ÀÎÀ» ó¸®
    95                  } elseif($HTTP_SESSION_VARS["zb_logged_no"]) {
    96
    97                          // ·Î±×ÀÎ ½Ã°£ÀÌ ÁöÁ¤µÈ ½Ã°£À» ³Ñ¾ú°Å³ª ·Î±×ÀÎ
¾ÆÀÌÇÇ°¡ ÇöÀç »ç¿ëÀÚÀÇ ¾ÆÀÌÇÇ¿Í ´Ù¸¦ °æ¿ì ·Î±×¾Æ¿ô ½ÃÅ´
    98                          if(time()-$HTTP_SESSION_VARS["zb_logged_time"]>
$_zbDefaultSetup["login_time"]||$HTTP_SESSION_VARS["zb_logged_ip"]!=$REMOTE_ADDR)
 {
    99
   100                                  $zb_logged_no=""; // session initialization
   101                                  $zb_logged_time="";
   102                                  $zb_logged_ip="";
   103                                  session_register("zb_logged_no");
   104                                  session_register("zb_logged_ip");
   105                                  session_register("zb_logged_time");
   106                                  session_destroy();
   107
   108                          // À¯È¿ÇÒ °æ¿ì ·Î±×ÀÎ ½Ã°£À» ´Ù½Ã ¼³Á¤
   109                          } else {
--


This seems to be intercepting cookie hacking.
But, if we take advantage of IP session disablement technique, session bypassing may be possible.
Detailed explanation about the way to exploit this vulnerability is found at the following reference.

URL: http://x82.inetcop.org/h0me/papers/iframe_tag_exploit.txt (Korean)

As a result, hacker through administrator's web browser exploit code workably become.


--


0x02. Vulnerable Packages


Vendor site: http://www.nzeo.com/

Low versions including Zeroboard 4.1 pl 7 (2005. 4. 4) version.
-zb41pl7.tar.Z 

Disclosure Timeline:
2003-04.??: Vulnerabilities found.
2006-02.17: 1st vendor contact. (didn't respond)
2006-02.22: 2nd vendor contact. (didn't respond)
2006-02.25: Vendor responded, patch released.
2006-03.12: Public disclosure.


0x03. Exploit


We have 2 `Proof-of-Concept' exploit about this vulnerability.

This XSS vulnerability happens in memo box title and user email, homepage information input.
When administrator logins and checks a user information page, attack code can be achieved,
and there is another way, which injects an attack code in memo title.
After exploit, an attacker can inject PHP code through an administrator web page function.
Through this PHP code injection, the attacker(normal user) can change the password of
administrator, and take administrator's privilege

To prevent the abuse of this vulnerabilty, INetCop Security will not publish POC code.


0x04. Patch


INetCop Security released temporary patch:
INetCop Security Patch URL: http://inetcop.net/upfiles/Zeroboard-4.1_pl7_patch.tgz

And vendor's patch after INetCop Security advisory:
Vendor Patch URL: http://www.nzeo.com/bbs/zboard.php?id=cgi_bugreport2&no=5406

--
Thank you.

P.S: I give thanks to Securityproof that suffer translation.
Korean Advisory URL: http://www.inetcop.org/upfiles/33INCSA.2006-0x82-029-zeroboard.pdf


--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org
             My World: http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--




-- 
_______________________________________________
Get your free email from http://www.hackermail.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ