lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <47BC85A2.9060306@sektioneins.de>
Date: Wed, 20 Feb 2008 20:55:14 +0100
From: Stefan Esser <stefan.esser@...tioneins.de>
To: Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Advisory SE-2008-01: PunBB Blind Password
 Recovery Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                           SektionEins GmbH
                          www.sektioneins.de

                       -= Security  Advisory =-


      Advisory: PunBB Blind Password Recovery Vulnerability
  Release Date: 2008/02/20
Last Modified: 2008/02/20
        Author: Stefan Esser [stefan.esser[at]sektioneins.de]

   Application: PunBB <= 1.2.16
      Severity: Weak random numbers lead to a blind password recovery
                vulnerability that allows account takeover
          Risk: High
Vendor Status: Vendor has released PunBB 1.2.17 which fixes this issue
     Reference: http://www.sektioneins.de/advisories/SE-2008-01.txt


Overview:

    Quote from http://punbb.org/
    "PunBB is a fast and lightweight PHP-powered discussion board.
     It is released under the GNU General Public License. Its primary
     goals are to be faster, smaller and less graphically intensive as
     compared to other discussion boards. PunBB has fewer features
     than many other discussion boards, but is generally faster and
     outputs smaller, semantically correct XHTML-compliant pages."

    PunBB comes with a password reset feature that allows resetting a
    forgotten password. When a password reset is requested an email
    is sent to the user containing a new random password and an
    activation link that needs to be visited in order for the password
    change to become effective.

    Unfortunately it is possible due to several weak random numbers
    to determine the new random password and the activation link
    from the outside. This allows taking over any account on the
    forum including the administrator account.


Details:

    PunBB's password reset functionality uses internally mt_rand() to
    generate a new password and a new activation link that are both
    send to the user by email.

    Unfortunately PunBB initialises the mersenne twister random number
    generator on every request with a number between 0 and 1.000.000,
    depending on the current microsecond. This means there are only
    one million possible new passwords and new activation links. It
    would be possible to bruteforce this limited area, but the amount
    of time and traffic that would be required is huge.

    Because of this a better one shot solution was developed that
    allows to determine the new password and the new activation link
    from the result of the request that triggered the password reset.

    To understand how this is possible it is necessary to know that
    during the installation PunBB creates a "random" cookie seed that
    is used to store login data in the cookie during a visit. This
    cookie seed generation is not really random, because it is more
    or less the MD5 hash of the current timestamp. This means it is
    easily bruteforceable when the attacker has his own user account
    at the forum. He just needs to use his own login cookie and then
    check all seconds backwards from the date the admin account was
    created (see in memberlist).

    The second component required for the attack to work is PunBB's
    habit to return a cookie with a randomly generated password, when
    it receives a wrong login cookie. Because the cookie seed is known
    it can be used to check which one of the one million possible
    passwords was generated. By knowing the password we know the
    seed used in the call to mt_srand() which lets us predict all
    random numbers during the request.

    It should be obvious that using this attack on the request that
    triggers the password reset allows to blindly determine the new
    password and the new activation link in a few seconds. Both can
    then be used to takeover the attacked account.


Proof of Concept:

    SektionEins GmbH is not going to release a proof of concept
    exploit for this vulnerability.


Disclosure Timeline:

    15. February 2008 - Notified security@...bb.org
    19. February 2008 - PunBB developers released PunBB 1.2.17
    20. February 2008 - Public Disclosure


Recommendation:

    It is strongly recommended to upgrade to the latest version of
    PunBB which also fixes additional vulnerabilities reported by
    third parties.

    Grab your copy at:

    http://punbb.org/downloads.php


CVE Information:

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    not assigned a name to this vulnerability yet.


GPG-Key:

    http://www.sektioneins.de/sektioneins-signature-key.asc

    pub  1024D/48A1DB12 2007-10-04 SektionEins GmbH - Signature Key 
<info@...tioneins.de>
    Key fingerprint = 4462 A777 4237 E292 F52D  5AFE 7C9C C1AF 48A1 DB12


Copyright 2008 SektionEins GmbH. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHsBeQfJzBr0ih2xIRAqSPAKDp9oJQm3SrouI9fkkAq7fgtRpSrwCg4iOm
vc4jP+EeE3nDnfr43Ngbc5w=
=aJM7
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ