Message-ID: <AANLkTikDCXJ4zA0eoke2TJgkmj_2ukaUc3B-p_jLTx7y@mail.gmail.com>
Date: Mon, 27 Dec 2010 07:49:57 -0700
From: Michael Brooks <firealwaysworks@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: OpenClassifieds 1.7.0.3 Exploit chain: captcha bypass->sqli(insert)->persistent xss on front page

Author: Michael Brooks (Rook)
Application: OpenClassifieds 1.7.0.3
Download: http://open-classifieds.com/download/
Exploit chain: captcha bypass -> sqli(insert) -> persistent xss on front page
If registration is required an extra link in the chain is added:
Exploit chain: blind sqli(select) -> captcha bypass -> sqli(insert) -> persistent xss on front page
Sites with SEO URLs enabled:
"powered by Open Classifieds" inurl:"publish-a-new-ad.htm"  (85,000 results)
or default URLs:
"powered by Open Classifieds" inurl:"item-new.php"  (16,500 results)
Total sites: ~100,000

CWE violations leveraged by this exploit:
CWE-256: Plaintext Storage of a Password
CWE-804: Guessable CAPTCHA (I asked that they create this CWE when I ran into a guy that works for Mitre.)
CWE-89: SQL Injection x2
CWE-79: Cross-site Scripting (Persistent)

I have always wanted to write a chained exploit with a captcha bypass, so I couldn't miss this opportunity. I spent a bit more effort on this exploit even though there aren't very many hits (around 100k starts to be worthwhile). Regardless, I dug into the application and pulled out the vulnerabilities needed to finish my masterpiece. Usually when I write a Remote Code Execution exploit for a web app you guys just deface the site or throw up drive-by attacks. So I figured persistent XSS on the front page is equally as valuable, especially with yet another IE 0-day in the wild. The chain is within the application itself. Process sandboxing like chroot/AppArmor/SELinux/Application-V (MS) doesn't come into play. It works regardless of the operating system or configuration (Suhosin, safe_mode, magic_quotes_gpc and register_globals don't come into play). I focused on the application's internal configurations that could break the exploitation process, in this case SEO friendly URLs and requiring an account before posting.

"This web application [OpenClassifieds] is developed to be fast, light, secure and SEO friendly."

Usually when I see that an application claims to be secure, they really don't know what the fuck they are doing. OpenClassifieds' security model is deeply flawed and as a result there are MANY vulnerabilities in this code base, which allowed me to string a few cool ones together to make an interesting exploit. OpenClassifieds is sanitizing everything on input using cG() and cP(); these functions are used to perform a mysql_real_escape_string() on all GET and POST variables. Most servers aren't using an exotic character set, so from a security standpoint this is exactly identical to magic_quotes_gpc. So I dusted off my usual magic_quotes_gpc auditing tricks: look for stripslashes(), base64_decode(), urldecode(), html_entity_decode(), lack of quote marks around variables in a query, etc. Sanitization must ALWAYS be done at the time of use; parametrized queries are a good example of this. It's impossible to account for all the ways a variable can be mangled once it enters a program, and if you sanitize input when it first enters the program there will be cases where it will become dangerous again. This isn't only a problem for SQLi, it's also a problem for XSS. I am inserting JS into the database, which isn't a vulnerability, but printing it is persistent XSS.

The blind sql injection is a bit strange. I can't use white space or commas, which is a pain. I had to rewrite my general purpose Blind SQLi class to accommodate. A binary search is used to greatly speed up the blind sqli attack (which I also used in my php-nuke exploit: http://www.exploit-db.com/exploits/12510/).

Special thanks to Reiners for this sqli filter evasion cheat sheet:
http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/

Here are some changes I had to make to my blind sql injection class:

"select substring('abc',1,1)"
  => "select substring('abc' from 1 for 1)"

"if(greatest(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)"
  => "case ".sprintf($question,"0+".$cur).">".$pos." when true then sleep(".$this->timeout.") end"

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerable captcha:
openclassifieds/includes/common.php line 291
function encode_str ($input){//converts the input into ASCII HTML entities, to obfuscate a bit
    $output = '';
    for ($i = 0; $i < strlen($input); $i++) {
         $output .= "&#".ord($input[$i]).';';
    }
    //$output = htmlspecialchars($output);//uncomment to escape special chars
    return $output;
}
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
function mathCaptcha(){//generates a captcha for the form
    $first_number=mt_rand(1, 94);//first operation number
    $second_number=mt_rand(1, 5);//second operation number

    $_SESSION["mathCaptcha"]=($first_number+$second_number);//operation result

    $operation=" <b>".encode_str($first_number." + ".$second_number)."</b>?";//operation encoded

    echo _("How much is")." ".$operation;
}
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerable persistent xss and sqli:
/content/item-new.php line 41
$ocdb->insert(TABLE_PREFIX."posts (idCategory,type,title,description,price,idLocation,place,name,email,phone,password,ip,hasImages)",
    "".cP("category").",".cP("type").",'$title','$desc',$price,$location,'".cP("place")."','".cP("name")."','$email','".cP("phone")."','$post_password','$client_ip',$hasImages");
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
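The "sanitize at the time of use" the author calls for above, applied to the item-new.php insert: an added example, not OpenClassifieds code, that binds every value with a prepared statement, validates the numeric columns the original interpolates unquoted, hashes the post password (CWE-256) and encodes the title at output time rather than on input. Column names are the advisory's; $pdo, the $in array keys and the $tablePrefix argument are assumptions.

```php
<?php
// Added example, not OpenClassifieds code: item-new.php's INSERT with a prepared
// statement, so values are bound at the moment of use instead of being escaped
// on entry. Column names follow the advisory; $pdo, $in keys and $tablePrefix
// are assumptions. TABLE_PREFIX is a config constant, so interpolating it is fine.
function insert_post(PDO $pdo, string $tablePrefix, array $in, string $clientIp): int
{
    // The original query drops $price, $location and $hasImages into the SQL
    // unquoted, where string escaping protects nothing; validate them as numbers.
    $category = filter_var($in['category'] ?? '', FILTER_VALIDATE_INT);
    $location = filter_var($in['location'] ?? '', FILTER_VALIDATE_INT);
    $price    = filter_var($in['price'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($category === false || $location === false || $price === false) {
        throw new InvalidArgumentException('numeric field failed validation');
    }

    $stmt = $pdo->prepare(
        "INSERT INTO {$tablePrefix}posts
           (idCategory, type, title, description, price, idLocation, place,
            name, email, phone, password, ip, hasImages)
         VALUES (:cat, :type, :title, :desc, :price, :loc, :place,
                 :name, :email, :phone, :pw, :ip, :img)"
    );
    $stmt->execute([
        ':cat'   => $category,
        ':type'  => (string)($in['type'] ?? ''),
        ':title' => (string)($in['title'] ?? ''),
        ':desc'  => (string)($in['description'] ?? ''),
        ':price' => $price,
        ':loc'   => $location,
        ':place' => (string)($in['place'] ?? ''),
        ':name'  => (string)($in['name'] ?? ''),
        ':email' => (string)($in['email'] ?? ''),
        ':phone' => (string)($in['phone'] ?? ''),
        // CWE-256: store a hash of the post password, not the password itself.
        ':pw'    => password_hash((string)($in['password'] ?? ''), PASSWORD_DEFAULT),
        ':ip'    => $clientIp,
        ':img'   => !empty($in['hasImages']) ? 1 : 0,
    ]);
    return (int)$pdo->lastInsertId();
}

// The persistent XSS is an output problem: encode the stored value when it is
// printed on the front page, whatever escaping happened when it was received.
function render_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```

Because the values travel as bound parameters, the stripslashes()/urldecode()/unquoted-variable audit tricks described above no longer find anything to exploit in this statement.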

Download attachment "openclass_exp.php" of type "application/x-httpd-php" (40414 bytes)
