lists.openwall.net - Open Source and information security mailing list archives
Date: Fri, 13 Dec 2013 13:19:23 +0100
From: Jakob Lell <jakob@...oblell.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Multiple vulnerabilities in SMF forum software

Advisory location:
http://www.jakoblell.com/blog/2013/12/13/multiple-vulnerabilities-in-smf-forum-software/

I. Introduction

Simple Machines Forum (abbreviated as SMF) is a free Internet forum 
(BBS) software written in PHP.

II. Username faking via Unicode homoglyphs or duplicate spaces allows 
user impersonation

The forum registration process allows registering UTF-8 usernames. Since 
Unicode contains a lot of additional symbols, some of which look very 
similar (or even identical) to standard ASCII characters, this allows 
registering a user with a name that is visually indistinguishable from 
that of an existing forum user. As an example, someone may register a 
user named "admiո" with the "n" replaced by the Unicode letter U+0578 
(ARMENIAN SMALL LETTER VO), which, depending on the font, looks more or 
less exactly like the ASCII character "n". This may be used to 
impersonate users, e.g. in forum messages. In addition to choosing a 
name that looks more or less exactly like the victim's, an attacker can 
also copy the victim's avatar in order to further improve the 
illusion.

The following page simplifies finding matching homoglyph characters for 
a given string:

http://www.irongeek.com/homoglyph-attack-generator.php

If the original username contains a space, user impersonation is also 
possible by registering the same username with two or more consecutive 
spaces. These spaces are emitted unchanged into every HTML page that 
shows the username, and since web browsers collapse runs of consecutive 
whitespace when rendering HTML, there is no visible difference between 
the original and the faked username.
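As an added illustration of the checks a registration handler can run against the two impersonation tricks described above (this is not SMF's own code; it is written in Python rather than PHP, and the confusable table, the script heuristic and the sample usernames are constructed for the example, a much smaller stand-in for what ICU's confusable data and PHP's Spoofchecker provide):

```python
import re
import unicodedata

# Constructed, deliberately small confusable table mapping non-Latin letters
# that render like ASCII letters in common fonts to their ASCII look-alike.
# ICU's confusables.txt (used by PHP's Spoofchecker) is the real thing; this
# subset only covers the characters exercised below.
CONFUSABLES = {
    "\u0578": "n",  # ARMENIAN SMALL LETTER VO, the character from the advisory
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}


def skeleton(name):
    """Reduce a username to a key under which look-alike names collide.

    NFKC folds compatibility forms (full-width letters, ligatures), the
    whitespace collapse defeats the duplicate-space trick, the confusable
    map folds homoglyphs, and casefold() removes case differences.
    """
    name = unicodedata.normalize("NFKC", name)
    name = re.sub(r"\s+", " ", name).strip()
    name = "".join(CONFUSABLES.get(ch, ch) for ch in name)
    return name.casefold()


def scripts_used(name):
    """Return the set of scripts the letters of a name are drawn from.

    Heuristic: the first word of the Unicode character name (LATIN,
    CYRILLIC, ARMENIAN, ...) stands in for the Script property, which the
    standard library does not expose directly.
    """
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in name
        if unicodedata.category(ch).startswith("L")
    }


def registration_problems(candidate, existing_names):
    """List the reasons a registration should be refused or sent to review."""
    problems = []
    if candidate != candidate.strip() or re.search(r"\s{2,}", candidate):
        problems.append("leading/trailing or consecutive whitespace")
    scripts = scripts_used(candidate)
    if len(scripts) > 1:
        problems.append("mixed scripts: " + ", ".join(sorted(scripts)))
    key = skeleton(candidate)
    for other in existing_names:
        if skeleton(other) == key:
            problems.append("confusable with existing user %r" % other)
    return problems


if __name__ == "__main__":
    existing = ["admin", "John Doe"]  # constructed sample of registered users
    for attempt in ["admi\u0578", "John  Doe", "alice", "\u0430dmin"]:
        print(repr(attempt), registration_problems(attempt, existing) or "ok")
```

The skeleton comparison is what catches the advisory's "admiո" against "admin" even though the two strings are byte-for-byte different; the mixed-script check additionally flags the name on its own, before any existing user is consulted, which is the cheaper test to run first on a large forum.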


III. Clickjacking in SMF forum allows user-assisted remote arbitrary 
code execution

The forum software SMF contains no protection against clickjacking. This 
allows tricking a currently logged-in user into performing various 
unintended actions in the forum when the user visits a malicious 
website. I have a working POC exploit which requires no more than 2 
clicks at a predictable location to achieve full remote code execution 
when exploited against a forum administrator (although I will not 
disclose the exact attack vector in this public advisory). A cleverly 
designed attack site may trick the user into making these two clicks 
without much thinking. The first click can be achieved by displaying 
one of the annoying overlays which request the user to fill out a 
survey, like the site on Facebook, or to subscribe to a newsletter. Most 
users are conditioned to directly click on the small x on the top right 
of the overlay to close it. For the second click, the attack site may 
just not react to the first click, hoping that the victim tries again. 
Alternatively, the site could also pretend to be a video site waiting 
for the user to click on the play button.


IV. Affected versions

All three vulnerabilities are present in SMF1 up to version 1.1.18 and 
SMF2 up to version 2.0.5. The SMF team has released updates (version 
1.1.19 and 2.0.6) which fix the clickjacking problem (via an 
X-Frame-Options header) and the username faking possibility via multiple 
consecutive spaces. However, the Unicode homoglyph attack has not yet 
been fixed since it is not trivial to filter out all confusable 
characters while still allowing legitimate Unicode characters in 
usernames (especially if you can't use the Spoofchecker class because 
you have to support PHP versions below 5.4.0).
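An added example, not part of the advisory or of SMF, for checking whether a forum's responses actually carry the anti-framing protection the update introduces. It classifies X-Frame-Options and the CSP frame-ancestors directive with the precedence browsers apply, and runs over a set of constructed sample responses (the labels and headers below are made up for the example):

```python
def _parse_frame_ancestors(csp):
    """Return the source list of a frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frame_protection(headers):
    """Decide whether a response may be framed by an arbitrary third-party page.

    Returns (protected, reason). Browsers that support CSP Level 2 enforce
    frame-ancestors and ignore X-Frame-Options when both are present, so the
    CSP directive is evaluated first.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ancestors = _parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if any(t in ("*", "http:", "https:") for t in ancestors):
            return False, "frame-ancestors permits any origin: " + " ".join(ancestors)
        return True, "frame-ancestors " + " ".join(ancestors)
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options: " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is not honoured by all browsers"
    if xfo:
        return False, "unrecognised X-Frame-Options value: " + xfo
    return False, "no anti-framing header"


def audit(responses):
    """Return the labels of all responses in {label: headers} that can be framed."""
    return sorted(label for label, hdrs in responses.items()
                  if not frame_protection(hdrs)[0])


# Constructed sample responses: an admin page before and after the vendor
# update, and a page whose CSP silently undoes its X-Frame-Options header.
SAMPLE_RESPONSES = {
    "admin-before-update": {
        "Content-Type": "text/html; charset=UTF-8",
    },
    "admin-after-update": {
        "Content-Type": "text/html; charset=UTF-8",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "profile-with-both": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors *",
        "X-Frame-Options": "DENY",
    },
}


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, frame_protection(hdrs))
    print("framable:", audit(SAMPLE_RESPONSES))
```

The third sample is the case worth remembering when adding a Content-Security-Policy to a forum that already sends X-Frame-Options: a permissive frame-ancestors directive takes precedence in modern browsers, so the older header no longer protects those users.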

V. Credits

Jakob Lell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
