Message-ID: <001a01cfe726$26598c10$730ca430$@oststrom.com>
Date: Mon, 13 Oct 2014 22:42:02 +0200
From: "oststrom \(public\)" <pub@...strom.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API (post-auth)
 
CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API (post-auth)
==============================================================================
 
Overview
--------
 
    date    :  10/12/2014   
    cvss    :  7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) base
    cwe     :  89   
    
    vendor  : vBulletin Solutions
    product : vBulletin 4
    versions affected :  latest 4.x (to date); verified <= 4.2.2
            * vBulletin 4.2.2     (verified)  
            * vBulletin 4.2.1     (verified)  
            * vBulletin 4.2.0 PL2 (verified)  
                        
    exploitability :
            * remotely exploitable
            * requires authentication (apikey)
                
    patch availability (to date) :  None
                
Abstract
---------
    vBulletin 4 does not properly sanitize parameters to breadcrumbs_create,
    allowing an attacker to inject arbitrary SQL commands (SELECT).
    
    risk:  rather low, since the API key is required;
           CVE-2014-2023 can probably be used to obtain the API key
 
 
 
Details
--------
    
    vulnerable component: 
        ./includes/api/4/breadcrumbs_create.php
    vulnerable argument:
        conceptid
    
    which is sanitized as TYPE_STRING; string cleaning does not prevent SQL injection.
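    As an added illustration (not part of this advisory and not vBulletin's
    code), the Python script below shows why a string-type cleaner is the wrong
    control for an identifier that is interpolated into SQL. The
    clean_as_string function is a hypothetical stand-in for a TYPE_STRING-style
    cleaner (trim and tag-strip; the real vBulletin cleaner is not reproduced),
    the concept table and its rows are constructed sample data, and
    breadcrumbs_vulnerable / breadcrumbs_hardened are illustrative names. The
    hardened variant enforces an integer type and binds the value as a query
    parameter; flag_non_numeric is a simple log-side check for an API
    parameter that should only ever carry an integer.

```python
import re
import sqlite3

# Constructed sample rows standing in for a forum's "concept" table.
SAMPLE_CONCEPTS = [
    (1, "Forum Home"),
    (2, "Announcements"),
    (3, "Private Staff Area"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE concept (conceptid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO concept VALUES (?, ?)", SAMPLE_CONCEPTS)
    return conn


def clean_as_string(value):
    """Hypothetical stand-in for a TYPE_STRING-style cleaner (assumption, not
    vBulletin's implementation): trims whitespace and strips HTML tags, but
    leaves spaces, quotes and SQL keywords untouched."""
    return re.sub(r"<[^>]*>", "", str(value)).strip()


def breadcrumbs_vulnerable(conn, conceptid):
    """Vulnerable pattern: a string-cleaned value is interpolated into the
    query text, so anything that survives the cleaner becomes SQL syntax."""
    cid = clean_as_string(conceptid)
    return conn.execute(
        f"SELECT conceptid, title FROM concept WHERE conceptid = {cid}"
    ).fetchall()


def breadcrumbs_hardened(conn, conceptid):
    """Hardened pattern: enforce the integer type first (reject anything that
    is not a plain integer), then pass the value as a bound parameter so the
    database never sees it as query text."""
    try:
        cid = int(str(conceptid).strip())
    except ValueError:
        raise ValueError("conceptid must be an integer")
    return conn.execute(
        "SELECT conceptid, title FROM concept WHERE conceptid = ?", (cid,)
    ).fetchall()


# An integer-only API parameter should match this; anything else is anomalous.
NUMERIC = re.compile(r"^\s*\d+\s*$")


def flag_non_numeric(value):
    """Detection helper for API request logs: returns True when a parameter
    that must be a plain integer carries anything else, which is worth
    alerting on even before the query layer is fixed."""
    return not NUMERIC.match(str(value))


if __name__ == "__main__":
    db = make_db()
    # A well-formed request behaves identically in both variants.
    print(breadcrumbs_vulnerable(db, "2"))
    print(breadcrumbs_hardened(db, "2"))
    # A tautology in the string-cleaned value widens the WHERE clause to every
    # row in the vulnerable variant; the hardened variant rejects it outright.
    print(len(breadcrumbs_vulnerable(db, "2 OR 1=1")))
    try:
        breadcrumbs_hardened(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
    print(flag_non_numeric("2 OR 1=1"), flag_non_numeric("42"))
```

    The point of the comparison is that the cleaner is doing its job as a
    string cleaner; the defect is applying a string type to a value the query
    treats as a number. Typing the parameter as an unsigned integer, or
    binding it, closes the gap regardless of what the cleaner strips.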
 
 
Proof of Concept (PoC)
----------------------
 
    see https://github.com/tintinweb/pub/cve-2013-2022
    
    
    1) prerequisites
    1.1) enable API, generate API key
         log on to AdminCP
         go to "vBulletin API"->"API-Key", enable the API interface and
         generate a key
    2) run PoC
         edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
         provide WWW_DIR, which is the place to write the php_shell to
         (mysql must have write permissions for that folder)
         Note: meterpreter_bind_tcp is not provided
         run PoC, wait for the SUCCESS! message
         Note: PoC will trigger the meterpreter shell
          
    The meterpreter PoC scenario requires the mysql user to have write
    permissions, which may not be the case in some default installations.
    
    
Timeline
--------
 
    2014-01-14: initial vendor contact, no response
    2014-02-24: vendor contact, no response
    2014-10-13: public disclosure
    
Contact
--------
    tintinweb - https://github.com/tintinweb/pub/cve-2013-2022
    
    
(0x721427D8)
    
    
 
