[Full-disclosure] phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.

From: K-Gen Gen (alphakgen_at_gmail.com)
Date: 10/22/05

  • Next message: Billy Rios: "RE: [Full-disclosure] New (19.10.05) MS-IE Url Spoofing bug (by K-Gen)." 
    Date: Sat, 22 Oct 2005 07:42:48 -0700
To: full-disclosure@lists.grok.org.uk

    phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.

    I sent the report to phpBB and they said that a patch will be available
    withing a few days and It will be integrated into 2.0.18 .

    Note: This works like XSS, and requires the victim to use IE (Affects all
    versions of IE).

    Special Credits to: Sven Vetsch (the original finder of "The gif bug").
    The original gif-bug article :
    http://www.securiteam.com/windowsntfocus/6F00B00EBY.html
    Also thanks to the experts at securiteam.com <http://securiteam.com> for
    clarifying some issues.

    Since what is described in the original article doesn't work, I have written
    this step-by-step
    article explaining how to replicate this bug successfuly.

    Affected: All phpBB systems allowing "Upload Avatar from URL" and most
    likely all other systems
    with such a feature (Other bulletin boards - but I didn't check).

    Well, the base for the problem lies within IE.. The core element of my Proof
    of Concept is the
    lately found Gif-bug in IE (Originally found by Sven Vetsch).

    For some reason IE renders malformed embedded content files (like
    gif,jpg,wav,and so on..)
    as HTML when they are accessed directly e.g.
    http://attacker.com/xss.gif(Not through the <img>
    tag).

    If we create an HTML file and rename its extention to .GIF (or other
    embedded content file
    extention), and upload it to an HTTP server (it dosn't work locally for some
    reason), when we
    will navigate to http://myserver.com/xss.gif the HTML code will be executed
    instead of showing
    that the image is invalid.

    So, if we could upload such a file to a server that allows image upload we
    could actually upload
    HTML code instead (Inside the image file). If the victim will be lured to
    navigate to this
    specially crafted image in IE, arbitary HTML code could be executed in the
    servers security zone,
    e.g. we could steall the users cookie, for example.

    However it is not that simple with systems (like phpBB) that verify the
    image file before it
    is uploaded to the server. If we try to upload our previosly made
    http://attacker.com/xss.gif
    gif file the system will complain about incorrect image size - that's
    because our image is invalid.
    The verification system chechs the files header. In a valid 1x1 gif file the
    header should be
    (in hex) : 47 49 46 38 39 61 01 00 01 00 . After the header we will insert
    the next HTML code:
    <HTML><HEAD><SCRIPT>alert(document.cookie);</SCRIPT></HEAD></HTML>
    So the file will look like this (in hex):
    47 49 46 38 39 61 01 00 01 00 3C 48 54 4D 4C 3E 3C 48 45 41 44 3E 3C 53 43
    52 49 50 54 3E 61 6C 65 72 74 28 64 6F 63 75 6D 65 6E 74 2E 63 6F 6F 6B 69
    65 29 3B 3C 2F 53 43 52 49 50 54 3E 3C 2F 48 45 41 44 3E 3C 2F 48 54 4D 4C
    3E

    If we upload this file instead the old one to :
    http://myserver.com/xss.gifwe will be able to
    upload it as a phpBB avatar. However when we access the file directly (as
    before) no HTML code
    is going to be executed. That is because IE sees the valid header and tries
    to draw the image
    instead of rendering the HTML (and fails anyway ...).

    However if we change the file extention from .GIF to .JPG the GIF header in
    the beginning will
    become meaningless to IE and the HTML code will be executed. So if we rename
    our image from
    xss.gif to xss.jpg when we will navigate to http://myserver.com/xss.jpg we
    will see an alert
    box (that should show the cookie on its current server).

    The phpBB avatar upload system verifies the files header - and our header is
    pretty much valid -
    for a GIF file, but not JPG. If we try to upload the file
    http://myserver.com/xss.jpg as our avatar
    it will be successfuly uploaded. Hence any one who will navigate (in IE)
    directly to our avatar in its new address on the phpBB forum server (the URL
    should look like
    http://phpbbforum.com/phpbb/images/avatars/2131121a2121f.jpg) will be able
    to see his cookie information in an alert window.
    Instead an image something like GIF89a_--. will apear, but it can be easily
    obfuscated with a simple
    JavaScript.

    As a Proof of Concept here is a ready made JPG file: (Save target as)
    http://planet.nana.co.il/mycoolpictures123/fake/lt2.jpg . Upload this (from
    its current location, or your HTTP server) as
    an avatar to phpBB (or as I believe - any Bulletin Board system). In your
    avatar an invalid image
    (red X) will appear, but when you navigate to it's current location (e.g.
    http://phpbbforum.com/phpbb/images/avatars/2131121a2121f.jpg) you will see
    an alert with your cookie.

    Using the basic idea of my PoC, the code can be manipulated to send a users
    cookie information to
    a CGI sniffer on a remote server. All that should be done is sending a
    message saying "Check out
    this image" and specifying the avatars URL.

    This is a major problem since 90% of the internet users use IE and lots of
    dynamic sites (like
    bulletin boards) allow image upload to the server.

    The solution could come in many ways. The best solution for the user is to
    use another browser
    (like FireFox) untill a vendor patch from Micrsoft is available. For
    bulletin board administrators
    it is highly advised to turn off the "Upload avatar from URL" option untill
    a patch from the vendor
    (phpBB, vBulletin, IPB, and so on...) arrives.

    Have a good day.
    K-Gen

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: Billy Rios: "RE: [Full-disclosure] New (19.10.05) MS-IE Url Spoofing bug (by K-Gen)."

    Relevant Pages

    • phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.
      ... phpBB 2.0.17 Cookie disclosure exploit. ... I sent the report to phpBB and they said that a patch will be available withing a few days and It will be integrated into 2.0.18. ... All phpBB systems allowing "Upload Avatar from URL" and most likely all other systems ...
      (Bugtraq)
    • setcookie() Expiration
      ... I am having problems setting a cookie to expire in the future rather ... than at end of session on a particular server. ... I can upload the code ... to another server and the cookie expiration is correct. ...
      (comp.lang.php)
    • Fwd: [Full-disclosure] RE: eRoom Multiple Security Issues
      ... The .lnk file can be anything and IS only executed once the user ... i.e, I'm a vendor with access to the site, I upload my ... the eRoom plugin will silently download and run the file without popping up any ... The cookie code can be used for any cookie stealing yes, ...
      (Full-Disclosure)
    • RE: [PHP] phpbb / sessionid nightmare
      ... In the directory structure, I have gone from ... phpbb / sessionid nightmare ... Users are able to browse around phpbb and a sudo phpbb program called ... Check the parameters for the cookie. ...
      (php.general)
    • Re: ANN: Pocoo (bulletin board software) 0.1 beta released
      ... written in Python, adhering to the WSGI ... I've never understood why the phpBB, ... which would let you couple multiple boxes together with ordinary LAN ... had the clever idea of using an NNTP back end, using a news server (or ...
      (comp.lang.python)