Re: [Full-disclosure] phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.

From: Tatercrispies (tatercrispies_at_gmail.com)
Date: 10/25/05

  • Next message: Martin Schulze: "[Full-disclosure] [SECURITY] [DSA 871-2] New libgda2 packages fix arbitrary code execution"
    Date: Tue, 25 Oct 2005 13:18:43 -0500
    To: K-Gen Gen <alphakgen@gmail.com>
    
    
    

    I can confirm that this vulnerability in IE can be used in the following
    applications:

    . Invision Gallery
    . Vbulletin
    . Hotmail.com
    . Most "photo gallery" scripts

    Then I gave up looking.

    Surprised this doesn't have more coverage.

    On 10/23/05, Tatercrispies <tatercrispies@gmail.com> wrote:
    >
    > This is a very interesting find. I suspect that there is an enormous
    > amount of software that is vulnerable to this aside from just message
    > forums. I'm talking webmail systems, photo album systems, CMS systems, or
    > really any web app that allows the user to upload an image of some type. The
    > impact is enormous.
    >
    > Internet Explorer ignores the content type sent by the web server and
    > attempts to render whatever it feels like as HTML. The file extension does
    > not matter, I mean, if you're parsing the data out through a .php or .asp
    > page, it just flat out ignores the image/jpeg or image/gif header and does
    > whatever it feels like.
    >
    > Sure it doesn't execute automatically when embedded in an <img> tag, but I can
    > see plenty of opportunity to get someone to click on your link to open the
    > file directly. Even using some obfuscation on the URL. "Hey check out these
    > great pics!" that sends them to an offsite link that just redirects back to
    > the hosted bomb.
    >
    > The only true solution seems like it must come from Redmond. And fast.
    >
    > Yeah and thanks for reporting this on a Saturday.
    >
    > Nice.
    >
    >
    > On 10/22/05, K-Gen Gen <alphakgen@gmail.com> wrote:
    >
    > > phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.
    > >
    > > I sent the report to phpBB and they said that a patch will be available
    > > within a few days and it will be integrated into 2.0.18.
    > >
    > > Note: This works like XSS, and requires the victim to use IE (Affects
    > > all versions of IE).
    > >
    > > Special Credits to: Sven Vetsch (the original finder of "The gif bug").
    > > The original gif-bug article : http://www.securiteam.com/windowsntfocus/6F00B00EBY.html
    > >
    > > Also thanks to the experts at securiteam.com for
    > > clarifying some issues.
    > >
    > > Since what is described in the original article doesn't work, I have
    > > written this step-by-step
    > > article explaining how to replicate this bug successfully.
    > >
    > > Affected: All phpBB systems allowing "Upload Avatar from URL" and most
    > > likely all other systems
    > > with such a feature (Other bulletin boards - but I didn't check).
    > >
    > > Well, the base for the problem lies within IE. The core element of my
    > > Proof of Concept is the
    > > lately found Gif-bug in IE (Originally found by Sven Vetsch).
    > >
    > > For some reason IE renders malformed embedded content files (like
    > > gif, jpg, wav, and so on)
    > > as HTML when they are accessed directly e.g. http://attacker.com/xss.gif (Not through the <img>
    > > tag).
    > >
    > > If we create an HTML file and rename its extension to .GIF (or other
    > > embedded content file
    > > extension), and upload it to an HTTP server (it doesn't work locally for
    > > some reason), when we
    > > will navigate to http://myserver.com/xss.gif the HTML code will be
    > > executed instead of showing
    > > that the image is invalid.
    > >
    > > So, if we could upload such a file to a server that allows image upload
    > > we could actually upload
    > > HTML code instead (Inside the image file). If the victim will be lured
    > > to navigate to this
    > > specially crafted image in IE, arbitrary HTML code could be executed in
    > > the server's security zone,
    > > e.g. we could steal the user's cookie, for example.
    > >
    > > However it is not that simple with systems (like phpBB) that verify the
    > > image file before it
    > > is uploaded to the server. If we try to upload our previously made http://attacker.com/xss.gif
    > >
    > > gif file the system will complain about incorrect image size - that's
    > > because our image is invalid.
    > > The verification system checks the file's header. In a valid 1x1 gif file
    > > the header should be
    > > (in hex) : 47 49 46 38 39 61 01 00 01 00 . After the header we will
    > > insert the next HTML code:
    > > <HTML><HEAD><SCRIPT>alert(document.cookie);</SCRIPT></HEAD></HTML>
    > > So the file will look like this (in hex):
    > > 47 49 46 38 39 61 01 00 01 00 3C 48 54 4D 4C 3E 3C 48 45 41 44 3E 3C 53
    > > 43 52 49 50 54 3E 61 6C 65 72 74 28 64 6F 63 75 6D 65 6E 74 2E 63 6F 6F 6B
    > > 69 65 29 3B 3C 2F 53 43 52 49 50 54 3E 3C 2F 48 45 41 44 3E 3C 2F 48 54 4D
    > > 4C 3E
    > >
    > > If we upload this file instead of the old one to :
    > > http://myserver.com/xss.gif we will be able to
    > > upload it as a phpBB avatar. However when we access the file directly
    > > (as before) no HTML code
    > > is going to be executed. That is because IE sees the valid header and
    > > tries to draw the image
    > > instead of rendering the HTML (and fails anyway ...).
    > >
    > > However if we change the file extension from .GIF to .JPG the GIF header
    > > in the beginning will
    > > become meaningless to IE and the HTML code will be executed. So if we
    > > rename our image from
    > > xss.gif to xss.jpg when we will navigate to http://myserver.com/xss.jpg we will see an alert
    > > box (that should show the cookie on its current server).
    > >
    > > The phpBB avatar upload system verifies the file's header - and our
    > > header is pretty much valid -
    > > for a GIF file, but not JPG. If we try to upload the file http://myserver.com/xss.jpg
    > > as our avatar
    > > it will be successfully uploaded. Hence anyone who will navigate (in IE)
    > > directly to our avatar in its new address on the phpBB forum server (the URL
    > > should look like
    > > http://phpbbforum.com/phpbb/images/avatars/2131121a2121f.jpg) will be
    > > able to see his cookie information in an alert window.
    > > Instead an image something like GIF89a_--. will appear, but it can be
    > > easily obfuscated with a simple
    > > JavaScript.
    > >
    > > As a Proof of Concept here is a ready made JPG file: (Save target as) http://planet.nana.co.il/mycoolpictures123/fake/lt2.jpg
    > > . Upload this (from its current location, or your HTTP server) as
    > > an avatar to phpBB (or as I believe - any Bulletin Board system). In
    > > your avatar an invalid image
    > > (red X) will appear, but when you navigate to its current location (e.g.
    > > http://phpbbforum.com/phpbb/images/avatars/2131121a2121f.jpg) you will
    > > see an alert with your cookie.
    > >
    > > Using the basic idea of my PoC, the code can be manipulated to send a
    > > user's cookie information to
    > > a CGI sniffer on a remote server. All that should be done is sending a
    > > message saying "Check out
    > > this image" and specifying the avatar's URL.
    > >
    > > This is a major problem since 90% of the internet users use IE and lots
    > > of dynamic sites (like
    > > bulletin boards) allow image upload to the server.
    > >
    > > The solution could come in many ways. The best solution for the user is
    > > to use another browser
    > > (like Firefox) until a vendor patch from Microsoft is available. For
    > > bulletin board administrators
    > > it is highly advised to turn off the "Upload avatar from URL" option
    > > until a patch from the vendor
    > > (phpBB, vBulletin, IPB, and so on...) arrives.
    > >
    > > Have a good day.
    > > K-Gen
    > >
    > >
    > > _______________________________________________
    > > Full-Disclosure - We believe in it.
    > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > > Hosted and sponsored by Secunia - http://secunia.com/
    > >
    > >
    >

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
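The file K-Gen describes is a GIF logical-screen header followed directly by HTML, and the whole attack turns on the upload validator looking only at the magic bytes and size fields. The following is an added example (not code from the post, and not phpBB's own avatar code): it rebuilds the polyglot from the hex listing above, then runs it through a header-only validator modelled on what the post says phpBB did, and through a stricter validator that walks the GIF structure and refuses anything a sniffing browser could read as markup. The 1x1 control image, the tag list and the 256-byte window are constructed for this example; the 256-byte figure is the sniffing window Microsoft documented for IE's MIME type detection.

```python
"""
Added example, not from the post or from phpBB: build the GIF/HTML
polyglot, then compare a weak header-only upload check with a check
that parses the GIF structure and scans for HTML. Standard library only.
"""
import struct

# 47 49 46 38 39 61 01 00 01 00: "GIF89a" plus a 1x1 logical screen size.
GIF_HEADER = b"GIF89a" + struct.pack("<HH", 1, 1)
HTML_PAYLOAD = b"<HTML><HEAD><SCRIPT>alert(document.cookie);</SCRIPT></HEAD></HTML>"

# Constructed 1x1 GIF with a 2-colour global colour table; the "real image"
# control case for the strict validator. Not taken from the post.
VALID_GIF = (
    GIF_HEADER
    + b"\x80\x00\x00"                      # packed: GCT present, 2 entries; bg; aspect
    + b"\x00\x00\x00\xff\xff\xff"          # global colour table
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"  # image descriptor
    + b"\x02\x02\x44\x01\x00"              # LZW min code size + one data sub-block
    + b"\x3b"                              # trailer
)

# Assumed marker list: tag names a sniffing browser treats as evidence of
# HTML. IE's documented sniffing looked at the first 256 bytes of a response.
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<iframe",
                b"<img", b"<a ", b"<table", b"<title", b"<!doctype", b"<pre")


def build_polyglot(html=HTML_PAYLOAD):
    """GIF header followed immediately by HTML, exactly as the post lays it out."""
    return GIF_HEADER + html


def to_hex(data):
    return " ".join(f"{b:02X}" for b in data)


def header_only_check(data):
    """Weak validator modelled on the post: any recognised image magic with a
    non-zero size passes, and the extension the file is stored under is never
    cross-checked against the bytes."""
    if data.startswith(b"GIF8") and len(data) >= 10:
        w, h = struct.unpack("<HH", data[6:10])
        return w > 0 and h > 0
    return data.startswith(b"\xff\xd8\xff") or data.startswith(b"\x89PNG")


def gif_structure_ok(data):
    """Walk header, logical screen descriptor and global colour table, then
    require a real block introducer (image 0x2C, extension 0x21, trailer 0x3B).
    In the polyglot the byte that should be the packed field is '<' (0x3C)."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    w, h, packed = struct.unpack("<HHB", data[6:11])
    if w == 0 or h == 0:
        return False
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    return pos < len(data) and data[pos] in (0x2C, 0x21, 0x3B)


def looks_like_html(data):
    head = data[:256].lower()
    return any(marker in head for marker in HTML_MARKERS)


def strict_check(data, ext):
    """Hardened validator: the bytes must have the structure of the format the
    file will be served as, and must not carry markup a browser could sniff."""
    ext = ext.lower()
    if ext == "gif":
        ok = gif_structure_ok(data)
    elif ext in ("jpg", "jpeg"):
        ok = data.startswith(b"\xff\xd8\xff")
    else:
        ok = False
    return ok and not looks_like_html(data)


def run_demo():
    poly = build_polyglot()
    return {
        "hex": to_hex(poly),
        "weak_accepts_polyglot": header_only_check(poly),
        "weak_accepts_bare_html": header_only_check(HTML_PAYLOAD),
        "strict_accepts_polyglot_as_jpg": strict_check(poly, "jpg"),
        "strict_accepts_polyglot_as_gif": strict_check(poly, "gif"),
        "strict_accepts_real_gif": strict_check(VALID_GIF, "gif"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The weak check reproduces both observations in the post: bare HTML is rejected (no image magic, so "incorrect image size"), while the GIF-prefixed file passes even when stored as .jpg. The strict check rejects the polyglot under either extension, because the byte after the 1x1 size is not a valid packed field and the first 256 bytes contain `<html`. Server-side checks of this kind only reduce the surface; the browser-side behaviour the post complains about is the root cause, and the later defence for it is to serve user uploads from a separate origin with `Content-Disposition: attachment` and, from IE8 onward, `X-Content-Type-Options: nosniff`, neither of which existed for IE in 2005.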


