Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: DCForum Password File Manipukation Vulnerability (qDefense Advisory Number QDAV-5-2000-2)
From: David Choi <dcscripts () yahoo com>
Date: Wed, 16 May 2001 08:44:40 -0700 (PDT)

The vendor DCScripts.com has already issued a patch
for this vulnerability.  Please see

http://www.dcscripts.com/dcforum/dcfNews/167.html

David S. Choi
DCScripts


DCForum Password File Manipulation Vulnerability 
qDefense Advisory Number QDAV-5-2000-2

Product: DCForum

Vendor: D.C. Script

Version Tested: DCForum 2000 1.0 (Version 6.0 is
believed to be vulnerable as well)

Severity: Remote; Any attacker may gain DCForum
admin privileges, which result in read/write/execute
privileges

Cause: Failure to validate input 


The current version of this document is available at
http://qDefense.com/Advisories/QDAV-5-2000-2.html.

DCForum is a popular CGI to create message boards on
web sites.

It is vulnerable to an attack which will grant a
remote attacker the status of DCForum administrator,
which can then be used to execute arbitrary commands
on the server.

The DCForum password file (normally the file
auth_user_file.txt, located in the
/cgi-bin/dcforum/User_info directory), stores the
user info in a text file database, using the pipe
symbol ( | ) as a delimiter by default. Here is a
sample file: 


1ejq5eWn718pA|bill|admin|William|Smith|webmaster () letstalksports com|on

mgHX9HISAezfQ|joe|normal|Joe|Smith|joe () mailboxesrus com|on

67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|js124 () abracadabra com|on

79NAtkW0UxFWE|hank|normal|Harold|Jenkins|hjenkins () aricdorsresearch org|on


By registering with a last name containing
url-encoded newlines and pipes, an attacker can
imbed a second line into his last name, which will
be recorded as an entirely new line in the password
file, containing whatever information the attacker
wants. For instance, an attacker may register as
follows:


Username = dummyuser
Password = *****
Password again = *****
Firstname = John
Lastname =
Doe\nzzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker
Email = evil () hackerstogo com
When url encoded and submitted properly, this will
add two lines to the auth_user_file.txt. The example
auth_user_file.txt will now look like this:



1ejq5eWn718pA|bill|admin|William|Smith|webmaster () letstalksports com|on

mgHX9HISAezfQ|joe|normal|Joe|Smith|joe () mailboxesrus com|on

67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|js124 () abracadabra com|on

79NAtkW0UxFWE|hank|normal|Harold|Jenkins|hjenkins () aricdorsresearch org|on
fgRldEzNsQL1p|dummyuser|normal|John|Doe

zzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker|evil () hackerstogo com|on

As you can see, an entry, evilhacker, has been added
with full admin status. This account can be used
provided that the password hash given,
zzw1I3xWVi.zE, was constructed from a known password
(in this case it was "gotya"). This technique will
work even if DCForum is set to e-mail passwords,
and, with a minor modification, will work even if
accounts are not enabled automatically. Once admin
status has been acquired, an attacker can execute
arbitrary commands. The easiest way for an attacker
to do this is to set the sendmail program to the
command the attacker wants to execute, set DCForum
to e-mail the admin upon new registration, and then
to register a new user.

Proof of concept:

A fully working proof-of-concept script,
dcgetadmin.pl, is available at the qDefense web site
( http://qDefense.com/downloads/dcgetadmin_pl.txt).


Franklin DeMatto
franklin () qDefense com
qDefense - DEFENDING THE ELECTRONIC FRONTIER



__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault