Bugtraq mailing list archives

Vulnerability in PaintBBS v1.2


From: John Bissell <sbccmonk () hotmail com>
Date: 23 Jan 2002 04:45:01 -0000



  PaintBBS Server v1.2 Advisory

  Author: John Bissell A.K.A. HighT1mes
  Vulnerable: PaintBBS Server Ver.1.2 Build 010514
  Impact: PaintBBS Server 0wn3d
  Release Date: January 22, 2002
  Contact:  blumorpho () cox net
  Vendor Homepage: http://www.ax.sakura.ne.jp/~aotama/

 ----------------------------------------------------------------------------------------

 Introduction:

        PaintBBS Server v.1.2 is a cool WWW app that allows people to draw
 pictures as well as leave messages like a normal BBS. A few days ago I
 learned about this app and decided to test some of its security for fun.
 Since the documentation is in Japanese it took a little time to figure out
 what files did what. The main file to be aware of is oekakibbs.conf. Anyone
 can read this file by default, and it contains the encrypted password to the
 PaintBBS Server. The other problem is that the permissions of the /oekaki/
 folder are 777, allowing all hell to break loose by anyone. So if I don't
 know what the .conf file is named I can go to that folder from a web browser
 and see.

        I haven't tested any other version of this software yet. PaintBBS
 Server is actually up to v2.40. So if anyone wants to continue the
 investigation have fun! :p
 
 Problem Description:

        This is one of those default configuration problems. A malicious
 person can read the oekaki config file from the web, find the encrypted
 password, then crack it, giving them admin access to the server.

        As an example, if I wanted to remotely take over
 http://www.victim.com/oekaki/oekaki.cgi I would first go to the config file,
 located in the /oekaki/ dir by default, at
 http://www.victim.com/oekaki/oekakibbs.conf. If that didn't work then I
 could point my web browser at the /oekaki/ folder, see what the .conf files
 are named, and access them. Once I could view the config file I would see
 something like this...

 password=m8kl78sKTixvs
 ...
 etc

        Now that I have the encrypted password I would take a standard DES
 password cracking program (I prefer John the Ripper), since PaintBBS uses the
 crypt() function, and get the goods. If you use John the Ripper, put the
 encrypted password into a Unix-type /etc/passwd.txt file format and run John.

        Now that I have the cracked password I would go over to one of the
 following admin URLs to have some fun..

        http://www.victim.com/oekaki/oekaki.cgi?mode=administration
        http://www.victim.com/oekaki/oekaki.cgi?mode=deleteUserCommentView

 Solution:

        To solve this security problem, first change the /oekaki/ folder from
 777 to something more secure like 333 using the chmod command. Next you will
 want to rename the oekakibbs.conf file so no one can get easy access to that
 file. If you have the right web server you should also change the
 permissions of the file so not everyone can read it. Have a good day!
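 The following is an added example, not part of the original advisory or the PaintBBS project, showing how an administrator could audit an installation for the two defaults this post describes (a world-writable /oekaki/ directory and a world-readable .conf holding the crypt() hash) and tighten them with chmod; the install path is assumed to be passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the advisory or the PaintBBS project: audit an
# install directory for the two defaults described above (world-writable
# directory, world-readable .conf holding the crypt() hash) and tighten them.
# The install path is an assumed placeholder passed as $1.

# Print the 10-character mode string of a path, e.g. "drwxrwxrwx".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Return 0 if the directory is not world-writable and no *.conf in it is
# world-readable; otherwise print each finding and return 1.
check_oekaki_perms() {
  dir=$1; rc=0
  case "$(mode_of "$dir")" in
    ????????w?) echo "FINDING: $dir is world-writable"; rc=1 ;;
  esac
  for f in "$dir"/*.conf; do
    [ -e "$f" ] || continue
    case "$(mode_of "$f")" in
      ???????r??) echo "FINDING: $f is world-readable"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Drop 'other' write on the directory and all group/other access on each
# .conf file, so only the owner (the web server account) can read the hash.
harden_oekaki() {
  dir=$1
  chmod o-w "$dir"
  for f in "$dir"/*.conf; do
    [ -e "$f" ] || continue
    chmod go-rwx "$f"
  done
}

# Usage: sh audit_oekaki.sh /path/to/oekaki [--fix]
if [ $# -gt 0 ]; then
  if ! check_oekaki_perms "$1" && [ "${2:-}" = "--fix" ]; then
    harden_oekaki "$1" && echo "hardened $1, re-checking" && check_oekaki_perms "$1"
  fi
fi
```

Renaming the .conf file, as the solution above suggests, still leaves it readable if directory listing is on; the permission checks here catch that case regardless of the file name.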

 ----------------------------------------------------------------------------------------

 Thank you to Chris_Judah and Hiroshi :)
