Re: phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.

[Tatercrispies <tatercrispies () gmail com>]

This is a very interesting find. I suspect that there is an enormous amount
of software that is vulnerable to this aside from just message forums. I'm
talking webmail systems, photo album systems, CMS systems, or really any web
app that allows the user to upload an image of some type. The impact is
enormous.

Internet Explorer ignores the content type sent by the web server and
attempts to render whatever it feels like as HTML. The file extension does
not matter, I mean, if you're parsing the data out through a .php or .asp
page, it just flat out ignores the image/jpeg or image/gif header and does
whatever it feels like.

Sure it doesn't execute automatically embedded in an <img> tag, but I can
see plenty of opportunity to get someone to click on your link to open the
file directly. Even using some obfuscation on the URL. "Hey check out these
great pics!" that sends them to an offiste link that just redirects back to
the hosted bomb.

The only true solution seems like it must come from Redmond. And fast.

Yeah and thanks for reporting this on a Saturday.

Nice.


On 10/22/05, K-Gen Gen <alphakgen () gmail com> wrote:
> phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.
>
> I sent the report to phpBB and they said that a patch will be available
> withing a few days and It will be integrated into 2.0.18 .
>
> Note: This works like XSS, and requires the victim to use IE (Affects all
> versions of IE).
>
> Special Credits to: Sven Vetsch (the original finder of "The gif bug").
> The original gif-bug article : http://www.securiteam.com/windowsntfocus/6F00B00EBY.html
>
> Also thanks to the experts at securiteam.com <http://securiteam.com> for
> clarifying some issues.
>
> Since what is described in the original article doesn't work, I have
> written this step-by-step
> article explaining how to replicate this bug successfuly.
>
> Affected: All phpBB systems allowing "Upload Avatar from URL" and most
> likely all other systems
> with such a feature (Other bulletin boards - but I didn't check).
>
> Well, the base for the problem lies within IE.. The core element of my
> Proof of Concept is the
> lately found Gif-bug in IE (Originally found by Sven Vetsch).
>
> For some reason IE renders malformed embedded content files (like
> gif,jpg,wav,and so on..)
> as HTML when they are accessed directly e.g. http://attacker.com/xss.gif(Not through the <img>
> tag).
>
> If we create an HTML file and rename its extention to .GIF (or other
> embedded content file
> extention), and upload it to an HTTP server (it dosn't work locally for
> some reason), when we
> will navigate to http://myserver.com/xss.gif the HTML code will be
> executed instead of showing
> that the image is invalid.
>
> So, if we could upload such a file to a server that allows image upload we
> could actually upload
> HTML code instead (Inside the image file). If the victim will be lured to
> navigate to this
> specially crafted image in IE, arbitary HTML code could be executed in the
> servers security zone,
> e.g. we could steall the users cookie, for example.
>
> However it is not that simple with systems (like phpBB) that verify the
> image file before it
> is uploaded to the server. If we try to upload our previosly made http://attacker.com/xss.gif
>
> gif file the system will complain about incorrect image size - that's
> because our image is invalid.
> The verification system chechs the files header. In a valid 1x1 gif file
> the header should be
> (in hex) : 47 49 46 38 39 61 01 00 01 00 . After the header we will insert
> the next HTML code:
> <HTML><HEAD><SCRIPT>alert(document.cookie);</SCRIPT></HEAD></HTML>
> So the file will look like this (in hex):
> 47 49 46 38 39 61 01 00 01 00 3C 48 54 4D 4C 3E 3C 48 45 41 44 3E 3C 53 43
> 52 49 50 54 3E 61 6C 65 72 74 28 64 6F 63 75 6D 65 6E 74 2E 63 6F 6F 6B 69
> 65 29 3B 3C 2F 53 43 52 49 50 54 3E 3C 2F 48 45 41 44 3E 3C 2F 48 54 4D 4C
> 3E
>
> If we upload this file instead the old one to :
> http://myserver.com/xss.gif we will be able to
> upload it as a phpBB avatar. However when we access the file directly (as
> before) no HTML code
> is going to be executed. That is because IE sees the valid header and
> tries to draw the image
> instead of rendering the HTML (and fails anyway ...).
>
> However if we change the file extention from .GIF to .JPG the GIF header
> in the beginning will
> become meaningless to IE and the HTML code will be executed. So if we
> rename our image from
> xss.gif to xss.jpg when we will navigate to http://myserver.com/xss.jpg we
> will see an alert
> box (that should show the cookie on its current server).
>
> The phpBB avatar upload system verifies the files header - and our header
> is pretty much valid -
> for a GIF file, but not JPG. If we try to upload the file http://myserver.com/xss.jpg
> as our avatar
> it will be successfuly uploaded. Hence any one who will navigate (in IE)
> directly to our avatar in its new address on the phpBB forum server (the URL
> should look like
> http://phpbbforum.com/phpbb/images/avatars/2131121a2121f.jpg) will be able
> to see his cookie information in an alert window.
> Instead an image something like GIF89a_--. will apear, but it can be
> easily obfuscated with a simple
> JavaScript.
>
> As a Proof of Concept here is a ready made JPG file: (Save target as)
> http://planet.nana.co.il/mycoolpictures123/fake/lt2.jpg . Upload this
> (from its current location, or your HTTP server) as
> an avatar to phpBB (or as I believe - any Bulletin Board system). In your
> avatar an invalid image
> (red X) will appear, but when you navigate to it's current location (e.g.
> http://phpbbforum.com/phpbb/images/avatars/2131121a2121f.jpg) you will see
> an alert with your cookie.
>
> Using the basic idea of my PoC, the code can be manipulated to send a
> users cookie information to
> a CGI sniffer on a remote server. All that should be done is sending a
> message saying "Check out
> this image" and specifying the avatars URL.
>
> This is a major problem since 90% of the internet users use IE and lots of
> dynamic sites (like
> bulletin boards) allow image upload to the server.
>
> The solution could come in many ways. The best solution for the user is to
> use another browser
> (like FireFox) untill a vendor patch from Micrsoft is available. For
> bulletin board administrators
> it is highly advised to turn off the "Upload avatar from URL" option
> untill a patch from the vendor
> (phpBB, vBulletin, IPB, and so on...) arrives.
>
> Have a good day.
> K-Gen
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/