Full Disclosure mailing list archives
CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API (post-auth)
From: "oststrom \(public\)" <pub () oststrom com>
Date: Mon, 13 Oct 2014 22:42:02 +0200
CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API (post-auth)
==============================================================================

Overview
--------
date                         : 10/12/2014
cvss                         : 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) base
cwe                          : 89
vendor                       : vBulletin Solutions
product                      : vBulletin 4
versions affected            : latest 4.x (to date); verified <= 4.2.2
                               * vBulletin 4.2.2 (verified)
                               * vBulletin 4.2.1 (verified)
                               * vBulletin 4.2.0 PL2 (verified)
exploitability               : * remotely exploitable
                               * requires authentication (apikey)
patch availability (to date) : None

Abstract
--------
vBulletin 4 does not properly sanitize parameters to breadcrumbs_create,
allowing an attacker to inject arbitrary SQL commands (SELECT).

risk: rather low, because the API key is required; the key can probably
be obtained via CVE-2014-2023.

Details
-------
vulnerable component : ./includes/api/4/breadcrumbs_create.php
vulnerable argument  : conceptid, which is sanitized as TYPE_STRING; this
                       does not prevent SQL injection.

Proof of Concept (PoC)
----------------------
see https://github.com/tintinweb/pub/cve-2013-2022

1) prerequisites
1.1) enable API, generate API-key
     log on to AdminCP, go to "vBulletin API" -> "API-Key", enable the API
     interface and generate a key

2) run PoC
   edit the PoC to match your TARGET and APIKEY (and optionally DEBUGLEVEL)
   provide WWW_DIR, which is the place to write the php_shell to (mysql
   must have write permissions for that folder)
   Note: meterpreter_bind_tcp is not provided
   run the PoC and wait for the SUCCESS! message
   Note: the PoC will trigger a meterpreter shell

The meterpreter PoC scenario requires the mysql user to have write
permissions, which may not be the case in some default installations.
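As an added illustration of why a TYPE_STRING-style cleaning step does not stop SQL injection (hypothetical Python over an in-memory SQLite table, not vBulletin's code or schema): the "sanitized" conceptid is still spliced into the query text, whereas a bound parameter keeps it as data.

```python
import sqlite3

# Constructed in-memory table standing in for a forum's concept lookup.
# Hypothetical illustration only; table, column names and data are invented.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE concept (conceptid TEXT, title TEXT)")
_db.executemany("INSERT INTO concept VALUES (?, ?)",
                [("forum", "Forum Home"), ("members", "Member List")])
_db.commit()


def type_string(value):
    """A TYPE_STRING-style cleaner: coerce to str and trim whitespace.
    It never touches quotes or keywords, so it is not an SQL sanitizer."""
    return str(value).strip()


def lookup_unsafe(conceptid):
    """Query built by interpolation after 'sanitizing' the value as a string."""
    sql = "SELECT title FROM concept WHERE conceptid = '%s'" % type_string(conceptid)
    return [row[0] for row in _db.execute(sql)]


def lookup_safe(conceptid):
    """Same lookup with a bound parameter; the value never becomes SQL text."""
    sql = "SELECT title FROM concept WHERE conceptid = ?"
    return [row[0] for row in _db.execute(sql, (type_string(conceptid),))]


def demo():
    # Constructed input: a perfectly valid string that nevertheless changes
    # the query's meaning once interpolated into the SQL text.
    crafted = "x' OR 'a'='a"
    return {
        "benign_unsafe": lookup_unsafe("forum"),     # one row
        "crafted_unsafe": lookup_unsafe(crafted),    # every row leaks
        "crafted_safe": lookup_safe(crafted),        # no row: treated as data
    }


if __name__ == "__main__":
    print(demo())
```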
Timeline
--------
2014-01-14: initial vendor contact, no response
2014-02-24: vendor contact, no response
2014-10-13: public disclosure

Contact
-------
tintinweb - https://github.com/tintinweb/pub/cve-2013-2022 (0x721427D8)