Re: DCForum Password File Manipukation Vulnerability (qDefense Advisory Number QDAV-5-2000-2)

[David Choi <dcscripts () yahoo com>]

The vendor DCScripts.com has already issued a patch
for this vulnerability.  Please see

http://www.dcscripts.com/dcforum/dcfNews/167.html

David S. Choi
DCScripts

> DCForum Password File Manipulation Vulnerability 
> qDefense Advisory Number QDAV-5-2000-2
>
> Product: DCForum
>
> Vendor: D.C. Script
>
> Version Tested: DCForum 2000 1.0 (Version 6.0 is
> believed to be vulnerable as well)
>
> Severity: Remote; Any attacker may gain DCForum
> admin privileges, which result in read/write/execute
> privileges
>
> Cause: Failure to validate input 
>
>
> The current version of this document is available at
> http://qDefense.com/Advisories/QDAV-5-2000-2.html.
>
> DCForum is a popular CGI to create message boards on
> web sites.
>
> It is vulnerable to an attack which will grant a
> remote attacker the status of DCForum administrator,
> which can then be used to execute arbitrary commands
> on the server.
>
> The DCForum password file (normally the file
> auth_user_file.txt, located in the
> /cgi-bin/dcforum/User_info directory), stores the
> user info in a text file database, using the pipe
> symbol ( | ) as a delimiter by default. Here is a
> sample file: 
1ejq5eWn718pA|bill|admin|William|Smith|webmaster () letstalksports com|on
>
mgHX9HISAezfQ|joe|normal|Joe|Smith|joe () mailboxesrus com|on
>
67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|js124 () abracadabra com|on
>
79NAtkW0UxFWE|hank|normal|Harold|Jenkins|hjenkins () aricdorsresearch org|on
> By registering with a last name containing
> url-encoded newlines and pipes, an attacker can
> imbed a second line into his last name, which will
> be recorded as an entirely new line in the password
> file, containing whatever information the attacker
> wants. For instance, an attacker may register as
> follows:
>
>
> Username = dummyuser
> Password = *****
> Password again = *****
> Firstname = John
> Lastname =
> Doe\nzzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker
> Email = evil () hackerstogo com
> When url encoded and submitted properly, this will
> add two lines to the auth_user_file.txt. The example
> auth_user_file.txt will now look like this:
1ejq5eWn718pA|bill|admin|William|Smith|webmaster () letstalksports com|on
>
mgHX9HISAezfQ|joe|normal|Joe|Smith|joe () mailboxesrus com|on
>
67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|js124 () abracadabra com|on
>
79NAtkW0UxFWE|hank|normal|Harold|Jenkins|hjenkins () aricdorsresearch org|on
> fgRldEzNsQL1p|dummyuser|normal|John|Doe
zzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker|evil () hackerstogo com|on
> As you can see, an entry, evilhacker, has been added
> with full admin status. This account can be used
> provided that the password hash given,
> zzw1I3xWVi.zE, was constructed from a known password
> (in this case it was "gotya"). This technique will
> work even if DCForum is set to e-mail passwords,
> and, with a minor modification, will work even if
> accounts are not enabled automatically. Once admin
> status has been acquired, an attacker can execute
> arbitrary commands. The easiest way for an attacker
> to do this is to set the sendmail program to the
> command the attacker wants to execute, set DCForum
> to e-mail the admin upon new registration, and then
> to register a new user.
>
> Proof of concept:
>
> A fully working proof-of-concept script,
> dcgetadmin.pl, is available at the qDefense web site
> ( http://qDefense.com/downloads/dcgetadmin_pl.txt).
>
>
> Franklin DeMatto
> franklin () qDefense com
> qDefense - DEFENDING THE ELECTRONIC FRONTIER


__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/