Discuz X3.3 patch security analysis - vulnerability warning - the black bar safety net

ID MYHACK58:62201788806
Type myhack58
Reporter Anonymous
Modified 2017-08-23T00:00:00


On August 1, 2017, Discuz officially released its latest version, X3.4, which fixes multiple security issues. 360CERT and 360 0KEE Team followed up on the event.

0x01 Vulnerability overview

By comparing Discuz_X3.3_SC_UTF8 with Discuz_X3.4_SC_UTF8, 360CERT and 360 0KEE Team found that the X3.3_SC_UTF8 version contains a number of vulnerabilities. This report covers two of them:

1. Weak authkey generation algorithm: when the software is first installed, the system automatically generates an authkey, writes it to the global configuration file and the database, and then deletes the install file. The authkey is used for encrypting ordinary users' cookies and for other cryptographic operations, but because the generation algorithm is too simple, it can be brute-forced locally from publicly available information.

2. Arbitrary code execution in the admin backend: when an administrator modifies the database connection password in the backend, the input is not checked, which leads to arbitrary code execution.

0x02 Impact of the vulnerabilities

1. Impact

Discuz is basically Cookie-based rather than Session-based, so once the authkey is obtained the Cookie encryption is defeated: the auth field of the Cookie can be decrypted to obtain the user's password. Other system logic also makes extensive use of the authkey and the authcode algorithm, so the vulnerability can lead to a range of security issues: forging ulastactivity controls how long a session lasts; the hash parameter of the mailbox check can be cracked, allowing registration with any mailbox, and so on. In addition, once an administrator account is obtained, the backend arbitrary code execution vulnerability can be used to get a shell through the backend and then control the server. After assessment and confirmation by 360CERT and 360 0KEE Team, the vulnerability risk level is rated high and the affected range is wide.

2. Affected versions

By code analysis, the following versions are determined to be affected: Discuz_X3.3_SC_GBK, Discuz_X3.3_SC_UTF8, Discuz_X3.3_TC_BIG5, Discuz_X3.3_TC_UTF8, Discuz_X3.2_SC_GBK, Discuz_X3.2_SC_UTF8, Discuz_X3.2_TC_BIG5, Discuz_X3.2_TC_UTF8, Discuz_X2.5_SC_GBK, Discuz_X2.5_SC_UTF8, Discuz_X2.5_TC_BIG5, Discuz_X2.5_TC_UTF8

3. Fixed versions

Discuz_X3.4_SC_GBK, Discuz_X3.4_SC_UTF8, Discuz_X3.4_TC_BIG5, Discuz_X3.4_TC_UTF8

0x03 Vulnerability details

1. Weak authkey generation algorithm

File: Discuz_X3.3_SC_UTF8\upload\install\index.php

The authkey is generated as follows:

$authkey = substr(md5($_SERVER['SERVER_ADDR'].$_SERVER['HTTP_USER_AGENT'].$dbhost.$dbuser.$dbpw.$dbname.$username.$password.$pconnect.substr($timestamp, 0, 6)), 8, 6).random(10);

As can be seen, the authkey consists of two parts: 6 characters taken from an MD5 hash, followed by 10 characters generated by the random function.

The random function: since its character set is fixed and contains no repeated characters, each character of the generated string corresponds to exactly one position in the chars array, and the same seed is used for generation. The following code uses the same random function:

$config['cookie']['cookiepre'] = random(4).'';

The first four characters of the cookie prefix are known and are produced by the same random function, so the idea is obvious: from the known 4 characters, work out the seed that random used, and then obtain the last 10 characters of the authkey. What remains is to obtain the first 6 characters. Given the generation algorithm, a brute-force approach is chosen; because the number of candidates is large, it must be brute-forced locally, which requires a known result of an encryption with the authkey. Many places that call the authcode function could serve for verification; here the id and sign parameters of the retrieve-password link are used. sign is generated as follows:

function dsign($str, $length = 16) {
    return substr(md5($str.getglobal('config/security/authkey')), 0, ($length ? max(8, $length) : 16));
}

The process of brute-forcing the authkey:

1. Brute-force the random number seed from the cookie prefix, using the php_mt_seed tool.
2. Use the seed to generate random(10), giving all possible authkey suffixes.
3. Send a retrieve-password email to your own account and take the retrieve-password link from it.
4. Using the generated suffixes, brute-force the first 6 characters over the range 0x000000-0xffffff, concatenating with the retrieve-password url and computing the sign as an MD5.
5. Compare the computed sign with the sign in the retrieve-password link; when they are equal, stop: this is the current authkey.

2. Arbitrary code execution in the admin backend

Comparing X3.4 with X3.3 reveals a vulnerability in: upload\source\admincp\admincp_setting.php
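As an added example (not code from this advisory or from Discuz), the following Python models the two primitives described above, the 16-character install-time authkey layout and the truncated-MD5 dsign, beside a hardened replacement: a CSPRNG-generated key and an HMAC-based sign verified in constant time. The alphabet assumed for the random() suffix and the sample key are constructed assumptions, not values from the advisory.

```python
import hashlib
import hmac
import re
import secrets

# Assumed alphabet of the install-time random() suffix (the advisory only
# states that the set is fixed and has no repeated characters).
RANDOM_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# Constructed sample key in the weak 6-hex + 10-alphabet layout; not a real key.
SAMPLE_WEAK_AUTHKEY = "3f9a1cQwErTyUiOp"

# Install-style layout: 6 hex chars cut from md5, then 10 chars from the alphabet.
WEAK_LAYOUT = re.compile(r"^[0-9a-f]{6}[%s]{10}$" % re.escape(RANDOM_ALPHABET))


def looks_like_install_authkey(authkey: str) -> bool:
    """Audit check: does a config authkey still have the install-time layout?"""
    return WEAK_LAYOUT.match(authkey) is not None


def weak_search_space(seed_recovered: bool) -> int:
    """Candidates a local brute force must try under the advisory's model:
    2^24 for the 6-hex prefix; if the mt_rand seed has not been recovered
    from the 4-char cookie prefix, the 10-char suffix multiplies that by
    len(alphabet)^10."""
    space = 2 ** 24
    return space if seed_recovered else space * len(RANDOM_ALPHABET) ** 10


def dsign_weak(s: str, authkey: str, length: int = 16) -> str:
    """Model of the page's dsign(): truncated md5($str . $authkey)."""
    digest = hashlib.md5((s + authkey).encode()).hexdigest()
    return digest[: (max(8, length) if length else 16)]


def generate_authkey(nbytes: int = 32) -> str:
    """Hardened generation: 256 bits from the OS CSPRNG, no install-time inputs."""
    return secrets.token_hex(nbytes)


def dsign_hardened(s: str, authkey: str) -> str:
    """Keyed MAC instead of a truncated hash of str||key; full-length tag."""
    return hmac.new(authkey.encode(), s.encode(), hashlib.sha256).hexdigest()


def verify_sign(s: str, authkey: str, tag: str) -> bool:
    """Constant-time comparison so the check itself is not a timing oracle."""
    return hmac.compare_digest(dsign_hardened(s, authkey), tag)
```

Running looks_like_install_authkey over the authkey in config_global.php is a quick way to tell whether a deployment is still using a key of the install-time shape.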

Around line 2535, when the UCenter password is updated in the backend, the input password is not checked and is written directly to the configuration file; as a result the preceding single quote can be closed, achieving getshell. Only a connection test is done here: if the connection succeeds, the configuration file is written.
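As an added example (not the project's code), here is a Python model of the config write the advisory describes: the pre-fix path interpolates the password straight into a PHP single-quoted literal, while the hardened path escapes it as a proper literal and checks the emitted line before it is saved. The template line and variable name are assumptions, not the actual contents of admincp_setting.php.

```python
import re

# Assumed shape of the line written to the config file (not the real file).
TEMPLATE = "$_config['ucenter']['dbpw'] = '{}';\n"


def write_dbpw_vulnerable(password: str) -> str:
    """Models the pre-fix behaviour: the value passes only a connection test
    and is interpolated unescaped, so a quote in it ends the literal early."""
    return TEMPLATE.format(password)


def php_single_quote(value: str) -> str:
    """Emit a PHP single-quoted literal: in that context only backslash and
    single quote are special, and both must be escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def write_dbpw_hardened(password: str) -> str:
    return "$_config['ucenter']['dbpw'] = " + php_single_quote(password) + ";\n"


# Exactly one assignment of exactly one single-quoted literal, nothing else.
LITERAL_LINE = re.compile(r"^\$_config\['ucenter'\]\['dbpw'\] = '((?:[^'\\]|\\.)*)';\n$")


def is_single_literal(line: str) -> bool:
    """Sanity check to run before saving: reject any line that is not a
    lone string assignment, regardless of whether the DB connection worked."""
    return LITERAL_LINE.match(line) is not None
```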

0x04 Vulnerability verification

1. Weak authkey generation algorithm

Log in as an ordinary user:

Obtain the first 4 characters of the cookie prefix: uie7
