VBULLETIN 5.2.0/5.2.1/5.2.2 MEDIA UPLOAD SSRF PRIVILEGE ESCALATION

2016-08-09T00:00:00
ID SSV:92266
Type seebug
Reporter Root
Modified 2016-08-09T00:00:00

Description

Author: c1tas, p0wd3r (Knownsec 404 Security Lab)

CVE: CVE-2016-6483

I. Vulnerability overview

vBulletin accepts a user-supplied url parameter and does not block redirects (jumps) when fetching it, which leads to SSRF.

vBulletin needs this function to fetch external resources, but the restrictions on the fetch are not strict enough, so a redirect can be used to get around them.

Affected versions:

vBulletin <= 5.2.2

vBulletin <= 4.2.3

vBulletin <= 3.8.9

II. Vulnerability reproduction

Vulnerability analysis

1. Vulnerability flow

2. Analysis process

  1. Look for the SSRF trigger point
  2. In PHP, outbound requests are generally initiated by these modules and functions:
    • cURL
    • file_get_contents()
    • fopen()
    • fsockopen()

It was verified that the cURL module is used, through vBulletin's own wrapper class.

(1) Tracking the cURL class

Based on the search results above, we locate:

/upload/core/vb/vurl/curl.php

After reading the source code, we find that the lowest layer of this wrapper is implemented in the cURL class.

Having found the lowest-level class, we continue to look for where it is called.

So we look at the core code of the vB_vURL class.

Continue tracking where vB_vURL is instantiated:

  • core/includes/class_apiclient.php - class vB_APIClient - public function __construct
  • core/includes/class_humanverify_recaptcha.php - class vB_HumanVerify_Recaptcha - function verify_token
  • core/includes/class_sitemap.php - class vB_SiteMapRunner - public function ping_search_engines
  • core/includes/class_upload.php - abstract class vB_Upload_Abstract - function accept_upload, function fetch_remote_filesize
  • core/includes/functions_file.php - function fetch_body_request
  • core/includes/paymentapi/class_google.php - class vB_PaidSubscriptionMethod_google - public function verify_payment
  • core/vb/akismet.php - class vB_Akismet - protected function _submit
  • core/vb/api/content/link.php - class vB_Api_Content_Link - public function parsePage
  • core/vb/api/profile.php - class vB_Api_Profile - public function uploadUrl
  • core/vb/library/content/attach.php - class vB_Library_Content_Attach - public function uploadUrl
  • core/vb/library/content/video.php - class vB_Library_Content_Video - public function getVideoFromUrl
  • core/vb/stopforumspam.php - class vB_StopForumSpam - protected function _submit

The vB_vURL class is instantiated in each of the classes and functions above.

(2) How to trigger

From the available information:

    • Conditions required to trigger the SSRF with a single hop (no redirect):
    • The protocol must be http/https
    • Local addresses are prohibited
    • Only ports 80/443 are allowed
    • Clearly, with a single hop, it is basically impossible to do anything threatening
    • So we have to work from the second hop, i.e. the redirect
    • This requires VURL_FOLLOWLOCATION to be true
    • Intersecting this condition with the list above of classes and functions that instantiate vB_vURL, it is not hard to find that
    • the function parsePage() in core/vb/api/content/link.php is our breakthrough
(3) Controllable input points

We have found how to trigger the request; next we look for the input point.

Reading the source code found above:

upload/core/vb/api/content/link.php

  • Continue upstream to find the call point:
  • /upload/include/vb5/frontend/controller/link.php

  • A typical framework entry point

(4) Routing analysis

The URL that triggers it is: http://localhost/link/getlinkdata

3. Exploit

Demo:

```python
#!/usr/bin/env python
# coding: utf-8
import requests as req

u = 'vB_Server'                 # placeholder: base URL of the target vBulletin instance
redirect_server = 'Your_VPS:80' # placeholder: server under your control that answers with a redirect
vul_url = u + '/link/getlinkdata'
data = {'url': redirect_server}
req.post(vul_url, data=data)
```

4. Fix

  • Vendor: apply stricter restrictions on secondary redirects (jumps) in the vB_vURL_cURL class
  • Users: wait for the upgraded version, or patch the source code at the trigger point described above
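As an added defensive example (not code from this advisory or from vBulletin), the following Python contrasts the pattern described in the trigger analysis above, checking the URL once and then following Location headers blindly, with the fix in principle: re-validating every redirect target against the same scheme, port and local-address rules. Host names, addresses and HTTP responses are constructed stand-ins so it runs offline.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
MAX_REDIRECTS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for DNS so the example runs offline; the host names are
# hypothetical and the public addresses are used purely as placeholders.
STUB_DNS = {"forum-host.example": "8.8.8.8", "attacker-vps.example": "9.9.9.9"}

def stub_resolver(host):
    return STUB_DNS.get(host, host)  # an IP literal passes through unchanged

def is_allowed_url(url, resolver=stub_resolver):
    """Single-hop rules from the advisory: http/https, port 80/443, no local address."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES or not p.hostname:
        return False
    if (p.port or (443 if p.scheme == "https" else 80)) not in ALLOWED_PORTS:
        return False
    try:
        addr = ipaddress.ip_address(resolver(p.hostname))
    except ValueError:  # unresolvable name, or not an IP literal
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def fetch(url, opener, check_every_hop):
    """check_every_hop=False is the vulnerable pattern (validate once, then follow
    Location blindly); True is the fix: re-run the checks on every redirect target."""
    for hop in range(MAX_REDIRECTS):
        if (hop == 0 or check_every_hop) and not is_allowed_url(url):
            raise ValueError("blocked: " + url)
        status, headers, body = opener(url)  # opener must not follow redirects itself
        if status not in REDIRECT_CODES or "location" not in headers:
            return url, body
        url = urljoin(url, headers["location"])
    raise ValueError("too many redirects")

# Constructed responses: the attacker-controlled host answers with a 302 to loopback.
FAKE_RESPONSES = {
    "http://attacker-vps.example/": (302, {"location": "http://127.0.0.1/admin"}, b""),
    "http://127.0.0.1/admin": (200, {}, b"internal-only content"),
}

def fake_opener(url):
    return FAKE_RESPONSES.get(url, (404, {}, b""))
```

With check_every_hop=False the fetch ends on the loopback resource; with True the second hop is rejected before any request is sent, which is the behaviour a fixed vB_vURL wrapper needs.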

III. References

  • <http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt>