weak activationid and password generator

[chinchilla2k]

Hi, I was originally going to get an admin account on this site using this method but tbh I've already donated hours trying to find the best way to pull it off. I wanna get working on something else now.

When you use the "forgot password" dealie it emails you a link that will reset the password to something "randomly" generated. The link is something like

http://antionline.com/login.php?a=pw...431&i=73954595

The 'i' at the end is a validation ID used as a security measure to prevent users from resetting other user's passwords. However the way they generate it is gay.

line 183 in login.php

PHP Code:

$user['activationid'] = build_user_activation_id($user['userid'], 2, 1); 


line 580 in functions_user.php (within the function build_user_activation_id)

PHP Code:

$activateid = vbrand(0,100000000); 


and finally lines 318-332 in functions.php

PHP Code:

function vbrand($min, $max, $seed = -1)
{
    if (!defined('RAND_SEEDED'))
    {
        if ($seed == -1)
        {
            $seed = (double) microtime() * 1000000;
        }
        mt_srand($seed);
        define('RAND_SEEDED', true);
    }
    return mt_rand($min, $max);
} 


All you really have to know is that random number generators aren't random at all, that's why they're called pseudo random number generators. Given the same seed a prng will generate the same "random" numbers. In vbrand() we see that if the prng isn't seeded it will seed it with

PHP Code:

(double) microtime() * 1000000; 


For which there are only 1 million possibilties of. Another point to mention is that a single seed from 0-1mil will also have a duplicate. So really there are only 500k possibilties for the validation ID (if the seed is even, then seed + 1 will generate the same random numbers).

The randomly generated password is created using the same method, so the same principles apply.

My main problem was that vBulletin only allows 5 bad logins every 15 minutes from a single IP. This is a problem because I would have to try to login with all 500k possible passes. I was planning to defeat this by either abusing tor or hunting for thousands of proxies, both which would've taken up alot of time. (and wouldn'tve been reliable)

I had also considered taking advantage of using a login cookie, bbpassword value in the cookie was generated using

PHP Code:

md5(md5(md5($password) . $vbulletin->userinfo['salt']), '') . COOKIE_SALT) 


I could've predicted cookie_salt but the user salt, despite being only 3 symbols long, makes it impractical to use.

So at the moment the most I'd be able to easily do is just reset people's passes, which sucks.

PS
when you receive a lost password request is processed the IP of the user who requested the password change isn't stored anywhere, so had I managed to reset a user's password, all they would be able to do is speculate from server logs who reset it.

PPS
I wouldn't have to try to login with all 500k possible passes if I could coordinate it so that the server processes my request at a certain microtime. I could've potentially eliminated it down to 50k possible passes.. maybe even less.

PPPS
This applies to the latest vBulletin board. I managed to predict the passwords + validation ids on other major vBulletin boards too. so yea..


The following code generates all possible validation ids and passwords generated by vBulletin.

PHP Code:

<?php
for($i = 0; $i < 1000000; $i+=2) {
    mt_srand($i);
    print mt_rand(0, 100000000) . "\r\n";
}
?>

or if you want a hardcopy
http://www.freewebtown.com/cyberhacker665/output.txt


a t t r i t i o n . o r g > AO (I read about this site from them, lol, shame on you JP for shutting down packetstorm )

I can be reached at irc.iris-network.net #80h

[JPnyc]

And how do you get around not having the user's email?

[chinchilla2k]

That is usually almost never a problem. I assumed the email you used was jp@antionline.com

If it is publicly available anywhere online it can be found easily. People can also guess, if they have a unique name, just get a list of popular email providers and see if any of them return a postive response when you send a lost password request.

[JPnyc]

No, the email must be precise or the function isn't called. In fact on 2 of our forums it's even case sensitive.

[chinchilla2k]

Not on this forum, tried requesting for ChinCHIlla@gmail.com and it went through just fine.

Also, what amazes me is that you focus on not giving email out as a measure of security. That would mean that every admin, moderator, and person you trust would have a private email only used for this website.

Also, which function are you referring to? o.O

[JPnyc]

Yes, it's not case sensitive here. We wouldn't give emails out even if it had nothing to do with security, it's a privacy issue as well. What I'm asking is this, even if you have the user's email, and can change their pw, you would have to attempt to log in using every possible randomly generated pw, since you wouldn't receive the email with the newly generated pw.

[chinchilla2k]

Had you read my post I discussed that.

"
My main problem was that vBulletin only allows 5 bad logins every 15 minutes from a single IP. This is a problem because I would have to try to login with all 500k possible passes. I was planning to defeat this by either abusing tor or hunting for thousands of proxies, both which would've taken up alot of time. (and wouldn'tve been reliable)
"

and

"
PPS
I wouldn't have to try to login with all 500k possible passes if I could coordinate it so that the server processes my request at a certain microtime. I could've potentially eliminated it down to 50k possible passes.. maybe even less.
"

[JPnyc]

Yes, I did read it, and I'm agreeing with what you said, it's not really practical, but just the same, I will look into it as proof of concept.