January 30th, 2007, 03:34 PM
#1
Junior Member
weak activationid and password generator
Hi, I was originally going to get an admin account on this site using this method but tbh I've already donated hours trying to find the best way to pull it off. I wanna get working on something else now.
When you use the "forgot password" dealie it emails you a link that will reset the password to something "randomly" generated. The link is something like
http://antionline.com/login.php?a=pw...431&i=73954595
The 'i' at the end is a validation ID used as a security measure to prevent users from resetting other users' passwords. However, the way they generate it is gay.
line 183 in login.php
PHP Code:
$user['activationid'] = build_user_activation_id($user['userid'], 2, 1);
line 580 in functions_user.php (within the function build_user_activation_id)
PHP Code:
$activateid = vbrand(0,100000000);
and finally lines 318-332 in functions.php
PHP Code:
function vbrand($min, $max, $seed = -1)
{
    if (!defined('RAND_SEEDED'))
    {
        if ($seed == -1)
        {
            $seed = (double) microtime() * 1000000;
        }
        mt_srand($seed);
        define('RAND_SEEDED', true);
    }
    return mt_rand($min, $max);
}
All you really have to know is that random number generators aren't random at all; that's why they're called pseudo random number generators. Given the same seed a PRNG will generate the same "random" numbers. In vbrand() we see that if the PRNG isn't seeded it will seed it with
PHP Code:
(double) microtime() * 1000000;
For which there are only 1 million possibilities. Another point to mention is that a single seed from 0-1mil will also have a duplicate. So really there are only 500k possibilities for the validation ID (if the seed is even, then seed + 1 will generate the same random numbers).
The randomly generated password is created using the same method, so the same principles apply.
My main problem was that vBulletin only allows 5 bad logins every 15 minutes from a single IP. This is a problem because I would have to try to login with all 500k possible passes. I was planning to defeat this by either abusing tor or hunting for thousands of proxies, both of which would've taken up a lot of time (and wouldn't've been reliable).
I had also considered taking advantage of using a login cookie, bbpassword value in the cookie was generated using
PHP Code:
md5(md5(md5($password) . $vbulletin->userinfo['salt']) . COOKIE_SALT)
I could've predicted cookie_salt but the user salt, despite being only 3 symbols long, makes it impractical to use.
So at the moment the most I'd be able to easily do is just reset people's passes, which sucks.
PS
When a lost password request is processed the IP of the user who requested the password change isn't stored anywhere, so had I managed to reset a user's password, all they would be able to do is speculate from server logs who reset it.
PPS
I wouldn't have to try to login with all 500k possible passes if I could coordinate it so that the server processes my request at a certain microtime. I could've potentially eliminated it down to 50k possible passes.. maybe even less.
PPPS
This applies to the latest vBulletin board. I managed to predict the passwords + validation ids on other major vBulletin boards too. so yea..
The following code generates all possible validation ids and passwords generated by vBulletin.
PHP Code:
<?php
for ($i = 0; $i < 1000000; $i += 2) {
    mt_srand($i);
    print mt_rand(0, 100000000) . "\r\n";
}
?>
or if you want a hardcopy
http://www.freewebtown.com/cyberhacker665/output.txt
a t t r i t i o n . o r g > AO (I read about this site from them, lol, shame on you JP for shutting down packetstorm )
I can be reached at irc.iris-network.net #80h
Last edited by chinchilla2k; January 30th, 2007 at 10:55 PM.
Reason: typos
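As an added illustration (not vBulletin's code and not part of the original post), the following puts the microtime-seeded generator described above next to a replacement that reads the token from the operating system's CSPRNG, and includes a small audit that counts how many distinct tokens the weak path can ever emit. Function names are hypothetical; it assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example, not vBulletin's code. The weak path mirrors vbrand(): the seed
// is the microsecond fraction of the clock, so at most 1,000,000 seeds exist no
// matter how wide the range passed to mt_rand() is.
function weak_activation_id(): int
{
    $seed = (int) ((double) microtime() * 1000000); // 0 .. 999999
    mt_srand($seed);
    return mt_rand(0, 100000000);
}

// Hardened path: draw the token straight from the CSPRNG. There is no seed to
// guess and the token carries 128 bits of entropy, far beyond any login limit.
function strong_activation_id(): string
{
    return bin2hex(random_bytes(16));
}

// Compare a submitted token with the stored one without leaking timing.
function activation_id_matches(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// Audit helper: walk the seed space and count distinct outputs. The result is
// bounded by the number of seeds, not by mt_rand()'s nominal range, and shows
// whether the even/odd seed collision noted in the post holds on this PHP build.
function weak_token_space(int $seedValues = 100000): int
{
    $seen = [];
    for ($s = 0; $s < $seedValues; $s++) {
        mt_srand($s);
        $seen[mt_rand(0, 100000000)] = true;
    }
    return count($seen);
}

printf("distinct weak tokens from 100000 seeds: %d\n", weak_token_space());
printf("weak token:   %d\n", weak_activation_id());
printf("strong token: %s\n", strong_activation_id());
```

weak_token_space() defaults to the first 100,000 seeds to keep the run short; pass 1000000 to cover the full microsecond space. The point of the contrast is that the hardened generator's strength does not depend on keeping the server's clock secret or on the login rate limit holding.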
-
January 30th, 2007, 04:23 PM
#2
And how do you get around not having the user's email?
-
January 30th, 2007, 04:49 PM
#3
Junior Member
That is usually almost never a problem. I assumed the email you used was jp@antionline.com
If it is publicly available anywhere online it can be found easily. People can also guess, if they have a unique name, just get a list of popular email providers and see if any of them return a positive response when you send a lost password request.
-
January 30th, 2007, 04:51 PM
#4
No, the email must be precise or the function isn't called. In fact on 2 of our forums it's even case sensitive.
-
January 30th, 2007, 04:57 PM
#5
Junior Member
Not on this forum, tried requesting for ChinCHIlla@gmail.com and it went through just fine.
Also, what amazes me is that you focus on not giving email out as a measure of security. That would mean that every admin, moderator, and person you trust would have a private email only used for this website.
Also, which function are you referring to? o.O
-
January 30th, 2007, 05:05 PM
#6
Yes, it's not case sensitive here. We wouldn't give emails out even if it had nothing to do with security, it's a privacy issue as well. What I'm asking is this, even if you have the user's email, and can change their pw, you would have to attempt to log in using every possible randomly generated pw, since you wouldn't receive the email with the newly generated pw.
-
January 30th, 2007, 05:08 PM
#7
Junior Member
Had you read my post I discussed that.
"
My main problem was that vBulletin only allows 5 bad logins every 15 minutes from a single IP. This is a problem because I would have to try to login with all 500k possible passes. I was planning to defeat this by either abusing tor or hunting for thousands of proxies, both of which would've taken up a lot of time (and wouldn't've been reliable).
"
and
"
PPS
I wouldn't have to try to login with all 500k possible passes if I could coordinate it so that the server processes my request at a certain microtime. I could've potentially eliminated it down to 50k possible passes.. maybe even less.
"
Last edited by chinchilla2k; January 30th, 2007 at 08:51 PM.
Reason: more typos
-
January 30th, 2007, 05:13 PM
#8
Yes, I did read it, and I'm agreeing with what you said, it's not really practical, but just the same, I will look into it as proof of concept.