CVE-2014-2022 - vBulletin 4.x - SQLi in breadcrumbs via xmlrpc API (post-auth)
================================================================================
Overview
--------
date : 10/12/2014
cvss : 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) base
cwe : 89
vendor : vBulletin Solutions
product : vBulletin 4
versions affected : latest 4.x (to date); verified <= 4.2.2
* vBulletin 4.2.2 (verified)
* vBulletin 4.2.1 (verified)
* vBulletin 4.2.0 PL2 (verified)
exploitability :
* remotely exploitable
* requires authentication (apikey)
patch availability (to date) : None
Abstract
--------
vBulletin 4 does not properly sanitize parameters to breadcrumbs_create,
allowing an attacker to inject arbitrary SQL commands (SELECT).
risk: rather low - due to the fact that the API key is required;
you can probably use CVE-2014-2023 to obtain the API key
Details
-------
vulnerable component:
./includes/api/4/breadcrumbs_create.php
vulnerable argument:
conceptid
which is sanitized as TYPE_STRING, which does not prevent SQL injection.
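The point of the Details section, as an added example (not vBulletin's code and not the advisory's PoC): a simplified model of string-typed cleaning beside unsigned-integer cleaning with a bound parameter, run against a constructed SQLite table. The `concept` table, its columns, the sample rows and the two cleaner functions are assumptions made for the demonstration, not vBulletin's actual input cleaner.

```python
import sqlite3

# Assumption: simplified model of a string-typed versus unsigned-int-typed
# input cleaner. TYPE_STRING-style cleaning keeps the text as-is, so SQL
# metacharacters survive; TYPE_UINT-style cleaning coerces to a non-negative int.
def clean_string(value) -> str:
    return str(value)

def clean_uint(value) -> int:
    try:
        n = int(str(value).strip())
    except ValueError:
        return 0          # anything that is not a plain integer collapses to 0
    return max(n, 0)

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a hypothetical breadcrumb concept table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE concept (conceptid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO concept VALUES (?, ?)",
                   [(1, "Forum Home"), (2, "Private Subforum"), (3, "Staff Only")])
    return db

def lookup_vulnerable(db: sqlite3.Connection, conceptid) -> list:
    """Pattern the advisory describes: the id is cleaned only as a string and
    then interpolated into the SQL text, so a crafted value changes the query."""
    value = clean_string(conceptid)
    sql = f"SELECT title FROM concept WHERE conceptid = {value}"
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db: sqlite3.Connection, conceptid) -> list:
    """Hardened form: coerce to an unsigned integer and bind it as a parameter,
    so the value can never be interpreted as SQL."""
    value = clean_uint(conceptid)
    sql = "SELECT title FROM concept WHERE conceptid = ?"
    return [row[0] for row in db.execute(sql, (value,))]
```

With a plain numeric id both lookups return the same single row; with a value that carries SQL syntax the string-cleaned query returns every row while the hardened query returns nothing.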
Proof of Concept (PoC)
----------------------
see https://github.com/tintinweb/pub/cve-2013-2022
1) prerequisites
1.1) enable API, generate API key
     log on to AdminCP
     go to "vBulletin API" -> "API-Key", enable the API interface and
     generate a key
2) run PoC
     edit the PoC to match your TARGET and APIKEY (and optionally DEBUGLEVEL)
     provide WWW_DIR, the directory the php_shell is written to (the mysql
     user must have write permissions for that folder)
     Note: meterpreter_bind_tcp is not provided
     run the PoC and wait for the SUCCESS! message
     Note: the PoC will trigger a meterpreter shell
     The meterpreter PoC scenario requires the mysql user to have write
     permissions, which may not be the case in some default installations.
Timeline
--------
2014-01-14: initial vendor contact, no response
2014-02-24: vendor contact, no response
2014-10-13: public disclosure
Contact
-------
tintinweb - https://github.com/tintinweb/pub/cve-2013-2022
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information