*Preliminary VulnNote*
CVE-2014-2023 - Tapatalk for vBulletin 4.x - multiple blind SQL injection (pre-auth)
======================================
Overview
--------
date : 10/12/2014
cvss : 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) base
cwe : 89
vendor : Tapatalk Inc
product : Tapatalk for vBulletin 4.x
versions affected: latest (to date)
  * 5.2.1 (verified)
  * 4.9.0 (verified)
exploitability :
* remotely exploitable
* NO authentication required
* NO user interaction required
* NO special configuration required (default settings)
Abstract
---------
Tapatalk for vBulletin 4.x does not properly sanitize some xmlrpc calls
allowing unauthenticated users to inject arbitrary SQL commands.
risk: high
!! Note !! - this is a preliminary VulnNote. The full PoC / description
will be made available within the next 7 days (see contact) to allow Mobiquo
to fix this.
googledork: see PoC code
Details
--------
vulnerable component:
* stripped // see full VulnNote - (contact)
The xmlrpc request is decoded and the decoded, attacker-provided values are
used directly in an SQL query, without escaping or parameter binding.
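The bug class described above, as an added illustration that is not the advisory's PoC and not Tapatalk's code: a constructed XML-RPC call is decoded and its string parameter is looked up in an in-memory SQLite table, once by string concatenation (the vulnerable pattern) and once with a bound parameter (the fix). The method name, parameter layout and table are hypothetical.

```python
import sqlite3
import xmlrpc.client

# Constructed sample request. Method and parameter names are made up for the
# example; they are not Tapatalk's real xmlrpc interface.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>get_user</methodName>
<params><param><value><string>alice' OR '1'='1</string></value></param></params>
</methodCall>"""


def build_request(username):
    """Encode a well-formed call for the hypothetical get_user method."""
    return xmlrpc.client.dumps((username,), methodname="get_user")


def make_db():
    """In-memory stand-in for a forum user table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, apikey TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("alice", "key-a"), ("bob", "key-b")])
    return conn


def decode_params(xml_body):
    """Decode the XML-RPC body the way a server does before using the values."""
    params, method = xmlrpc.client.loads(xml_body)
    return method, params


def lookup_vulnerable(conn, username):
    """Decoded value concatenated into SQL: the pattern the advisory describes."""
    sql = "SELECT username, apikey FROM user WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, username):
    """Same query with a bound parameter: the value can never alter the query."""
    sql = "SELECT username, apikey FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def handle(xml_body, fixed=True):
    """Dispatch a decoded request to the vulnerable or the fixed lookup."""
    _method, params = decode_params(xml_body)
    lookup = lookup_fixed if fixed else lookup_vulnerable
    return lookup(make_db(), params[0])


if __name__ == "__main__":
    print("vulnerable:", handle(SAMPLE_REQUEST, fixed=False))  # both rows leak
    print("fixed:     ", handle(SAMPLE_REQUEST, fixed=True))   # no such user
```

The concatenated query returns every row for the quoted input, while the parameterized query treats it as a literal username and returns nothing; the same fixed path still resolves a legitimate name.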
Proof of Concept (PoC)
----------------------
see https://github.com/tintinweb/
1) prerequisites
vBulletin 4.x with Tapatalk for vBulletin 4.x installed
2) run PoC
edit PoC to match your TARGET (optionally set DEBUG=True)
(optionally) edit your query to extract specific database values
Note: PoC will try to detect tapatalk on that host
run PoC
by default extracts
* mysql root hash (in case the vBulletin db user has permissions to do so)
* vbulletin db record fields (apikey) - perfectly chains with CVE-2014-2023
only limited by the vBulletin db_user access permissions
Timeline
--------
2014-01-14: initial vendor contact, no response
2014-02-24: vendor contact, no response
2014-10-13: public disclosure
Contact
--------
tintinweb - https://github.com/tintinweb/
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.