SecurityTracker.com
Category:   Application (Web Server/CGI)  >   DCForum
Vendors:   DCScripts
DCForum Web Messaging Board Software Lets Remote Users Gain DCForum Administrator Privileges and Execute Arbitrary Code on the Server
SecurityTracker Alert ID:  1001551
SecurityTracker URL:  http://securitytracker.com/id/1001551
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 15 2001
Impact:   Execution of arbitrary code via network, Modification of authentication information, Modification of user information
Exploit Included:  Yes  
Version(s): DCForum 2000 1.0 (Version 6.0 is believed to be vulnerable as well)
Description:   qDefense reported a vulnerability in DCScripts' DCForum web messaging software, warning that it allows remote users to gain DCForum administrator privileges and then to cause arbitrary code to be executed by the server.

The DCForum password file (normally auth_user_file.txt, located in the /cgi-bin/dcforum/User_info directory) reportedly stores user information as a text file database, using the pipe symbol "|" as a delimiter.

If a remote user registers with a last name that contains URL-encoded newlines and pipes, the remote user can insert a second line into the last name field, which will be recorded as an entirely new line in the password file, containing whatever information the remote user specifies.

This allows remote users to assign themselves full administrator status. Once administrator status has been acquired, a remote user can then execute arbitrary commands on the server.

Impact:   A remote user can gain DCForum administrator privileges and then can cause arbitrary code to be executed by the server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.dcscripts.com/dcforum.shtml
Cause:   Authentication error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Releases Fix) Re: DCForum Web Messaging Board Software Lets Remote Users Gain DCForum Administrator Privileges and Execute Arbitrary Code on the Server   (David Choi <dcscripts@yahoo.com>)
The vendor has released a fix.



 Source Message Contents

Date:  Tue, 15 May 2001 12:52:33 -0600
Subject:  DCForum Password File Manipulation Vulnerability (qDefense Advisory Number QDAV-5-2000-2)



DCForum Password File Manipulation Vulnerability 
qDefense Advisory Number QDAV-5-2000-2

Product: DCForum

Vendor: D.C. Script

Version Tested: DCForum 2000 1.0 (Version 6.0 is believed to be vulnerable as well)

Severity: Remote; Any attacker may gain DCForum admin privileges, which result in read/write/execute privileges

Cause: Failure to validate input 


The current version of this document is available at http://qDefense.com/Advisories/QDAV-5-2000-2.html.

DCForum is a popular CGI to create message boards on web sites.

It is vulnerable to an attack which will grant a remote attacker the status of DCForum administrator, which can then be used to execute arbitrary commands on the server.

The DCForum password file (normally the file auth_user_file.txt, located in the /cgi-bin/dcforum/User_info directory) stores the user info in a text file database, using the pipe symbol ( | ) as a delimiter by default. Here is a sample file:

1ejq5eWn718pA|bill|admin|William|Smith|webmaster@letstalksports.com|on
mgHX9HISAezfQ|joe|normal|Joe|Smith|joe@mailboxesrus.com|on
67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|js124@abracadabra.com|on
79NAtkW0UxFWE|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org|on


By registering with a last name containing URL-encoded newlines and pipes, an attacker can embed a second line into his last name, which will be recorded as an entirely new line in the password file, containing whatever information the attacker wants. For instance, an attacker may register as follows:


Username = dummyuser
Password = *****
Password again = *****
Firstname = John
Lastname = Doe\nzzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker
Email = evil@hackerstogo.com

When URL-encoded and submitted properly, this will add two lines to the auth_user_file.txt. The example auth_user_file.txt will now look like this:


1ejq5eWn718pA|bill|admin|William|Smith|webmaster@letstalksports.com|on
mgHX9HISAezfQ|joe|normal|Joe|Smith|joe@mailboxesrus.com|on
67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|js124@abracadabra.com|on
79NAtkW0UxFWE|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org|on
fgRldEzNsQL1p|dummyuser|normal|John|Doe
zzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker|evil@hackerstogo.com|on

As you can see, an entry, evilhacker, has been added with full admin status. This account can be used provided that the password hash given, zzw1I3xWVi.zE, was constructed from a known password (in this case it was "gotya"). This technique will work even if DCForum is set to e-mail passwords, and, with a minor modification, will work even if accounts are not enabled automatically. Once admin status has been acquired, an attacker can execute arbitrary commands. The easiest way for an attacker to do this is to set the sendmail program to the command the attacker wants to execute, set DCForum to e-mail the admin upon new registration, and then to register a new user.

Proof of concept:

A fully working proof-of-concept script, dcgetadmin.pl, is available at the qDefense web site (http://qDefense.com/downloads/dcgetadmin_pl.txt).


Franklin DeMatto
franklin@qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER
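
The defensive side of the flaw described in this advisory, as an added example that is not part of the original advisory and is not DCForum's own Perl code: `naive_record` reproduces the unvalidated write, `safe_record` rejects the delimiter and control characters after URL-decoding, and `audit` flags records in an existing file that break the seven-field layout. The function names, the field labels in the comments and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

DELIM = "|"
FIELDS = 7  # assumed layout from the sample file: hash|user|group|first|last|email|status
# The delimiter and every control character (CR and LF included) are unsafe in a field.
UNSAFE = re.compile(r"[\x00-\x1f\x7f|]")

def naive_record(values):
    """Vulnerable pattern: decoded form values are joined with no validation."""
    return DELIM.join(values) + "\n"

def safe_record(values):
    """Hardened pattern: validate each decoded field before it reaches the file."""
    if len(values) != FIELDS:
        raise ValueError("expected %d fields" % FIELDS)
    for value in values:
        if UNSAFE.search(value):
            raise ValueError("delimiter or control character in field")
    return DELIM.join(values) + "\n"

def audit(text):
    """Return (line_no, reason) for records that break the 7-field layout.
    A short record means a newline split it; the line after it is the
    remainder of that record and must be treated as untrusted."""
    findings, prev_short = [], False
    for no, line in enumerate(text.splitlines(), 1):
        n = len(line.split(DELIM))
        if n != FIELDS:
            findings.append((no, "field count %d" % n))
        elif prev_short:
            findings.append((no, "follows truncated record"))
        prev_short = n < FIELDS
    return findings

# Constructed sample: a last-name value carrying an encoded newline and pipes.
SAMPLE = ["HASH1", "dummyuser", "normal", "John",
          unquote_plus("Doe%0AHASH2%7Cuser2%7Cadmin%7CA%7CB"),
          "a@example.test", "on"]

if __name__ == "__main__":
    written = naive_record(SAMPLE)
    print(written, audit(written))
    try:
        safe_record(SAMPLE)
    except ValueError as err:
        print("rejected:", err)
```

Validation has to run on the decoded value, since the encoded form contains neither a literal newline nor a literal pipe.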



 
 



Copyright 2013, SecurityGlobal.net LLC