SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   vBulletin
Vendors:   Jelsoft Enterprises
vBulletin Input Validation Flaw in XMLRPC API Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1031001
SecurityTracker URL:  http://securitytracker.com/id/1031001
CVE Reference:   CVE-2014-2022
Date:  Oct 14 2014
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 4.x; Tested on 4.2.0 PL2, 4.2.1, 4.2.2
Description:   A vulnerability was reported in vBulletin. A remote authenticated user can inject SQL commands.

The XMLRPC API breadcrumbs_create script does not properly validate user-supplied input. A remote authenticated user with knowledge of the API key can supply a specially crafted parameter value to execute SQL commands on the underlying database.

The vendor was notified on January 14, 2014, without response.

oststrom reported this vulnerability.

Impact:   A remote authenticated user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.vbulletin.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [FD] CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API (post-auth)

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API (post-auth)
==============================================================================

 

Overview
- --------

    date    :  10/12/2014
    cvss    :  7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) base
    cwe     :  89

    vendor  : vBulletin Solutions
    product : vBulletin 4
    versions affected :  latest 4.x (to date); verified <= 4.2.2
            * vBulletin 4.2.2     (verified)
            * vBulletin 4.2.1     (verified)
            * vBulletin 4.2.0 PL2 (verified)

    exploitability :
            * remotely exploitable
            * requires authentication (apikey)

    patch availability (to date) :  None

                

Abstract
- ---------

    vBulletin 4 does not properly sanitize parameters to breadcrumbs_create allowing
    an attacker to inject arbitrary SQL commands (SELECT).

    risk:  rather low - due to the fact that the api key is required
           you can probably use CVE-2014-2023 to obtain the api key

 

 

 

Details
- --------

    vulnerable component:
        ./includes/api/4/breadcrumbs_create.php
    vulnerable argument:
        conceptid

    which is sanitized as TYPE_STRING which does not prevent SQL injections.

 

 

Proof of Concept (PoC)
- ----------------------

    see https://github.com/tintinweb/pub/cve-2013-2022

    1) prerequisites
    1.1) enable API, generate API-key
         logon to AdminCP
         goto "vBulletin API"->"API-Key" and enable the API interface, generate key
    2) run PoC
         edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
         provide WWW_DIR which is the place to write the php_shell to (mysql must have permissions for that folder)
         Note: meterpreter_bind_tcp is not provided
         run PoC, wait for SUCCESS! message
         Note: poc will trigger meterpreter shell

    meterpreter PoC scenario requires the mysql user to have write permissions
    which may not be the case in some default installations.

    

    

Timeline
- --------

    2014-01-14: initial vendor contact, no response
    2014-02-24: vendor contact, no response
    2014-10-13: public disclosure

    

Contact
- --------

    tintinweb - https://github.com/tintinweb/pub/cve-2013-2022

(0x721427D8)

    

    

-----BEGIN PGP SIGNATURE-----


-----END PGP SIGNATURE-----


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
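
The Details section of the message says conceptid is cleaned as TYPE_STRING, which settles the value's type but leaves quote characters in place. The sketch below is an added example, not vBulletin's code and not the advisory's PoC: clean_string(), the concept table and its rows are assumptions made up for illustration, run against an in-memory SQLite database through PDO. It contrasts concatenating the cleaned string into the statement with binding it as a parameter.

```php
<?php
// Hypothetical stand-in for a "string" type cleaner (assumption, not the
// vBulletin implementation): it forces a trimmed string and nothing more.
function clean_string($value): string
{
    return trim((string) $value);
}

// Constructed in-memory table; table, columns and rows are made up.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE concept (conceptid TEXT, title TEXT)");
    $db->exec("INSERT INTO concept VALUES ('10', 'public'), ('11', 'staff only')");
    return $db;
}

// Before: the cleaned string is concatenated into the statement text, so a
// quote inside the value closes the literal and the remainder is parsed as SQL.
function lookup_concat(PDO $db, $conceptid): array
{
    $id  = clean_string($conceptid);
    $sql = "SELECT title FROM concept WHERE conceptid = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// After: the statement text is fixed at prepare time and the value travels
// separately as data, so its content cannot change the query structure.
function lookup_bound(PDO $db, $conceptid): array
{
    $stmt = $db->prepare("SELECT title FROM concept WHERE conceptid = ?");
    $stmt->execute([clean_string($conceptid)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db      = demo_db();
$crafted = "10' OR '1'='1";   // constructed input containing a quote

echo "concat, plain id:   ", json_encode(lookup_concat($db, '10')), "\n";
echo "concat, crafted id: ", json_encode(lookup_concat($db, $crafted)), "\n";
echo "bound,  crafted id: ", json_encode(lookup_bound($db, $crafted)), "\n";
```

With the constructed input, the concatenated lookup returns every row in the table, while the bound lookup returns none because the whole value is compared as a single literal.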
 
 



Copyright 2019, SecurityGlobal.net LLC