goinfre/externals/080221-epibite-pwnbb/SE-2008-01.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


SektionEins GmbH
www.sektioneins.de

-= Security Advisory =-


Advisory: PunBB Blind Password Recovery Vulnerability
Release Date: 2008/02/20
Last Modified: 2008/02/20
Author: Stefan Esser [stefan.esser[at]sektioneins.de]

Application: PunBB <= 1.2.16
Severity: Weak random numbers lead to a blind password recovery
          vulnerability that allows account takeover
Risk: High
Vendor Status: Vendor has released PunBB 1.2.17 which fixes this issue
Reference: http://www.sektioneins.de/advisories/SE-2008-01.txt

Overview:

Quote from http://punbb.org/
"PunBB is a fast and lightweight PHP-powered discussion board.
It is released under the GNU General Public License. Its primary
goals are to be faster, smaller and less graphically intensive as
compared to other discussion boards. PunBB has fewer features
than many other discussion boards, but is generally faster and
outputs smaller, semantically correct XHTML-compliant pages."

PunBB comes with a password reset feature that allows resetting a
forgotten password. When a password reset is requested, an email
is sent to the user containing a new random password and an
activation link that must be visited before the password change
becomes effective.

Unfortunately, because of several weak random numbers, it is
possible to determine the new random password and the activation
link from the outside. This allows taking over any account on the
forum, including the administrator account.


Details:

PunBB's password reset functionality internally uses mt_rand() to
generate a new password and a new activation link, both of which
are sent to the user by email.

Unfortunately PunBB initialises the Mersenne Twister random number
generator on every request with a number between 0 and 1,000,000,
derived from the current microsecond. This means there are only
one million possible new passwords and new activation links. It
would be possible to brute-force this limited space, but the amount
of time and traffic required would be huge.

Because of this, a better one-shot method was developed that
determines the new password and the new activation link from the
response to the request that triggered the password reset.

To understand how this is possible it is necessary to know that
during installation PunBB creates a "random" cookie seed that is
used to store login data in the cookie during a visit. This cookie
seed generation is not really random, because it is more or less
the MD5 hash of the current timestamp. This means it is easily
brute-forceable once the attacker has his own user account on the
forum: he just needs to use his own login cookie and check all
seconds backwards from the date the admin account was created
(visible in the member list).

The second component required for the attack to work is PunBB's
habit of returning a cookie containing a randomly generated password
when it receives a wrong login cookie. Because the cookie seed is
known, it can be used to check which one of the one million possible
passwords was generated. Knowing the password reveals the seed used
in the call to mt_srand(), which lets us predict all random numbers
generated during that request.

It should be obvious that applying this to the request that triggers
the password reset allows the new password and the new activation
link to be determined blindly within a few seconds. Both can then
be used to take over the attacked account.

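To make the reasoning above checkable, here is an added example in Python, written for this page; it is not PunBB's or SektionEins' code. It models the two weak secret sources the advisory describes (a per-request Mersenne Twister seeded from the microsecond counter, and a cookie seed that is the MD5 of the install timestamp) beside CSPRNG-backed replacements, and computes the entropy bound each imposes. The function names, the 62-character alphabet, the 8-character lengths and the one-year install window are assumptions; Python's random.Random is MT19937 like mt_rand but seeds differently from PHP's mt_srand, so its outputs model the flaw rather than reproduce PunBB's actual values.

```python
import hashlib
import math
import random
import secrets
import string

# Constructed model, not PunBB's code: a PunBB-style reset with the two weak
# secret sources the advisory describes, beside CSPRNG-backed replacements.
ALPHABET = string.ascii_letters + string.digits
MICROSECOND_SEEDS = 1_000_000  # seed range named in the advisory: 0 .. 1,000,000


def weak_reset(seed, pw_len=8, key_len=8):
    """Vulnerable flow (model): one Mersenne Twister instance seeded per request
    with the microsecond value, then used for both the new password and the
    activation key. Python's Random is MT19937 like PHP's mt_rand, but its
    seeding differs from mt_srand, so these values only model the flaw."""
    rng = random.Random(seed)
    password = "".join(rng.choice(ALPHABET) for _ in range(pw_len))
    activation_key = "".join(rng.choice(ALPHABET) for _ in range(key_len))
    return password, activation_key


def strong_reset(pw_len=8, key_len=32):
    """Hardened flow: both secrets come directly from the OS CSPRNG, so one
    request's password carries no information about its activation key."""
    password = "".join(secrets.choice(ALPHABET) for _ in range(pw_len))
    activation_key = secrets.token_hex(key_len // 2)
    return password, activation_key


def weak_cookie_seed(install_timestamp):
    """Vulnerable install-time cookie seed (model): MD5 of the Unix timestamp,
    so its search space is only the plausible install window in seconds."""
    return hashlib.md5(str(install_timestamp).encode()).hexdigest()


def strong_cookie_seed():
    """Hardened cookie seed: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(16)


def seed_space_bits(candidate_seeds):
    """Entropy upper bound for any value derived purely from a seed that takes
    one of `candidate_seeds` values, regardless of how long the output looks."""
    return math.log2(candidate_seeds)


def output_space_bits(length, alphabet=ALPHABET):
    """Entropy a string of `length` characters over `alphabet` appears to have."""
    return length * math.log2(len(alphabet))


def reset_is_linked(seed):
    """Audit check on the weak flow: re-seeding with the same value reproduces
    both the password and the activation key, i.e. learning one leaks the other."""
    return weak_reset(seed) == weak_reset(seed)


if __name__ == "__main__":
    print("apparent bits of an 8-char password:", round(output_space_bits(8), 1))
    print("actual bits under microsecond seeding:", round(seed_space_bits(MICROSECOND_SEEDS), 1))
    # cookie seed bounded by a one-year install window (constructed figure)
    print("cookie seed bits over a one-year window:", round(seed_space_bits(365 * 86400), 1))
    print("password and key linked in weak flow:", reset_is_linked(424242))
    print("strong reset sample:", strong_reset())
```

The numbers are the point of the exercise: an 8-character alphanumeric password looks like roughly 47.6 bits, but when every character is drawn from a generator seeded with one of a million values it is worth under 20 bits, and a cookie seed that is MD5 of a timestamp is bounded by the install window (about 25 bits for a one-year window) rather than by MD5's 128-bit output. The hardened functions remove the shared seed entirely, which is the property to check for in any password-reset or session-token code path.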


Proof of Concept:

SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.


Disclosure Timeline:

15. February 2008 - Notified security@punbb.org
19. February 2008 - PunBB developers released PunBB 1.2.17
20. February 2008 - Public Disclosure


Recommendation:

It is strongly recommended to upgrade to the latest version of
PunBB, which also fixes additional vulnerabilities reported by
third parties.

Grab your copy at:

http://punbb.org/downloads.php


CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
not assigned a name to this vulnerability yet.


GPG-Key:

http://www.sektioneins.de/sektioneins-signature-key.asc

pub 1024D/48A1DB12 2007-10-04 SektionEins GmbH - Signature Key <info@sektioneins.de>
Key fingerprint = 4462 A777 4237 E292 F52D 5AFE 7C9C C1AF 48A1 DB12


Copyright 2008 SektionEins GmbH. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHsBeQfJzBr0ih2xIRAqSPAKDp9oJQm3SrouI9fkkAq7fgtRpSrwCg4iOm
vc4jP+EeE3nDnfr43Ngbc5w=
=aJM7
-----END PGP SIGNATURE-----
