exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Simple Machines Forum Username Faking / Clickjacking

Simple Machines Forum Username Faking / Clickjacking
Posted Dec 14, 2013
Authored by Jakob Lell | Site jakoblell.com

Simple Machines Forum suffers from username impersonation and clickjacking issues. These issues are are present in SMF1 up to version 1.1.18 and SMF2 up to version 2.0.5.

tags | advisory
SHA-256 | ec054b0bcc023ef1325986cda6d0998e1dc4e6a4098ffcf06f2400521afdec66

Simple Machines Forum Username Faking / Clickjacking

Change Mirror Download
Advisory location:
http://www.jakoblell.com/blog/2013/12/13/multiple-vulnerabilities-in-smf-forum-software/

I. Introduction

Simple Machines Forum (abbreviated as SMF) is a free Internet forum
(BBS) software written in PHP.

II. Username faking via Unicode homoglyphs or duplicate spaces allows
user impersonation

The forum registration process allows registering UTF8 usernames. Since
Unicode contains a lot of additional symbols and some of them look very
similar (or even identical) to standard ASCII characters, this allows
registering a user with a name which is visually indistinguishable from
an existing forum user. As an example, someone may register a user named
"admiÕ¸" with the "n" replaced by the Unicode letter u+0578 (ARMENIAN
SMALL LETTER VO), which looks more or less exactly like the ASCII
character "n" depending on the font. This may be used in order to
impersonate users e.g. in forum messages. Additionally to choosing a
name which looks more or less exactly as the victim, an attacker can
also steal the avatar of the victim in order to further improve the
illusion.

The following page simplifies finding matching homoglyph characters for
a given string:

http://www.irongeek.com/homoglyph-attack-generator.php

If the original username contains a space, user impersonation is also
possible by registering the same username with two or more consecutive
spaces. These spaces will be passed to all HTML pages containing the
username and since web browsers ignore multiple consecutive spaces in
HTML, there is no visible difference between the original and the faked
username.


III. Clickjacking in SMF forum allows user-assisted remote arbitrary
code execution

The forum software SMF contains no protection against clickjacking. This
allows tricking a currently logged in user to do various unintended
actions in the forum when the user visits a malicious website. I have a
working POC exploit which requires no more than 2 clicks to a
predictable location to achieve full remote code execution when
exploited against a forum administrator (although I will not disclose
the exact attack vector in this public advisory). A cleverly designed
attack site may trick the user do these two clicks without much
thinking. The first click can be achieved by displaying one of the
annoying overlays which requests the user to fill out a survey, like the
site on facebook or subscribe to a newsletter. Most users are
conditioned to directly click on the small x on the top right of the
overlay to close it. For the second click, the attack site may just not
react to the first click hoping that the victim tries again.
Alternatively, the site could also pretend to be a video site waiting
for the user to click on the play button.


IV. Affected versions

All three vulnerabilities are present in SMF1 up to version 1.1.18 and
SMF2 up to version 2.0.5. The SMF team has released updates (version
1.1.19 and 2.0.6) which fix the clickjacking problem (via an
X-Frame-Options header) and the username faking possibility via multiple
consecutive spaces. However, the Unicode homoglyph attack has not yet
been fixed since it is not trivial to filter out all confusable
characters while still allowing legitimate Unicode characters in
usernames (especially if you can't use the Spoofchecker class because
you have to support PHP versions below 5.4.0).

V. Credits

Jakob Lell


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close