Twenty Year Anniversary

6kbbs 7.1 / 8.0 Weak Cryptography

6kbbs 7.1 / 8.0 Weak Cryptography
Posted Jun 11, 2015
Authored by Jing Wang

6kbbs versions 7.1 and 8.0 suffer from a weak cryptography implementation due to using md5.

tags | advisory
MD5 | 29ee208ba72305cc7d9ca01647878d0c

6kbbs 7.1 / 8.0 Weak Cryptography

Change Mirror Download
*6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities*


Exploit Title: 6kbbs Weak Encryption Web Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1 v8.0
Tested Version: v7.1 v8.0
Advisory Publication: June 08, 2015
Latest Update: June 10, 2015
Vulnerability Type: Inadequate Encryption Strength [CWE-326]
CVE Reference: *
CVSS Severity (version 2.0):
Discover and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)






*Recommendation Details:*


*(1) Vendor & Product Description:*


Vendor:
6kbbs



*Product & Vulnerable Versions:*
6kbbs
v7.1
v8.0



*Vendor URL & download:*
6kbbs can be gain from here,
http://www.6kbbs.com/download.html




*Product Introduction Overview:*
"6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the
code simple, easy to use, powerful, fast and so on. It is an excellent
community forum program. The program is simple but not simple; fast, small;
Interface generous and good scalability; functional and practical pursuing
superior performance, good interface, the user's preferred utility
functions. Forum Technical realization (a) interface : using XHTML + CSS
structure, so the structure of the page , easy to modify the interface ;
save the transmission static page code , greatly reducing the amount of
data transmitted over the network ; improve the interface scalability ,
more in line with WEB standards, support Internet Explorer, FireFox, Opera
and other major browsers. (b) Program : The ASP + ACCESS mature technology
, the installation process is extremely simple , the environment is also
very common."


"(1) PHP version : (a) 6kbbs V8.0 start using PHP + MySQL architecture. (b)
Currently ( July 2010 ) is still in the testing phase , 6kbbs V8.0 is the
latest official release. (2) ASP Version: 6kbbs (6k Forum) is an excellent
community forum process . The program is simple but not simple ; fast ,
small ; interface generous and good scalability ; functional and practical
. pursue superiority , good interface , practical functions of choice for
subscribers."





*(2) Vulnerability Details:*
6kbbs web application has a computer security problem. It can be exploited
by weak encryption attacks. The software stores or transmits sensitive data
using an encryption scheme that is theoretically sound, but is not strong
enough for the level of protection required. A weak encryption scheme can
be subjected to brute force attacks that have a reasonable chance of
succeeding using current attack methods and resources.


Several 6kbbs products 0-day web cyber bugs have been found by some other
bug hunter researchers before. 6kbbs has patched some of them. "The Full
Disclosure mailing list is a public forum for detailed discussion of
vulnerabilities and exploitation techniques, as well as tools, papers,
news, and events of interest to the community. FD differs from other
security lists in its open nature and support for researchers' right to
decide how to disclose their own discovered bugs. The full disclosure
movement has been credited with forcing vendors to better secure their
products and to publicly acknowledge and fix flaws rather than hide them.
Vendor legal intimidation and censorship attempts are not tolerated here!"
A great many of the web securities have been published here.




Source Code:
<?php
if(empty($row)){
$extrow=$db->row_select_one("users","username='{$username}'");
if(!empty($extrow) && !empty($extrow['salt'])){

if(md5(md5($userpass).$extrow['salt'])==$extrow['userpass']){
$row=$extrow;
$new_row["userpass"]=$userpass_encrypt;
$new_row["salt"]="";

$db->row_update("users",$new_row,"id={$extrow['id']}");
}
}
}
?>



Source Code From:
http://code.google.com/p/6kbbs/source/browse/trunk/convert/discuz72/loginext.php?r=16


We can see that "userpass" stored in cookie was encrypted using "$userpass"
user password directly. And there is no "HttpOnly" attribute at all. Since
md5 is used for the encryption, it is easy for hackers to break the
encrypted message.


"The MD5 message-digest cryptography algorithm is a widely used
cryptographic hash function producing a 128-bit (16-byte) hash value,
typically expressed in text format as a 32 digit hexadecimal number. Papers
about it have been published on Eurocrypt, Asiacrypt and Crypto. Meanwhile,
researchers focusing on it spread in Computer Science, Computer
Engineering, IEEE and Mathematics. MD5 has been utilized in a wide variety
of cryptographic applications, and is also commonly used to verify data
integrity. MD5 was designed by Ronald Rivest in 1991 to replace an earlier
hash function, MD4. The source code in RFC 1321 contains a "by attribution"
RSA license." (Wikipedia)








*References:*
http://tetraph.com/security/weak-encryption/6kbbs-v8-0-weak-encryption/
http://securityrelated.blogspot.com/2015/06/6kbbs-v80-weak-encryption-cryptography.html
https://vulnerabilitypost.wordpress.com/2015/06/11/6kbbs-v8-0-weak-encryption/
http://www.inzeed.com/kaleidoscope/computer-security/6kbbs-v8-0-weak-encryption/
http://marc.info/?l=full-disclosure&m=142821698311838&w=4
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1820
http://whitehatpost.blog.163.com/blog/static/24223205420155115152896/
http://seclists.org/fulldisclosure/2015/Apr/13
https://packetstormsecurity.com/files/131290/6kbbs-8.0-Cross-Site-Request-Forgery.html
http://lists.openwall.net/full-disclosure/2015/04/05/6






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close