[INetCop Security Advisory] zeroboard IP session bypass XSS vulnerability
========================================
INetCop Security Advisory #2006-0x82-029
========================================
* Title: zeroboard IP session bypass XSS vulnerability
0x01. Description
Zeroboard is a popular web notice board used in Korea.
INetCop Security found XSS vulnerability in the latest zeroboard version 4.1 pl
7 (2005. 4. 4).
Basically, zeroboard uses the following algorithm so that session may not be
abused
by the attack related with cookie. (e.g: cookie spoofing, sniffing)
After login, is part that handle session: --
bbs/login_check.php:
...
24 // 회원로그인이 성공하였을 경우 세션을 생성하고 페이지를 이동함
25 if($member_data[no]) {
26
27 if($auto_login) {
28 makeZBSessionID($member_data[no]);
29 }
30
31 // 4.0x 용 세션 처리
32 $zb_logged_no = $member_data[no];
33 $zb_logged_time = time();
34 $zb_logged_ip = $REMOTE_ADDR; <--- Recording IP address
35 $zb_last_connect_check = '0';
36
37 session_register("zb_logged_no");
38 session_register("zb_logged_time");
39 session_register("zb_logged_ip");
40 session_register("zb_last_connect_check");
41
--
If IP address is different from present session user's, connection terminates:
--
bbs/lib.php:
94 // 세션 값을 체크하여 로그인을 처리
95 } elseif($HTTP_SESSION_VARS["zb_logged_no"]) {
96
97 // 로그인 시간이 지정된 시간을 넘었거나 로그인
아이피가 현재 사용자의 아이피와 다를 경우 로그아웃 시킴
98 if(time()-$HTTP_SESSION_VARS["zb_logged_time"]>
$_zbDefaultSetup["login_time"]||$HTTP_SESSION_VARS["zb_logged_ip"]!=$REMOTE_ADDR)
{
99
100 $zb_logged_no=""; // session
initialization
101 $zb_logged_time="";
102 $zb_logged_ip="";
103 session_register("zb_logged_no");
104 session_register("zb_logged_ip");
105 session_register("zb_logged_time");
106 session_destroy();
107
108 // 유효할 경우 로그인 시간을 다시 설정
109 } else {
--
This seems to be intercepting cookie hacking.
But, if we take advantage of IP session disablement technique, session
bypassing may be possible.
Detailed explanation about the way to exploit this vulnerability is found at
the following reference.
URL: http://x82.inetcop.org/h0me/papers/iframe_tag_exploit.txt (Korean)
As a result, hacker through administrator's web browser exploit code workably
become.
--
0x02. Vulnerable Packages
Vendor site: http://www.nzeo.com/
Low versions including Zeroboard 4.1 pl 7 (2005. 4. 4) version.
-zb41pl7.tar.Z
Disclosure Timeline:
2003-04.??: Vulnerabilities found.
2006-02.17: 1st vendor contact. (didn't respond)
2006-02.22: 2nd vendor contact. (didn't respond)
2006-02.25: Vendor responded, patch released.
2006-03.12: Public disclosure.
0x03. Exploit
We have 2 `Proof-of-Concept' exploit about this vulnerability.
This XSS vulnerability happens in memo box title and user email, homepage
information input.
When administrator logins and checks a user information page, attack code can
be achieved,
and there is another way, which injects an attack code in memo title.
After exploit, an attacker can inject PHP code through an administrator web
page function.
Through this PHP code injection, the attacker(normal user) can change the
password of
administrator, and take administrator's privilege
To prevent the abuse of this vulnerabilty, INetCop Security will not publish
POC code.
0x04. Patch
INetCop Security released temporary patch:
INetCop Security Patch URL:
http://inetcop.net/upfiles/Zeroboard-4.1_pl7_patch.tgz
And vendor's patch after INetCop Security advisory:
Vendor Patch URL: http://www.nzeo.com/bbs/zboard.php?id=cgi_bugreport2&no=5406
--
Thank you.
P.S: I give thanks to Securityproof that suffer translation.
Korean Advisory URL:
http://www.inetcop.org/upfiles/33INCSA.2006-0x82-029-zeroboard.pdf
--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com,
xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org
My World: http://x82.inetcop.org
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--
--
_______________________________________________
Get your free email from http://www.hackermail.com