Deciphering the PHP-Nuke Capthca

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Deciphering the PHP-Nuke Capthca
From: Michael.Brooks.SPAM@xxxxxxxxxxxxxxxxxxxxx
Date: 19 Apr 2008 23:18:05 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

The Capthca used in the current version 8.1 of PHP Nuke can be deciphered with
100% accuracy. more information can be found her:
http://www.rooksecurity.com/blog/?p=6

Exploit Code: http://www.rooksecurity.com/exploits/php_nuke_captcha.zip

What is so interesting about this captcha is that it is incredibly wide spread.
Variants of this captcha are being used by big names like Paypal. This
particular captcha is used for the forgotten password feature. There are few
differences between this captcha and the one i broke. For one the background is
a different image. The captcha is also using alpha-numeric which would mean
36^5 = 60466176 possibilities

My attack against PHP-Nuke is taking advantage of the fact that there are only
10^6 or a 1,000,000 possible combinations of this captcha. It only takes a few
minuets to calculate all possibilities. I am storing the results in as a md5
hash in a SQL database for speed. The entire SQL table needed to crack this
captcha with 100% accuracy takes up less than 43 megabytes. After the table is
generated it take only a few seconds to crack a captcha. This is a time-memory
trade off very similar to Rainbow Crack. Let me be very clear that I am not
relying on MD5 for security and in fact a faster and much less secure message
digest function like Tiger is better suited for this task. MD5 is being used as
an attack tool because it saves a lot of space and time verses storing the
entire image in the database.

I created this list manually making sure that I checked the latest version.
This is by no means a complete list.

PHP-Nuke v8.1 FINAL
http://phpnuke.org/
./html/mainfile.php starting on line 1574

PHP-Nuke v7.0
download:
http://sourceforge.net/project/showfiles.php?group_id=7511&package_id=7622&release_id=213152
in:
./html/admin.php line 111 in funciton gfx()
and:
./modules/Your_Account/index.php line 489 in funciton gfx()

123tkshop v0.9.1
download:
http://sourceforge.net/project/showfiles.php?group_id=41061
file: admin.php
line: 142
function gfx($random_num)

phpMyBitTorrent v1.2.2
Download:
http://sourceforge.net/project/showfiles.php?group_id=129993&package_id=142566&release_id=522280
file:
./html/gfxgen.php (the entire file)

torrentflux v 2.3
download:
http://sourceforge.net/project/showfiles.php?group_id=123961
file:
./html/login.php starting on line 40

e107 V0.7.11
download:
http://sourceforge.net/project/showfiles.php?group_id=63748&package_id=60754&release_id=565243
This one is a bit spread out, but the actual vulnerable captcha is being
created on line 147 in:
./e107_handlers/secure_img_render.php

webze v 0.5.9
Download:
http://sourceforge.net/project/showfiles.php?group_id=88820
./index.php about line 92

Opendb v 1.5.0b4
download:
http://sourceforge.net/project/showfiles.php?group_id=37089&package_id=29402&release_id=573315
in ./functions/secretimage.php in the function secretimage() starting on line 35

Labgab v1.1
download:
http://sourceforge.net/project/showfiles.php?group_id=173453
./core/code.php starting on line 31

Prev by Date: SyScan'08 Singapore - Call for Paper
Next by Date: [ MDVSA-2008:090 ] - Updated OpenOffice.org packages fix vulnerabilities
Previous by thread: SyScan'08 Singapore - Call for Paper
Next by thread: [ MDVSA-2008:090 ] - Updated OpenOffice.org packages fix vulnerabilities
Index(es):
- Date
- Thread