CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities

stock-footage-digital-code-binary-computer-background-series-version-from-to
 

CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities

 

Exploit Title: 6kbbs Multiple CSRF (Cross-Site Request Forgery) Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: April 02, 2015

Latest Update: April 02, 2015

Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]

CVE Reference: *

CXSecurity Reference: WLB-2015040034

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Writer and Reporter: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

Suggestion Details:



(1) Vendor & Product Description:



Vendor:

6kbbs

 

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

 

Vendor URL & download:

6kbbs can be gain from here,

http://www.6kbbs.com/download.html

http://en.sourceforge.jp/projects/sfnet_buzhang/downloads/6kbbs.zip/

 

Product Introduction Overview:

“6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user’s preferred utility functions.”

“1, using XHTML + CSS architecture, so that the structure of the page, saving transmission static page code, but also easy to modify the interface, more in line with WEB standards; 2, the Forum adopted Cookies, Session, Application and other technical data cache on the forum, reducing access to the database to improve the performance of the Forum. Can carry more users simultaneously access; 3, the data points table function, reduce the burden on the amount of data when accessing the database; 4, support for multi-skin style switching function; 5, the use of RSS technology to support subscriptions forum posts, recent posts, user’s posts; 6, the display frame mode + tablet mode, the user can choose according to their own preferences to; 7. forum page optimization keyword search, so the forum more easily indexed by search engines; 8, extension, for our friends to provide a forum for a broad expansion of space services; 9, webmasters can add different top and bottom of the ad, depending on the layout; 10, post using HTML + UBB way the two editors, mutual conversion, compatible with each other; …”

 

 

 

(2) Vulnerability Details:

6kbbs web application has a computer cyber security bug problem. It can be exploited by CSRF (Cross-Site Request Forgery) attacks. This may allow an attacker to trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into creating files that may then be called via a separate CSRF attack or possibly other means, and executed in the context of their session with the application, without further prompting or verification.

Several 6kbbs products 0-day vulnerabilities have been found by some other bug hunter researchers before. 6kbbs has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to csrf vulnerabilities.

 

(2.1) The first code programming flaw occurs at “/portalchannel_ajax.php?” page with “&id” and &code” parameters in HTTP $POST.

(2.2) The second code programming flaw occurs at “/admin.php?” page with “&fileids” parameter in HTTP $POST.

 

 

 

 

Related Articles:
http://cxsecurity.com/issue/WLB-2015040034
http://lists.openwall.net/full-disclosure/2015/04/05/7
http://www.intelligentexploit.com/view-details.html?id=21071
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819
https://www.mail-archive.com/fulldisclosure@seclists.org/msg01902.html
http://seclists.org/fulldisclosure/2015/Apr/13
http://www.tetraph.com/security/csrf-vulnerability/6kbbs-v8-0-csrf
http://essayjeans.blog.163.com/blog/static/237173074201551435316925/
https://itinfotechnology.wordpress.com/2015/04/14/6kbbs-crsf/

http://frenchairing.blogspot.fr/2015/06/6kbbs-crsf.html
http://tetraph.blog.163.com/blog/static/234603051201551444917365/
http://diebiyi.com/articles/security/6kbbs-v8-0-csrf
http://securityrelated.blogspot.com/2015/04/6kbbs-v80-multiple-csrf-cross-site.html
https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-multiple-csrf
http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-csrf

 

 

 

Microsoft Live Online Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

logo_msHotmailVertical_web

 

Microsoft Live Online Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)




(1) Domain:
live.com

 

 

 

 

(2) Vulnerability Description:

Live web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.



The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 


(2.1) Vulnerability Detail:

Live’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Live.

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerability was reported to Microsoft. Microsoft replies “We have completed our investigation and concluded that the vulnerability exists in idp.plane.edu.au and not login.live.com. I would recommend reporting this issue to plane.edu.au. We will be closing this case.”

 

 

The vulnerabilities occurs at page “/oauth20_authorize.srf?” with parameter “&redirect_uri”, e.g.
https://login.live.com/oauth20_authorize.srf?client_id=0000000040069047&scope=wl.basic&response_type=code&redirect_uri=http%3A%2F%2Fidp.plane.edu.au%2Fsimplesaml%2Fmodule.php%2Fmultiauth%2Fselectsource.php%3FAuthState%3D_c96d1f2d80c2dd6116e61ac3f08a7fa4c9b4454d4b%253Ahttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html [1]

 

 

 

Before acceptance of third-party application:

When a logged-in Live user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto Live and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:

 

A logged-in Live user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

 

 

(2.1.1) Live would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Live to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Live directly. The number of Live’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Live’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Live’s authentication system and attack more easily.

 

It might be of Live’s interest to patch up against such attacks.

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “http://lifegrey.tumblr.com/“. Can suppose it is malicious.

 

Below is an example of a vulnerable third-party domain:
idp.plane.edu.au

 

 

Vulnerable URL in this domain:
http://idp.plane.edu.au/simplesaml/module.php/multiauth/selectsource.php?AuthState=_c96d1f2d80c2dd6116e61ac3f08a7fa4c9b4454d4b%3Ahttp%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ffish_water.html

 

 

Vulnerable URL from Live that is related to idp.plane.edu.au:
https://login.live.com/oauth20_authorize.srf?client_id=0000000040069047&scope=wl.basic&response_type=code&redirect_uri=http%3A%2F%2Fidp.plane.edu.au

 

 

POC:
https://login.live.com/oauth20_authorize.srf?client_id=0000000040069047&scope=wl.basic&response_type=code&redirect_uri=http%3A%2F%2Fidp.plane.edu.au%2Fsimplesaml%2Fmodule.php%2Fmultiauth%2Fselectsource.php%3FAuthState%3D_c96d1f2d80c2dd6116e61ac3f08a7fa4c9b4454d4b%253Ahttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html

 

 

 

(2.3) The following URLs have the same vulnerabilities.
https://oauth.live.com/authorize?client_id=0000000044072822&scope=wl.basic%20wl.offline_access%20wl.signin%20wl.birthday%20wl.emails%20wl.phone_numbers%20wl.postal_addresses%20wl.share%20wl.work_profile&response_type=code&redirect_uri=http://www.denglu.cc/dl_receiver.php&state=31482_windowslive_284401

 


POC Video:
https://www.youtube.com/watch?v=z3Eq6GJsHWI

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/microsoft-lives-oauth-20-covert.html



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/









Related Articles:
http://tetraph.com/security/covert-redirect/microsoft-lives-oauth-2-0-covert-redirect-vulnerablity/
https://twitter.com/tetraphibious/status/559168921534603264
https://tetraph.wordpress.com/2014/09/06/microsoft-live-vulnerability/
http://computerobsess.blogspot.com/2014/07/microsoft-live-exploit.html
http://webcabinet.tumblr.com/post/119496963567/securitypost
http://tetraph.blog.163.com/blog/static/2346030512014440315992/
http://securityrelated.blogspot.com/2014/07/microsoft-live-exploit.html
http://www.inzeed.com/kaleidoscope/covert-redirect/microsoft-lives-oauth-2-0-covert-redirect-vulnerablity/
http://whitehatpost.lofter.com/post/1cc773c8_706b622
https://computertechhut.wordpress.com/2014/09/02/microsoft-live-vulnerability/