EvilZone
Hacking and Security: zediwon, October 18, 2014, 05:44:35 PM
-
Hi,
I haven't been here for a while, for one because I fought with one of the *reputed* admins and for another because I have been busy with school. Meh, anyway, I just came back to Evilzone today and tried resetting my password to see what's been up in the past ~year (since I forgot it), then noticed a very lame password reset logic flaw.
When you reset your password, Evilzone will mail you a link similar to:
https://evilzone.org/reminder/?sa=setpassword;u=13473;code=5c24bf48ba
I haven't done a perfect cryptanalysis, but so far I have noticed that the URL contains my user ID (13473) and the reset code.
But if you look carefully, the reset code is a substr of the MD5 value of some random hash, and the worst part is that it has a constant length (10).
So taking that, we can construct all the possible values of that password reset hash.
MD5 is hexadecimal, meaning the characters are 0-F (abcdef0123456789): that is 10 digits and 6 letters, 16 characters in total. Since it is always a constant length of 10, that is 16^10, which is equivalent to
1,099,511,627,776 possible values. That's very small, so I wrote a final Python script to produce all the possible password reset URLs.
Now, all we have to do is reset the user (https://evilzone.org/reminder/) and know the user ID (simply go to the user profile and click on "personal message"; the URL contains the user ID, like https://evilzone.org/pm/?sa=send;u=13473), so the password reset pseudo-URL would look like
https://evilzone.org/reminder/?sa=setpassword;u=USERID;code=HASH
Then, after making a simple Python script to send all the requests, we can take over ALL Evilzone accounts. :) Have zombies? That makes things even easier!
Enjoy!
-
That is easy. The only time I ever tried changing my pass, my email too was gone, so I ended up not noticing.
I wonder if there is a limit and the member will be emailed or something. Any control to the bruteforcing attempt would be nice.
-
"Controlling the brute force would be nice" isn't the right mitigation technique (considering there are always zombies, so limiting by IP, user agent... is next to impossible).
However, strengthening the hash to a bigger length and not letting it contain the user ID, but rather something encoded (having all possible symbols, chars, and numbers) would help. I think(?) :-D
-
Thank you zediwon! It's good that you reported the bug, but releasing it as a hack tool without first notifying the admins is not a good way to go about it, and if you had released it a few hours earlier it could have ruined the forum.
I disabled the functionality and i am currently looking into it.
-
"Controlling the brute force would be nice" isn't the right mitigation technique (considering there are always zombies, so limiting by IP, user agent... is next to impossible).
However, strengthening the hash to a bigger length and not letting it contain the user ID, but rather something encoded (having all possible symbols, chars, and numbers) would help. I think(?) :-D
1) Brute-force mitigation by account would be effective against any number of devices brute-forcing the hash.
2) Encoding the account uid would be pointless. Security through obscurity rarely holds, and it would also require the changes to be secret. I think the uid could be removed entirely by selecting the user where the reminder code is equal to the one in the URL.
I think the underlying reminder generation algorithm may be insecure:
17:14 <+Fur> It would seem that the hashes are generated by a func. called generateValidationCode in Sources/Subs-Members.php. The hash is sha1(microtime() . mt_rand() . $dbRand . $modSettings['rand_seed']). $dbRand seems to just be a SELECT RAND() query. Still looking for when a new code is generated so the attacker can predict the time, which I think mt_rand and RAND() use as a seed.
Also, even when trying 1000 hashes per second, wouldn't it take about 12725 days? 1099511627776 / 1000 would be how many seconds it takes if 1k were tried each second; then dividing by 60 would give minutes, dividing by 60 again would give hours, then dividing by 24 would give days. Or is my mathematical reasoning incorrect?
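The following is an added example for this thread, not code from Evilzone, SMF or any poster. It puts the two points above side by side: a weak 10-hex-character code that is both small (16^10) and fully determined by a guessable seed, and a hardened reset flow with a 256-bit CSPRNG token, digest-only storage, expiry, single use, a per-account failure budget (point 1) and a lookup-by-token variant that needs no uid in the URL (point 2). The in-memory store, the SHA-256 digest, the one-hour TTL, the five-attempt budget and the time-seeded generator are all assumptions made for illustration; the real SMF algorithm is the sha1(...) line quoted above.

```python
"""Hardened password-reset token handling next to the weak pattern discussed
in the thread.  Added example: this is NOT EvilZone's or SMF's code.  The
in-memory store, SHA-256 digests, the 1-hour TTL and the 5-attempt budget
are assumptions made for illustration."""
import hashlib
import hmac
import random
import secrets
import time


# ---- The weak pattern ------------------------------------------------------

def keyspace(hex_len):
    """Distinct codes of hex_len hexadecimal characters (16**10 for 10)."""
    return 16 ** hex_len


def brute_force_days(hex_len, requests_per_second):
    """Wall-clock days needed to try every code at a fixed request rate."""
    return keyspace(hex_len) / requests_per_second / 86400


def weak_code(issue_time, hex_len=10):
    """Constructed weak generator (assumption, not SMF's algorithm): a short
    hex code drawn from a PRNG seeded with the issue time in seconds.  Anyone
    who knows or can narrow down the seed reproduces the code without
    guessing at all."""
    rng = random.Random(int(issue_time))
    return "%0*x" % (hex_len, rng.getrandbits(4 * hex_len))


# ---- The hardened flow -----------------------------------------------------

TOKEN_BYTES = 32            # 256 bits of CSPRNG output per token
TOKEN_TTL_SECONDS = 3600    # assumption: a token lives one hour
MAX_FAILED_ATTEMPTS = 5     # assumption: failures allowed per issued token


def _digest(token):
    """Only this digest is stored; a database dump does not yield live tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class ResetStore:
    """In-memory stand-in for the tables a real forum would use."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # uid -> (token digest, expiry timestamp)
        self.failures = {}   # uid -> failed redemptions since issue

    def issue(self, uid):
        """Create a fresh token for uid; any earlier token is replaced."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.pending[uid] = (_digest(token), self.clock() + TOKEN_TTL_SECONDS)
        self.failures[uid] = 0
        return token   # goes into the e-mail link; never stored in clear

    def redeem(self, uid, token):
        """True exactly once for the right (uid, token) pair, else False."""
        entry = self.pending.get(uid)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[uid]                 # expired: drop it
            return False
        # Constant-time compare so a near miss costs the same as a far miss.
        if not hmac.compare_digest(digest, _digest(token)):
            self.failures[uid] += 1
            if self.failures[uid] >= MAX_FAILED_ATTEMPTS:
                del self.pending[uid]             # burn the token; re-request
            return False
        del self.pending[uid]                     # single use
        return True

    def redeem_by_token(self, token):
        """Variant with no uid in the URL: locate the account by digest.
        Returns the uid on success, None otherwise.  Acceptable only because
        the token carries 256 bits of entropy, not a 40-bit hex code."""
        digest = _digest(token)
        for uid, (stored, _expires_at) in list(self.pending.items()):
            if hmac.compare_digest(stored, digest):
                return uid if self.redeem(uid, token) else None
        return None
```

brute_force_days(10, 1000) evaluates to about 12725, the figure Fur arrives at above, while a 256-bit token makes the same calculation meaningless at any request rate. The failure budget in redeem() is what point 1 asks for: once the attacker has spent five guesses on an account, the token is gone and the whole botnet is guessing at nothing until the legitimate user requests a new one.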
-
Well, other SMF forums should be vulnerable. I personally have no time for that crap, but I know when Google finds this, some people are gonna have a field day.
-
Zediwon, did you try it? Because there is built-in brute-force protection on that piece of code. Anyhow, for the sake of security I heightened it by making the code longer and using a stronger hashing algo (not that it makes a bunch of difference).
Flood control:
https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/Reminder.php#L251
-
I remember fackie making a thread about the introduction of brute force protection. I assumed it was for the login page only. Didn't know it went this far.
-
I disabled the functionality and i am currently looking into it.
Have no fear, reading might save you from a heart attack next time ;) .
-
Factionwars, I am confused about the fix.
https://evilzone.org/reminder/?sa=setpassword;u=13473;code=5c24bfdeaf or
https://evilzone.org/reminder/?sa=setpassword;u=13473;code=whatever still results in an update page. I am confused, is this right?
-
Never mind, I like the new fix. It's confusing to write a script that understands whether the page is "really resetting" or just showing an "Invalid page"; this way, it's not possible to enumerate accounts :)
-
Never mind, I like the new fix. It's confusing to write a script that understands whether the page is "really resetting" or just showing an "Invalid page"; this way, it's not possible to enumerate accounts :)
It's really not hard to make a check for that.
-
Btw Factionwars, just wondering, did somebody remove my Python script that I made as a PoC to enumerate all the possibilities?
-
Btw Factionwars, just wondering, did somebody remove my Python script that I made as a PoC to enumerate all the possibilities?
Faction took it to the dungeons. Either format it or remove it. EZ wasn't fixed yet; no chance of kids playing around.
-
Uhm, I know I'm late to the party, but brute-forcing a web URL with, assuming it's halfway through the solution set... 500,000,000 requests isn't groundbreaking. That's a small DoS attack, and I don't think an admin exists that wouldn't notice it. Even if you did throttle it back to a conservative rate :p
and here is your PoC lel
    # every 10-hex-character code, 0000000000 .. ffffffffff
    for n in range(16 ** 10):
        print("%010x" % n)
^props if anyone actually runs that/makes it lel, it is purely satirical and may make your computer explode
-
and here is your PoC lel
    # every 10-hex-character code, 0000000000 .. ffffffffff
    for n in range(16 ** 10):
        print("%010x" % n)
Every possibility from 0 to "holy fuck" would be pretty kek.
-
...That's a small DoS attack and I don't think an admin exists that wouldn't notice it. Even if you did throttle it back to a conservative rate :p
Actually, there just needs to be one successful brute-force attempt against one Super-Admin and everything will be over. If you can do that attack within <10 mins, with rented zombies or whatever, it means that you can take over the whole of EZ. :/
I have faced similar problem with Facebook. http://paulosyibelo.blogspot.com/2014/08/ow-facebook-taking-over-random-accounts.html
-
Actually, there just needs to be one successful brute-force attempt against one Super-Admin and everything will be over. If you can do that attack within <10 mins, with rented zombies or whatever, it means that you can take over the whole of EZ. :/
I have faced similar problem with Facebook. http://paulosyibelo.blogspot.com/2014/08/ow-facebook-taking-over-random-accounts.html
Wrong. Getting access to our forum account only gives you access over the forum. The server and the IRC network are hidden under other accounts/usernames/passwords.
-
and ^ there you have some info to look for more info, LOL. Thanks Phage :P And still, RCE in the forum is enough to infect more users and escalate the attack to worse scenarios, much worse (I leave that to your imagination).
-
and ^ there you have some info to look for more info, LOL. Thanks Phage :P And still, RCE in the forum is enough to infect more users and escalate the attack to worse scenarios, much worse (I leave that to your imagination).
How would you turn an admin account into remote code execution?
And there's not really any info to it. It's basic, read BASIC, security to not use the same password on every service. It should only be expected.
-
How would you turn an admin account into remote code execution?
Well Phage, I am pretty sure someone will manage something once they are Admin? I am sure it isn't that complex. Even if I can write JavaScript, it won't be that hard afterwards. :/
-
Well Phage, I am pretty sure someone will manage something once they are Admin? I am sure it isn't that complex. Even if I can write JavaScript, it won't be that hard afterwards. :/
I know the admin panel, and there's no way you could do that.
-
I know the admin panel, and there's no way you could do that.
It is very easily possible, though that would require being admin, which is only given to people who would need access to do updates etc. anyway.
-
It is very easily possible, though that would require being admin, which is only given to people who would need access to do updates etc. anyway.
…