Author Topic: Taking over your Evilzone account - The easy way.  (Read 1782 times)


Offline zediwon

  • /dev/null
  • *
  • Posts: 11
  • Cookies: 2
  • zeDiwon is not Chinnese, dont ask me.
Taking over your Evilzone account - The easy way.
« on: October 18, 2014, 05:44:35 pm »
Hi,

I haven't been here for a while, for one because I fought with one of the *reputed* admins and for another because I have been busy with school. Meh, anyway, I just came back to Evilzone today, tried resetting my password to see what's been up in the past ~year (since I forgot it), and then noticed a very lame password reset logic flaw.

When you reset your password, Evilzone will mail you a link similar to:

https://evilzone.org/reminder/?sa=setpassword;u=13473;code=5c24bf48ba

I haven't done a perfect cryptanalysis, but so far I have noticed the URL contains my user ID (13473) and the reset code.

But if you look carefully, the reset code is a substr of the MD5 value of some random hash, and the worst part is that it has a constant length (10).

So taking that, we can construct all the possible values of that password reset hash.

MD5 is hexadecimal, meaning the characters are 0-F (abcdef0123456789): that is 10 numbers, 6 letters, 16 total characters. Since it's always a constant length of 10, it's 16^10, which is equivalent to 1,099,511,627,776 possible values. And that's very small, so I wrote a final Python script to have all the possible password reset URLs.

Now, all we got to do is reset the user (https://evilzone.org/reminder/), then all we got to do is know the user ID (simply by going to the user profile and clicking on personal message; the URL contains the user ID, like https://evilzone.org/pm/?sa=send;u=13473), so the password reset pseudo-URL would look like

https://evilzone.org/reminder/?sa=setpassword;u=USERID;code=HASH

Then, after making a simple Python script to send all the requests, we can take over ALL Evilzone accounts. :) Have zombies? Makes things even easier!

Enjoy!
« Last Edit: October 18, 2014, 06:06:34 pm by Factionwars »

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
Re: Taking over your Evilzone account - The easy way.
« Reply #1 on: October 18, 2014, 06:03:08 pm »
That is easy. The only time I ever tried changing my pass, my email too was gone, so I ended up not noticing.
I wonder if there is a limit and the member will be emailed or something. Any control on the bruteforcing attempt would be nice.
If you can't explain it to a 6 year old, you don't understand it yourself.

Offline zediwon

  • /dev/null
  • *
  • Posts: 11
  • Cookies: 2
  • zeDiwon is not Chinnese, dont ask me.
Re: Taking over your Evilzone account - The easy way.
« Reply #2 on: October 18, 2014, 06:09:18 pm »
"Controlling of the bruteforce would be nice" isn't the right mitigation technique (considering there are always zombies, so limiting by IP, useragent... is next to impossible).

However, strengthening the hash to a bigger length and not letting it have the userid, but as if encoded (having all possible symbols, chars, and numbers) would help. I think(?) :-D

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
Re: Taking over your Evilzone account - The easy way.
« Reply #3 on: October 18, 2014, 06:44:34 pm »
Thank you zediwon! It's good that you reported the bug, but releasing it as a hacktool without first notifying the admins is not a good way, and if you had released it a few hours earlier it could have ruined the forum.

I disabled the functionality and I am currently looking into it.
~Factionwars

Offline Fur

  • Knight
  • **
  • Posts: 216
  • Cookies: 34
Re: Taking over your Evilzone account - The easy way.
« Reply #4 on: October 18, 2014, 06:47:02 pm »
Quote from: zediwon
"Controlling of the bruteforce would be nice" isn't the right mitigation technique (considering there are always zombies, so limiting by IP, useragent... is next to impossible).

However, strengthening the hash to a bigger length and not letting it have the userid, but as if encoded (having all possible symbols, chars, and numbers) would help. I think(?) :-D
1) Brute-force mitigation by account would be effective against any number of devices brute-forcing the hash.
2) Encoding the account UID would be pointless. Security through obscurity rarely holds, and would also require the changes to be secret. I think the UID could be removed entirely by selecting the user where the reminder code is equal to the one in the URL.

I think the underlying reminder generation algorithm may be insecure:
Quote from: IRC
17:14 <+Fur> It would seem that the hashes are generated by a func. called
             generateValidationCode in Sources/Subs-Members.php. The hash is
             sha1(microtime() . mt_rand() . $dbRand . $modSettings['rand_seed'])).
             $dbRand seems to just be a SELECT RAND() query. Still looking for when a
             new code is generated so the attacker can predict the time, which I think
             mt_rand and RAND() uses as a seed.

Also, even when trying 1000 hashes per second, wouldn't it take about 12725 days? 1099511627776 / 1000 would be how many seconds it takes if 1k were tried each second; then dividing by 60 would give minutes, dividing by 60 again would give hours, then dividing by 24 would give days. Or is my mathematical reasoning incorrect?
« Last Edit: October 18, 2014, 06:53:39 pm by Fur »
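To put numbers on the keyspace worked out in the opening post and re-checked in Fur's reply, and to show what a reset token that is not worth brute-forcing looks like on the server side, here is an added Python example. It is not code from this thread and not SMF's code: `ResetTokenStore`, its method names, the 32-byte token size and the one-hour lifetime are assumptions made for the illustration. `keyspace` and `brute_force_days` reproduce the arithmetic above (16^10 codes at 1,000 guesses per second is about 12,725 days); the store draws tokens from the operating system's CSPRNG instead of hashing `microtime()` and `mt_rand()`, keeps only a digest of each token so a leaked database does not contain live reset links, expires them, accepts each once, and compares in constant time.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SECONDS_PER_DAY = 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct fixed-length codes over an alphabet (16^10 for a 10-hex-char code)."""
    return alphabet_size ** length


def brute_force_days(space: int, guesses_per_second: float) -> float:
    """Days needed to exhaust the whole keyspace at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_DAY


class ResetTokenStore:
    """Hypothetical server-side store for password-reset tokens (constructed example).

    Tokens come from the OS CSPRNG, only their SHA-256 digest is stored,
    they expire, are single-use, and are compared in constant time.
    """

    TOKEN_BYTES = 32      # 256 bits of entropy; an assumption for this example
    TTL_SECONDS = 3600    # one-hour lifetime; an assumption for this example

    def __init__(self) -> None:
        # user_id -> (sha256 hex digest of the token, expiry timestamp)
        self._pending: Dict[int, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        """Create a fresh token for the user; the plaintext only ever goes into the e-mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        self._pending[user_id] = (self._digest(token), now + self.TTL_SECONDS)
        return token

    def redeem(self, user_id: int, presented: str, now: Optional[float] = None) -> bool:
        """Accept the token once, only before expiry, never via a plain string compare."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if now >= expires_at:
            del self._pending[user_id]
            return False
        # Equal-length hex digests compared without an early exit on the first differing byte.
        if not hmac.compare_digest(stored_digest, self._digest(presented)):
            return False
        del self._pending[user_id]   # single use
        return True


if __name__ == "__main__":
    smf_space = keyspace(16, 10)
    print(f"10 hex chars: {smf_space:,} codes, "
          f"{brute_force_days(smf_space, 1000):.0f} days to exhaust at 1,000 guesses/s")
    strong_space = keyspace(2, 8 * ResetTokenStore.TOKEN_BYTES)
    print(f"32 random bytes: {brute_force_days(strong_space, 1e9):.3g} days at 1e9 guesses/s")
    store = ResetTokenStore()
    token = store.issue(13473, now=0.0)   # user id taken from the thread; time is constructed
    print("wrong token accepted:", store.redeem(13473, "not-the-token", now=1.0))
    print("right token accepted:", store.redeem(13473, token, now=1.0))
    print("replay accepted:", store.redeem(13473, token, now=2.0))
```

The generation step is the part Fur's IRC note questions: a token built from the clock and `mt_rand()` is only as unpredictable as those inputs, whereas `secrets` gives 256 bits that no amount of timing knowledge narrows down. Storing the digest rather than the token means the reset table is useless on its own even if it is read out of the database.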

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
Re: Taking over your Evilzone account - The easy way.
« Reply #5 on: October 18, 2014, 06:52:04 pm »
Well, other SMF forums should be vulnerable. I personally have no time for that crap, but I know when Google finds this, some people are gonna have a field day.
If you can't explain it to a 6 year old, you don't understand it yourself.

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
Re: Taking over your Evilzone account - The easy way.
« Reply #6 on: October 18, 2014, 07:02:28 pm »
Zediwon, did you try it? Because there is built-in brute force protection on that piece of code. Anyhow, for the sake of security I heightened the security by making the code longer and using a stronger hashing algo (not that it makes a bunch of difference).

Flood control:
https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/Reminder.php#L251
« Last Edit: October 18, 2014, 07:03:00 pm by Factionwars »
~Factionwars

Offline Pak_Track

  • Royal Highness
  • ****
  • Posts: 762
  • Cookies: 69
  • Paratrooper
Re: Taking over your Evilzone account - The easy way.
« Reply #7 on: October 18, 2014, 07:24:31 pm »
I remember fackie making a thread about the introduction of brute force protection. I assumed it was for the login page only. Didn't know it went this far.
« Last Edit: October 18, 2014, 07:24:55 pm by Pak_Track »

'Life is but a series of conflicts between the easy way and the right way.'
The more you know, the more you'll realize you know nothing. -Snayler
The problem with being a smart motherfucker is that sometimes the stupid motherfuckers think you're a crazy motherfucker.
dont u hate it when you offer help and the other person says yes -Pakalu Papito

Offline TheWormKill

  • EZ's Scripting Whore
  • Global Moderator
  • Knight
  • *
  • Posts: 257
  • Cookies: 66
  • The Grim Reaper of Worms
Re: Taking over your Evilzone account - The easy way.
« Reply #8 on: October 18, 2014, 07:33:59 pm »
Quote from: Stackprotector
I disabled the functionality and I am currently looking into it.

Have no fear, reading might save you from a heart attack next time ;).
Stuff I did: How to think like a superuser, Iridium

He should make that "Haskell"
Quote
<m0rph-is-gay> fuck you thewormkill you python coding mother fucker

Offline zediwon

  • /dev/null
  • *
  • Posts: 11
  • Cookies: 2
  • zeDiwon is not Chinnese, dont ask me.
Re: Taking over your Evilzone account - The easy way.
« Reply #9 on: October 18, 2014, 08:35:17 pm »
Factionwars, I am confused about the fix.

https://evilzone.org/reminder/?sa=setpassword;u=13473;code=5c24bfdeaf or
https://evilzone.org/reminder/?sa=setpassword;u=13473;code=whatever still results in an update page. I am confused, is this right?

Offline zediwon

  • /dev/null
  • *
  • Posts: 11
  • Cookies: 2
  • zeDiwon is not Chinnese, dont ask me.
Re: Taking over your Evilzone account - The easy way.
« Reply #10 on: October 18, 2014, 08:41:22 pm »
Never mind, I liked the new fix. It's confusing to write a script that understands if the page is "really resetting" or just showing an "Invalid page"; this way, it's not possible to enumerate accounts :)
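Fur's first point (limit attempts per account rather than per client), the flood-control code Factionwars linked, and zediwon's observation that the fixed page no longer tells a valid code from an invalid one come together in this added Python sketch. It is not SMF's code and not code from the thread: `ResetAttemptLimiter`, `ResetEndpoint`, the five-failure threshold, the ten-minute window and the one-hour lockout are assumptions for the illustration, and `passwords_changed` exists only so the effect can be observed. The counter is keyed by the targeted account, so spreading guesses over many source addresses buys no extra attempts, and every outcome (wrong code, unknown user, locked account, success) returns the identical response.

```python
import hmac
import time
from collections import defaultdict
from typing import Dict, List, Optional

# Policy values are assumptions for this example, not SMF's settings.
MAX_FAILURES = 5          # failed codes per account before lockout
WINDOW_SECONDS = 600      # failures older than this are forgotten
LOCKOUT_SECONDS = 3600    # how long the account's reset flow stays locked

# Identical for every outcome, so a client cannot tell which branch was taken.
GENERIC_RESPONSE = {
    "status": 200,
    "body": "If the reset link was valid, your password has been changed.",
}


class ResetAttemptLimiter:
    """Counts failed reset-code submissions per *account*, independent of the client."""

    def __init__(self) -> None:
        self._failures: Dict[int, List[float]] = defaultdict(list)
        self._locked_until: Dict[int, float] = {}

    def is_locked(self, user_id: int, now: float) -> bool:
        until = self._locked_until.get(user_id)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout elapsed: forget the history and let the account try again.
        del self._locked_until[user_id]
        self._failures.pop(user_id, None)
        return False

    def record_failure(self, user_id: int, now: float) -> None:
        recent = [t for t in self._failures[user_id] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self._failures[user_id] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user_id] = now + LOCKOUT_SECONDS

    def record_success(self, user_id: int) -> None:
        self._failures.pop(user_id, None)
        self._locked_until.pop(user_id, None)


class ResetEndpoint:
    """Hypothetical handler for the set-password step of a reset link (constructed)."""

    def __init__(self, valid_codes: Dict[int, str]) -> None:
        self._codes = dict(valid_codes)          # user_id -> currently valid code
        self.limiter = ResetAttemptLimiter()
        self.passwords_changed: Dict[int, str] = {}   # observable side effect only

    def set_password(self, user_id: int, code: str, new_password: str,
                     now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        if self.limiter.is_locked(user_id, now):
            return GENERIC_RESPONSE
        expected = self._codes.get(user_id)
        # Unknown users are compared against a dummy so the request does the same
        # work as for a real account and is counted as a failure like any other.
        reference = expected if expected is not None else "no-such-user-dummy-value"
        matched = hmac.compare_digest(reference.encode("utf-8"), code.encode("utf-8"))
        if expected is not None and matched:
            self.limiter.record_success(user_id)
            del self._codes[user_id]             # the code is spent
            self.passwords_changed[user_id] = new_password
        else:
            self.limiter.record_failure(user_id, now)
        return GENERIC_RESPONSE


if __name__ == "__main__":
    ep = ResetEndpoint({13473: "constructed-valid-code"})   # constructed sample account
    for i in range(MAX_FAILURES + 1):
        print(ep.set_password(13473, f"guess-{i}", "new-pw", now=1000.0 + i)["status"])
    print("locked:", ep.limiter.is_locked(13473, 1000.0 + MAX_FAILURES + 1))
```

Keying the lockout by account is what answers the "zombies" objection: the limiter never looks at who is asking, only which account is being attacked, so the guess budget is five per account per lockout period no matter how many hosts share the work. The uniform response is the second half; the limiter only helps if the responses it protects do not leak the verdict on each guess.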

Offline Phage

  • VIP
  • Overlord
  • *
  • Posts: 1280
  • Cookies: 120
Re: Taking over your Evilzone account - The easy way.
« Reply #11 on: October 18, 2014, 09:20:48 pm »
Quote from: zediwon
Never mind, I liked the new fix. It's confusing to write a script that understands if the page is "really resetting" or just showing an "Invalid page"; this way, it's not possible to enumerate accounts :)

It's really not hard to make a check for that.
"Ruby devs do, in fact, get all the girls. No girl wants a python, but EVERY girl wants rubies" - connection

"It always takes longer than you expect, even when you take into account Hofstadter’s Law."

Offline zediwon

  • /dev/null
  • *
  • Posts: 11
  • Cookies: 2
  • zeDiwon is not Chinnese, dont ask me.
Re: Taking over your Evilzone account - The easy way.
« Reply #12 on: October 18, 2014, 10:50:29 pm »
Btw Factionwars, just wondering, did somebody remove my Python script I made as a PoC to enumerate all the possibilities?

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
Re: Taking over your Evilzone account - The easy way.
« Reply #13 on: October 18, 2014, 11:14:42 pm »
Quote from: zediwon
Btw Factionwars, just wondering, did somebody remove my Python script I made as a PoC to enumerate all the possibilities?
Faction took it to the dungeons. Either format it or remove it. EZ wasn't fixed yet; no chances of kids playing around.
If you can't explain it to a 6 year old, you don't understand it yourself.

Offline HTH

  • Official EZ Slut
  • Administrator
  • Knight
  • *
  • Posts: 395
  • Cookies: 158
  • EZ Titan
Re: Taking over your Evilzone account - The easy way.
« Reply #14 on: October 18, 2014, 11:25:36 pm »
Uhm, I know I'm late to the party, but bruteforcing a web URL with, assuming it's halfway through the solution set... 500,000,000 requests isn't groundbreaking. That's a small DoS attack and I don't think an admin exists that wouldn't notice it. Even if you did throttle it back to a conservative rate :p


and here is your PoC lel

Code:
for n in range(0, 68719476735):
    print(hex(n).zfill(6).replace("x", ""))

^props if anyone actually runs that/makes it lel, it is purely satirical and may make your computer explode
<ande> HTH is love, HTH is life
<TurboBorland> hth is the only person on this server I can say would successfully spitefuck peoples women