IPB (Invision Power Board) all versions (1.x? / 2.x / 3.x) Admin account Takeover leading to code execution

[0] Application description & Deployment estimation

From wikipedia.org:
Invision Power Board (abbreviated IPB, IP.Board or IP Board) is an Internet forum software produced by Invision Power Services, Inc. It is written in PHP and primarily uses MySQL as a database management system, although support for other database engines is available. While Invision Power Board is a commercially sold product, there is a large modding community and many of these modifications are free. In addition, many groups offer the download or design of free and paid skins.

—-

This software is deployed on very popular websites such as: NASA, EMI, NHL, NBC, O’Reilly, Evernote, …

You can easily find tens of thousands of deployed instances using Google dorks such as: “inurl:index.php?app=core” or “powered by Invision Power Board”.

[I] Logic Flaw

A) Overview

IPB harbors a sanitization flaw in its registration form and user control panel (accessible once logged in). Incorrect e-mail address validation code allows an attacker to take over the admin account without prompting any alert but preventing the real admin to login afterwards. After a successful takeover, the attacker can plant a PHP backdoor using IPB’s templating system. Thorough administrators will inspect total file system after they recover their hacked account, while other administrators might assume they are dealing with a bug, receive their new password using “Password recovery” system and leave the backdoor intact. Attacker may also use the “Retrieve password” process to mislead the admin into thinking their account was locked due to unsuccessful login attempts and not investigating further, thus preserving the backdoor.

B) Required data

1) Administrator’s login name

The admin login is easily found by clicking on “The moderating Team” link on recent IPB’s footer, or using the URL below: index.php?app=forums&module=extras&section=stats&do=leaders

2) Administrator’s e-mail

Obtaining the admin e-mail may be more complicated as there is no automated way to get it. The attacker can get it through:

– using whois on domain.tld to get registrar informations
– looking up a prospective e-mail on Facebook and see if a matching profile shows up
– using Gravatar (Gravatar is a personal avatar you can find on most blogs, forum, etc comments based on user e-mail address). Attacker can create a script to retrieve an email based on an avatar. For example mine is: http://www.john-jean.com/gravapwnd.php?zboob=john@wargan.com
– do sourcing using FB, G+, Twitter, Google SERP, …
– use SE methods, such as faked e-mail catcher; or use XSSs on known websites consulted by the target.

C) Explanation

This vulnerability is grounded on both a mistake in MySQL knowledge and bad sanitization of the $email variable.

First of all, let’s summarize how MySQL works:

– Truncating while INSERT

During an INSERT query, if the string exceeds the field size defined when creating the table, the string will be truncated. E.g.:

However, the string is not truncated during SELECT queries. The following query will not return any result:

MySQL use permissive SELECT:
SELECT ignores spaces at the end of strings. Let’s INSERT some datas:

Thus the following query will yield the 5 records inserted before:

Now, let’s have a look at the checkEmailAddress function of admin/source/base/core.php:

As you may know, trim only removes whitespace (and some others) characters BEFORE and AFTER the string, that is why IPB core team also use str_replace to remove space chars IN the email string. However, this treatment is performed to change the email address to the correct format. This is done to ensure the next steps of the check, but there will be no condition returning false if string has been trim or if str_replace has been used. This function checks an email validity format used in the register form and the change email form.

Let’s take a look at a another function called load( $member_key, $extra_tables=’all’, $key_type=” ) in admin/sources/base/ipsMember.php

As you can see, this function does not perform any verification on the length of $member_key & $v. We will exploit that in the next part.

D) Exploitation

Previously, on this adviso: we saw that $email is not rejected if it contains spurious whitespace, and that $member_key & $v length is not checked. We also saw some MySQL use-cases. Let’s see how we can exploit that:

The e-mail field from the ‘members’ table in IPB is declared as a varchar(150).
Upon registration, we fill the mail member (or admin) for which we want to steal the account to which we add a padding space for the size of the string exceeds 150. Then we add any character after the space one. It is necessary to bypass ajax’s validator, feel free to use Burp Suite or Tamperdata.

For example (scroll to right):

The SELECT query checking existing e-mails will not yield any result (scroll right):

The new account is successfully created. Our account is now using the e-mail address below (scroll right):

AAAA has been deleted by MySQL: string exceeding 150 characters are truncated.

At this stage, we have two users with very similar e-mail addresses (scroll right):

POST HTTP request looks like (on registration page):

We now can change our password. The profile corresponding to our session’s e-mail will be used. As already stated, spaces are not taken in consideration. The query will thus actually return the first matching e-mail result: the real administrator account. We will have actually changed the password of the administrator profile.

This flaw is usable both on the registration page and on the user control panel (index.php?app=core&module=usercp&tab=core&area=email).

E) Backdooring

Once the attacker has got access to the administrator’s backend, all he needs to do is go to /admin/index.php?adsess=000&app=core&module=templates&section=templates&do=list&setID=1 and add some code to the defaultHeader template:

<php> & </php> markups are used by the IPB’s templating system to add inline PHP code. characters in PHP are used to do system calls.
Once such a backdoor has been planted, any part of public_html can be compromised and it may also lead to privilege escalation on a dedicated server or LAN.

[II] Mitigation

A) Patch party !

These are two quick & dirty patches, but they work.

admin/source/base/core.php should be:

Enforces the e-mail variable to be shorter than 150 characters.

admin/source/base/ipsMember.php should be:

This will truncate the string to 140 characters.

Patching 1st or 2nd file fixes the bug.

B) Common sense

– Never use a known email-adress for your application deployment, monitoring, supervision, … You may use catch-all, or even better, another domain.tld than your own.
– Never deploy applications you do not completely trust (no one ?) or you did not code review on shared hosting with other projects or applications that are not on that same network. Especially forums that expose a wide attack surface to malicious users.
– Use mitigation systems such as IDS (which can be evaded depending on your attacker skills).
– Blacklist dangerous php functions (using http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.func.blacklist ?)
php_admin_value open_basedir /home/ipb/:/usr/share/php/
php_admin_value suhosin.executor.func.blacklist exec,dl,fpassthru,move_uploaded_file,phpinfo,passthru,shell_exec,system,proc_open,popen,curl,
curl_exec,curl_multi_exec,parse_ini_file,show_source, …
– Use a chrooted environment
– …

[III] Recommendations

The vendor has released a patch which fixes these vulnerabilities. It is strongly recommended to upgrade your software version: http://community.invisionpower.com/topic/385207-ipboard-32x-33x-and-34x-critical-security-update/

[IV] Timeline

[V] Author

John JEAN is a French security researcher working at Wargan Solutions – http://www.wargan.com
Follow him on twitter @johnjean

[VI] PGP

Partagez cet article !

    5 commentaires sur “IPB (Invision Power Board) all versions (1.x? / 2.x / 3.x) Admin account Takeover leading to code execution

    1. Nicolas dit :

      Good Job ;)

    2. Paulichon dit :

      JE SUIS FAN !!

    3. Crim3R dit :

      Thats a Good finding man
      i loved it , so Clever :)

      thanks for submitting it

    4. Versus71 dit :

      Hi. My video exploitation vulnerability:
      youtube.com/watch?v=ml3l1Pendh4

      What is wrong?

    5. Dallas mendenhal dit :

      We are a gaggle of volunteers and starting a brand new scheme in our community.
      Your web site provided us with useful info
      to work on. You have performed an impressive job and our entire group might be thankful to you.

    Laisser un commentaire

    Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

    Vous pouvez utiliser ces balises et attributs HTML : <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">