CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API (post-auth)

Overview

date    :  10/12/2014   
cvss    :  7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) base
cwe     :  89   

vendor  : vBulletin Solutions
product : vBulletin 4
versions affected :  latest 4.x (to date); verified <= 4.2.2
		* vBulletin 4.2.2     (verified)  
		* vBulletin 4.2.1     (verified)  
		* vBulletin 4.2.0 PL2 (verified)  
					
exploitability :
		* remotely exploitable
		* requires authentication (apikey)
			
patch availability (to date) :  None

Abstract

vBulletin 4 does not properly sanitize parameters to breadcrumbs_create allowing
an attacker to inject arbitrary SQL commands (SELECT).

risk:  rather low - due to the fact that the api key is required
	   (you can probably use CVE-2014-2023 to obtain the api key)

Details

vulnerable component: 
	./includes/api/4/breadcrumbs_create.php
vulnerable argument:
	conceptid

which is sanitized as TYPE_STRING, a cleaner type that does not prevent SQL injection.
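As an added example (not part of the original advisory or the PoC), the following Python snippet flags API requests for breadcrumbs_create whose conceptid is not a plain integer id, run over constructed access-log lines. It assumes the vBulletin 4 API request shape api.php?api_m=<method>&... and that conceptid is meant to be numeric; xmlrpc calls carried in a POST body are not visible in a standard access log and would need request-body logging.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory).
# Request shape api.php?api_m=<method>&... is an assumption of this example.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2014:10:01:02 +0000] "GET /forum/api.php?api_m=breadcrumbs_create&conceptid=42&api_c=1&api_s=abc HTTP/1.1" 200 512
10.0.0.7 - - [13/Oct/2014:10:01:09 +0000] "GET /forum/api.php?api_m=breadcrumbs_create&conceptid=42'%20UNION%20SELECT%201--&api_c=1&api_s=abc HTTP/1.1" 200 913
10.0.0.9 - - [13/Oct/2014:10:02:15 +0000] "GET /forum/api.php?api_m=forum&forumid=3&api_c=1&api_s=abc HTTP/1.1" 200 2048
"""

# Common log format: client ip, request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_conceptid(value):
    """True if conceptid is not the bare integer id the method is assumed to expect.

    TYPE_STRING cleaning leaves quotes and SQL keywords intact, so anything
    beyond digits is worth a closer look.
    """
    return re.fullmatch(r'\d+', value) is None


def find_breadcrumbs_sqli(log_text):
    """Return (client ip, decoded conceptid) for suspicious breadcrumbs_create calls."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes values, so the raw injected text is compared.
        qs = parse_qs(urlsplit(m.group('target')).query)
        if qs.get('api_m', [''])[0] != 'breadcrumbs_create':
            continue
        for value in qs.get('conceptid', []):
            if is_suspicious_conceptid(value):
                hits.append((m.group('ip'), value))
    return hits


if __name__ == '__main__':
    for ip, value in find_breadcrumbs_sqli(SAMPLE_LOG):
        print(f'suspicious conceptid from {ip}: {value!r}')
```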

Proof of Concept (PoC)

see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2022


1) prerequisites
1.1) enable API, generate API-key
	 log on to AdminCP
	 go to "vBulletin API"->"API-Key" and enable the API interface, generate key
2) run PoC
	 edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
	 provide WWW_DIR which is the place to write the php_shell to (mysql must have permissions for that folder)
	 Note: meterpreter_bind_tcp is not provided
	 run PoC, wait for SUCCESS! message
	 Note: poc will trigger meterpreter shell

The meterpreter PoC scenario requires the mysql user to have write permissions,
which may not be the case in some default installations.

Timeline

2014-01-14: initial vendor contact, no response
2014-02-24: vendor contact, no response
2014-10-13: public disclosure

Contact

tintinweb - https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2022

(0x721427D8)