Full Disclosure mailing list archives

By Date By Thread CVE-2014-2023 - Tapatalk for vBulletin 4.x - multiple blind sql injection (pre-auth) From: "oststrom \(public\)" <pub () oststrom com>

Date: Mon, 13 Oct 2014 22:43:16 +0200

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 *Preliminary VulnNote* CVE-2014-2023 - Tapatalk for vbulletin 4.x - multiple blind sql injection (pre-auth) ============================================================================ ======== Overview - -------- date : 10/12/2014 cvss : 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) base cwe : 89 vendor : Tapatalk Inc product : Tapatalk for vBulletin 4.x versions affected: latest (to date) 5.2.1 (verified) 4.9.0 (verified) exploitability : * remotely exploitable * NO authentication required * NO user interaction required * NO special configuration required (default settings) Abstract - --------- Tapatalk for vBulletin 4.x does not properly sanitize some xmlrpc calls allowing unauthenticated users to inject arbitrary SQL commands. risk: high !! Note !! - this is a preliminary VulnNote. The full PoC / Description will be made available within the next 7 days (see contact) to allow mobiquo to fix this. googledork: see PoC code Details - -------- vulnerable component: * stripped // see full VulnNote - (contact) xmlrpc request is decoded, decoded attacker provided values are directly being used in sql query. Proof of Concept (PoC) - ---------------------- see https://github.com/tintinweb/pub/cve-2013-2023 1) prerequesites vBulletin 4.x with Tapatalk for vBulletin 4.x installed 2) run PoC edit PoC to match your TARGET (, optionally DEBUG=True) (optionally) edit your query to extract specific database values Note: PoC will try to detect tapatalk on that host run PoC by default extracts * mysql root hash (in case vBulletin db user has permissions to do so) * vbulletin db record fields (apikey) - perfectly chains with CVE-2014-2023 only limited by the vBulletin db_user access permissions Timeline - -------- 2014-01-14: initial vendor contact, no response 2014-02-24: vendor contact, no response 2014-10-13: public disclosure Contact - -------- tintinweb - https://github.com/tintinweb/pub/cve-2013-2023 (0x721427D8) -----BEGIN PGP SIGNATURE----- iQIcBAEBAgAGBQJUPDjXAAoJEBgB43t1YjbLV+8P/0PiBwY4VL1PRzOaczzG3nX5 EEWIT/qNU9btlZ+aLiU3fpp7a5FIOMoAVcmGHDduVLifQe6WHmS7FdDfYgBDl0uT b4L5zjPK1rDFHVxIWtRM5P4NpahE4ZItPQ1SMLmsAl6k3Vc7tM/ylHzh/Re/IuzM xxLe3yXlMq7AV4u04MxxLNH/qc+pn2HLM+Q16tQvxLXHPXelwQ33BmAQdimUSg46 KVe2SZG37XAi7eR5HUnpykTVz57ZmqZBya6+VKXdO6Y1RuUYfmUjH1UzdHU1mV6K KPr6PKeeVXBMf9QshLcSaEI33piYVqyk+Z1CtablfCtPemNBazTWRdKaorgrbpIT pWoN9LpuJqRZLDmYfPf76KoxqeFjZKUnBwCyeNLJbAoxf+O8ZVMSf4Ig4oGTEgsc l3y1XxYKpfwfuu4MxS9pyFPBAugdPXxd7JjRRhLot96/ZtH256nkgzLS0KkiqDSI 7AHNEQPhiZTAwf+Y1upRip2ZY4eTF1xPMNqrAUZtZXhqiDHZ1C8+pMI/baUcHsQc 4mMyVoISCyFUHEmqdM25rkCZNFj5PooFRKRgZJIqrzOXp5EqZ0kAmMOakvFeP76f vGBpRhjbr0+7m50Q9beC86Dx/4nMTwaksMY4e09T/0WrNkVXjs4Wh83czK3SFR1E n48luoNydVPisxHGQpRS =Zjgy -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: CVE-2014-2023 - Tapatalk for vBulletin 4.x - multiple blind sql injection (pre-auth) oststrom (public) (Oct 13)