CVE-2014-2022 - vBulletin 4.x - SQLi in breadcrumbs via XML-RPC API (post-auth)

Overview

date    :  10/12/2014   
cvss    :  7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) base
cwe     :  89   

vendor  : vBulletin Solutions
product : vBulletin 4
versions affected :  latest 4.x (to date); verified <= 4.2.2
    * vBulletin 4.2.2     (verified)
    * vBulletin 4.2.1     (verified)
    * vBulletin 4.2.0 PL2 (verified)

exploitability :
    * remotely exploitable
    * requires authentication (apikey)

patch availability (to date) :  None

Abstract

vBulletin 4 does not properly sanitize parameters passed to breadcrumbs_create,
allowing an attacker to inject arbitrary SQL commands (SELECT).

risk:  rather low, since the API key is required;
       CVE-2014-2023 can probably be used to obtain the API key

Details

vulnerable component:
    ./includes/api/4/breadcrumbs_create.php
vulnerable argument:
    conceptid

The argument is cleaned as TYPE_STRING, which does not prevent SQL injection:
a string cleaner only makes a value safe inside a quoted literal, while a
concept id is used in a numeric context where no quotes are needed.
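The following is an added illustration, not vBulletin's code: it models a TYPE_STRING-style cleaner (quote escaping) beside a type-checked, parameterised lookup for a numeric id such as conceptid. The table, row data and function names are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the table a breadcrumb lookup reads.
ROWS = [(1, "Forum home"), (2, "Private staff area"), (3, "Moderator log")]


def clean_as_string(value: str) -> str:
    """Simplified model of a TYPE_STRING-style cleaner: escaping quotes
    protects a value only inside a quoted literal. In a numeric WHERE clause
    the value needs no quotes, so it passes through unchanged."""
    return value.replace("'", "''")


def clean_as_uint(value: str) -> int:
    """Hardened cleaner: a concept id is an unsigned integer, reject anything else."""
    if not value.isdigit():
        raise ValueError(f"conceptid must be an unsigned integer, got {value!r}")
    return int(value)


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE concept (conceptid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO concept VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conceptid: str) -> list:
    """Interpolates the string-cleaned value into a numeric comparison.
    Any input that is not a bare number alters the query structure."""
    conn = _db()
    sql = f"SELECT title FROM concept WHERE conceptid = {clean_as_string(conceptid)}"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conceptid: str) -> list:
    """Validates the type first, then binds the value as a query parameter,
    so the input can never change the shape of the statement."""
    conn = _db()
    cid = clean_as_uint(conceptid)
    sql = "SELECT title FROM concept WHERE conceptid = ?"
    return [row[0] for row in conn.execute(sql, (cid,))]
```

With a well-formed id both lookups return the same single row; with a non-numeric id the string-cleaned query returns rows the caller was never meant to see, while the hardened version refuses the request before any SQL runs.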

Proof of Concept (PoC)

see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2022


1) prerequisites
1.1) enable API, generate API key
     log on to AdminCP
     go to "vBulletin API" -> "API-Key", enable the API interface and generate a key
2) run PoC
     edit the PoC to match your TARGET and APIKEY (and optionally DEBUGLEVEL)
     provide WWW_DIR, the directory the php_shell is written to (mysql must have write permissions for that folder)
     Note: meterpreter_bind_tcp is not provided
     run the PoC and wait for the SUCCESS! message
     Note: the PoC will trigger a meterpreter shell

The meterpreter PoC scenario requires the mysql user to have write permissions,
which may not be the case in some default installations.

Timeline

2014-01-14: initial vendor contact, no response
2014-02-24: vendor contact, no response
2014-10-13: public disclosure

Contact

tintinweb - https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2022

(0x721427D8)