XMB - eXtreme Message Board Weak Crypto

1. [+] Credits: John Page aka hyp3rlinx
2.  
3. [+] Website: hyp3rlinx.altervista.org
4.  
5. [+] Source: http://hyp3rlinx.altervista.org/advisories/XMB-WEAK-CRYPTO.txt
6.  
7.  
8.  
9. Vendor:
10. ==============
11. xmbforum2.com
12.  
13.  
14. Product:
15. ======================================
16. XMB - eXtreme Message Board v1.9.11.13
17. XMB forum software is open source and runs PHP scripts with a MySQL database backend.
18.  
19.  
20. Vulnerability Type:
21. =======================================
22. Weak Crypto / Insecure Password Storage
23.  
24.  
25.  
26. Vulnerability Details:
27. =====================
28.  
29. 1) Weak Crypto
30.  
31. XMB Forum uses weak MD5 hashing algorithm and no salt, the unsalted passwords are then stored in a browser cookie and also in the 'xmb_members'
32. table of the XMB database. Using weak cryptographic one-way hash functions like MD5 without using salt for storing user passwords allows attackers
33. that gain access to this data ability to conduct password cracking attacks using pre-computed dictionaries, e.g. rainbow tables.
34.  
35. 2) Insecure Storage
36.  
37. Storing user passwords in unsalted MD5 hash form leaves them vulnerable both online and offline. I noticed XMB has no session timeout/logout mechanism
38. for if a user is inactive for a certain period of time and does not logout, leaving thier MD5 unsalted passwords stored in cookies on disc. This further
39. allows thier passwords to be vulnerable to theft if their local machine is compromised. However, even if the user logs out and XMB cookies are cleared
40. the passwords are still in the MySQL database on the server unsalted and MD5 hashed.
41.  
42.  
43. POC:
44. =====
45.  
46. Example XMB cookie ...
47.  
48. MD5 password of 'abc123' ----> 'e99a18c428cb38d5f260853678922e03'
49.  
50. "xmblva=1453182891; xmblvb=1453178920; xmbuser=admin; xmbpw=e99a18c428cb38d5f260853678922e03; xmblva=1453091894;
51.  
52.  
53. On disc ---> %APPDATA%\Roaming\Mozilla\Firefox\Profiles in the 'cookies.sqlite' database file used by Firefox.
54.  
55. e.g.
56.  
57. localhostxmbpwe99a18c428cb38d5f260853678922e03localhost/XMB-1.9.11.13/files
58.  
59. In "member.php" on line 493 under files/ dir of XMB application we see hashing of user password using weak MD5 hashing function, then being stored
60. in the MySQL database.
61.  
62. $password = md5($password);
63.  
64.  
65.  
66. if ($SETTINGS['regoptional'] == 'off') {
67.  
68. $db->query("INSERT INTO ".X_PREFIX."members (username, password, regdate, postnum, email, ....
69.  
70. etc....
71.  
72. In 'member.php' line 599 we see it stored in cookie ---> put_cookie("xmbpw", $password, $currtime, $cookiepath, $cookiedomain);
73.  
74.  
75. Disclosure Date:
76. ====================================
77. Vendor Notification: NA
78. January 23, 2016 : Public Disclosure
79.  
80.  
81.  
82. [+] Disclaimer
83. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
84. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
85.  
86. by hyp3rlinx (c) 2015