Introduction: BBS3000 is a text-based forum program developed by Yuzi et al.
Because the user's cookie is verified incompletely, an unauthorized person can, by constructing a special request, register any user name that is not already taken (a name that is already registered cannot be registered again). The vulnerability applies regardless of whether the forum has closed registration or has banned that particular user name. The biggest problem is that the forum administrator cannot see the registered user's data until the new user joins the forum.
Furthermore, the vulnerability lets remote attackers use the forum to register many users, which consumes the forum's disk space and can eventually fill it completely.
The program file with the security issue is photo2.cgi; the problematic code follows.
----------- Code start -------------
$username = $cookies{username};
open(PSD, "$filepath/yhzl/$username.cgi");
$line = <PSD>;
----------- Code end -------------
First, we submit a cookie containing username=Torune. The open call then becomes:
open(PSD, "$filepath/yhzl/Torune.cgi");
# The code now opens a file named Torune.cgi. If the file is opened successfully, open returns a non-zero value;
# otherwise it returns zero. With no mode prefix, the file is opened for reading.
$line = <PSD>;
# Normally the username value in the cookie is set only after the user has logged into the forum. The user Torune
# has not been registered, so Torune.cgi does not exist under the yhzl directory; the open fails and returns zero,
# yet the program simply carries on.
# The next section of code is the core of this vulnerability:
open(PSD, ">$filepath/yhzl/$username.cgi");
# This becomes open(PSD, ">$filepath/yhzl/Torune.cgi"). A single ">" opens the file for writing, creating it if it does
# not exist and truncating it if it does; two ">" characters append to the end of an existing file, for example
# open(FILE, ">>file.txt");
# Perhaps Yuzi's purpose here was only to overwrite the file. Strangely, this photo2.cgi could be merged into
# photo.cgi and the code simplified considerably, but the author's intent is unknown.
print PSD "$rdpassword\t$rdname\t$rdmail\t$rdhome\t$rlast\t...";   # the remaining tab-separated profile fields are illegible in the source
# print PSD writes the line above into Torune.cgi
close(PSD);
# Since we cannot set the other variables such as $rdpassword and $rdname, this is fortunate. If we could set them,
# a remote attacker could write a webshell and control the remote host.
# Let's look at the permission settings of yhzl: during installation, install.cgi sets this directory to 777,
# which means the directory is readable, writable and executable:
# mkdir("$filepath/yhzl/", 0777);
# At this point we have successfully created a file called Torune.cgi. Because the variables are undefined, only the
# \t tabs are written, and a file composed of nothing but tabs is still treated as a user data file.
Now that a file has been successfully created, let's analyse how our newly created user logs into the forum.
Login file: login.cgi
----------- Code start -------------
sub login {
    if ($username eq "") { &errorview("Please enter your user name"); }
    # If the user name entered is empty, prompt "Please enter your user name".
    if (-e "$filepath/yhzl/$username.cgi") {
        # Check whether <username>.cgi exists
        open(PSD, "$filepath/yhzl/$username.cgi");
        # Open the <username>.cgi file
        $line = <PSD>;
        # If the password entered does not match the user's stored password, prompt "Your password error!"
        if ($userpsd ne "$rdpassword") { &errorview("Your password error!"); }
    } else {
        &errorview("This username has not been registered in this community!"); exit;
    }
}
----------- Code end -------------
First, look at if (-e "$filepath/yhzl/$username.cgi"). We submit username=Torune; because we created Torune.cgi through the vulnerability above, -e "$filepath/yhzl/$username.cgi" evaluates to true.
Execution then reaches if ($userpsd ne "$rdpassword") { &errorview("Your password error!"); } else { ... }. Because we could not set the value of $rdpassword, it is null (empty), and login.cgi has no corresponding check such as if ($userpsd eq "") { &errorview("Please enter your password"); }, so submitting an empty password logs us into the forum as Torune.
Because the remote attacker did not register through yhreg.cgi, the user does not appear in the list of newly registered users, and no new record is added to Data/NewMember.
Vulnerability patches:
photo2.cgi
Find $tttname = $form{'tttname'}; and change it to:
----------- Code start -------------
$username =~ s/\||\.|\///g;   # strip "|", "." and "/" from the user name; this line can be added here
$yhzlurl = "$filepath/yhzl/$username.cgi";
if (-e "$yhzlurl") {
    open(PSD, "$yhzlurl");
    $lines = <PSD>;
    # ... the rest of the original processing (illegible in the source)
}
$tttname = $form{'tttname'};
----------- Code end -------------
login.cgi
Find if ($username eq "") { &errorview("Please enter your user name"); } in this program and change it to:
----------- Code start -------------
if ($username eq "") { &errorview("Please enter your user name"); }
if ($userpsd eq "") { &errorview("Please enter your password"); }
----------- Code end -------------
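As an added illustration of the two fixes above (this is not BBS3000's own code), the following stand-alone Perl script keeps the user record lookup strictly read-only, refuses user names containing the characters the patch strips, and rejects an empty submitted password before any comparison, so a record consisting only of tabs can never be matched. The data root, the record layout (password as the first tab-separated field) and the sample records are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added demo of the hardened photo2.cgi / login.cgi logic; not BBS3000's own code.
# Assumed layout: one record per user in "$filepath/yhzl/<username>.cgi",
# a single tab-separated line whose first field is the password.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $filepath = tempdir(CLEANUP => 1);   # assumed data root for the demo
mkdir "$filepath/yhzl" or die "mkdir: $!";

# Refuse user names containing "|", ".", "/" or "\" instead of silently
# stripping them as the patch's s/\||\.|\///g does: a refused name can never
# form a path outside the yhzl directory.
sub valid_username {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return 0 if $name =~ m{[|./\\]};
    return 1;
}

# Read an existing record only. This never opens the file with ">", which is
# exactly the step in photo2.cgi that created Torune.cgi after a failed read.
sub load_user {
    my ($name) = @_;
    return undef unless valid_username($name);
    my $path = "$filepath/yhzl/$name.cgi";
    return undef unless -e $path;
    open(my $fh, '<', $path) or return undef;
    my $line = <$fh>;
    close($fh);
    return undef unless defined $line;
    chomp $line;
    my @fields = split /\t/, $line;
    return { password => $fields[0], name => $fields[1] };
}

# Login check in the order the patch implies: empty name, empty password,
# missing record, then password comparison. An empty stored password is also
# treated as a failure so a tab-only record cannot be logged into at all.
sub check_login {
    my ($name, $userpsd) = @_;
    return 'Please enter your user name' if !defined $name || $name eq '';
    return 'Please enter your password'  if !defined $userpsd || $userpsd eq '';
    my $user = load_user($name);
    return 'This username has not been registered in this community!' unless $user;
    my $stored = defined $user->{password} ? $user->{password} : '';
    return 'Your password error!' if $stored eq '' || $userpsd ne $stored;
    return 'OK';
}

# Constructed sample records: a normal user and a tab-only record like the
# one photo2.cgi used to create.
open(my $out, '>', "$filepath/yhzl/alice.cgi") or die "open: $!";
print $out "s3cret\tAlice\tmail\@example.invalid\n";
close($out);
open($out, '>', "$filepath/yhzl/ghost.cgi") or die "open: $!";
print $out "\t\t\t\n";
close($out);

for my $try (['alice', 's3cret'], ['alice', 'wrong'], ['ghost', ''],
             ['ghost', 'x'], ['a/b', 'x'], ['nobody', 'x']) {
    printf "%-8s %-8s -> %s\n", $try->[0], "'$try->[1]'", check_login(@$try);
}
```

The ordering matters: checking the submitted password for emptiness before comparing it is what the login.cgi patch adds, and refusing an empty stored password closes the same hole from the other side for records that were created by the old photo2.cgi before the fix was applied.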