
Thread: Recent Filelist.ro exploit

#1 Mihai (Advanced User)

    Recent Filelist.ro exploit

    This post is a technical description of the security issue that allowed a joker to escalate his rank to SysOp and send spam email from our tracker earlier this week. The hole is present in tbdev-based sites and does not seem to be patched in the latest available tbdev.net source (2009 Final release 2010-02-27).

    The main problem (privilege escalation) is in the modtask.php file, which receives the form submit whenever a user profile is changed, and which allows any staffer (Mod+) to update the class of any user to an arbitrary value; for example, a moderator can create SysOps by simply POSTing such a request.
    Read the rest here

    Or if you don't have an account here:
    To fix the main problem search for:

    modtask.php wrote:

    // Set class

    if ((isset($_POST['class'])) && (($class = $_POST['class']) != $user['class']))
    {
        if (($CURUSER['class'] < UC_SYSOP) && ($user['class'] >= $CURUSER['class'])) die ();

    or:

    modtask.php wrote:

    // Set class

    if ((isset($_POST['class'])) && (($class = $_POST['class']) != $user['class']))
    {
        if (($CURUSER['class'] < UC_SYSOP) && ($user['class'] >= $CURUSER['class'])) stderr("{$lang['modtask_user_error']}", "{$lang['modtask_try_again']}" );

    and replace the red line (the inner if ... die / stderr check) with:

    modtask.php wrote:

    // can't make sysops, can't promote user to your rank or higher, can't edit users at your rank or higher
    $class = (int)$class; // $_POST['class'] arrives as a string; compare it as an integer class id
    if ($class >= UC_SYSOP || ($class >= $CURUSER['class']) || ($user['class'] >= $CURUSER['class'])) die();


    The secondary problem is that even after this check, valid actions are still vulnerable to CSRF issues; for example, someone might trick an Admin into clicking a link and unknowingly promoting him to Moderator. This is how our attacker exploited the privilege escalation issue without being a staffer. Since it's legal for Admins to create Mods, the check above is not sufficient, and we must make sure they create them knowingly.
    To mitigate CSRF holes there are many available solutions, e.g. captchas, referrer checking, session tokens etc. Below is our solution, which we believe is portable, non-intrusive and makes minimal assumptions about the run-time environment.

    Add the red lines (the require and the validatorForm print) to your userdetails.php:

    userdetails.php wrote:

    begin_frame("Edit User", true);
    print("<form method=post action=modtask.php>\n" );
    require "validator.php";
    print(validatorForm("ModTask_$user[id]" ));


    Add the red lines (the three lines after the is_valid_id check) to your modtask.php:

    modtask.php wrote:

    // and verify...
    if (!is_valid_id($userid)) stderr("Error", "Bad user ID." );

    // Handle CSRF (modtask receives posts from other domains, especially to update class)
    require "validator.php";
    if (!isset($_POST['validator']) || !validate($_POST['validator'], "ModTask_$userid" )) die ("Invalid" );


    validator.php wrote:

    <?php
    // Builds a token bound to the logged-in user and to a context string (e.g. "ModTask_<id>"):
    // the first 20 hex chars of HMAC-SHA1(key = user's secret, data = context.timestamp),
    // followed by the issue timestamp in hex. Without the user's secret the token cannot be forged.
    function validator($context){
        global $CURUSER;
        $timestamp = time();
        $hash = hash_hmac("sha1", $context.$timestamp, $CURUSER['secret']);
        return substr($hash, 0, 20).dechex($timestamp);
    }

    function validatorForm($context){
        return "<input type=\"hidden\" name=\"validator\" value=\"".validator($context)."\"/>";
    }

    // Checks a submitted token against the context it must have been issued for.
    // $seconds = 0 disables expiry; a positive value rejects tokens older than that many seconds.
    function validate($validator, $context, $seconds = 0){
        global $CURUSER;
        $timestamp = hexdec(substr($validator, 20));
        if ($seconds && time() > $timestamp + $seconds)
            return false;
        $hash = substr(hash_hmac("sha1", $context.$timestamp, $CURUSER['secret']), 0, 20);
        // constant-time comparison (PHP >= 5.6) so the expected value is not leaked byte by byte
        return hash_equals($hash, substr($validator, 0, 20));
    }
    ?>


    Really big shit if you ask me. And an even bigger problem for them is that it's on every tbdev tracker.
    What does a scene tracker tell to a general tracker?
    You're so 5 minutes ago...


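The token scheme from validator.php above, re-implemented in Python as an added example (not code from the post or from tbdev) so the accept and reject cases can be run offline; the secret, user ids and timestamps are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional

# Token = first 20 hex chars of HMAC-SHA1(key = per-user secret, msg = context + timestamp)
# followed by the issue timestamp in hex, matching the PHP validator() above.
HASH_LEN = 20

def make_token(secret: bytes, context: str, now: Optional[int] = None) -> str:
    ts = int(time.time()) if now is None else now
    mac = hmac.new(secret, f"{context}{ts}".encode(), hashlib.sha1).hexdigest()
    return mac[:HASH_LEN] + format(ts, "x")

def validate_token(secret: bytes, token: str, context: str,
                   max_age: int = 0, now: Optional[int] = None) -> bool:
    """max_age == 0 means no expiry (the PHP default); otherwise older tokens are rejected."""
    if len(token) <= HASH_LEN:
        return False
    try:
        ts = int(token[HASH_LEN:], 16)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if max_age and current > ts + max_age:
        return False
    expected = hmac.new(secret, f"{context}{ts}".encode(), hashlib.sha1).hexdigest()[:HASH_LEN]
    # constant-time compare; hash_equals() plays the same role in PHP
    return hmac.compare_digest(expected, token[:HASH_LEN])

def demo() -> dict:
    """Constructed values: an admin's secret and a token issued for editing user 42."""
    admin_secret = b"constructed-admin-secret"
    issued = 1279152000
    later = issued + 60
    token = make_token(admin_secret, "ModTask_42", now=issued)
    forged = make_token(b"attacker-guess", "ModTask_42", now=issued)  # built without the secret
    return {
        "same_user": validate_token(admin_secret, token, "ModTask_42", now=later),
        "other_user": validate_token(admin_secret, token, "ModTask_43", now=later),
        "foreign_secret": validate_token(admin_secret, forged, "ModTask_42", now=later),
        "tampered_ts": validate_token(admin_secret, token[:HASH_LEN] + format(issued + 1, "x"),
                                      "ModTask_42", now=later),
        "expired": validate_token(admin_secret, token, "ModTask_42", max_age=300, now=issued + 301),
        "fresh": validate_token(admin_secret, token, "ModTask_42", max_age=300, now=issued + 300),
        "garbage": validate_token(admin_secret, "zz", "ModTask_42"),
    }
```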

#2 anon (Moderator)
    Quote Originally Posted by Mihai:
    And even a bigger problem for them is that it's on every tbdev tracker.
    Something even bigger would be users covertly promoting themselves to admins and taking advantage of that. Thanks to this idiot, now they know about the bug and how to fix it.
    "I just remembered something that happened a long time ago."

#3 Mihai (Advanced User)
    That idiot is GOD, the big BOSS at Filelist.ro

#4 anon (Moderator)
    I was talking about this idiot:
    This post is a technical description of the security issue that allowed a joker to escalate his rank to SysOp and send spam email from our tracker earlier this week.

#5 Mihai (Advanced User)
    Quote Originally Posted by anon:
    I was talking about this idiot:
    Got it now. Here's a pic with what I think is the guy who hacked the tracker:

#6
    I received several PMs from that dude too.
    He was promoting his new tracker.

#7 Mihai (Advanced User)
    Strange, I didn't receive anything... or not counting the fact that I have more power than GOD itself :muhahahahahaha:

#8 C3PO (Advanced User)
    I didn't receive a thing, either....