Vulnerability in PaintBBS v1.2

From: John Bissell (sbccmonkat_private)
Date: Tue Jan 22 2002 - 20:45:01 PST

PaintBBS Server v1.2 Advisory

Author: John Bissell A.K.A. HighT1mes
Vulnerable: PaintBBS Server Ver.1.2 Build 010514
Impact: PaintBBS Server 0wn3d (remote administrative access)
Release Date: January 22, 2002
Contact: blumorphoat_private
Vendor Homepage: http://www.ax.sakura.ne.jp/~aotama/
    
------------------------------------------------------------------------------------------
    
Introduction:

	PaintBBS Server v1.2 is a cool WWW app that allows people to draw pictures as well as leave messages like a normal BBS. A few days ago I learned about this app and decided to test some of its security for fun. Since the documentation is in Japanese it took a little time to figure out what files did what. The main file to be aware of is oekakibbs.conf. Anyone can read this file by default, and it contains the encrypted (crypt()-hashed) password to the PaintBBS Server. The other problem is that the permissions of the /oekaki/ folder are 777, so it is world-readable and world-writable, allowing all hell to break loose by anyone. So if I don't know what the .conf file is named I can point a web browser at that folder and, if the server allows directory listings, see it.

	I haven't tested any other version of this software yet. PaintBBS Server is actually up to v2.40. So if anyone wants to continue the investigation have fun! :p
     
Problem Description:

	This is one of those default configuration problems. A malicious person can read the oekaki config file from the web, take the crypt()-hashed password out of it, and crack it offline. That gives them admin access to the server.

	As an example, if I wanted to remotely take over http://www.victim.com/oekaki/oekaki.cgi I would first go to the config file, located in the /oekaki/ dir by default, at http://www.victim.com/oekaki/oekakibbs.conf. If that didn't work, I could point my web browser at the /oekaki/ folder itself, see what the .conf files are named from the directory listing, and access them. Once I could view the config file I would see something like this...

	password=m8kl78sKTixvs
	...
	etc

	Now that I have the encrypted password I would take a standard DES password cracking program (I prefer John the Ripper), since PaintBBS uses the crypt() function, and get the goods. The 13-character value above is a traditional DES crypt() hash: the first two characters are the salt and the remaining eleven are the hash. If you use John the Ripper, put the encrypted password into a Unix /etc/passwd style line (user:hash) in a text file and run John on it; John's name for this hash type is "descrypt".

	Now that I have the cracked password I would go over to one of the following admin URLs to have some fun..

	http://www.victim.com/oekaki/oekaki.cgi?mode=administration
	http://www.victim.com/oekaki/oekaki.cgi?mode=deleteUserCommentView
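The steps above, as an added example that is not part of the original advisory or of PaintBBS itself: pull the password hash out of a fetched oekakibbs.conf, confirm it has the shape of a traditional DES crypt() hash, and write the passwd-style line John the Ripper expects. The config body is constructed for the example (only the password= key comes from the advisory; the other keys are invented), and the offline verifier assumes the platform still ships Python's crypt module.

```python
"""Added example (not from the advisory or from PaintBBS): turn a fetched
oekakibbs.conf into John the Ripper input and verify a single guess offline."""
import re
import warnings

try:
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt  # deprecated in 3.11, removed in 3.13
except ImportError:
    crypt = None

# Constructed sample of what a browser shows for /oekaki/oekakibbs.conf.
# Only the password= line is real (it is the hash quoted in the advisory);
# the other keys are made up for illustration.
SAMPLE_CONF = """\
# oekakibbs.conf (constructed sample)
title=Paint BBS
password=m8kl78sKTixvs
maxlog=100
"""

# Traditional DES crypt(): 2-character salt followed by 11 hash characters,
# all drawn from the 64-character alphabet ./0-9A-Za-z.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def extract_password_hash(conf_text):
    """Return the value of the first password= line, or None if there is none."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "password":
            return value.strip()
    return None


def is_des_crypt(h):
    """True if h has the shape of a traditional DES crypt() hash."""
    return bool(h) and DES_CRYPT_RE.match(h) is not None


def john_input_line(username, h):
    """passwd-style line for John; the username is arbitrary, John only needs the hash."""
    return "%s:%s" % (username, h)


def john_command(path):
    """John invocation for traditional DES hashes (John's format name is 'descrypt')."""
    return "john --format=descrypt %s" % path


def verify_candidate(candidate, h):
    """Offline check of one guess: crypt(guess, salt) must reproduce the hash.
    Returns None when this Python has no crypt module."""
    if crypt is None:
        return None
    return crypt.crypt(candidate, h[:2]) == h


if __name__ == "__main__":
    h = extract_password_hash(SAMPLE_CONF)
    print("hash:", h, "des-crypt:", is_des_crypt(h), "salt:", h[:2])
    print(john_input_line("oekaki", h))
    print(john_command("oekaki.txt"))
    print("guess 'password' correct:", verify_candidate("password", h))
```

The salt check matters in practice: a value that is not 13 characters from that alphabet is not a DES crypt() hash, so the descrypt mode would be the wrong one to run.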
    
Solution:

	To solve this security problem, first change the permissions of the /oekaki/ folder from 777 to something more secure using the chmod command. Dropping only the read bit (333) is not enough: that hides the directory listing, but the folder stays world-writable, so anyone with an account on the box can drop or replace files in it. The folder only needs to be writable by the user the CGI runs as, so make that user the owner and use 755 (or 711 if you also want to stop other local users from listing it). Next, rename the oekakibbs.conf file so no one can get easy access to that file by guessing its name. If you have the right web server you should also change the permissions of the file so not everyone can read it (600, owned by the CGI's user), and tell the web server not to serve it at all, for example with an .htaccess rule that denies *.conf under Apache. Have a good day!
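The hardening described above, as an added example that is not part of the original advisory or of PaintBBS: an audit of what a directory mode grants to "other" users, and a routine that tightens a PaintBBS install directory and its config file and drops an .htaccess beside them. The layout it operates on is a constructed temporary directory, not a real install, and the .htaccess assumes Apache with AllowOverride in effect for that directory.

```python
"""Added example (not from the advisory or from PaintBBS): audit and harden the
permissions of a PaintBBS install directory and its oekakibbs.conf."""
import os
import shutil
import stat
import tempfile

# Assumed Apache configuration: refuse to serve any *.conf file in this
# directory over the web (syntax of the Apache 1.3/2.0/2.2 era).
HTACCESS = (
    "<FilesMatch \"\\.conf$\">\n"
    "    Order allow,deny\n"
    "    Deny from all\n"
    "</FilesMatch>\n"
)


def audit_mode(mode):
    """List what a directory mode grants to 'other' users."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")   # anyone local can add/replace files
    if mode & stat.S_IROTH:
        findings.append("world-listable")   # anyone local can list the names
    return findings


def harden(install_dir, conf_name, dir_mode=0o755, conf_mode=0o600):
    """Tighten the directory and config file and write the .htaccess.
    Assumes the CGI runs as the owner of install_dir (e.g. under suEXEC); if the
    web server runs as a different user it needs write access some other way."""
    conf_path = os.path.join(install_dir, conf_name)
    os.chmod(install_dir, dir_mode)
    os.chmod(conf_path, conf_mode)
    with open(os.path.join(install_dir, ".htaccess"), "w") as f:
        f.write(HTACCESS)
    return {
        "dir": stat.S_IMODE(os.stat(install_dir).st_mode),
        "conf": stat.S_IMODE(os.stat(conf_path).st_mode),
    }


def demo():
    """Build a constructed 777 layout like the default install, harden it,
    and return the modes before and after plus whether .htaccess denies *.conf."""
    root = tempfile.mkdtemp()
    try:
        oekaki = os.path.join(root, "oekaki")
        os.mkdir(oekaki)
        conf = os.path.join(oekaki, "oekakibbs.conf")
        with open(conf, "w") as f:
            f.write("password=m8kl78sKTixvs\n")   # hash quoted in the advisory
        os.chmod(oekaki, 0o777)                   # the shipped default
        os.chmod(conf, 0o644)
        before = {
            "dir": stat.S_IMODE(os.stat(oekaki).st_mode),
            "conf": stat.S_IMODE(os.stat(conf).st_mode),
        }
        after = harden(oekaki, "oekakibbs.conf")
        with open(os.path.join(oekaki, ".htaccess")) as f:
            htaccess = f.read()
        return {
            "before": before,
            "after": after,
            "before_findings": audit_mode(before["dir"]),
            "after_findings": audit_mode(after["dir"]),
            "htaccess_denies_conf": "Deny from all" in htaccess,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

audit_mode(0o333) reports the directory as still world-writable, which is the point of preferring 755 or 711 over simply removing the read bit. Renaming the config file and the web-server deny rule are complementary: the rename defeats guessing, the deny rule stops the file from being served even if its name is known.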
    
------------------------------------------------------------------------------------------
    
     Thank you to Chris_Judah and Hiroshi :)
    
    This archive was generated by hypermail 2b30 : Wed Jan 23 2002 - 14:58:57 PST