[waraxe-2007-SA#056] - Another Sql Injection in NukeSentinel 2.5.11

[waraxe-2007-SA#056] - Another Sql Injection in NukeSentinel 2.5.11

Author: Janek Vind "waraxe"
Date: 27. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-56.html

Target software description:

Developer: http://www.nukescripts.net

NukeSentinel is anti-hacking sofware, used for protection phpnuke against various security-related attacks.

Vulnerabilities: Critical Sql Injection in "nukesentinel.php"

Let's look at script "includes/nukesentinel.php" source code:

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

------------>[source code]<------------

function is_god($axadmin) {
  global $db, $prefix, $aname;

  $tmpadm = base64_decode($axadmin);
  $tmpadm = explode(":", $tmpadm);
  $aname = $tmpadm[0];
  $apwd = $tmpadm[1];

    $aname = trim($aname);
    $apwd = trim($apwd);
    $admrow = $db->sql_fetchrow($db->sql_query("SELECT * FROM
 `".$prefix."_authors` WHERE `aid`='$aname'"));

------------>[/source code]<-----------

So as seen in code snippet above, data from "base64_decode()" function is used in sql query without any sanityze. Now is the question, which part of the code uses this function. Here is the answer:

------------>[source code]<------------

// AUTHOR Protection
$blocker_row = $blocker_array[5];
if($blocker_row['activate'] > 0) {

  if(isset($op) AND ($op=="mod_authors" OR $op=="modifyadmin" OR
 $op=="UpdateAuthor" OR $op=="AddAuthor" OR $op=="deladmin2" OR 
$op=="deladmin" OR $op=="assignstories" OR $op=="deladminconf")

    block_ip($blocker_row);
  }
}
}

------------>[/source code]<-----------

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

It's easy to see, that $_COOKIE['admin'] variable will be used as argument for "is_god()" function. And we have another critical sql injetion in place. I have written proof-of-concept blind injection exploit for this specific case and it's working flawlessly.
Happy news to potential victims - developer has allready patched this security hole in NukeSentinel with releasing new version - 2.5.12

//-----> See ya soon and have a nice day ;) <-----//

How to fix:

NukeSentinel's new version 2.5.12 is patched, so download it A.S.A.P.

http://www.nukescripts.net/modules.php?name=Downloads&op=getit&lid=1063

Greetings:

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb and anyone else who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!

Contact:

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

Shameless advertise:

Geology readings - http://geology.oldreadings.com/ Biography Database - http://www.biosaxe.com/

• [ EOF ] ----------------------------