
[waraxe-2007-SA#058] - Critical Sql Injection in NukeSentinel 2.5.12

From: <come2waraxe(at)yahoo.com>
Date: Thu Sep 27 2007 - 11:38:08 EDT


Author: Janek Vind "waraxe"
Date: 27. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-58.html

Target software description:


Developer: http://www.nukescripts.net

NukeSentinel is anti-hacking software, used as an additional security layer around the phpnuke CMS, which is well known for having security holes like Swiss cheese.

Vulnerabilities: Critical Sql Injection in "includes/nukesentinel.php"


NukeSentinel 2.5.12 is the latest update, with multiple security holes patched, but it is still possible to conduct SQL injection attacks and compromise the underlying website.

Let's look at the source code of the script "includes/nukesentinel.php":

------------>[source code]<------------

function write_ban($banip, $htip, $blocker_row) {
  global $ab_config, $nuke_config, $db, $prefix, $user_prefix, $admin, $nsnst_const;
  if(isset($_COOKIE['admin']) && !empty($_COOKIE['admin'])) {
    // The cookie is fully attacker-controlled: it is only base64-decoded,
    // never validated or escaped.
    $abadmin = base64_decode($_COOKIE['admin']);
    $abadmin = explode(":", $abadmin);
    $a_aid = "$abadmin[0]";
  }
  // $a_aid is passed straight into the SQL query built in abget_admin()
  $admin_row = abget_admin($a_aid);

------------>[/source code]<-----------

Next is the source code of "abget_admin()":

------------>[source code]<------------

function abget_admin($author){
  global $prefix, $db;
  // $author (the decoded cookie value) is concatenated directly into the query
  $adminresult = $db->sql_query("SELECT * FROM `".$prefix."_nsnst_admins`  WHERE `aid`='$author'");
  $admin_row = $db->sql_fetchrow($adminresult);
  return $admin_row;
}

------------>[/source code]<-----------

As we can see, the incoming "$_COOKIE['admin']" value is base64-decoded and the resulting string is not sanitized at all before being used in the SQL query. The result is a classic SQL injection, which can be exploited as blind SQL injection.
A proof-of-concept exploit has been written by me and can retrieve any data from the database within a short time. By stealing the phpnuke admin password MD5 hash it is possible to gain administrative privileges and compromise the whole website.
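As an added illustration that is not NukeSentinel's own code, here is the same cookie handling rewritten so that the decoded "aid" is validated and then bound as a query parameter instead of being concatenated into the SQL text. It assumes $db is a mysqli connection (with mysqlnd, for get_result()), $prefix is the trusted table prefix from the config, and the function names and the id pattern are my own choices.

```php
<?php
// Added example, not NukeSentinel code: hardened replacement for abget_admin().
// Assumes $db is a mysqli connection and $prefix the configured table prefix.

function abget_admin_safe(mysqli $db, string $prefix, string $author): ?array {
    // Reject anything that does not look like an admin id before touching the DB.
    // The allowed pattern is an assumption; tighten it to match real admin names.
    if (!preg_match('/^[A-Za-z0-9_]{1,25}$/', $author)) {
        return null;
    }
    // Identifiers cannot be bound as parameters, so the table name is built
    // only from the trusted config prefix, never from user input.
    $table = '`' . str_replace('`', '``', $prefix) . '_nsnst_admins`';
    $stmt = $db->prepare("SELECT * FROM $table WHERE `aid` = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $author);   // value travels separately from the SQL text
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

// Cookie parsing with the same shape as write_ban(), but strict about its input.
function admin_id_from_cookie(): ?string {
    if (!isset($_COOKIE['admin']) || $_COOKIE['admin'] === '') {
        return null;
    }
    // strict mode: anything that is not valid base64 yields false instead of garbage
    $decoded = base64_decode($_COOKIE['admin'], true);
    if ($decoded === false) {
        return null;
    }
    $parts = explode(':', $decoded);
    return $parts[0] === '' ? null : $parts[0];
}

$aid = admin_id_from_cookie();
$admin_row = $aid === null ? null : abget_admin_safe($db, $prefix, $aid);
```

The input check alone is not the fix; the prepared statement is what removes the injection, and the check just keeps obviously malformed cookies out of the database round trip.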

//-----> See ya soon and have a nice day ;) <-----//

How to fix:


Waiting for a new NukeSentinel version :))

Greetings:


Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb and anyone else who knows me!
Greetings to Raido Kerna.
Greetings to the people of Torufoorum!

Contact:


come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

Shameless advertising:


User Manuals - http://user-manuals.waraxe.us/
Chemistry Books - http://chemistry.oldreadings.com/

[ EOF ] ----------------------------
Received on Thu Sep 27 14:37:01 2007
