Old bugs: YaBB

I decided to write up some old and funny bugs I found a while back, starting today with ‘remote’ code execution in YaBB version 2.2. The problem is fixed in 2.4 (or so it seems at first glance).

YaBB (yet another bulletin board) is, as the name says, a bulletin board. It's written in Perl, which is nice since I work a lot with Perl, making it easier for me to rush through the code looking for problems.
YaBB doesn't use a database; it saves all information in plain text files. Every user has a text file with his/her user data, and all other data is stored in text files as well.

YaBB pages are actually Perl code that gets executed, and the resulting HTML is then parsed again for special tags. So if we can find a way to edit those templates, we can run Perl code with the rights of the web user.
The easiest way to edit templates is to be or become an Admin of the board; then you can simply alter any template in the Admin settings.

I found a few ways of elevating your rights from a normal user to an admin user. The funniest one was this:

  1. Request a new password for the/an Admin user
  2. Get hold of the ID you need in order to get a new randomly created password.
  3. Visit the page that shows you the new admin password

Step 1 is easy: just go to the Login page, press the ‘Forgot Password?’ button and you'll end up on ‘YaBB.pl?action=reminder’.
We'll assume the default admin account is still available; if not, just find another admin account in the member list, or check the forum moderators.
(ps: on 2.2 (still beta by the time I found this hole) account names are ‘cloaked’, but with a silly, easy to reverse method, so this will also work on 2.2, not that you need it because the name ‘admin’ will be enough).
Anyway, enter the name ‘admin’ into the forgot password field; this will create a new ID (not a password) for the user admin in the file Members/forgotten.passes

This file will look something like:

$pass{"admin"} = '0LVxwCpy';
1;

The admin will receive a mail with a link to finalize the process of getting a new password, so you'd better hurry now.
The link is:

YaBB.pl?action=resetpass;ID=0LVxwCpy;user=admin

If you follow that link you will see the new password on the screen, which makes it rather easy to log in with ‘admin’/newpassword.

The file Members/forgotten.passes has all the info we need, so we only need to be able to read it.
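Added here as an illustration, not part of this post or of YaBB: a reset-ID store written the way the step above argues it should be. Only a SHA-256 of the ID is kept on disk, the ID expires and is single use, and the 15-minute lifetime and five-attempt limit are my own assumptions.

```python
# Added example (not YaBB code): a password-reset ID store that leaves nothing
# redeemable on disk. Assumptions: 15-minute lifetime, five wrong attempts allowed.
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset ID
MAX_ATTEMPTS = 5              # assumed limit on wrong IDs per request


def _digest(reset_id: str) -> str:
    return hashlib.sha256(reset_id.encode()).hexdigest()


class ResetStore:
    """Pending resets keyed by username. Only the hash of the ID is held, so reading
    the store (the way Members/forgotten.passes could be read) yields no usable ID."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> {"digest": str, "expires": float, "attempts": int}

    def request(self, username: str) -> str:
        """Create a reset ID; the caller mails the raw ID to the account's address."""
        reset_id = secrets.token_urlsafe(16)
        self._pending[username] = {
            "digest": _digest(reset_id),
            "expires": self._clock() + RESET_TTL_SECONDS,
            "attempts": 0,
        }
        return reset_id

    def redeem(self, username: str, presented_id: str) -> bool:
        """True exactly once for a matching, unexpired ID. Wrong IDs are counted and the
        request is dropped after MAX_ATTEMPTS; an expired request is dropped as well."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[username]
            return False
        if hmac.compare_digest(entry["digest"], _digest(presented_id)):
            del self._pending[username]      # single use
            return True
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]
        return False

    def on_disk(self, username: str):
        """What a file-read bug would expose for this user: the hash, not the ID."""
        entry = self._pending.get(username)
        return None if entry is None else entry["digest"]
```

After a successful redeem, the page the link leads to should ask the user for a new password rather than print a generated one, so that page never carries a credential.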

Step 2: reading the forgotten.passes file.
This actually describes a method that can be used for other purposes as well (i.e. local file inclusion, contents only though, no execution).
When YaBB processes a request it parses a Perl template which holds various variables like the username of the person that made a post, etc. In the end it holds a pre-parsed template in a single variable, I believe it was called $yymain or something, and lots of other data in variables like $yytitle etc. It passes through a template parser and finally it is shown to the visitor.
The interesting part is that the template parser reads certain HTML-like tags and replaces them with something else.
For example:

<includefile="Members/forgotten.passes">

will result in the contents of the file Members/forgotten.passes rather than just that string.

see: Sources/Subs.pl:383

$curline =~ s~<includefile="(.*?)">~${\(IncludeFile($1))}~g;  # match pattern is an assumption, reconstructed from the tag form shown above

sub IncludeFile opens the file and returns its contents.

In other words: if we can find what would normally be an XSS hole, we can find a way to include local file contents on the page shown to us.
I found one in the Poll part of YaBB, but there might be more.
The flaw in the Poll section requires you to log in (or register) and create a new Poll.
One of the Poll answers needs to be your XSS/include data: <includefile="Members/forgotten.passes">; you need at least 2 answers, a question and maybe some more.
Post the Poll, and answer it yourself by selecting the ‘<includefile="Members/forgotten.passes">’ option. When you end up on the results page you will see the contents of the file Members/forgotten.passes.

Now all you need to do is create the correct URL, type it in your browser and you'll be presented with a new password for user admin.
Log in with the new password and voilà, we're done.

The technique described in Step 2 can also be used to read other files, but having the power to execute your own Perl code is much more useful, so that was what I was aiming for.
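An added example, not code from YaBB or from this post: a toy version of the template step described in Step 2, with the vulnerable shape beside a hardened one. It uses the page's `<includefile="path">` tag syntax; the directory layout, the `{answer}` placeholder and the file contents are constructed for the demo. The hardened renderer does two things: it HTML-escapes user text before the tag parser runs, and it refuses includes that resolve outside a Templates/ directory. `find_include_tags` is an audit helper for scanning stored user data (such as poll files) for the tag.

```python
# Added example (not YaBB code): the template/include step with the vulnerable shape
# beside the hardened one. Tag syntax is the page's <includefile="path">; the forum
# tree under the temp dir and the sample file contents are constructed for the demo.
import html
import os
import re
import tempfile

INCLUDE_TAG = re.compile(r'<includefile="([^"]*)">')


def include_file(path: str, base_dir: str) -> str:
    """Naive IncludeFile: any path relative to the forum root is readable."""
    with open(os.path.join(base_dir, path), encoding="utf-8") as fh:
        return fh.read()


def include_file_restricted(path: str, base_dir: str) -> str:
    """Only files that resolve inside base_dir/Templates may be included."""
    allowed = os.path.realpath(os.path.join(base_dir, "Templates"))
    target = os.path.realpath(os.path.join(base_dir, path))
    if os.path.commonpath([allowed, target]) != allowed:
        raise PermissionError(f"include outside Templates/: {path}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def render_vulnerable(template: str, answer: str, base_dir: str) -> str:
    """User text is spliced in raw, then tags are expanded: user text becomes a tag."""
    page = template.replace("{answer}", answer)
    return INCLUDE_TAG.sub(lambda m: include_file(m.group(1), base_dir), page)


def render_hardened(template: str, answer: str, base_dir: str) -> str:
    """Escape before the parser runs ('<' -> '&lt;') and restrict what a tag can read."""
    page = template.replace("{answer}", html.escape(answer))
    return INCLUDE_TAG.sub(lambda m: include_file_restricted(m.group(1), base_dir), page)


def find_include_tags(stored_text: str) -> list:
    """Audit helper: list include targets found in stored user data (e.g. poll files)."""
    return INCLUDE_TAG.findall(stored_text)


def demo() -> dict:
    """Build a constructed forum tree and run both renderers on the same poll answer."""
    template = '<includefile="Templates/header.html">Results: {answer} - 1 vote'
    answer = '<includefile="Members/forgotten.passes">'
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "Members"))
        os.makedirs(os.path.join(base, "Templates"))
        with open(os.path.join(base, "Members", "forgotten.passes"), "w") as fh:
            fh.write('$pass{"admin"} = \'CONSTRUCTED-ID\';\n1;\n')  # constructed sample
        with open(os.path.join(base, "Templates", "header.html"), "w") as fh:
            fh.write("<h1>HEADER</h1>")
        vulnerable = render_vulnerable(template, answer, base)
        hardened = render_hardened(template, answer, base)
        try:
            include_file_restricted("Members/forgotten.passes", base)
            traversal_blocked = False
        except PermissionError:
            traversal_blocked = True
    return {
        "vulnerable": vulnerable,
        "hardened": hardened,
        "traversal_blocked": traversal_blocked,
        "tags_in_answer": find_include_tags(answer),
    }
```

Escaping alone closes the hole shown above; the path restriction is the second layer, so that a tag reaching the parser by some other route still cannot read Members/. Running `find_include_tags` over existing poll data is a cheap way to spot stored attempts on a board that has been exposed.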

I also remember there was a hole in YaBB version 1 that was quite funny. In that version they saved your user password in plain text on the server and put a crypted version in your cookie. If you visited the forum with a YaBB cookie, it read your username from the cookie, read the crypted password, went to your user info text file on the web server to fetch your uncrypted password and then did roughly this:

# the cookie value serves as both the crypt salt and the expected result
if (crypt($PlainPassWordFromServer, $CryptedPassWordFromCookie) eq $CryptedPassWordFromCookie) { $LoggedIn = 1; }

The interesting part here is that they used the crypted password as the salt to crypt the plain text password.
But a little known issue with crypt in Perl (and maybe other languages) is that when using \00\00 as a salt, the result is always \00, so all you had to do was put %00%00%00 as your crypted passwd in your cookie, add the username admin in the right place and you were admin of the forum :)
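An added example, not YaBB's code: the shape of the v1 check beside a cookie check where the expected value lives on the server. `toy_crypt` is a constructed stand-in (not DES crypt) used only to exercise the flawed shape; `looks_like_crypt_output` is a guard for any code that still has to hand a cookie to a real crypt(), rejecting values with NUL bytes or other characters crypt() never emits. The PBKDF2 parameters and salt length are assumptions.

```python
# Added example (not YaBB code): the v1 check's shape beside a cookie check that keeps
# the expected value on the server. Hashing parameters are assumptions.
import hashlib
import hmac
import os
import re
import secrets

PBKDF2_ROUNDS = 200_000   # assumed work factor
SALT_LEN = 16             # assumed salt length in bytes

# Traditional DES crypt() output: 13 characters, all from this alphabet.
CRYPT_OUTPUT = re.compile(r"^[./0-9A-Za-z]{13}$")


def flawed_check(plain_from_server: str, cookie_value: str, crypt_fn) -> bool:
    """Shape of the v1 check: the cookie supplies both the salt and the expected value,
    so the server contributes nothing the client did not choose."""
    return crypt_fn(plain_from_server, cookie_value) == cookie_value


def toy_crypt(plain: str, salt: str) -> str:
    """Constructed stand-in for crypt(): output begins with the two salt chars. Not DES."""
    body = hashlib.sha256((salt[:2] + plain).encode()).hexdigest()[:11]
    return salt[:2] + body


def looks_like_crypt_output(value: str) -> bool:
    """Reject cookie values (NUL bytes, wrong length, odd characters) that no real
    crypt() call produces, so degenerate salt handling is never reachable."""
    return bool(CRYPT_OUTPUT.match(value))


def make_password_record(password: str) -> bytes:
    """Server-chosen salt plus PBKDF2 digest; the plaintext is never written down."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def check_password(password: str, record: bytes) -> bool:
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class SessionStore:
    """Cookie = random token carrying no password material. The server keeps sha256(token)
    and decides who the cookie belongs to; the cookie cannot name its own expected value."""

    def __init__(self):
        self._by_digest = {}  # sha256 hex of token -> username

    def login(self, username: str, password: str, records: dict):
        record = records.get(username)
        if record is None or not check_password(password, record):
            return None
        token = secrets.token_urlsafe(32)
        self._by_digest[hashlib.sha256(token.encode()).hexdigest()] = username
        return token

    def user_for_cookie(self, cookie_value: str):
        digest = hashlib.sha256(cookie_value.encode()).hexdigest()
        return self._by_digest.get(digest)

    def logout(self, cookie_value: str) -> None:
        digest = hashlib.sha256(cookie_value.encode()).hexdigest()
        self._by_digest.pop(digest, None)
```

The design point is the direction of the comparison: in `flawed_check` the client-supplied value is both an input to the function and the thing compared against, so any library quirk on odd salts turns into a login; in `SessionStore` the server's table is the only place an expected value exists, and a cookie of NUL bytes simply has no entry.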

Anyway: all problems seem to be fixed now, so it's safe to write about them. But I might take a closer look again soon, just to see if I still have the hang of speed checking Perl code for potential problems.

Peter Vreugdenhil
