BlogTorrent 0.92 - Remote Password Disclosure Explained

What this paper is
This paper describes a vulnerability in BlogTorrent version 0.92 that allows an attacker to remotely discover user passwords. The vulnerability is due to the way BlogTorrent stores user credentials.
Simple technical breakdown
BlogTorrent 0.92 stores user information, including usernames and their corresponding MD5-hashed passwords, in a file. This file is accessible via HTTP. The vulnerability lies in the fact that the file containing this sensitive information is not properly protected and can be accessed directly by an attacker. By requesting a specific URL, an attacker can retrieve the content of this file, which includes the MD5 hashes of the usernames and passwords.
Complete code and payload walkthrough
The provided "code" is not executable code in the traditional sense but rather a demonstration of how to exploit the vulnerability. It consists of a URL pattern and an example of the data format found in the vulnerable file.
URL Pattern:
http://test/path_of_blog/data/newusers
- Practical Purpose: This is the target URL that an attacker would request.
- http://test/: Represents the base URL of the vulnerable BlogTorrent installation.
- path_of_blog/: The specific path where BlogTorrent is installed on the web server.
- data/newusers: The specific file path within the BlogTorrent installation that contains user data.
Example Data Format:
d40:14ae696abdca1688dd577fe486c3981f331457b0d7:Createdi1120957648e5:Email17:email@email4:Hash40:d7b82821fe725305bded2fab9e91ed1e0e6fd93bee
- Practical Purpose: This line shows the structure of a single user entry within the newusers file. The fields are separated by colons (:).
- Breakdown of fields:
  - d40: Not explicitly explained in the paper; it appears to be a prefix or identifier for the user record.
  - 14ae696abdca1688dd577fe486c3981f331457b0d7: The MD5 hash of the username.
  - Createdi1120957648e5: Appears to be related to the user's creation timestamp or an internal identifier; the exact meaning is not stated.
  - Email17: Appears to be a prefix for the email address.
  - email@email4: The user's email address.
  - Hash40: A prefix for the password hash.
  - d7b82821fe725305bded2fab9e91ed1e0e6fd93bee: The MD5 hash of the user's password.
Key Revelations:
- "Username (crypt in md5) -> 14ae696abdca1688dd577fe486c3981f331457b0d7"
  - Practical Purpose: Confirms that the second field in the data line is the MD5 hash of the username.
- "Password (crypt in md5) -> d7b82821fe725305bded2fab9e91ed1e0e6fd93bee"
  - Practical Purpose: Confirms that the last field in the data line is the MD5 hash of the password.
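The record above read as bencoding, added here as an editor's example (not code from the paper or from BlogTorrent). Treating the line as bencoding is this example's assumption: the leading d opens a dictionary, i...e wraps an integer, and a decimal length followed by a colon introduces a string, so under that reading the record is a dictionary keyed by a 40-character username hash whose value holds Created, Email and Hash. The printed sample does not decode strictly under that reading, because its Email value (email@email, 11 bytes) is shorter than its length prefix of 17, apparently an artifact of the editing noted in the paper's header. The decoder below therefore parses a constructed record of the same shape and shows the strict check rejecting the paper's sample; the hex values in the constructed record are placeholders.

```python
# Added example (not code from the paper or from BlogTorrent): a strict
# bencode decoder applied to a newusers record in the shape shown above.
# Treating the record as bencoding is this example's assumption.
from typing import Any, Dict, Tuple


def decode(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one bencoded value at `pos`; return (value, position after it)."""
    lead = data[pos:pos + 1]
    if lead == b"d":                      # dictionary: d <key> <value> ... e
        pos += 1
        result: Dict[str, Any] = {}
        while data[pos:pos + 1] != b"e":
            key, pos = decode(data, pos)
            if not isinstance(key, bytes):
                raise ValueError(f"dictionary key before offset {pos} is not a string")
            result[key.decode("ascii")], pos = decode(data, pos)
        return result, pos + 1
    if lead == b"i":                      # integer: i <digits> e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if lead.isdigit():                    # string: <decimal length> : <bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start, stop = colon + 1, colon + 1 + length
        if stop > len(data):
            raise ValueError(f"string at offset {pos} runs past the end of the data")
        return data[start:stop], stop
    raise ValueError(f"unexpected byte {lead!r} at offset {pos}")


def parse_newusers(raw: bytes) -> Dict[str, Dict[str, Any]]:
    """Decode a whole newusers blob and require that nothing trails the record."""
    value, end = decode(raw)
    if end != len(raw):
        raise ValueError(f"{len(raw) - end} trailing byte(s) after the record")
    if not isinstance(value, dict):
        raise ValueError("top-level value is not a dictionary")
    return value


def is_well_formed(raw: bytes) -> bool:
    """True when the blob decodes strictly, False on any length or delimiter error."""
    try:
        parse_newusers(raw)
    except ValueError:
        return False
    return True


# The record exactly as printed in the paper. Its Email value is 11 bytes
# but carries a length prefix of 17, so a strict decoder rejects it.
PAPER_SAMPLE = (
    b"d40:14ae696abdca1688dd577fe486c3981f331457b0d7:Createdi1120957648e"
    b"5:Email17:email@email4:Hash40:d7b82821fe725305bded2fab9e91ed1e0e6fd93bee"
)

# Constructed record (not from the paper): same layout, every length prefix
# matching its string. The hex values are placeholders.
CONSTRUCTED_RECORD = (
    b"d40:00112233445566778899aabbccddeeff00112233"          # outer key: hashed username
    b"d7:Createdi1120957648e"                                 # inner dict, Created = 1120957648
    b"5:Email17:alice@example.net"                            # Email (17 bytes)
    b"4:Hash40:ffeeddccbbaa99887766554433221100ffeeddcc"     # Hash: 40 hex characters
    b"ee"                                                     # close inner and outer dict
)

if __name__ == "__main__":
    print("paper sample decodes strictly:", is_well_formed(PAPER_SAMPLE))
    for user_key, fields in parse_newusers(CONSTRUCTED_RECORD).items():
        print(user_key, fields)
```

Whatever the exact encoding, the defender's takeaway is unchanged: one unauthenticated GET returns, per user, a username hash, an e-mail address and a password hash, so every account in the file has to be treated as compromised once the file has been served.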
Payload/Shellcode Segment: There is no executable shellcode or payload in this paper. The "exploit" is simply the act of accessing a publicly readable file containing sensitive information.
Execution Stages:
- Reconnaissance: Identify a BlogTorrent 0.92 installation and its web server path.
- Direct Access: Construct the URL http://[target]/[path]/data/newusers.
- Data Retrieval: Make an HTTP GET request to the constructed URL.
- Password Hash Extraction: Parse the returned file content to extract the MD5 password hashes.
- Offline Cracking (Optional but implied): Use offline tools to attempt to crack the MD5 password hashes.
Practical details for offensive operations teams
- Required Access Level: No elevated privileges are required on the target system itself. The vulnerability is exposed via the web server.
- Lab Preconditions:
  - A vulnerable BlogTorrent 0.92 instance must be set up.
  - The web server hosting BlogTorrent must be accessible over HTTP.
  - The data/newusers file must exist and be readable by the web server process.
  - The data/newusers file must not be protected by authentication or proper file permissions.
- Tooling Assumptions:
  - A web browser or an HTTP client (e.g., curl, wget) to make requests.
  - Tools for MD5 hash cracking (e.g., John the Ripper, Hashcat) if password recovery is desired.
- Execution Pitfalls:
  - Incorrect URL: The path to the data/newusers file might vary depending on the installation.
  - File Not Present/Readable: The data/newusers file might not exist, or its permissions might prevent web server access.
  - Version Mismatch: The vulnerability is specific to BlogTorrent 0.92. Newer versions are likely patched.
  - No Passwords Stored: If no users have been created, the newusers file might be empty or not contain password hashes.
  - Strong Passwords: Even if hashes are retrieved, they might be difficult or impossible to crack if users chose strong, complex passwords.
- Telemetry Considerations:
  - Web Server Logs: An attacker's HTTP requests to the data/newusers file will be logged. This can reveal the source IP address, timestamp, and the specific file accessed.
  - Network Traffic: Unencrypted HTTP traffic can be intercepted, revealing the file content.
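One way to turn the Web Server Logs item above into a check, as an added example that is not from the paper or from BlogTorrent: the script below parses constructed Apache/nginx combined-format log lines and flags every request whose path ends in data/newusers, separating successful reads (2xx, the file was disclosed) from refused attempts. The /blog install prefix, the timestamps and the addresses are placeholders.

```python
# Added example (not from the paper): flag web-server log entries that touch
# BlogTorrent's data/newusers file. Log lines are constructed here in the
# Apache/nginx "combined" format; the install prefix (/blog) is a placeholder.
import re
from typing import Dict, Iterable, List, Optional

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The paper's URL ends in data/newusers under whatever path BlogTorrent is
# installed at, so match the tail of the request path, not a fixed prefix.
SENSITIVE_PATH = re.compile(r"(^|/)data/newusers$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into named fields, or None if it does not parse."""
    match = COMBINED_LOG.match(line)
    return match.groupdict() if match else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """'disclosure' if the server served the file (2xx), 'probe' if it refused, else None."""
    path = entry["path"].split("?", 1)[0]        # ignore any query string
    if not SENSITIVE_PATH.search(path):
        return None
    return "disclosure" if entry["status"].startswith("2") else "probe"


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per request for the credentials file, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                              # not a combined-format line; skip it
        verdict = classify(entry)
        if verdict is not None:
            findings.append({
                "ip": entry["ip"],
                "time": entry["time"],
                "path": entry["path"],
                "status": entry["status"],
                "verdict": verdict,
            })
    return findings


# Constructed log lines (not real traffic): one successful read, one unrelated
# request, two refused attempts, and one line that is not a log entry at all.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jul/2005:10:14:32 +0000] "GET /blog/data/newusers HTTP/1.1" 200 512 "-" "curl/7.13.0"',
    '203.0.113.7 - - [11/Jul/2005:10:14:01 +0000] "GET /blog/index.php HTTP/1.1" 200 2048 "-" "curl/7.13.0"',
    '198.51.100.4 - - [11/Jul/2005:11:02:10 +0000] "GET /blog/data/newusers HTTP/1.1" 403 213 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/Jul/2005:11:02:11 +0000] "GET /blog/data/newusers?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    "this line is not a log entry",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["ip"]} {finding["status"]} '
              f'{finding["path"]} -> {finding["verdict"]}')
```

A "disclosure" finding means the hashes have already left the server, so the response is a password reset for every account in the file, not only a block on the requesting address; a run of "probe" findings still records that the host was checked for this file and is worth correlating with other activity from the same source.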
Where this was used and when
- Context: This vulnerability was likely exploited by individuals or groups looking to gain unauthorized access to BlogTorrent installations. The primary goal would be to obtain user credentials for further compromise of the blog or associated systems.
- Approximate Years/Dates: The paper was published on 2005-07-11. Therefore, exploitation would have occurred around this time, or shortly thereafter, before patches were applied or the software was updated.
Defensive lessons for modern teams
- Secure File Permissions: Ensure that sensitive configuration and data files are not world-readable or accessible via web requests. Use appropriate file system permissions and web server configurations (e.g., .htaccess, Nginx location blocks) to restrict access.
- Avoid Storing Sensitive Data in Web-Accessible Directories: User credentials, configuration files, and other sensitive data should never reside in directories that can be served by a web server.
- Regular Software Updates: Keep all web applications and their dependencies updated to the latest secure versions. Vendors typically patch such vulnerabilities.
- Input Validation and Sanitization: While not directly applicable to this specific file access vulnerability, it's a general principle. Ensure that user inputs and configurations do not lead to unintended file access or data leakage.
- Principle of Least Privilege: The web server process should only have read access to files it absolutely needs.
ASCII visual (if applicable)
This vulnerability is a direct file access issue, so a complex architecture diagram isn't strictly necessary. However, a simple representation of the interaction can be illustrative:
+-----------------+       HTTP Request        +-------------------+
| Attacker's Host | ------------------------> |    Web Server     |
|                 |                           |   (BlogTorrent)   |
+-----------------+                           |                   |
                                              |  +-------------+  |
                                              |  |    data/    |  |
                                              |  |  newusers   |  |
                                              |  +-------------+  |
                                              +-------------------+
                                                        |
                                                        | HTTP Response (File Content)
                                                        v
                                              +-------------------+
                                              |  Attacker's Host  |
                                              | (Receives Hashes) |
                                              +-------------------+
Source references
- Paper ID: 1097
- Paper Title: BlogTorrent 0.92 - Remote Password Disclosure
- Author: LazyCrs
- Published: 2005-07-11
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/1097
- Raw URL: https://www.exploit-db.com/raw/1097
Original Exploit-DB Content (Verbatim)
# Edited for easy info. /str0ke
Software: BlogTorrent 0.92 <=
Vendor: http://www.blogtorrent.com/
Author: LazyCrs && pjphem
Date: 10/07/2005
Type: Remote/Local User Password Disclosure
#0x03 - POC
http://test/path_of_blog/data/newusers
=
d40:14ae696abdca1688dd577fe486c3981f331457b0d7:Createdi1120957648e5:Email17:email@email4:Hash40:d7b82821fe725305bded2fab9e91ed1e0e6fd93bee
Username (crypt in md5) -> 14ae696abdca1688dd577fe486c3981f331457b0d7
Password (crypt in md5) -> d7b82821fe725305bded2fab9e91ed1e0e6fd93bee
#LazyCrs[AT]GMail[DOT]com - pjphem[AT]mybox[DOT]it
#FREE RAFA! FREE RAFA! FREE RAFA!
# milw0rm.com [2005-07-11]