Understanding Invision Power Board Backup Vulnerability (CVE-2009-4563)

What this paper is
This paper describes a vulnerability in Invision Power Board (IPB) Trial version 2.0.4. The vulnerability allows an attacker to create a backup of the board's database. The exploit provided is a URL that, when accessed, triggers the backup functionality.
Simple technical breakdown
The vulnerability lies in how the IPB software handles requests to create database backups. Specifically, it seems that certain parameters in the URL can be manipulated to force the application to create a backup file. The provided exploit URL targets a specific script (admin.php) and uses parameters like act=mysql, code=dosafebackup, and create_tbl=1 to initiate this backup process.
Complete code and payload walkthrough
The provided "exploit" is not traditional code in the sense of a compiled program or a complex script. Instead, it's a specially crafted URL that leverages a vulnerability in the web application.
Exploit URL: http://127.0.0.1/Invision/admin.php?adsess=c35b4de23cd409abd16ba2f90348b484&act=mysql&code=dosafebackup&create_tbl=1&addticks=&skip=1&enable_gzip=1
Let's break down the components of this URL:
- http://127.0.0.1/Invision/admin.php: the target URL.
  - http://: the protocol used for web communication.
  - 127.0.0.1: the loopback IP address, indicating the server is running on the local machine. This implies the attacker would need some form of local access or be able to proxy requests to the target server.
  - /Invision/admin.php: the administrative interface of Invision Power Board. Access to this script is typically restricted.
- ?: separates the URL path from the query string parameters.
- Query string parameters: key-value pairs sent to the server to control the application's behavior.
- adsess=c35b4de23cd409abd16ba2f90348b484:
  - adsess: likely a session identifier or a security token.
  - c35b4de23cd409abd16ba2f90348b484: a hexadecimal string. In a real attack this would need to be a valid session ID for an authenticated administrator; the exploit assumes a valid session is already established or can be bypassed.
  - Practical Purpose: crucial for authentication. Without a valid session, the admin.php script would likely deny access.
- act=mysql:
  - act: likely specifies the action or module to be executed within admin.php.
  - mysql: suggests that the action relates to database operations.
  - Practical Purpose: directs the application to the section handling MySQL database tasks.
- code=dosafebackup:
  - code: likely specifies a sub-action or a specific function within the mysql module.
  - dosafebackup: the key to the vulnerability. It instructs the application to perform a "safe backup" operation. The vulnerability likely stems from how this backup function is implemented, allowing it to be triggered without proper sanitization or authorization checks beyond the session.
  - Practical Purpose: initiates the database backup process.
- create_tbl=1:
  - create_tbl: likely controls whether new tables are created during the backup process or whether it is an existing-table backup.
  - 1: a value of 1 typically signifies "true" or "enabled".
  - Practical Purpose: instructs the backup function to create the necessary table structures for the backup.
- addticks=:
  - addticks: the purpose of this parameter is not clear from the URL alone. It might relate to adding specific delimiters or markers, or it could be unused in this specific exploit.
  - Practical Purpose: unknown; potentially unused or intended for a different backup scenario.
- skip=1:
  - skip: might control whether certain steps or checks are skipped during the backup process.
  - 1: a value of 1 likely means "true" or "enabled", indicating that some part of the process should be skipped.
  - Practical Purpose: potentially bypasses a validation or confirmation step within the backup routine.
- enable_gzip=1:
  - enable_gzip: likely controls whether the backup file is compressed using gzip.
  - 1: a value of 1 means "true" or "enabled".
  - Practical Purpose: ensures the backup file is compressed, a common feature for large database backups.
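From a detection standpoint, the parameter combination above is a compact signature: any request to admin.php carrying act=mysql and code=dosafebackup invokes the backup routine, whether or not the adsess token is well-formed. The following Python is an added example, not part of the advisory or of IPB, that parses constructed access-log lines and flags such requests; the log format and sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters that select the IPB 2.0.4 backup routine (from the advisory URL);
# the other parameters only shape how the backup is produced.
BACKUP_SIGNATURE = {"act": "mysql", "code": "dosafebackup"}
ADSESS_RE = re.compile(r"^[0-9a-f]{32}$")  # 32 hex chars, as in the advisory's adsess
# Assumed combined access-log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) \S+" (?P<status>\d{3})')

def parse_request(url):
    """Split a request URL into its path and its (last-value-wins) query parameters."""
    parts = urlsplit(url)
    return parts.path, {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}

def classify(url):
    """Return a finding for a request that would invoke the backup routine, else None."""
    path, params = parse_request(url)
    if not path.endswith("/admin.php"):
        return None
    if any(params.get(k) != v for k, v in BACKUP_SIGNATURE.items()):
        return None
    return {
        "adsess_wellformed": bool(ADSESS_RE.match(params.get("adsess", ""))),
        "skip_checks": params.get("skip") == "1",       # skip=1: possible bypass of a step
        "gzip": params.get("enable_gzip") == "1",       # compressed backup file requested
        "create_tbl": params.get("create_tbl") == "1",  # table structures included
    }

def scan_log(lines):
    """Return (client_ip, http_status, finding) for every log line matching the signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (finding := classify(m.group("url"))):
            findings.append((m.group("ip"), int(m.group("status")), finding))
    return findings

# Constructed sample log lines (not taken from the advisory or any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2010:12:00:01 +0000] "GET /Invision/index.php?showforum=3 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2010:12:00:09 +0000] "GET /Invision/admin.php?adsess=c35b4de23cd409abd16ba2f90348b484&act=mysql&code=dosafebackup&create_tbl=1&addticks=&skip=1&enable_gzip=1 HTTP/1.1" 200 312',
    '198.51.100.4 - - [10/Jan/2010:12:01:30 +0000] "GET /Invision/admin.php?adsess=notahexsession&act=mysql&code=dosafebackup HTTP/1.1" 302 0',
]
```

A hit with a well-formed adsess and a 200 status may simply be an administrator using the feature, so the finding should be correlated with which account owned that session and whether a backup file then appeared in a web-reachable directory.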
Payload/Shellcode:
There is no explicit shellcode or payload bytes in this exploit paper. The "payload" is the result of triggering the vulnerability: a database backup file being created. The attacker's goal would then be to gain access to this backup file.
Mapping of Code Fragment/Block to Practical Purpose:
| Code Fragment/Block | Practical Purpose |
|---|---|
| /Invision/admin.php | Administrative interface of the board; access is normally restricted |
| adsess=c35b4de23cd409abd16ba2f90348b484 | Administrator session token; required to pass authentication |
| act=mysql | Selects the MySQL database-task section of admin.php |
| code=dosafebackup | Invokes the "safe backup" routine that creates the database backup |
| create_tbl=1 | Includes the table structures in the backup |
| addticks= | Purpose unknown; likely unused in this exploit |
| skip=1 | Potentially skips a validation or confirmation step |
| enable_gzip=1 | Compresses the backup file with gzip |
Original Exploit-DB Content (Verbatim)
========================================================================================
| # Title : Invision Power Board(Trial) v2.0.4 Backup Vulnerability |
| # Author : indoushka |
| # email : indoushka@hotmail.com |
| # Home : Souk Naamane - 04325 - Oum El Bouaghi - Algeria -(00213771818860) |
| # Verified : |
| # Web Site : www.iq-ty.com |
| # Published: |
| # Script : Powered by Invision Power Board(Trial) v2.0.4 © 2009 IPS, Inc. |
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Lunix Français v.(9.4 Ubuntu) |
| # Bug : Backup |
====================== Exploit By indoushka =================================
| # Exploit :
|
| 1- http://127.0.0.1/Invision/admin.php?adsess=c35b4de23cd409abd16ba2f90348b484&act=mysql&code=dosafebackup&create_tbl=1&addticks=&skip=1&enable_gzip=1
|
================================ Dz-Ghost Team ========================================
Greetz : Exploit-db Team (loneferret+Exploits+dookie2000ca)