SMF 2.0.x Remote Code Execution 0day Exploit

Started by House, January 24, 2016, 09:57:50 AM


House

Hello,
According to the comments on this page, this exploit is working on the current SMF version 2.0.11. Has anyone checked it?

Thanks.

hxxp://es.0day.today/exploit/description/23252 [nonactive]

JBlaze

This particular exploit never worked. It's a fake. There are no currently known security vulnerabilities in the latest 1.1.x and 2.0.x versions.
Jason Clemons
Former Team Member 2009 - 2012

qc

Just for the record, how sure are you about this exploit being a fake? Would it be worth the time checking for possible attack vectors which enable an attacker to - from what we can see in the video demo - access the admin session stored in the database?
Playing quizduell? Having quizduell questions? Our German quizduell forum quizcommunity.de is looking for quiz freaks to come and play quizduell with us :)

Kindred

Although you have noted some stuff recently (Thanks) -- we are virtually certain that this "demo" is a complete fake...

Besides the fact that -- if you have the admin session, you have complete access to everything anyway - there is absolutely no point in a hackish complicated method of doing something which requires admin access to do in the first place.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

qc

Quote from: Kindred on May 08, 2016, 07:25:56 PM
Besides the fact that -- if you have the admin session, you have complete access to everything anyway - there is absolutely no point in a hackish complicated method of doing something which requires admin access to do in the first place.
According to the demo, only a default user account is required to hijack the admin session.

Arantor

We watched the demo, no one could figure out what they were doing where they didn't already have admin credentials in the first place.

qc

Quote from: Arantor on May 08, 2016, 11:36:57 PM
We watched the demo, no one could figure out what they were doing where they didn't already have admin credentials in the first place.
From the demo video, we can see that the alleged exploit needs to be given the name and password of a default member (user1). Then the exploit does some exploity exploiting and delivers the stored admin session.

My initial conclusion:
There is either a) an SQL injection issue within the code of SMF functions accessible to logged-in members or b) the exploit is fake.

We could now start backtracking all 'raw' database queries from aforementioned SMF functions to make sure there is no SQL injection issue... which is very time-consuming. Therefore my question about how you come to the conclusion that this exploit is indeed fake.
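One way to mechanise the query backtracking qc describes, as an added example that is not part of the thread and not SMF's own code: it lists every query call whose SQL argument is anything other than one single-quoted literal, so only those calls need manual review. It assumes SMF 2.0's convention of `$smcFunc['db_query'](identifier, SQL, values)` with `{type:name}` placeholders; `SAMPLE` is constructed PHP, and `split_args` and `audit` are hypothetical helper names.

```python
import re

# Assumption (not from the thread): SMF 2.0 issues queries as
# $smcFunc['db_query']('id', 'SQL with {type:name} placeholders', array(...)).
CALL = re.compile(r"\$smcFunc\[\s*'db_query'\s*\]\s*\(")
LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'", re.S)   # one single-quoted PHP string

# Constructed PHP sample: one parameterised query, two built at runtime.
SAMPLE = r"""<?php
$smcFunc['db_query']('', '
    SELECT id_member FROM {db_prefix}members
    WHERE id_member = {int:id}', array('id' => $id));
$smcFunc['db_query']('', '
    SELECT id_msg FROM {db_prefix}messages
    WHERE subject LIKE \'' . $_REQUEST['q'] . '%\'', array());
$smcFunc['db_query']('', "SELECT * FROM {db_prefix}topics WHERE id_topic = $t", array());
"""

def split_args(src, i):
    """Split a call's top-level arguments, starting just after its '('."""
    args, buf, depth, quote = [], [], 0, None
    while i < len(src):
        c = src[i]
        if quote:                        # inside a PHP string literal
            if c == "\\":                # keep the escaped character with it
                buf.append(c); i += 1; c = src[i:i + 1]
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c in "([":
            depth += 1
        elif c in ")]":
            if depth == 0:               # closing paren of the call itself
                return args + ["".join(buf).strip()]
            depth -= 1
        elif c == "," and depth == 0:
            args.append("".join(buf).strip()); buf = []; i += 1
            continue
        buf.append(c); i += 1
    return args                          # unterminated call: nothing more to split

def audit(src):
    """Return line numbers of query calls whose SQL needs manual review."""
    flagged = []
    for m in CALL.finditer(src):
        args = split_args(src, m.end())
        if len(args) < 2 or not LITERAL.fullmatch(args[1]):
            flagged.append(src.count("\n", 0, m.start()) + 1)
    return flagged
```

A flagged line is a review candidate, not a confirmed injection; the reviewer still has to trace whether the concatenated or interpolated value is attacker-controlled.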

vbgamer45

Well if I was that person who made the exploit I would go after a big target like this site here and either gain access or post information.

Arantor

I spent a day trying to backtrack it, and got nowhere.
