
  • Ways to prevent being hacked in this method.

    I have a really determined hacker who likes to hijack our vbulletin sessions. He will obtain a session in the most insane ways. For example, he has posted standard .jpg images which display real output. Though on his server end, the .jpg file is an asp/php script that obtains the users session data/cookies then displays the jpg file as usual. This guy is good! I am good too

    Recently I believe he is using the encrypted passwords obtained by the session/cookies and has created a rainbow table that includes our customer id salt. Yes, a rainbow table just for us. Now instead of hijacking the sessions, he can just log right in.

    Is there any fix for this?

    Note to all, these methods are pretty much exploitable on every forum application.
    http://www.tamparacing.com - Florida's #1 Automotive Community
    http://www.tampaforums.com - Tampa's #1 Place for Shenanigans

  • #2
    I'm not aware of that being possible with the default vB 3.6.4. Please see this thread on how to make your vBulletin more secure:

    http://www.vbulletin.com/forum/showthread.php?t=172234
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




    • #3
      That's interesting..
      Are you using complex passwords for the admins and mods? That would make it almost impossible for him to get those accounts
      Webmaster in charge of technical stuff and taking out the trash. www.disboards.com, www.wdwinfo.com
      www.dreamsunlimitedtravel.com and a few others I am forgetting!



      • #4
        From what I gather, this is how the password hash is created:
        md5(md5(md5(password) . salt) . 'abcd1234')

        password is the userpassword, salt is the per-user salt, and abcd1234 is your vbulletin customer id.

        The per-user salt does not change when you change your password. If you have someone who is obtaining session info, and has your customer id, he can then create a rainbow table utilizing both the user password and customer id salts.

        Even if you change your password, both salts are the same, thus the rainbow table is still good!

        This could all be avoided if the user password salt changed when you change your password.

        As it is now, I know for a fact you can obtain the encrypted passwords and per-user salt, then run them against a rainbow table. How you obtain the encrypted password is debatable, but it is easily possible if you have dynamic url for img tags enabled or a webserver configured to execute .jpg/.gif as cgi on the remote side.

        For example, a remote webserver configured to execute .jpgs/.gifs as php scripts:

        hackme.jpg would actually be a php script doing the following:

        1) Get cookie/session
        2) Output content-type image/jpg headers
        3) Output binary for image

        Now just link to hackme.jpg within img tags in a post.


        The easiest fix:

        Change the user password salt each time someone changes their password.


        I know this is possible as I was just hacked with this method the other day. I know it sounds very complex and time consuming to create these large rainbow tables. It probably takes weeks or months. This guy is very determined, has a lot of time on his hands, a little bit of a sociopath, and it can happen to anyone.
        Last edited by Zate; Sun 31 Dec '06, 5:54am.
        http://www.tamparacing.com - Florida's #1 Automotive Community
        http://www.tampaforums.com - Tampa's #1 Place for Shenanigans
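        The salt-rotation point from post #4, as an added worked example that is not from the thread or from vBulletin itself: it reproduces the hash formula exactly as post #4 states it (not checked against vBulletin source), uses the thread's placeholder "abcd1234" for the customer id, a constructed four-word list, and a hypothetical Account class, and shows that a table precomputed for one per-user salt keeps matching new hashes after a password change unless the salt is rotated at the same time.

```python
import hashlib
import secrets

# Placeholder customer id copied from post #4; stands in for a real one.
CUSTOMER_ID = "abcd1234"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def vb_hash(password: str, salt: str, customer_id: str = CUSTOMER_ID) -> str:
    # Formula as claimed in post #4: md5(md5(md5(password) . salt) . customer_id)
    return md5hex(md5hex(md5hex(password) + salt) + customer_id)


def precomputed_table(wordlist, salt: str, customer_id: str = CUSTOMER_ID) -> dict:
    """hash -> password, valid only for this one (salt, customer_id) pair.
    This is the per-site table post #4 describes; its lifetime is exactly
    the lifetime of the salt it was built for."""
    return {vb_hash(w, salt, customer_id): w for w in wordlist}


class Account:
    """Hypothetical account store; rotate_salt_on_change is the fix post #4 asks for."""

    def __init__(self, password: str, rotate_salt_on_change: bool):
        self.rotate = rotate_salt_on_change
        self.salt = secrets.token_hex(4)
        self.hash = vb_hash(password, self.salt)

    def change_password(self, new_password: str) -> None:
        if self.rotate:
            self.salt = secrets.token_hex(4)  # fresh salt invalidates old tables
        self.hash = vb_hash(new_password, self.salt)


def recovered_after_change(rotate_salt_on_change: bool):
    """Simulate: attacker built a table for the user's current salt, the user
    then changes password, attacker obtains the new hash (as post #4 says is
    possible). Returns the password the old table yields, or None."""
    words = ["hunter2", "letmein", "corvette", "mustang"]  # constructed list
    acct = Account("hunter2", rotate_salt_on_change)
    table = precomputed_table(words, acct.salt)
    acct.change_password("mustang")
    return table.get(acct.hash)


if __name__ == "__main__":
    print("salt kept:   ", recovered_after_change(False))  # old table still works
    print("salt rotated:", recovered_after_change(True))   # old table useless
```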



        • #5
          That is really interesting. From what I read here:
          http://en.wikipedia.org/wiki/Rainbow_table

          A long complicated password can make it VERY difficult. Also changing your password regularly
          Webmaster in charge of technical stuff and taking out the trash. www.disboards.com, www.wdwinfo.com
          www.dreamsunlimitedtravel.com and a few others I am forgetting!



          • #6
            Originally posted by alexi View Post
            That is really interesting. From what I read here:
            http://en.wikipedia.org/wiki/Rainbow_table

            A long complicated password can make it VERY difficult. Also changing your password regularly

            Agreed, though I can't control how complex/long user passwords are, can I? One of the reasons salts came to be was to defend against rainbow tables. Though we have two salts that never change on a per user basis.

            This guy would be just as happy to hack into a standard user's account to make them mad, and to show his power, than to have an admin account. Sociopath to the extreme.
            http://www.tamparacing.com - Florida's #1 Automotive Community
            http://www.tampaforums.com - Tampa's #1 Place for Shenanigans



            • #7
              OH boy...
              yea I was thinking of admin accounts, at least you can protect those...
              Webmaster in charge of technical stuff and taking out the trash. www.disboards.com, www.wdwinfo.com
              www.dreamsunlimitedtravel.com and a few others I am forgetting!
