Ci-Bonfire v0.7.1-dev Reinstall Admin Account Vulnerability Analysis & Exploit

Hello

Ci-Bonfire is another open source application based on CodeIgniter. I’ve been analyzing CodeIgniter-based applications since I found some weaknesses in CodeIgniter. In this write-up we will see what can cause a failure of code design.

Bonfire Installer index()

When you have finished installing Bonfire, it creates an installed.txt file under application/config instead of deleting the installer files. It then checks for installed.txt when you try to call the installer again.

The following code belongs to the installer controller.

The installer controller tries to check whether the installation has already been done. To do that, the controller calls the $this->installer_lib->is_installed() method.

The is_installed function checks for installed.txt via the following code.

APPPATH returns ../application/ . That means Bonfire tries to check ../application/config/installed.txt.

But the path of installer_lib.php is Bonfire-master/bonfire/libraries/installer_lib.php

The local path of the installed.txt file is Bonfire-master/application/config/installed.txt.

So when installer_lib.php tries to check installed.txt via the code above, it actually checks this path: Bonfire-master/bonfire/libraries/../application/installed.txt

As you can see, it tries to reach the wrong path! Consequently, this code always returns FALSE!

Bonfire Installer do_install()

The index() method of the installer is not responsible for starting the installation process. The installation process is initialized by the do_install() method.

The first problem we noticed is that do_install() is a public method of the controller and does not check whether the installation has already been done. As an attacker we can easily call that method via an HTTP GET request. But we have already learned that even if do_install() checked whether the installation had been done, we could bypass it anyway because of the broken local path definition.

Line 10: loads the database.

Line 55: creates the default administrator with the following information.

email : admin@mybonefire.com

username : admin

password : password (defined at line 70)

and other stuff.
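As an added example that is not Bonfire's code, the following Python models the two defects described above: an is_installed() check whose relative path is resolved against the library's own directory instead of the project root, and an installer entry point that either ignores or honours that check. The directory layout is constructed from the paths in the write-up, and the gated do_install() is an assumed design, not the project's code.

```python
import os
import tempfile

# Constructed layout mirroring the write-up's paths (relative to a temporary root):
#   Bonfire-master/bonfire/libraries/                 where installer_lib.php lives
#   Bonfire-master/application/config/installed.txt   marker written after install
LIBRARY_DIR = os.path.join("Bonfire-master", "bonfire", "libraries")
MARKER_FROM_ROOT = os.path.join("Bonfire-master", "application", "config", "installed.txt")
# APPPATH/config/installed.txt with APPPATH = ../application/
MARKER_RELATIVE = os.path.join("..", "application", "config", "installed.txt")


def make_installed_tree() -> str:
    """Create a throwaway tree in which installation has already completed."""
    root = tempfile.mkdtemp(prefix="bonfire-demo-")
    os.makedirs(os.path.join(root, LIBRARY_DIR))
    os.makedirs(os.path.dirname(os.path.join(root, MARKER_FROM_ROOT)))
    with open(os.path.join(root, MARKER_FROM_ROOT), "w") as fh:
        fh.write("installed\n")
    return root


def buggy_marker_path(root: str) -> str:
    """Where the check lands when the relative path is resolved from the library directory."""
    return os.path.normpath(os.path.join(root, LIBRARY_DIR, MARKER_RELATIVE))


def is_installed_buggy(root: str) -> bool:
    """Models the write-up's is_installed(): wrong base directory, so it never finds the marker."""
    return os.path.exists(buggy_marker_path(root))


def is_installed_fixed(root: str) -> bool:
    """Hardened check: resolve the marker from an absolute project root."""
    return os.path.exists(os.path.join(root, MARKER_FROM_ROOT))


def do_install(root: str, is_installed) -> str:
    """Assumed model of the installer entry point, gated on the supplied check."""
    if is_installed(root):
        return "403 already installed"
    return "200 default admin created"


if __name__ == "__main__":
    root = make_installed_tree()
    print("buggy check looks at:", buggy_marker_path(root))
    print("buggy:", do_install(root, is_installed_buggy))  # reinstall goes through
    print("fixed:", do_install(root, is_installed_fixed))  # reinstall refused
```

The gate only helps once the marker path is anchored on an absolute root; with the relative resolution the gated entry point still reinstalls, which is why both fixes are needed together.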

EXPLOITATION

In order to gain administrator rights, we need to call the do_install() method of the installer controller. Calling do_install() is really easy!

Bonfire responds to that request as shown in the following screenshot.

[Screenshot: Bonfire installer response]

Now we are able to log in with the following credentials:

Username : admin@mybonefire.com

password : password

TIMELINE

21 Apr 2014 14:00 – Vulnerability found.

23 Apr 2014 21:20 – Analysis and write-up completed.

23 Apr 2014 21:29 – First contact with the lead developer of Bonfire.

23 Apr 2014 21:33 – Response from the lead developer.

23 Apr 2014 21:52 – Vulnerability confirmed by the lead developer.

23 Apr 2014 22:55 – Vulnerability patched via the following commit:
https://github.com/ci-bonfire/Bonfire/commit/9cb76c66babf89952c3d48279b026c59e198f46e