Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit

Title: Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit
Advisory ID: ZSL-2014-5175
Type: Local/Remote
Impact: Security Bypass
Risk: (2/5)
Release Date: 25.03.2014
Summary
Experience the ultimate directory script solution with Kemana. Create your own Yahoo or Dmoz easily with Kemana. Kemana's unique features include: a CMS engine based on our qEngine, multiple directories support, a user-friendly administration control panel, easy-to-use custom fields, and unsurpassed flexibility.
Description
The CAPTCHA function of Kemana Directory is prone to a security bypass vulnerability in the CAPTCHA authentication routine. The function 'qvc_init()' in '/includes/function.php' sets a cookie containing the SHA1 hash of the challenge value in the response header, and 'qvc_value()' reads that cookie back as the expected answer, so the hash can be replaced with a SHA1 hash of the attacker's own choosing via a cookie poisoning attack. A successful exploit allows attackers to bypass the CAPTCHA-based authentication challenge and perform brute-force attacks.

--------------------------------------------------------------------------------

/includes/function.php (lines 1774-1800):
-------------

/*------- ( QVC - VISUAL CONFIRMATION FUNCTIONS aka CAPTCHA ) ------- */


// qVC - the simplest visual confirmation engine yet
// use qvc_init() --> <img src="visual.php"> --> compare qvc_value() == sha1 (strtolower($user_input) )?
// qVC uses db to communicate with visual.php, then set user cookie using sha1, then db not used!
// $num = either 3 or 5, 3 => only 0-9, 5 => 0-F
function qvc_init ($num = 5)
{
    if ($num == 3)
        $value = mt_rand (100, 999);
    else
        $value = random_str (5);
    ip_config_update ('visual', $value);
    // the hashed expected answer is handed to the client as a cookie
    setcookie ('qvc_value', sha1 ($value), 0, '/');
}


// return qvc value (it's sha1'd, so be sure to compare with sha1'd value)
function qvc_value ()
{
    // the expected answer is read back from the client-controlled cookie
    $correct_val = cookie_param ('qvc_value');

    // block browser BACK
    qvc_init ();
    return $correct_val;
}

--------------------------------------------------------------------------------
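The remediation a defender would want, shown as an added example that is not Kemana's or C97net's code: the challenge answer is kept in the server-side session and compared there, so there is no client-held value to poison. Function names, session keys, the 300-second TTL and PHP 7+ are assumptions.

```php
<?php
// Added example, not qEngine code: the CAPTCHA answer never leaves the
// server, so a client-supplied cookie has nothing to substitute.

// Issue a new challenge. Only the rendered image reaches the client; the
// plaintext answer lives in the server-side session (keys are assumptions).
function captcha_init(int $len = 5): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // random_bytes() is a CSPRNG; mt_rand()/random_str() in the original are not.
    $value = substr(bin2hex(random_bytes($len)), 0, $len);   // 0-f, like $num = 5
    $_SESSION['captcha_value']  = $value;
    $_SESSION['captcha_issued'] = time();
    return $value;   // hand this to the image renderer only, never to setcookie()
}

// Verify the submitted answer against the server-side copy.
// The stored value is cleared on every call, matched or not, so each
// challenge answers exactly one attempt (no retry against the same image).
function captcha_check(string $user_input, int $ttl = 300): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['captcha_value']  ?? null;
    $issued   = $_SESSION['captcha_issued'] ?? 0;
    unset($_SESSION['captcha_value'], $_SESSION['captcha_issued']);

    if ($expected === null || time() - $issued > $ttl) {
        return false;   // no outstanding challenge, or it expired
    }
    // Constant-time comparison of the plaintext answer; no hash needs to
    // travel to or from the browser at all.
    return hash_equals($expected, strtolower(trim($user_input)));
}
```

Regenerating the challenge on every page view (the original's "block browser BACK" trick) is still possible by calling captcha_init() again after captcha_check(), without ever exposing the answer in a cookie.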

Vendor
C97net - http://www.c97.net
Affected Version
1.5.6
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vendor Status
[07.03.2014] Vulnerability discovered.
[10.03.2014] Vendor contacted.
[11.03.2014] Vendor responds asking more details.
[11.03.2014] Sent details to the vendor.
[12.03.2014] Working with the vendor.
[13.03.2014] Vendor working on a new version.
[21.03.2014] Asked vendor for status update.
[21.03.2014] Vendor promises patch release in April.
[25.03.2014] Public security advisory released.
PoC
ketchup.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.com/files/125872
[2] http://www.exploit-db.com/exploits/32510
[3] http://cxsecurity.com/issue/WLB-2014030200
[4] http://www.securityfocus.com/bid/66436
[5] http://www.c97.net/news/security-issues-with-qengine-family.php
[6] http://osvdb.org/show/osvdb/105110
Changelog
[25.03.2014] - Initial release
[26.03.2014] - Added reference [1], [2] and [3]
[27.03.2014] - Added reference [4] and [5]
[31.03.2014] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk