www.ExploitDevelopment.com Member Vulnerability Advisories


--------------------------------------------------------------------------
www.ExploitDevelopment.com 2012-WEB-001
--------------------------------------------------------------------------


TITLE:
AjaXplorer Version 4.0.3 and Older Web-Based File Manager Allows Attackers to Log In to the Application Using Only the Username and Encrypted Password Hash

SUMMARY AND IMPACT:
A vulnerability was found in the AjaXplorer Web-Based File Manager that allows attackers to log in to the application using only the username and the stored password hash. The password hash is stored in the administrator's browser cookies if the administrator elects to be remembered during login. If an attacker is able to retrieve the admin's password hash through cookie theft, the application can be compromised without knowing the administrator's password. Once this password hash has been retrieved, the attacker can combine it with the password seed value found on the login page to create the login hash the application requires. An unauthenticated attacker can also steal the AjaXplorer password file by using my other reported vulnerability, 2012-WEB-002.

DETAILS:
Use the following steps to exploit this vulnerability.
1. The attacker steals the administrator's AjaXplorer login cookie using any method. The attacker may also have compromised the users.ser file that contains the password hashes.
2. Reuse of the cookie does not work on its own, due to a flaw in the way AjaXplorer handles the cookie login function.
3. Find the password hash here: ajxp_remember={"user": "admin", "pass": "MD5PASSWORDHASH"}
4. Using Mozilla Firefox and Burp Suite Proxy, access the AjaXplorer application.
5. Turn on Intercept in Burp Proxy.
6. Click the login button on the file manager.
7. Intercept the "Seed" value and take note of it.
8. Create a PHP web page on your own server with the following code. "adminhashseedvalue" is the user's stored password hash and the seed value concatenated together (hash first, then seed):

   <?php
   echo md5('adminhashseedvalue');
   ?>

9. Access your PHP script to retrieve the MD5 value the application requires for login.
10. On the login page, use the username "admin" and any value for the password. Ensure that Burp Proxy is intercepting.
11. Replace the POST password value with the value that you generated in step 8.
12. Forward the request.
13. You are now logged in to the AjaXplorer web application as an administrator.
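The following Python model, added here for this page and not taken from AjaXplorer's own PHP, shows why the login check described above fails and what a remember-me cookie should carry instead. The users.ser layout (unsalted MD5 of the password), the seed value, and the hash-then-seed concatenation order are assumptions taken from the steps above; the hardened design is general practice, not the vendor's 4.0.4 fix.

```python
import hashlib
import hmac
import secrets

# Constructed sample password store, modelled on users.ser, which the advisory says
# holds MD5 password hashes (assumption: plain MD5 of the password, no salt).
USERS = {"admin": hashlib.md5(b"correct horse battery").hexdigest()}


def login_proof(stored_hash: str, seed: str) -> str:
    """The value the login form posts, per the advisory: md5(stored_hash + seed).

    The input is the *stored hash*, not the password, so anyone holding the hash
    (from a stolen ajxp_remember cookie or from users.ser) can compute it.
    """
    return hashlib.md5((stored_hash + seed).encode()).hexdigest()


def verify_seeded_login(user: str, posted_proof: str, seed: str) -> bool:
    """Server-side check as the advisory describes it (assumption)."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(login_proof(stored, seed), posted_proof)


def cookie_is_password_equivalent(cookie: dict, seed: str) -> bool:
    """True when the remember cookie {"user": ..., "pass": <md5>} alone satisfies
    the check. This is the defect: the cookie is a reusable credential."""
    return verify_seeded_login(cookie["user"], login_proof(cookie["pass"], seed), seed)


# --- Hardened remember-me design (general practice, not AjaXplorer's fix) ---
# The cookie carries an opaque random token; the server keeps only a hash of it,
# bound to the user with an expiry, and invalidates it on every use. Nothing in
# the cookie is derived from the password, so a stolen copy yields no material
# for the password form, and it is dead after one redemption.
REMEMBER_TOKENS = {}  # sha256(token) -> (user, expiry)


def issue_remember_token(user: str, now: int, ttl: int = 30 * 86400) -> str:
    token = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (user, now + ttl)
    return token  # this is the only thing that goes in the cookie


def redeem_remember_token(token: str, now: int):
    """Return the user for a valid token, or None. Single use and time-limited."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = REMEMBER_TOKENS.pop(key, None)  # pop: a replayed token fails
    if entry is None:
        return None
    user, expiry = entry
    if now > expiry:
        return None
    return user


if __name__ == "__main__":
    seed = "1234567890"  # constructed seed value
    stolen = {"user": "admin", "pass": USERS["admin"]}
    print("hash-only login accepted:", cookie_is_password_equivalent(stolen, seed))
    tok = issue_remember_token("admin", now=1_000_000)
    print("token redeemed:", redeem_remember_token(tok, 1_000_001))
    print("replay of same token:", redeem_remember_token(tok, 1_000_002))
```

In the hardened path the server would issue a fresh token on each successful redemption and still require the real password before sensitive actions such as changing credentials; the point of the model is that the remembered credential must not be something from which the login proof can be computed.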

VULNERABLE PRODUCTS:
AjaXplorer Version 4.0.3 and Older

REFERENCES AND ADDITIONAL INFORMATION:
N/A

CREDITS:
StenoPlasma (at) ExploitDevelopment.com

TIMELINE:
Discovery: N/A
Vendor Notified: Feb 24, 2012
Vendor Fixed: Feb 24, 2012
Vendor Notified of Disclosure: Feb 24, 2012
Disclosure to CERT: Feb 24, 2012

VENDOR URL:
http://www.ajaxplorer.info

ADVISORY URL:
http://www.exploitdevelopment.com/Vulnerabilities/2012-WEB-001.html
http://www.kb.cert.org/vuls/id/504019

VENDOR ADVISORY URL:
http://ajaxplorer.info/ajaxplorer-4-0-4/