2.0.16 hacked via worm PLEASE READ

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
HaqDiesel
Registered User
Posts: 75
Joined: Sun Dec 12, 2004 4:00 am

2.0.16 hacked via worm PLEASE READ

Post by HaqDiesel » Tue Jul 19, 2005 4:23 pm

I don't know exactly how they did it, but my board running phpbb 2.0.16 has been hacked twice in the last 2 days. I have no evidence that it's not coming through a mod, but it doesn't look like it at this point.

Just a heads up. I'll update with any details.
Last edited by HaqDiesel on Tue Jul 19, 2005 5:59 pm, edited 1 time in total.

fumbalah
Registered User
Posts: 2000
Joined: Sat Jan 24, 2004 3:02 pm
Location: Lexington, Kentucky

Post by fumbalah » Tue Jul 19, 2005 4:25 pm

There's a security bug in the BBCode system of phpBB 2.0.16 and lower. A patch is being worked on at the moment.

HaqDiesel
Registered User
Posts: 75
Joined: Sun Dec 12, 2004 4:00 am

Post by HaqDiesel » Tue Jul 19, 2005 4:28 pm

Then I guess it might be a good time to tell people to TURN OFF BBCODE UNTIL THE UPDATE IS RELEASED SO YOU DON'T GET OWNED LIKE I DID.

By "2.0.16 and lower," you mean "every available version" pretty much, right?

igeoffi
Registered User
Posts: 153
Joined: Wed Jun 01, 2005 10:39 pm

Post by igeoffi » Tue Jul 19, 2005 4:57 pm

yes
it does mean that

thedopefish
Registered User
Posts: 1
Joined: Tue Jul 19, 2005 5:25 pm

Actual exploit found (not BBcode related)

Post by thedopefish » Tue Jul 19, 2005 5:32 pm

Well, one of these guys attempting to hack into my site left his perl exploit lying around in /tmp. After some analysis of the exploit code and phpBB code, I've found the vulnerability they're exploiting.

It has to do with the 'highlight' feature of phpBB. Specifically, the disgusting mess that does the string replaces to enable highlighting of a post (viewtopic.php line 1140, from phpBB 2.0.16). The line right below the comment stating "This was shamelessly 'borrowed' from volker at multiartstudio dot de via php.net's annotated manual".

This is a serious vulnerability, that looks like it can be used to execute arbitrary system commands. I can provide more details as necessary.

nemesisjp
I've Been Banned!
Posts: 2
Joined: Tue Jul 19, 2005 5:39 pm

Post by nemesisjp » Tue Jul 19, 2005 5:43 pm

I run a hosting company, and as I was trying to hunt down why there were several zombie servers being run by Apache and connecting out to IRC, while infecting other phpBB2 installs via google, I came across the "Hosts banning phpBB2.0" post on your main page.

psoTFX stated that "This is unfortunate for everyone and seems largely to be based on FUD." You guys can fuck yourselves and release vulnerability announcements in a timely manner, especially when the fix is a simple "comment out this line".

I can't believe you guys were using code you ripped from someone else that is ridiculously difficult to read and that you obviously don't understand. Over the last two days, my server has been broken into about 5 distinct times with 3-4 different variants of this worm. My suggestion is to release a fix soon or make a highly visible announcement.

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Tue Jul 19, 2005 5:47 pm

I want to make something very clear. Listen carefully because I will say it only once. Are you ready?

The XSS that people are referring to will not allow Perl injection or PHP injection or Python injection or anything of that sort. It only works on IE, and will only attempt to steal cookies under certain conditions.

Furthermore, obviously people don't understand what exactly is happening, because the fix is much more involved than just "comment this out" or "use this temp fix."

If something else has happened to your server, make sure you are up to date for phpBB, no MODs, and then make sure your server is up to date, because I hate to be the one to say it, but phpBB is not the only point of entry. Of course, a web host should know this before they go blaming something without providing proof.
Proven Offensive Security Expertise. OSCP - GXPN

nemesisjp
I've Been Banned!
Posts: 2
Joined: Tue Jul 19, 2005 5:39 pm

Post by nemesisjp » Tue Jul 19, 2005 5:55 pm

Techie-Michael: you clearly are a dickhead.

That said, you listen carefully. I have a demonstrable hack that will own phpBB (latest version and .10) through any browser. This is NOT an XSS vulnerability. This is NOT browser dependent. You CLEARLY DID NOT READ ANYTHING ABOUT THE EXPLOIT.

This was just exploited under firefox on linux, firefox on windows, and IE on windows.

Fuck you, fuck you, fuck you.

Keva
Registered User
Posts: 101
Joined: Mon Mar 28, 2005 12:21 pm

Post by Keva » Tue Jul 19, 2005 5:59 pm

If there is a security flaw I hope a fix is released soon :?

Flaming_cows
Registered User
Posts: 761
Joined: Sat Jul 05, 2003 1:43 am

Post by Flaming_cows » Tue Jul 19, 2005 5:59 pm

nemesisjp wrote: Techie-Michael: you clearly are a dickhead.

That said, you listen carefully. I have a demonstrable hack that will own phpBB (latest version and .10) through any browser. This is NOT an XSS vulnerability. This is NOT browser dependent. You CLEARLY DID NOT READ ANYTHING ABOUT THE EXPLOIT.

This was just exploited under firefox on linux, firefox on windows, and IE on windows.

*beep* you, *beep* you, *beep* you.

I'd like to see this amazing trick of yours that allows arbitrary system command execution through a 2.0.16 board through highlighting. Besides, if you have this exploit, you should be submitting it to the security tracker, not complaining about how there is no fix yet. And since you seem to look down on the phpBB group for [allegedly] not comprehending some PHP code, why don't you go fix it yourself and post the fix instead of complaining?

arod-1
Registered User
Posts: 1327
Joined: Mon Sep 20, 2004 1:33 pm

Post by arod-1 » Tue Jul 19, 2005 6:25 pm

nemesisjp wrote: I run a hosting company, and as I was trying to hunt down why there were several zombie servers being run by Apache and connecting out to IRC, while infecting other phpBB2 installs via google, I came across the "Hosts banning phpBB2.0" post on your main page.

psoTFX stated that "This is unfortunate for everyone and seems largely to be based on FUD." You guys can *beep* yourselves and release vulnerability announcements in a timely manner, especially when the fix is a simple "comment out this line".

I can't believe you guys were using code you ripped from someone else that is ridiculously difficult to read and that you obviously don't understand. Over the last two days, my server has been broken into about 5 distinct times with 3-4 different variants of this worm. My suggestion is to release a fix soon or make a highly visible announcement.
I do believe that the exploit you are describing is the one blocked by 2.0.16.
Are you sure you use the latest code?
Unfortunately, once a system was hacked, it is not enough to update the phpBB code. Once a system has been broken into, it has to be sanitized, which can be a non-trivial affair.

Hundeforum
Registered User
Posts: 64
Joined: Tue Jul 19, 2005 12:06 am

Post by Hundeforum » Tue Jul 19, 2005 6:38 pm

Might it be related to this (just asking)?

http://www.phpbb.com/phpBB/viewtopic.php?t=308092

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Tue Jul 19, 2005 6:49 pm

I hate to say it, but yes, there is a way into .16 through the ever-vulnerable highlight code, which allows arbitrary execution of PHP commands. A simple MOD_REWRITE rule blocks it, disabling the PHP system() and exec() calls defangs it, and removing the other security issues found in most sites makes it useless.

What are the other security issues?
  • writeable temporary or other file areas that allow command execution
  • web server user allowed access to wget and other file fetching tools
  • web server user allowed to write executable files anywhere

I tested exploit code that was reported here last week. It did manage to get through PHPBB to attempt to execute malicious code on the test server. That server doesn't have any of the issues listed above, so it did not succeed in doing anything more than make log entries.

The exploit has been reported to the security tracker. I'm sure it is being worked on, but it's one of those "how to fix it so that it doesn't break everything else" things. Personally, I'd disable the highlight code completely, and ignore any attempt to use it, but some people desperately need it.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
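The post above says a hardened server turns the attempts into nothing more than log entries, and that the poster would rather ignore any use of the highlight parameter altogether. An administrator working from that advice wants to find those log entries. The script below is an added example written for this archive; it is not code from the thread, from phpBB, or from the worm, and the log lines, IP addresses and function names in it are constructed for illustration. It parses Apache combined-format access logs, pulls the `highlight` query parameter out of each request to viewtopic.php, and reports any value that is not a plain search term (letters, digits, underscore, hyphen and whitespace), which is the same whitelist one would put behind a RewriteCond on the query string.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not taken from the thread).
# The third request carries a highlight value with characters that no search
# term needs; the last one has no highlight parameter at all.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2005:16:20:01 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=worm HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jul/2005:16:20:02 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=phpbb+security HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jul/2005:16:21:13 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=foo%3B%20bar HTTP/1.0" 200 8123 "-" "libwww-perl/5.79"
198.51.100.7 - - [19/Jul/2005:16:21:14 +0000] "GET /phpBB2/index.php HTTP/1.0" 200 3000 "-" "libwww-perl/5.79"
"""

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# A highlight value is a list of search words: allow word characters,
# hyphens and whitespace and nothing else (whitelist, not a signature).
SAFE_HIGHLIGHT_RE = re.compile(r'^[\w\s-]*$')


def parse_line(line):
    """Return the named fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def highlight_value(target):
    """Decoded value of the first 'highlight' query parameter, or None if absent."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("highlight")
    return values[0] if values else None


def is_safe_highlight(value):
    """True when the decoded highlight value looks like ordinary search terms."""
    return SAFE_HIGHLIGHT_RE.match(value) is not None


def audit(log_text):
    """Return one finding per request whose highlight parameter fails the whitelist."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        value = highlight_value(entry["target"])
        if value is None or is_safe_highlight(value):
            continue
        findings.append({
            "ip": entry["ip"],
            "time": entry["time"],
            "target": entry["target"],
            "highlight": value,
            "agent": entry.get("agent") or "-",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['agent']!r} highlight={f['highlight']!r}")
```

Run it over a real access log with `audit(open("access_log").read())`; anything it lists is a request that a search feature never generates and is worth correlating with the other indicators the thread mentions (outbound IRC connections, unexpected processes under the web server user). Because the check is a whitelist on the decoded value, it does not need to know what a particular worm variant sends, only what legitimate input looks like.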

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Tue Jul 19, 2005 6:51 pm

nemesisjp wrote: Techie-Michael: you clearly are a dickhead.

That said, you listen carefully. I have a demonstrable hack that will own phpBB (latest version and .10) through any browser. This is NOT an XSS vulnerability. This is NOT browser dependent. You CLEARLY DID NOT READ ANYTHING ABOUT THE EXPLOIT.

This was just exploited under firefox on linux, firefox on windows, and IE on windows.

*beep* you, *beep* you, *beep* you.
And one person banned. Anybody else want to tick me off today?

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Tue Jul 19, 2005 6:52 pm

espicom: Please PM me with details on this, because this is the first I've heard of something like this in .16.
