
2.0.16 hacked via worm PLEASE READ

Posted: Tue Jul 19, 2005 4:23 pm
by HaqDiesel
I don't know exactly how they did it, but my board running phpbb 2.0.16 has been hacked twice in the last 2 days. I have no evidence that it's not coming through a mod, but it doesn't look like it at this point.

Just a heads-up. I'll update with any details.

Posted: Tue Jul 19, 2005 4:25 pm
by fumbalah
There's a security bug in the BBCode system of phpBB 2.0.16 and lower. A patch is being worked on at the moment.

Posted: Tue Jul 19, 2005 4:28 pm
by HaqDiesel
Then I guess it might be a good time to tell people to TURN OFF BBCODE UNTIL THE UPDATE IS RELEASED SO YOU DON'T GET OWNED LIKE I DID.

By "2.0.16 and lower," you mean "every available version" pretty much, right?

Posted: Tue Jul 19, 2005 4:57 pm
by igeoffi
yes
it does mean that

Actual exploit found (not BBcode related)

Posted: Tue Jul 19, 2005 5:32 pm
by thedopefish
Well one of these guys attempting to hack into my site left his perl exploit lying around in /tmp. After some analysis of the exploit code and phpBB code, I've found the vulnerability they're exploiting.

It has to do with the 'highlight' feature of phpBB. Specifically, the disgusting mess that does the string replaces to enable highlighting of a post (viewtopic.php line 1140, from phpBB 2.0.16). The line right below the comment stating "This was shamelessly 'borrowed' from volker at multiartstudio dot de via php.net's annotated manual".

This is a serious vulnerability, that looks like it can be used to execute arbitrary system commands. I can provide more details as necessary.

Posted: Tue Jul 19, 2005 5:43 pm
by nemesisjp
I run a hosting company, and as I was trying to hunt down why there were several zombie servers being run by Apache and connecting out to IRC, while infecting other phpBB2 installs via google, I came across the "Hosts banning phpBB2.0" post on your main page.

psoTFX stated that "This is unfortunate for everyone and seems largely to be based on FUD." You guys can fuck yourselves and release vulnerability announcements in a timely manner, especially when the fix is a simple "comment out this line".

I can't believe you guys were using code you ripped from someone else that is ridiculously difficult to read and that you obviously don't understand. Over the last two days, my server has been broken into about 5 distinct times with 3-4 different variants of this worm. My suggestion is to release a fix soon or make a highly visible announcement.

Posted: Tue Jul 19, 2005 5:47 pm
by Techie-Micheal
I want to make something very clear. Listen carefully because I will say it only once. Are you ready?

The XSS that people are referring to will not allow Perl injection or PHP injection or Python injection or anything of that sort. It only works on IE, and will only attempt to steal cookies under certain conditions.

Furthermore, obviously people don't understand what exactly is happening, because the fix is much more involved than just "comment this out" or "use this temp fix."

If something else has happened to your server, make sure you are up to date for phpBB, no MODs, and then make sure your server is up to date, because I hate to be the one to say it, but phpBB is not the only point of entry. Of course, a web host should know this before they go blaming something without providing proof.

Posted: Tue Jul 19, 2005 5:55 pm
by nemesisjp
Techie-Michael: you clearly are a dickhead.

That said, you listen carefully. I have a demonstrable hack that will own phpBB (latest version and .10) through any browser. This is NOT an XSS vulnerability. This is NOT browser dependent. You CLEARLY DID NOT READ ANYTHING ABOUT THE EXPLOIT.

This was just exploited under firefox on linux, firefox on windows, and IE on windows.

Fuck you, fuck you, fuck you.

Posted: Tue Jul 19, 2005 5:59 pm
by Keva
if there is a security flaw i hope a fix is released soon :?

Posted: Tue Jul 19, 2005 5:59 pm
by Flaming_cows
nemesisjp wrote: Techie-Michael: you clearly are a dickhead.

That said, you listen carefully. I have a demonstrable hack that will own phpBB (latest version and .10) through any browser. This is NOT an XSS vulnerability. This is NOT browser dependent. You CLEARLY DID NOT READ ANYTHING ABOUT THE EXPLOIT.

This was just exploited under firefox on linux, firefox on windows, and IE on windows.

*beep* you, *beep* you, *beep* you.

I'd like to see this amazing trick of yours that allows arbitrary system command execution through a 2.0.16 board through highlighting. Besides, if you have this exploit, you should be submitting it to the security tracker, not complaining about how there is no fix yet. And since you seem to look down on the phpBB group for [allegedly] not comprehending some PHP code, why don't you go fix it yourself and post the fix instead of complaining?

Posted: Tue Jul 19, 2005 6:25 pm
by arod-1
nemesisjp wrote: I run a hosting company, and as I was trying to hunt down why there were several zombie servers being run by Apache and connecting out to IRC, while infecting other phpBB2 installs via google, I came across the "Hosts banning phpBB2.0" post on your main page.

psoTFX stated that "This is unfortunate for everyone and seems largely to be based on FUD." You guys can *beep* yourselves and release vulnerability announcements in a timely manner, especially when the fix is a simple "comment out this line".

I can't believe you guys were using code you ripped from someone else that is ridiculously difficult to read and that you obviously don't understand. Over the last two days, my server has been broken into about 5 distinct times with 3-4 different variants of this worm. My suggestion is to release a fix soon or make a highly visible announcement.
i do believe that the exploit you are describing is the one blocked by 2.0.16
are you sure you use the latest code?
unfortunately, once a system was hacked, it is not enough to update the phpbb code. once a system has been broken into, it has to be sanitized, which can be a non-trivial affair.

Posted: Tue Jul 19, 2005 6:38 pm
by Hundeforum
Might it be related to this (just asking)?

http://www.phpbb.com/phpBB/viewtopic.php?t=308092

Posted: Tue Jul 19, 2005 6:49 pm
by espicom
I hate to say it, but yes, there is a way into .16 through the ever-vulnerable highlight code, which allows arbitrary execution of PHP commands. A simple MOD_REWRITE rule blocks it, disabling the PHP system() and exec() calls defang it, and removing the other security issues found in most sites makes it useless.

What are the other security issues?
  • writable temporary or other file areas that allow command execution
  • web server user allowed access to wget and other file fetching tools
  • web server user allowed to write executable files anywhere
I tested exploit code that was reported here last week. It did manage to get through PHPBB to attempt to execute malicious code on the test server. That server doesn't have any of the issues listed above, so it did not succeed in doing anything more than make log entries.

The exploit has been reported to the security tracker. I'm sure it is being worked on, but it's one of those "how to fix it so that it doesn't break everything else" things. Personally, I'd disable the highlight code completely, and ignore any attempt to use it, but some people desperately need it.
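An added example (not code from this thread or from phpBB) in the spirit of espicom's remark that a blocked attempt still leaves log entries: it scans an Apache combined log for viewtopic.php requests whose highlight parameter carries anything other than plain search words. It assumes that format and that a legitimate highlight value is just words and spaces; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined"-style request line; only the fields we use are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Assumption: a legitimate highlight value is a search term made of word
# characters and spaces. Anything else (quotes, dots, parentheses, percent
# signs left over from double encoding) is worth a look.
PLAIN_TERM = re.compile(r'^[\w ]*$')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2005:17:01:02 +0000] "GET /phpBB2/viewtopic.php?t=123&highlight=server+upgrade HTTP/1.1" 200 5120
203.0.113.9 - - [19/Jul/2005:17:02:10 +0000] "GET /phpBB2/viewtopic.php?t=123&highlight=%27%3B%28%29 HTTP/1.1" 200 4096
203.0.113.7 - - [19/Jul/2005:17:03:44 +0000] "GET /phpBB2/viewforum.php?f=2 HTTP/1.1" 200 3000
"""


def suspicious_highlight(value: str) -> bool:
    """True when the highlight value is not a plain search term.

    parse_qs has already decoded one layer of URL encoding; decoding once
    more catches double-encoded values without affecting plain words.
    """
    return PLAIN_TERM.match(unquote(value)) is None


def scan_log(text: str) -> list:
    """Return one record per viewtopic.php request with a suspicious highlight."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        if not url.path.endswith('/viewtopic.php'):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get('highlight', []):
            if suspicious_highlight(value):
                hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'highlight': value})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} highlight={hit['highlight']!r}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; every hit is a request that at least reached the highlight code and deserves a look alongside the server-side hardening espicom lists.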

Posted: Tue Jul 19, 2005 6:51 pm
by Techie-Micheal
nemesisjp wrote: Techie-Michael: you clearly are a dickhead.

That said, you listen carefully. I have a demonstrable hack that will own phpBB (latest version and .10) through any browser. This is NOT an XSS vulnerability. This is NOT browser dependent. You CLEARLY DID NOT READ ANYTHING ABOUT THE EXPLOIT.

This was just exploited under firefox on linux, firefox on windows, and IE on windows.

*beep* you, *beep* you, *beep* you.
And one person banned. Anybody else want to tick me off today?

Posted: Tue Jul 19, 2005 6:52 pm
by Techie-Micheal
espicom: Please PM me with details on this, because this is the first I've heard of something like this in .16.