Easily and Remotely Pipe a Covert Shell on phpBB version 1.4.0 and below

From: kill-9@modernhackers.com
Date: 08/10/01


Date: 10 Aug 2001 07:20:48 -0000
Message-ID: <20010810072048.7771.qmail@securityfocus.com>
From: <kill-9@modernhackers.com>
To: bugtraq@securityfocus.com
Subject: Easily and Remotely Pipe a Covert Shell on phpBB version 1.4.0 and below

note to editors: please leave all links intact.
###################################################
Easily and Remotely Pipe a Covert Shell on phpBB
version 1.4.0 and below

found and written by: kill-9@modernhacker.com
http://www.modernhacker.com


phpBB is an open source bulletin board created by
the phpBB group (phpbb.com). Versions 1.4.0 and
below are vulnerable to an input validation attack that
allows arbitrary code to be executed by an attacker.
This leads to disclosure of all user account
information, access to the admin panel, and a
simulated covert shell on the server running phpBB.
A user may then elevate his privileges on the system.

The problem is that prefs.php does not properly
check user input for the language selection. The
user's language selection is submitted through a
drop-down box and then saved in the database. The
stored selection is later processed during execution
of auth.php to include the appropriate language file.

<example code from auth.php>

// Include the appropriate language file.
// $default_lang is the user's stored preference and is not checked
// here; a bogus value makes every include() below fail silently,
// leaving the language variables (such as $l_privnotify) undefined.
if(!strstr($PHP_SELF, "admin"))
{
   include('language/lang_'.$default_lang.'.'.$phpEx);
}
else
{
   if(strstr($PHP_SELF, "topicadmin")) {
      include('language/lang_'.$default_lang.'.'.$phpEx);
   } else {
      include('../language/lang_'.$default_lang.'.'.$phpEx);
   }
}
</end example code>

If a user supplies an invalid language value, then no
language file will be included. This is very bad
because a few important variables that are defined
in the language file are passed through the eval()
function. Therefore a user can supply his own value
(as a request parameter, which PHP's register_globals
setting exposes as a global variable) and it will be
eval'ed if no language file is included.

Such a situation exists in the page_header.php file:
if a registered user has a private message in his
box, then the $l_privnotify variable that is supposed
to be defined in the language file is processed as
arbitrary PHP code, because it passes through the
eval() function.


<example code from page_header.php>

if ($new_message != 0)
{
    // $l_privnotify should come from the language file. If no file
    // was included, it holds whatever the request supplied, and
    // eval() runs it as PHP before $privnotify is printed.
    eval($l_privnotify);
    print $privnotify;
}

</end example code>
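As an added illustration (not phpBB's code and not the author's test tool), the PHP below shows how both weak spots can be closed: the language name is checked against an allowlist derived from the files that actually exist, a missing language file fails closed, and the notification is rendered without eval(). The function names and the template form of $l_privnotify are assumptions made for this example.

```php
<?php
// Added example, not phpBB code: hardened handling of the two weak spots
// described above (an unvalidated $lang, and eval() of a variable that
// may never have been defined). Assumes register_globals is off.

// Allowlist built from files that really exist under language/. The
// pattern admits only [a-z_], so a value like "../../" can never match.
function validLanguages(string $langDir): array
{
    $names = [];
    foreach (glob($langDir . '/lang_*.php') ?: [] as $file) {
        if (preg_match('/^lang_([a-z_]+)\.php$/', basename($file), $m)) {
            $names[] = $m[1];
        }
    }
    return $names;
}

// prefs.php side: anything not allowlisted becomes the board default
// before it is stored, so the database never holds a bogus name.
function chooseLanguage(string $requested, array $allowed, string $fallback): string
{
    return in_array($requested, $allowed, true) ? $requested : $fallback;
}

// auth.php side: fail closed when the file is absent instead of letting
// include() continue silently. Caller does `require languageFile(...)`.
function languageFile(string $langDir, string $lang): string
{
    $file = $langDir . '/lang_' . $lang . '.php';
    if (!is_file($file)) {
        throw new RuntimeException("language file for '$lang' is missing");
    }
    return $file;
}

// page_header.php side: no eval(). Assumes (our convention, not phpBB's)
// that $l_privnotify is a plain template with a %NEW% placeholder.
function renderPrivNotify(?string $template, int $newMessages): string
{
    $template ??= 'You have %NEW% new private message(s).';
    $text = str_replace('%NEW%', (string) $newMessages, $template);
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed demonstration values (what validLanguages() would return).
$allowed = ['english', 'german'];
echo chooseLanguage('../../', $allowed, 'english'), "\n";  // falls back
echo renderPrivNotify(null, 2), "\n";                      // no eval involved
```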


I have provided code for testing purposes that will
pipe back a covert shell to a netcat listener. Use the
backdoor edition, and set the variable to l_privnotify.


Summary:

1. Register an account on phpBB 1.4.0 or any older
version and login.

2. Enter the following url to change the language to an
invalid one:
prefs.php?HTTP_POST_VARS[save]=1&save=1&viewemail=1&lang=../../

3. Send yourself a private message.

4. Set the first part of the vhak backdoor edition
to: "prefs.php?l_privnotify=" and you will gain an
interactive shell to the system. It can be found at:
http://www.modernhacker.com/vhak.php

You may only use vhak for the legal purpose of
testing your own board for this vulnerability.


Note: the phpBB team has known about this vulnerability
and failed to alert the public. Their acknowledgement is
seen in the 1.4.1 source code comments.

###################################################