Re: Worm hitting PHPbb2 Forums

From: Chris Ess (securityfocus_at_cae.tokimi.net)
Date: 12/21/04

    Date: Tue, 21 Dec 2004 14:14:36 -0500 (EST)
    To: lists <lists@innocence-lost.net>
    
    

    > Funny enough, I got a message from a former employer about this worm
    > yesterday - a box I had set up that had hardened php on it got hit hard by
    > this worm. I must've misread the advisory as I was under the impression
    > that the Hardened PHP patches protected PHP through canary values from
    > this bug? Or does it use more than just unserialize() (i.e. realpath() )

    This worm appears to have nothing to do with the bugs fixed in versions
    4.3.10 and 5.0.3 of PHP.

    The bug occurs in this line in viewtopic.php in phpBB2:
    (Formatting changed to make it look pretty. It's line 1109 in phpBB2
    2.0.10)

    $message = str_replace('\"', '"',
            substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se',
            "preg_replace('#\b(" . $highlight_match . ")\b#i',
            '<span style=\"color:#"
            . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' .
            $message . '<'), 1, -1));

    The 'e' flag on the regex pattern tells it to interpret the statement as
    valid PHP code and run it. (Reference is:
    http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php)

    The bug that is exploited works in such a way that it actually runs the
    command that is passed through the highlight GET variable. I'm not 100%
    sure how this works since I haven't had the chance to correlate the
    strings recorded in Apache's access log with the above code.

    Sincerely,

    Chris Ess
    System Administrator / CDTT (Certified Duct Tape Technician)
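
Added example, not part of the message above and not phpBB code: one way to triage Apache access logs for viewtopic.php requests whose highlight GET variable carries anything other than plain search words. The log lines are constructed samples in combined log format; the allowlist of "normal" characters and all function names are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines (Apache combined log format), not from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Dec/2004:10:01:12 -0500] "GET /forum/viewtopic.php?t=42&highlight=linux+kernel HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
192.0.2.77 - - [21/Dec/2004:10:03:40 -0500] "GET /forum/viewtopic.php?t=42&highlight=foo%2527bar HTTP/1.0" 200 17020 "-" "-"
192.0.2.10 - - [21/Dec/2004:10:04:02 -0500] "GET /forum/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.91 - - [21/Dec/2004:10:05:19 -0500] "GET /forum/viewtopic.php?highlight=a%22b&t=7 HTTP/1.0" 200 17020 "-" "-"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate highlight terms are words, whitespace, '*' and '-'.
SAFE_VALUE_RE = re.compile(r"[\w\s*-]*\Z")

def fully_decode(value, max_rounds=5):
    """URL-decode repeatedly so multiply-encoded characters are revealed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_highlight(line):
    """Return the decoded highlight value if it leaves the allowlist, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/viewtopic.php"):
        return None
    # parse_qs decodes once; fully_decode handles any further encoding layers.
    for raw in parse_qs(url.query, keep_blank_values=True).get("highlight", []):
        value = fully_decode(raw)
        if not SAFE_VALUE_RE.match(value):
            return value
    return None

def scan(log_text):
    """Return (client_ip, decoded_highlight) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        value = suspicious_highlight(line)
        if value is not None:
            hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip}\thighlight={value!r}")
```

Hits are leads for review rather than confirmed compromises; the decoded value shows what reached the application after all encoding layers were removed.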

