Re: Worm hitting PHPbb2 Forums

From: lists (lists_at_innocence-lost.net)
Date: 12/21/04

    Date: Tue, 21 Dec 2004 12:21:04 -0700 (MST)
    To: Chris Ess <securityfocus@cae.tokimi.net>
    
    

    Yeah, good catch. After looking into it a little further I found that it
    wasn't related to that advisory, but rather to one from 11.13.04; the
    exploit code for the original bug can be found on k-otik.com.

    Thanks for the info

    --
    There are only two choices in life. You either conform the truth to your desire,
    or you conform your desire to the truth. Which choice are you making?

    On Tue, 21 Dec 2004, Chris Ess wrote:
    > Date: Tue, 21 Dec 2004 14:14:36 -0500 (EST)
    > From: Chris Ess <securityfocus@cae.tokimi.net>
    > To: lists <lists@innocence-lost.net>
    > Cc: incidents@securityfocus.com
    > Subject: Re: Worm hitting PHPbb2 Forums
    >
    > > Funny enough, I got a message from a former employer about this worm
    > > yesterday: a box I had set up that had hardened PHP on it got hit hard by
    > > this worm. I must've misread the advisory, as I was under the impression
    > > that the Hardened PHP patches protected PHP through canary values from
    > > this bug? Or does it use more than just unserialize() (i.e., realpath())?
    >
    > This worm appears to have nothing to do with the bugs fixed in versions
    > 4.3.10 and 5.0.3 of PHP.
    >
    > The bug occurs in this line in viewtopic.php in phpBB2:
    > (Formatting changed to make it look pretty.  It's line 1109 in phpBB2
    > 2.0.10)
    >
    > $message = str_replace('\"', '"',
    > 	substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se',
    > 	"preg_replace('#\b(" . $highlight_match . ")\b#i',
    > 	'<span style=\"color:#"
    > 	. $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' .
    > 	$message . '<'), 1, -1));
    >
    > The 'e' flag on the regex pattern tells it to interpret the statement as
    > valid PHP code and run it.  (Reference is:
    > http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php)
    >
    > The bug that is exploited works in such a way that it actually runs the
    > command that is passed through the highlight GET variable.  I'm not 100%
    > sure how this works since I haven't had the chance to correlate the
    > strings recorded in apache's access log with the above code.
    >
    > Sincerely,
    >
    >
    > Chris Ess
    > System Administrator / CDTT (Certified Duct Tape Technician)
    >
    
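The /e mechanism Chris describes, as an added example that is not code from phpBB or from either poster: a reduced model of the viewtopic.php line next to a preg_replace_callback() version in which the highlight text can never reach the PHP parser. The function names, the sample post, the highlight values and the mark_executed() canary are all constructed for the illustration. It needs a PHP 5.3 to 5.6 interpreter: /e was deprecated in 5.5 and removed in 7.0, and the closure needs 5.3.

```php
<?php
// Added example, not phpBB code. Reduced model of the viewtopic.php
// highlighting quoted above: an outer preg_replace() with /e whose
// replacement string is PHP source, with the highlight text concatenated
// into a single-quoted literal inside that source.
// Runs on PHP 5.3-5.6 only: /e was deprecated in 5.5 and removed in 7.0.

$executed = false;

// Constructed canary: any call to it proves that attacker-chosen PHP ran.
function mark_executed()
{
    $GLOBALS['executed'] = true;
    return 'world';
}

// Vulnerable shape (theme colour and the recursive tag matcher dropped).
function highlight_with_e($message, $highlight_match)
{
    // $code is PHP source. For each match of the outer pattern, PCRE
    // substitutes \0 with the matched ">text<" run (quotes and backslashes
    // inside the match are backslash-escaped; the original's outer
    // str_replace('\"', '"', ...) strips those again) and hands the string
    // to eval(). $highlight_match is spliced in before that happens and is
    // not escaped at all.
    $code = "preg_replace('#\\b(" . $highlight_match . ")\\b#i',"
          . " '<b>\\\\1</b>', '\\0')";
    return substr(preg_replace('#>[^<>]*<#e', $code, '>' . $message . '<'), 1, -1);
}

// Hardened shape: the highlight text only ever reaches PCRE as a quoted
// pattern, never the PHP parser.
function highlight_with_callback($message, $highlight_match)
{
    $pattern = '#\b(' . preg_quote($highlight_match, '#') . ')\b#i';
    $replace = function ($m) use ($pattern) {
        return preg_replace($pattern, '<b>\1</b>', $m[0]);
    };
    return substr(preg_replace_callback('#>[^<>]*<#', $replace, '>' . $message . '<'), 1, -1);
}

$post = 'hello world';                          // constructed post body

// Ordinary use: the word "world" is wrapped in <b>.
echo highlight_with_e($post, 'world'), "\n";

// A quote in the highlight text closes the literal inside the evaluated
// source, so '.mark_executed().' is parsed as a concatenation and the
// call runs. Its return value becomes the pattern, so "world" is still
// highlighted and nothing in the output looks wrong.
$payload = "'.mark_executed().'";
echo highlight_with_e($post, $payload), "\n";
echo 'canary ran: ', ($executed ? 'yes' : 'no'), "\n";

// Same payload through the callback version: it is searched for literally.
$executed = false;
echo highlight_with_callback($post, $payload), "\n";
echo 'canary ran: ', ($executed ? 'yes' : 'no'), "\n";
```

The first two calls produce identical highlighted output, and only the canary variable shows that the second one ran attacker-supplied code; that is why log correlation, as Chris mentions, is the practical way to spot this. In the callback version preg_quote() is applied to the raw word; whatever escaping the caller already did, the text is a pattern, not source.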
