Re: Worm hitting PHPbb2 Forums

> Funny enough, I got a message from a former employer about this worm
> yesterday- a box I had setup that had hardened php on it got hit hard by
> this worm. I must've misread the advisory as I was under the impression
> that the Hardened PHP patches protected PHP through canary values from
> this bug? Or does it use more than just unserialize() (i.e. realpath() )

This worm appears to have nothing to do with the bugs fixed in versions
4.3.10 and 5.0.3 of PHP.

The bug occurs in this line in viewtopic.php in phpBB2:
(Formatting changed to make it look pretty.  It's line 1109 in phpBB2
2.0.10)

$message = str_replace('\"', '"',
        substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se',
        "preg_replace('#\b(" . $highlight_match . ")\b#i',
        '<span style=\"color:#"
        . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' .
        $message . '<'), 1, -1));

The 'e' flag on the regex pattern tells it to interpret the statement as
valid PHP code and run it.  (Reference is:
http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php)

The bug that is exploited works in such a way that it actually runs the
command that is passed through the highlight GET variable.  I'm not 100%
sure how this works since I haven't had the chance to correlate the
strings recorded in apache's access log with the above code.

Sincerely,


Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)