Yea good catch, after looking into it a little further I found that it
wasn't related to that advisory, but rather to one from 11.13.04, the
exploit code of the original bug can be found on k-otik.com
Thanks for the info
--
There are only two choices in life. You either conform the truth to your desire,
or you conform your desire to the truth. Which choice are you making?
On Tue, 21 Dec 2004, Chris Ess wrote:
Date: Tue, 21 Dec 2004 14:14:36 -0500 (EST)
From: Chris Ess <securityfocus@cae.tokimi.net>
To: lists <lists@innocence-lost.net>
Cc: incidents@securityfocus.com
Subject: Re: Worm hitting PHPbb2 Forums
Funny enough, I got a message from a former employer about this worm
yesterday- a box I had setup that had hardened php on it got hit hard by
this worm. I must've misread the advisory as I was under the impression
that the Hardened PHP patches protected PHP through canary values from
this bug? Or does it use more than just unserialize() (i.e. realpath() )
This worm appears to have nothing to do with the bugs fixed in versions
4.3.10 and 5.0.3 of PHP.
The bug occurs in this line in viewtopic.php in phpBB2:
(Formatting changed to make it look pretty. It's line 1109 in phpBB2
2.0.10)
$message = str_replace('\"', '"',
substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se',
"preg_replace('#\b(" . $highlight_match . ")\b#i',
'<span style=\"color:#"
. $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' .
$message . '<'), 1, -1));
The 'e' flag on the regex pattern tells it to interpret the statement as
valid PHP code and run it. (Reference is:
http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php)
The bug that is exploited works in such a way that it actually runs the
command that is passed through the highlight GET variable. I'm not 100%
sure how this works since I haven't had the chance to correlate the
strings recorded in apache's access log with the above code.
Sincerely,
Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
