Security Incidents mailing list archives
Re: Worm hitting PHPbb2 Forums
From: lists <lists () innocence-lost net>
Date: Tue, 21 Dec 2004 12:21:04 -0700 (MST)
Yea good catch, after looking into it a little further I found that it wasn't related to that advisory, but rather to one from 11.13.04, the exploit code of the original bug can be found on k-otik.com Thanks for the info -- There are only two choices in life. You either conform the truth to your desire, or you conform your desire to the truth. Which choice are you making? On Tue, 21 Dec 2004, Chris Ess wrote:
Date: Tue, 21 Dec 2004 14:14:36 -0500 (EST) From: Chris Ess <securityfocus () cae tokimi net> To: lists <lists () innocence-lost net> Cc: incidents () securityfocus com Subject: Re: Worm hitting PHPbb2 ForumsFunny enough, I got a message from a former employer about this worm yesterday- a box I had setup that had hardened php on it got hit hard by this worm. I must've misread the advisory as I was under the impression that the Hardened PHP patches protected PHP through canary values from this bug? Or does it use more than just unserialize() (i.e. realpath() )This worm appears to have nothing to do with the bugs fixed in versions 4.3.10 and 5.0.3 of PHP. The bug occurs in this line in viewtopic.php in phpBB2: (Formatting changed to make it look pretty. It's line 1109 in phpBB2 2.0.10) $message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1)); The 'e' flag on the regex pattern tells it to interpret the statement as valid PHP code and run it. (Reference is: http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php) The bug that is exploited works in such a way that it actually runs the command that is passed through the highlight GET variable. I'm not 100% sure how this works since I haven't had the chance to correlate the strings recorded in apache's access log with the above code. Sincerely, Chris Ess System Administrator / CDTT (Certified Duct Tape Technician)
Current thread:
- Worm hitting PHPbb2 Forums L. Walker (Dec 21)
- Re: Worm hitting PHPbb2 Forums mark (Dec 21)
- Re: Worm hitting PHPbb2 Forums Chris Ess (Dec 21)
- Re: Worm hitting PHPbb2 Forums lists (Dec 21)
- Re: Worm hitting PHPbb2 Forums Chris Ess (Dec 21)
- Re: Worm hitting PHPbb2 Forums lists (Dec 21)
- Re: Worm hitting PHPbb2 Forums Barrie Dempster (Dec 21)
- Re: Worm hitting PHPbb2 Forums lists (Dec 21)
- <Possible follow-ups>
- RE: Worm hitting PHPbb2 Forums Christopher Adickes (Dec 21)
- RE: Worm hitting PHPbb2 Forums Mike (Dec 21)
- RE: Worm hitting PHPbb2 Forums M. Shirk (Dec 22)