|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Worm hitting PHPbb2 Forums
From: lists (lists
innocence-lost.net)
Date: Tue Dec 21 2004 - 13:21:04 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Yea good catch, after looking into it a little further I found that it
wasn't related to that advisory, but rather to one from 11.13.04, the
exploit code of the original bug can be found on k-otik.com
Thanks for the info
--
There are only two choices in life. You either conform the truth to your desire,
or you conform your desire to the truth. Which choice are you making?
On Tue, 21 Dec 2004, Chris Ess wrote:
> Date: Tue, 21 Dec 2004 14:14:36 -0500 (EST)
> From: Chris Ess <securityfocuscae.tokimi.net>
> To: lists <listsinnocence-lost.net>
> Cc: incidentssecurityfocus.com
> Subject: Re: Worm hitting PHPbb2 Forums
>
> > Funny enough, I got a message from a former employer about this worm
> > yesterday- a box I had setup that had hardened php on it got hit hard by
> > this worm. I must've misread the advisory as I was under the impression
> > that the Hardened PHP patches protected PHP through canary values from
> > this bug? Or does it use more than just unserialize() (i.e. realpath() )
>
> This worm appears to have nothing to do with the bugs fixed in versions
> 4.3.10 and 5.0.3 of PHP.
>
> The bug occurs in this line in viewtopic.php in phpBB2:
> (Formatting changed to make it look pretty. It's line 1109 in phpBB2
> 2.0.10)
>
> $message = str_replace('\"', '"',
> substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se',
> "preg_replace('#\b(" . $highlight_match . ")\b#i',
> '<span style=\"color:#"
> . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' .
> $message . '<'), 1, -1));
>
> The 'e' flag on the regex pattern tells it to interpret the statement as
> valid PHP code and run it. (Reference is:
> http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php)
>
> The bug that is exploited works in such a way that it actually runs the
> command that is passed through the highlight GET variable. I'm not 100%
> sure how this works since I haven't had the chance to correlate the
> strings recorded in apache's access log with the above code.
>
> Sincerely,
>
>
> Chris Ess
> System Administrator / CDTT (Certified Duct Tape Technician)
>
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]