Serious Virus phpBB Exploit

Discussion in 'OT Technology' started by Woodmaster, Jan 25, 2005.

  1. Woodmaster

    Woodmaster New Member

    Joined:
    Dec 25, 2002
    Messages:
    15,448
    Likes Received:
    0
    Location:
    Brasil
    Guys, one of my boxes was hacked into with a DOS attack today but the server admin caught it before any damage was done. Anywho, they got in because of an outdated phpbb we had in our cpanel. Below is more information but anyone that uses phpBB should update to the most current version immediately! Can this get a sticky?

    --------------------

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Technical Cyber Security Alert TA04-356A
    Exploitation of phpBB highlight parameter vulnerability

    Original release date: December 21, 2004
    Last revised: --
    Source: US-CERT

    Systems Affected

    phpBB versions 2.0.10 and prior

    Overview

    The software phpBB contains an input validation problem in how it
    processes a parameter contained in URLs. An intruder can deface a
    phpBB website, execute arbitrary commands, or gain administrative
    privileges on a compromised bulletin board.

    I. Description

    phpBB is an open-source bulletin board application. It fails to
    properly perform an urldecode() on the "highlight" parameter supplied
    to viewtopic.php. This may allow a remote attacker to execute
    arbitrary commands on a vulnerable server.

    According to reports, this vulnerability is being actively exploited
    by the Santy.A worm. The worm appears to propagate by searching for
    the keyword "viewtopic.php" in order to find vulnerable sites.

    The worm writes itself to a file named "m1ho2of" on the compromised
    system. It then overwrites files ending with .htm, .php, .asp, .shtm,
    .jsp, and .phtm replacing them with HTML content that defaces the web
    page. The worm then tries to use PERL to execute itself on the
    compromised system and propagate further.

    US-CERT is tracking this issue as:

    VU#497400 - phpBB viewtopic.php fails to properly sanitize input
    passed to the "highlight" parameter

    II. Impact

    A remote attacker may be able to deface a phpBB website and execute
    arbitrary commands on a compromised bulletin board.

    III. Solution

    Upgrade phpBB

    Upgrade to phpBB version 2.0.11 to prevent exploitation.

    Appendix A. References

    * US-CERT Vulnerability Note VU#497400 -
    <http://www.kb.cert.org/vuls/id/497400>
    * phpBB Downloads - <http://www.phpbb.com/downloads.php>
    * phpBB Announcement -
    <http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636>
    * Symantec Security Response - Perl.Santy -
    <http://securityresponse.symantec.co...data/perl.santy
    .html>
    * McAfee - Computer Virus Software and Internet Security -
    <http://us.mcafee.com/virusInfo/defa...iption&virus_k=
    130471>
    _________________________________________________________________

    This vulnerability was reported by the phpBB Development Team.
    _________________________________________________________________

    Feedback can be directed to the authors: Jeffrey Gennari and
    Jason Rafail
    _________________________________________________________________

    This document is available from:

    <http://www.us-cert.gov/cas/techalerts/TA04-356A.html>

    _________________________________________________________________

    Copyright 2004 Carnegie Mellon University.

    Terms of use: <http://www.us-cert.gov/legal.html>
    _________________________________________________________________

    Revision History

    Dec 21, 2004: Initial release

    Last updated December 21, 2004
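
A defender-side check built from the two indicators in the alert quoted above (requests to viewtopic.php carrying a "highlight" parameter, and a file named "m1ho2of"), added here as an example and not part of the original post or the US-CERT alert. It assumes the urldecode() flaw is reached through a doubly percent-encoded highlight value, which the alert does not spell out; the log lines and function names are constructed for illustration.

```python
import os
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines, not real traffic (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Dec/2004:10:01:02 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=security+patch HTTP/1.1" 200 5120
192.0.2.44 - - [21/Dec/2004:10:01:09 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=%2527test%2527 HTTP/1.0" 200 4988
192.0.2.10 - - [21/Dec/2004:10:02:30 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")
WORM_FILE = "m1ho2of"  # file name given in TA04-356A


def raw_highlight_values(target):
    """Raw (still percent-encoded) highlight values of a viewtopic.php request."""
    parts = urlsplit(target)
    if not parts.path.endswith("viewtopic.php"):
        return []
    pairs = (p.partition("=") for p in parts.query.split("&"))
    return [value for name, _, value in pairs if unquote(name) == "highlight"]


def is_double_encoded(raw):
    """True if escapes remain after the single decoding pass PHP applies to GET input.

    Assumption: a second urldecode() in the application is what makes this dangerous.
    A search term that literally contains '%' plus two hex digits is a false positive.
    """
    return bool(ESCAPE_RE.search(unquote(raw.replace("+", " "))))


def suspicious_requests(log_text):
    """Return (client, target) for viewtopic.php hits with a double-encoded highlight."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        client, target = match.groups()
        if any(is_double_encoded(v) for v in raw_highlight_values(target)):
            hits.append((client, target))
    return hits


def find_worm_files(web_root):
    """Paths under web_root whose file name matches the one the worm writes."""
    return [os.path.join(d, f) for d, _, files in os.walk(web_root)
            for f in files if f == WORM_FILE]
```

A hit from either function on a host running phpBB 2.0.10 or earlier is a reason to treat the box as compromised and not only to upgrade it.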
     
  2. Rob

    Rob OT Supporter

    Joined:
    Jul 6, 2002
    Messages:
    88,625
    Likes Received:
    40
    Location:
    Atlanta, GA
    This vulnerability was released quite a while ago. Everyone should be patched by now (except you :mamoru: ).
     
  3. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
    ^^^

    :werd: only old versions were affected
     
  4. Woodmaster

    Woodmaster New Member

    Joined:
    Dec 25, 2002
    Messages:
    15,448
    Likes Received:
    0
    Location:
    Brasil
    :wtc: Well I guess I'm not on the up and up. I guess you guys are just too cool for school.
     
  5. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
    it was funny cause my college's student union website got nailed too. :ROFL: i fucking hate them.
     
  6. col_panic

    col_panic calm like a bomb Moderator

    Joined:
    Sep 19, 2003
    Messages:
    188,160
    Likes Received:
    0
    Location:
    winter haven, fl
    a DOS attack is a denial of service. an exploit might lead to a DOS, but strictly speaking it is not "hacking into" anything
     
  7. DatacomGuy

    DatacomGuy is moving to Canada

    Joined:
    Oct 14, 2002
    Messages:
    16,546
    Likes Received:
    0
    Location:
    Tampa, FL
    :rofl: Yeah, this is about 6 months old. :bigok:
     
  8. Juvenall

    Juvenall What Would Juvie Do?

    Joined:
    Dec 31, 2004
    Messages:
    2,221
    Likes Received:
    0
    Location:
    #!/usr/bin/Detroit
