6882387 2001-08-10 07:20 +0000 /110 lines/ <kill-9@modernhackers.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-10 17:12 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18699>
Subject: Easily and Remotely Pipe a Covert Shell on phpBB version 1.4.0 and below
------------------------------------------------------------
From: <kill-9@modernhackers.com>
To: bugtraq@securityfocus.com
Message-ID: <20010810072048.7771.qmail@securityfocus.com>

note to editors: please leave all links intact.

###################################################

Easily and Remotely Pipe a Covert Shell on phpBB version 1.4.0 and below

found and written by: kill-9@modernhacker.com
http://www.modernhacker.com

phpBB is an open source bulletin board created by the phpBB group (phpbb.com). Versions 1.4.0 and below are vulnerable to an input validation attack that allows arbitrary code to be executed by an attacker. This leads to disclosure of all user account information, access to the admin panel, and a simulated covert shell on the server running phpBB. A user may then elevate his privileges on the system.

The problem is that in the prefs.php file, phpBB does not properly check user input for the language selection. The user's language selection is submitted through a drop-down box and then saved in the database. The saved selection is then processed during execution of auth.php to include the corresponding language file.

<example code from auth.php>
// Include the appropriate language file.
if(!strstr($PHP_SELF, "admin"))
{
    include('language/lang_'.$default_lang.'.'.$phpEx);
}
else
{
    if(strstr($PHP_SELF, "topicadmin"))
    {
        include('language/lang_'.$default_lang.'.'.$phpEx);
    }
    else
    {
        include('../language/lang_'.$default_lang.'.'.$phpEx);
    }
}
</end example code>

If a user supplies an invalid language value, then no language file will be included.
This is very bad because several important variables that are defined in the language file are passed through the eval() function. If no language file is included, those variables are left undefined, so a user can supply his own value for one of them and it will be eval'ed.

Such a situation exists in the page_header.php file: if a registered user has a private message in his box, then the $l_privnotify variable, which is supposed to be defined in the language file, is processed as arbitrary PHP code because it passes through the eval() function.

<example code from page_header.php>
if ($new_message != 0)
{
    eval($l_privnotify);
    print $privnotify;
}
</end example code>

I have provided code for testing purposes that will pipe back a covert shell to a netcat listener. Use the backdoor edition, and set the variable to l_privnotify.

Summary:

1. Register an account on phpBB 1.4.0 or any older version and log in.
2. Enter the following URL to change the language to an invalid one:
   prefs.php?HTTP_POST_VARS[save]=1&save=1&viewemail=1&lang=../../
3. Send yourself a private message.
4. Set the first part of the vhak backdoor edition to "prefs.php?l_privnotify=" and you will gain an interactive shell to the system. It can be found at:
   http://www.modernhacker.com/vhak.php

You may only use vhak for the legal purpose of testing your own board for this vulnerability.

Note: The phpBB team has known about this vulnerability and failed to alert the public. Their acknowledgement is seen in the 1.4.1 source code comments.

###################################################
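The two code fragments above show the full chain: an unchecked language value stored by prefs.php reaches include() unchanged, so a bogus value leaves every $l_* string undefined, and page_header.php then eval()s $l_privnotify, which a request parameter can populate because phpBB 1.x relied on PHP's register_globals. The following is an added hardening example written for this page, not phpBB's own code or a patch from the phpBB team. It assumes language files live in ./language/ as lang_<code>.php and that $default_lang is the preference read back from the database (still untrusted, since it was user input when it was stored). It removes both links of the chain: the language value is mapped through an allow-list built from files that actually exist, and the private-message notice is produced with sprintf() instead of eval().

```php
<?php
// Added hardening example; not phpBB code. Assumptions: language files are
// ./language/lang_<code>.php and $default_lang comes from the user record.

// Return the path of a language file only if $code is on an allow-list
// derived from the files present on disk. Anything else (including the
// "../../" value from the advisory) maps to the fallback instead of being
// concatenated into include(). Returns false if even the fallback is missing.
function language_file($code, $dir = 'language', $fallback = 'english')
{
    $files = glob($dir . '/lang_*.php');
    if ($files === false) {
        $files = array();
    }
    $allowed = array();
    foreach ($files as $path) {
        // Only plain lower-case names are accepted, so a value containing
        // '/', '.' or a null byte can never match an entry.
        if (preg_match('/^lang_([a-z]{2,16})\.php$/', basename($path), $m)) {
            $allowed[$m[1]] = $path;
        }
    }
    if (isset($allowed[$code])) {
        return $allowed[$code];
    }
    return isset($allowed[$fallback]) ? $allowed[$fallback] : false;
}

// Build the private-message notice from a fixed format string and an
// integer. No eval(): even an attacker-controlled $l_privnotify is never
// executed, and the cast stops $new_message from carrying anything but a number.
function private_message_notice($new_message)
{
    $new_message = (int) $new_message;
    if ($new_message <= 0) {
        return '';
    }
    return sprintf('You have %d new private message%s.',
                   $new_message, $new_message === 1 ? '' : 's');
}

// Constructed demo values standing in for what prefs.php saved and what
// the private-message query returned.
$default_lang = '../../';   // the invalid value used in the advisory
$new_message  = 2;

// The include stays at file scope so the $l_* variables the language file
// defines become globals, as the rest of the board expects. A missing file
// is fatal rather than a silent warning that leaves the strings undefined.
$lang_path = language_file($default_lang);
if ($lang_path === false) {
    die("No usable language file in ./language/; refusing to run with undefined strings.\n");
}
include $lang_path;

if ($new_message != 0) {
    print private_message_notice($new_message) . "\n";
}
```

For an operator who cannot patch immediately, the same allow-list idea doubles as a check: any stored language preference that does not correspond to a real lang_<code>.php file is a value that never came from the drop-down box and is worth treating as a sign of tampering.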