Re: phpBB Worm

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: phpBB Worm
From: <ycw1bh302@xxxxxxxxxxxxxx>
Date: 22 Dec 2004 04:34:59 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <Pine.LNX.4.61.0412212325470.1764@xxxxxxxxxxxxxxxxxxxxxxx>

Forgive me if this is a newbie question, but a site I help run was hit by this, 
and I'm trying to understand it to protect against future worms.

The worm exploits the phpBB highlight vulnerability.  It uses PHP to run Perl 
to write the Perl script file, then executes it.  The script then proceeds to 
traverse the entire directory structure, overwriting .php, .htm, .shtm, .phtm, 
and on our server, .ssi files, and then spreads itself.  Correct?

I have two questions:

1.  Why has the worm been as effective on Windows servers as on *nix servers?  
At the very least, shouldn't the difference in file and directory naming cause 
a problem?  I looked at the decoded Perl script, but I'm not a Perl expert, so 
I couldn't understand all of it.  And what about the difference in file 
permissions?

2.  More importantly, why wasn't the worm's destructive ability limited by file 
permissions, especially on *nix servers?  If, for example, an HTML file on the 
server was uploaded by user bob, and has permissions of 755, how can the Perl 
script delete that file?  Shouldn't the Perl script be created with the Perl 
process's permissions, which was invoked by PHP, which should have the Web 
server's permissions, which should be, at least on most *nix servers, the 
nobody user?

This is a big issue on shared servers, or virtual hosts, whatever you want to 
call them.  Our site is on a shared server, and our site does not even run 
phpBB, but most of our HTML files were replaced with the worm's content.  
Obviously, then, another site on the server must have an old version of phpBB.  
But why could the worm, coming in through another site, modify files created by 
other users?  Even if the worm's script ran as the owner of the vulnerable 
viewtopic.php file, how could it then modify non-world-writable files created 
by other users?

I have long been concerned with the security of PHP scripts, especially on 
shared servers.  Since PHP almost always runs as an Apache module, and Apache 
usually runs as nobody, one must make files and directories world-writable for 
PHP scripts to be able to write to them.  But that means that any process on 
the server, including anyone's PHP script, can modify the files.

Thanks for any insights.

Adam Porter

Follow-Ups:
- Re: phpBB Worm
  - From: Anders Henke
- Re: phpBB Worm
  - From: Alvin Packard

Prev by Date: Re: DJB's students release 44 *nix software vulnerability advisories
Next by Date: Re: Local versus remote security holes
Previous by thread: Re: phpBB Worm
Next by thread: Re: phpBB Worm
Index(es):
- Date
- Thread