Re: phpBB Worm

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: phpBB Worm
From: Alvin Packard <appredator@xxxxxxxxx>
Date: Wed, 22 Dec 2004 21:28:01 -0600
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=QEZq+42c0kX4VntfrSR6DEBnVyC6IJQph2+xD1WkmeQL9evS5LOqqR429pdb3x8sRbfY7mRblQSSIAubmSLY6AXGD9rDQPEsXw9vDgOzHbT9rkdtEiMsgKi5cvdWcSGWoYHvq6ajhWI0+sNqytobWLJjrxO1QOJ9F2BYCD1yi/c=
In-reply-to: <20041222043459.16337.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20041222043459.16337.qmail@xxxxxxxxxxxxxxxxxxxxx>
Reply-to: Alvin Packard <appredator@xxxxxxxxx>

Last look at my log files and I was hit a total of 421 times by 278
different IPs. It seems to be moving rather quickly as these were from
the last 2 days. Good luck to those who have not patched yet.

Alvin Packard, CWNA
www.networksecuritytech.com


On 22 Dec 2004 04:34:59 -0000, ycw1bh302@xxxxxxxxxxxxxx
<ycw1bh302@xxxxxxxxxxxxxx> wrote:
> In-Reply-To: <Pine.LNX.4.61.0412212325470.1764@xxxxxxxxxxxxxxxxxxxxxxx>
> 
> Forgive me if this is a newbie question, but a site I help run was hit by 
> this, and I'm trying to understand it to protect against future worms.
> 
> The worm exploits the phpBB highlight vulnerability.  It uses PHP to run Perl 
> to write the Perl script file, then executes it.  The script then proceeds to 
> traverse the entire directory structure, overwriting .php, .htm, .shtm, 
> .phtm, and on our server, .ssi files, and then spreads itself.  Correct?
> 
> I have two questions:
> 
> 1.  Why has the worm been as effective on Windows servers as on *nix servers? 
>  At the very least, shouldn't the difference in file and directory naming 
> cause a problem?  I looked at the decoded Perl script, but I'm not a Perl 
> expert, so I couldn't understand all of it.  And what about the difference in 
> file permissions?
> 
> 2.  More importantly, why wasn't the worm's destructive ability limited by 
> file permissions, especially on *nix servers?  If, for example, an HTML file 
> on the server was uploaded by user bob, and has permissions of 755, how can 
> the Perl script delete that file?  Shouldn't the Perl script be created with 
> the Perl process's permissions, which was invoked by PHP, which should have 
> the Web server's permissions, which should be, at least on most *nix servers, 
> the nobody user?
> 
> This is a big issue on shared servers, or virtual hosts, whatever you want to 
> call them.  Our site is on a shared server, and our site does not even run 
> phpBB, but most of our HTML files were replaced with the worm's content.  
> Obviously, then, another site on the server must have an old version of 
> phpBB.  But why could the worm, coming in through another site, modify files 
> created by other users?  Even if the worm's script ran as the owner of the 
> vulnerable viewtopic.php file, how could it then modify non-world-writable 
> files created by other users?
> 
> I have long been concerned with the security of PHP scripts, especially on 
> shared servers.  Since PHP almost always runs as an Apache module, and Apache 
> usually runs as nobody, one must make files and directories world-writable 
> for PHP scripts to be able to write to them.  But that means that any process 
> on the server, including anyone's PHP script, can modify the files.
> 
> Thanks for any insights.
> 
> Adam Porter
>

References:
- Re: phpBB Worm
  - From: ycw1bh302

Prev by Date: SHOUTcast remote format string vulnerability
Next by Date: Crystal FTP Pro 2.8 PoC
Previous by thread: Re: phpBB Worm
Next by thread: Re: phpBB Worm
Index(es):
- Date
- Thread