PDA

View Full Version : Recent hacks - exploit discussion


create365
11-18-2013, 05:17 PM
http://www.reddit.com/r/netsec/comments/1qja8s/recent_vbulletin_compromises/
I have the exploit code, researching it, also confirmed it works.
On black market, exploit is worth $7000.

Most of the times, it ends up with C99/PHPShell installed (mostly under Admin CP -> Paid Subscriptions -> Subscriptions Manager - because part of the users never look there.)

Have you secured your vBulletins/were you hacked?
How vBulletin plans to fix it?



The XSS script is multistage based on what the user's session is currently capable of.
Create an invisible iframe pointing to the administrator control panel (ACP).
Using the iframe, check if the user is logged into the ACP. If yes, proceed to stage 5, otherwise continue to stage 3.
Since the user was not logged into the ACP, see if a password manager autofills the fields and submit the credentials off to an attacker controlled server. If no credentials were filled, continue to stage 4.
Retrieve all private messages of the user and ship them off to an attacker controlled servers since they might contain credentials or sensitive information. Not much to be done, exit the script.
Since the user was logged into the ACP, attempt to add a vBulletin hook that allows the remote execution of PHP code. If we don't have the permissions for this, continue to stage 6, otherwise exit the script.
Last straw attempt, try changing a higher ranked administrator's password. (yes, vBulletin is stupid enough to allow it) If we don't have the permissions for this either, continue to stage 4, otherwise exit the script.

Zachery
11-18-2013, 05:27 PM
So, you still have to some how gain access to a semi-privileged account, and then get an administrator to look at the post that has the malicious html in it?

create365
11-18-2013, 05:31 PM
Nope. Attack can be done from any site, but administrator has to view it. No account on target forums needed. It's pretty easy to achieve.
If someone with less privileges enters the page, it does other stuff. As described above its multi-stage.
The site when viewing opens an invisible iframe and executes the exploit.
Then, if it manages to install the shell, entering specific url enables hacker to access server almost like via ssh. It allows to execute SQL queries, for example to add new administrator, or even truncate all tables.

Zachery
11-18-2013, 05:50 PM
Still requires sending someone semi-privileged to view the malicious code, and that the user has access to do the things outlined.

I'd like to point out, you can restrict access to other admins changing other admins account via the config.php file, as well as locking down admin permisions via a super admin.

Max Taxable
11-18-2013, 06:15 PM
The XSS script is multistage based on what the user's session is currently capable of.Seems like requiring the security token for this POST action stops this cold.

create365
11-18-2013, 06:54 PM
Still requires sending someone semi-privileged to view the malicious code, and that the user has access to do the things outlined.Well, that is the easiest part.

TheLastSuperman
11-18-2013, 07:35 PM
I've ran into this before even was worried about it back in September remember that pm I sent you Zachery? It was related to this the exploit I thought was out there but could not confirm.

What they are doing is base64 encoding the plugins so hard to tell what exactly it's doing... it's always 3-4 plugins and 3/4 prompt virus alerts from your software (which c99 madshell does so if the shell script was not on the local server then zing you guessed it, they connected to it remotely via the plugin i.e. the anti-virus alert). Basically instead of now uploading c99madshell directly onto the server they are trying to exploit, they simply modified it and uploaded to their own server - after that the plugin connects to c99 madshell and they execute what they wish from their own server through your site via the plugins yet one more reason you don't see all what you wish you did in the logs while trying to figure out what just smacked you silly.

Digital Jedi
11-18-2013, 07:37 PM
So your admins should generally be undeletable/unalterable. It's a pain, but it helps.

$7000!?

Seems like all of this could have been avoided if you just used secure passwords.

findingpeace
11-18-2013, 07:59 PM
This page says the exploit uses HTML in Announcement Titles... Isn't that exactly what happened here on vBulletin.org?

Digital Jedi
11-18-2013, 08:07 PM
I don't see how, if the dev server attack was non-vBulletin related.

findingpeace
11-18-2013, 08:33 PM
I don't see how, if the dev server attack was non-vBulletin related.

Check out Post #22 by Paul M here:
https://vborg.vbsupport.ru/showthread.php?t=304654&page=2

Maybe I'm putting two and two together incorrectly here, but it seems like these are definitely the same.

Digital Jedi
11-18-2013, 08:47 PM
Check out Post #22 by Paul M here:
https://vborg.vbsupport.ru/showthread.php?t=304654&page=2

Maybe I'm putting two and two together incorrectly here, but it seems like these are definitely the same.
As much as I've been on here the last couple of days, I've completely missed that event. I thought you were referring to the attack on the server. I guess test accounts were overlooked during the password change.

adwolf1
11-18-2013, 09:04 PM
what about this post --

http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4007719-regarding-claims-of-new-0-day-exploits-in-vbulletin

so we shouldn't be nervous?

tbworld
11-18-2013, 09:33 PM
Make sure you have proper backups and have handled all recommendations. Then go on and enjoy your life. :) I personally do not have time to deal with conjecture. It seems to me vBulletin is releasing information as they become aware and qualified it. I am good with that.