vb.org Archive
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Recent hacks - exploit discussion (https://vborg.vbsupport.ru/showthread.php?t=304711)

create365 11-18-2013 04:17 PM
Recent hacks - exploit discussion
 
http://www.reddit.com/r/netsec/comme...n_compromises/
I have the exploit code, researching it, also confirmed it works.
On black market, exploit is worth $7000.

Most of the times, it ends up with C99/PHPShell installed (mostly under Admin CP -> Paid Subscriptions -> Subscriptions Manager - because part of the users never look there.)

Have you secured your vBulletins/were you hacked?
How vBulletin plans to fix it?



Quote:
The XSS script is multistage based on what the user's session is currently capable of.
Create an invisible iframe pointing to the administrator control panel (ACP).
Using the iframe, check if the user is logged into the ACP. If yes, proceed to stage 5, otherwise continue to stage 3.
Since the user was not logged into the ACP, see if a password manager autofills the fields and submit the credentials off to an attacker controlled server. If no credentials were filled, continue to stage 4.
Retrieve all private messages of the user and ship them off to an attacker controlled servers since they might contain credentials or sensitive information. Not much to be done, exit the script.
Since the user was logged into the ACP, attempt to add a vBulletin hook that allows the remote execution of PHP code. If we don't have the permissions for this, continue to stage 6, otherwise exit the script.
Last straw attempt, try changing a higher ranked administrator's password. (yes, vBulletin is stupid enough to allow it) If we don't have the permissions for this either, continue to stage 4, otherwise exit the script.

Zachery 11-18-2013 04:27 PM
So, you still have to some how gain access to a semi-privileged account, and then get an administrator to look at the post that has the malicious html in it?

create365 11-18-2013 04:31 PM
Nope. Attack can be done from any site, but administrator has to view it. No account on target forums needed. It's pretty easy to achieve.
If someone with less privileges enters the page, it does other stuff. As described above its multi-stage.
The site when viewing opens an invisible iframe and executes the exploit.
Then, if it manages to install the shell, entering specific url enables hacker to access server almost like via ssh. It allows to execute SQL queries, for example to add new administrator, or even truncate all tables.

Zachery 11-18-2013 04:50 PM
Still requires sending someone semi-privileged to view the malicious code, and that the user has access to do the things outlined.

I'd like to point out, you can restrict access to other admins changing other admins account via the config.php file, as well as locking down admin permisions via a super admin.

Max Taxable 11-18-2013 05:15 PM
Quote:
The XSS script is multistage based on what the user's session is currently capable of.
Seems like requiring the security token for this POST action stops this cold.

create365 11-18-2013 05:54 PM
Quote:
Originally Posted by Zachery (Post 2461887)
Still requires sending someone semi-privileged to view the malicious code, and that the user has access to do the things outlined.
Well, that is the easiest part.

TheLastSuperman 11-18-2013 06:35 PM
I've ran into this before even was worried about it back in September remember that pm I sent you Zachery? It was related to this the exploit I thought was out there but could not confirm.

What they are doing is base64 encoding the plugins so hard to tell what exactly it's doing... it's always 3-4 plugins and 3/4 prompt virus alerts from your software (which c99 madshell does so if the shell script was not on the local server then zing you guessed it, they connected to it remotely via the plugin i.e. the anti-virus alert). Basically instead of now uploading c99madshell directly onto the server they are trying to exploit, they simply modified it and uploaded to their own server - after that the plugin connects to c99 madshell and they execute what they wish from their own server through your site via the plugins yet one more reason you don't see all what you wish you did in the logs while trying to figure out what just smacked you silly.

Digital Jedi 11-18-2013 06:37 PM
So your admins should generally be undeletable/unalterable. It's a pain, but it helps.

$7000!?

Seems like all of this could have been avoided if you just used secure passwords.

findingpeace 11-18-2013 06:59 PM
This page says the exploit uses HTML in Announcement Titles... Isn't that exactly what happened here on vBulletin.org?

Digital Jedi 11-18-2013 07:07 PM
I don't see how, if the dev server attack was non-vBulletin related.


All times are GMT. The time now is 01:04 PM.
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.02210 seconds
  • Memory Usage 1,737KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (3)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete