Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 18 Nov 2013, 17:17
create365 create365 is offline
 
Join Date: Aug 2013
Recent hacks - exploit discussion

http://www.reddit.com/r/netsec/comme...n_compromises/
I have the exploit code, researching it, also confirmed it works.
On black market, exploit is worth $7000.

Most of the times, it ends up with C99/PHPShell installed (mostly under Admin CP -> Paid Subscriptions -> Subscriptions Manager - because part of the users never look there.)

Have you secured your vBulletins/were you hacked?
How vBulletin plans to fix it?



The XSS script is multistage based on what the user's session is currently capable of.
Create an invisible iframe pointing to the administrator control panel (ACP).
Using the iframe, check if the user is logged into the ACP. If yes, proceed to stage 5, otherwise continue to stage 3.
Since the user was not logged into the ACP, see if a password manager autofills the fields and submit the credentials off to an attacker controlled server. If no credentials were filled, continue to stage 4.
Retrieve all private messages of the user and ship them off to an attacker controlled servers since they might contain credentials or sensitive information. Not much to be done, exit the script.
Since the user was logged into the ACP, attempt to add a vBulletin hook that allows the remote execution of PHP code. If we don't have the permissions for this, continue to stage 6, otherwise exit the script.
Last straw attempt, try changing a higher ranked administrator's password. (yes, vBulletin is stupid enough to allow it) If we don't have the permissions for this either, continue to stage 4, otherwise exit the script.
__________________
Developing quality products for vBulletin.
Server-related work, vB installing/upgrading/maintenance/moving between hosts, after hack cleanups + securing the server. I also offer penetration (security) tests for your VPS/dedicated servers.
Skype: create365

Last edited by create365; 18 Nov 2013 at 17:28.
Reply With Quote
  #2  
Old 18 Nov 2013, 17:27
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Real name: Zachery Woods
So, you still have to some how gain access to a semi-privileged account, and then get an administrator to look at the post that has the malicious html in it?
__________________
Looking for ImpEx?
Reply With Quote
  #3  
Old 18 Nov 2013, 17:31
create365 create365 is offline
 
Join Date: Aug 2013
Nope. Attack can be done from any site, but administrator has to view it. No account on target forums needed. It's pretty easy to achieve.
If someone with less privileges enters the page, it does other stuff. As described above its multi-stage.
The site when viewing opens an invisible iframe and executes the exploit.
Then, if it manages to install the shell, entering specific url enables hacker to access server almost like via ssh. It allows to execute SQL queries, for example to add new administrator, or even truncate all tables.
__________________
Developing quality products for vBulletin.
Server-related work, vB installing/upgrading/maintenance/moving between hosts, after hack cleanups + securing the server. I also offer penetration (security) tests for your VPS/dedicated servers.
Skype: create365

Last edited by create365; 18 Nov 2013 at 17:38.
Reply With Quote
  #4  
Old 18 Nov 2013, 17:50
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Real name: Zachery Woods
Still requires sending someone semi-privileged to view the malicious code, and that the user has access to do the things outlined.

I'd like to point out, you can restrict access to other admins changing other admins account via the config.php file, as well as locking down admin permisions via a super admin.
__________________
Looking for ImpEx?
Reply With Quote
  #5  
Old 18 Nov 2013, 18:15
Max Taxable's Avatar
Max Taxable Max Taxable is offline
 
Join Date: Feb 2011
The XSS script is multistage based on what the user's session is currently capable of.
Seems like requiring the security token for this POST action stops this cold.
Reply With Quote
  #6  
Old 18 Nov 2013, 18:54
create365 create365 is offline
 
Join Date: Aug 2013
Originally Posted by Zachery View Post
Still requires sending someone semi-privileged to view the malicious code, and that the user has access to do the things outlined.
Well, that is the easiest part.
__________________
Developing quality products for vBulletin.
Server-related work, vB installing/upgrading/maintenance/moving between hosts, after hack cleanups + securing the server. I also offer penetration (security) tests for your VPS/dedicated servers.
Skype: create365
Reply With Quote
  #7  
Old 18 Nov 2013, 19:35
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
I've ran into this before even was worried about it back in September remember that pm I sent you Zachery? It was related to this the exploit I thought was out there but could not confirm.

What they are doing is base64 encoding the plugins so hard to tell what exactly it's doing... it's always 3-4 plugins and 3/4 prompt virus alerts from your software (which c99 madshell does so if the shell script was not on the local server then zing you guessed it, they connected to it remotely via the plugin i.e. the anti-virus alert). Basically instead of now uploading c99madshell directly onto the server they are trying to exploit, they simply modified it and uploaded to their own server - after that the plugin connects to c99 madshell and they execute what they wish from their own server through your site via the plugins yet one more reason you don't see all what you wish you did in the logs while trying to figure out what just smacked you silly.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!

Last edited by TheLastSuperman; 18 Nov 2013 at 19:40.
Reply With Quote
  #8  
Old 18 Nov 2013, 19:37
Digital Jedi's Avatar
Digital Jedi Digital Jedi is offline
 
Join Date: Oct 2006
Real name: Mark Daniel Martinez
So your admins should generally be undeletable/unalterable. It's a pain, but it helps.

$7000!?

Seems like all of this could have been avoided if you just used secure passwords.
__________________
Reply With Quote
  #9  
Old 18 Nov 2013, 19:59
findingpeace's Avatar
findingpeace findingpeace is offline
 
Join Date: Nov 2011
This page says the exploit uses HTML in Announcement Titles... Isn't that exactly what happened here on vBulletin.org?
Reply With Quote
  #10  
Old 18 Nov 2013, 20:07
Digital Jedi's Avatar
Digital Jedi Digital Jedi is offline
 
Join Date: Oct 2006
Real name: Mark Daniel Martinez
I don't see how, if the dev server attack was non-vBulletin related.
__________________
Reply With Quote
  #11  
Old 18 Nov 2013, 20:33
findingpeace's Avatar
findingpeace findingpeace is offline
 
Join Date: Nov 2011
Originally Posted by Digital Jedi View Post
I don't see how, if the dev server attack was non-vBulletin related.
Check out Post #22 by Paul M here:
http://www.vbulletin.org/forum/showt...=304654&page=2

Maybe I'm putting two and two together incorrectly here, but it seems like these are definitely the same.
Reply With Quote
  #12  
Old 18 Nov 2013, 20:47
Digital Jedi's Avatar
Digital Jedi Digital Jedi is offline
 
Join Date: Oct 2006
Real name: Mark Daniel Martinez
Originally Posted by findingpeace View Post
Check out Post #22 by Paul M here:
http://www.vbulletin.org/forum/showt...=304654&page=2

Maybe I'm putting two and two together incorrectly here, but it seems like these are definitely the same.
As much as I've been on here the last couple of days, I've completely missed that event. I thought you were referring to the attack on the server. I guess test accounts were overlooked during the password change.
__________________
Reply With Quote
  #13  
Old 18 Nov 2013, 21:04
adwolf1 adwolf1 is offline
 
Join Date: Jan 2006
what about this post --

http://www.vbulletin.com/forum/forum...s-in-vbulletin

so we shouldn't be nervous?
Reply With Quote
  #14  
Old 18 Nov 2013, 21:33
tbworld tbworld is offline
 
Join Date: Oct 2008
Make sure you have proper backups and have handled all recommendations. Then go on and enjoy your life. I personally do not have time to deal with conjecture. It seems to me vBulletin is releasing information as they become aware and qualified it. I am good with that.

Last edited by tbworld; 18 Nov 2013 at 21:52.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 22:11.

Layout Options | Width: Wide Color: