Impact
phpBB is one of the oldest and most popular board software. If an attacker aims to take over a board running phpBB3, he will usually attempt to gain access to the admin control panel by means of bruteforcing, phishing or XSS vulnerabilities in plugins that the target site has installed. But plugins cannot be installed directly in the admin panel and there is no other feature that can be abused by administrators to execute arbitrary PHP code. However, the vulnerability described here allows the attacker to break out of the admin panel, execute arbitrary PHP code on the underlying server and then to perform a full site takeover. The issue in the phpBB3 code base (300 KLOC) is a Phar deserialization vulnerability (CVE-2018-19274). It was fixed in version 3.2.4.
Technical Details
Phar deserialization vulnerabilities occur if user input is passed unsanitized to any file system function in PHP, such as file_exists(). We have detailed how the new exploitation technique discovered by Sam Thomas works in our previous blogpost.
The vulnerability in phpBB3 lies in a feature that allows administrators to edit images that were uploaded to the forum. The feature utilizes an image editor binary called Imagick. Administrators are able to set the absolute path to the image editor binary on the server running phpBB3. Before updating this setting, phpBB3 tries to validate the new path with the function validate_config_vars(). The function performs this validation by checking if the file actually exists.
/includes/functions_acp.php
568 function validate_config_vars($config_vars, &$cfg_array, &$error)
569 {
570 ⋮
571 case 'absolute_path':
572 case 'absolute_path_writable':
573 case 'path':
574 case 'wpath':
575 ⋮
576 if (!file_exists($path)) {
577 $error[] = sprintf($user->lang['DIRECTORY_DOES_NOT_EXIST'], $cfg_array[$config_name]);
578 }
579 ⋮Exploitation
For exploitation, the following steps are necessary. Please note that we left out some details on purpose.
Uploading a malicious Phar file
In order to trigger the Phar deserialization, the local path to the Phar file on the target server must be supplied.
Example of triggering a phar deserialization
file_exists('phar:///var/www/phpBB3/files/evil.phar');This means an attacker must upload the malicious Phar file to the target board. Since phpBB3 allows users to upload attachments and add them to threads and posts, uploading the malicious Phar file is trivial. Although only a whitelisted set of extensions, such as .jpg or .pdf is allowed, an attacker can still upload a valid Phar file to the server. This is because Phar files are extension independend. If the evil.phar file was renamed to evil.jpg, the above example of triggering the Phar deserialization would still work. There are also Polyglot files that are valid JPG and Phar files at the same time.
Phar files are extension independend
file_exists('phar:///var/www/phpBB3/files/evil.jpg');Defeating filename randomization
When files are uploaded to the phpBB3 forum (e.g. post attachments or images), their filename is randomized. When evil.jpg is uploaded, it will be stored in the /phpBB3/files/ directory as a randomly generated md5 hash, for example 2_08cc076da659b5b30de5fbfe10c05270. In order to exploit the Phar deserialization, an attacker must know the exact file path of the file on the server. The filename randomization of phpBB3 is cryptographically secure, so bruteforcing the filename is not a liable option. This means that the first step of uploading the malicious file can be done easily, but the second step of triggering the Phar deserialization fails because the attacker does not know the path to the Phar file.
However, a weakness in the file uploading process of attachments allows attackers to predict the filename on the server. phpBB3 offers users to upload files in chunks, which means that a large file can be uploaded in multiple requests. All upload chunks are written to a temporary file. Once all chunks have been appended to the file, its filename is randomized and moved to the /phpBB3/files directory. The temporary filename is generated by the temporary_filepath() function. The function takes one argument, which is the filename of the malicious Phar file the attacker wants to upload, in this case evil.jpg.
/includes/functions_acp.php
568 protected function temporary_filepath($file_name)
569 {
570 // Must preserve the extension for plupload to work.
571 return sprintf(
572 'files/plupload/%s_%s%s',
573 $this->config['plupload_salt'],
574 md5($file_name),
575 \phpbb\files\filespec::get_extension($file_name)
576 );
577 }The function then returns the filename, which consists of an upload salt, the md5 hash of the $filename, which is evil.jpg and the extension of the $file_name, which is .jpg. Since $file_name is under control of the attacker, the only part of the filename that is unknown is the plupload_salt. This salt is a cryptographically secure, random hash that is unique to each phpBB3 board and is generated when the target board was installed. However, the hash is stored in the database in the phpbb_config table. Administrators with founder privileges can download MySQL database backups from within the admin control panel. This means an attacker can simply download a backup and extract the plupload_salt from it. This allows the attacker to predict the full path of the Phar file on the server.
The temporary file will be stored on the server until all chunks are sent. An attacker can initiate a file upload and tell phpBB3 that two chunks will be sent. By uploading the Phar file with the first chunk but never sending the second, he can trick phpBB3 into waiting until the second chunk arrives and not deleting the temporary file. This way he can upload a file and know the local filename.
Triggering the exploit and executing code
The last step of exploiting the Phar deserialization is finding POP gadgets that can be abused to perform malicious actions. We managed to find a POP chain that allows attackers to create arbitrary files on the server and inject PHP code into the file. This means an attacker can easily create a shell.php and then execute arbitrary code on the target server, leading to a full site takeover.
Timeline
| Date | What |
| 2018/10/08 | Vulnerability reported to the phpBB3 security team on their public tracker. |
| 2018/10/08 | The vulnerability was triaged and verified by the security team. |
| 2018/10/09 | We provided more details about exploitation. |
| 2018/11/11 | phpBB3 proposes a patch. |
| 2018/11/16 | phpBB3 releases patch with version 3.2.4. |
Summary
Phar deserialization is a new exploitation technique in PHP and occurs in many popular CMS systems. In our analysis we detected this type of vulnerability in phpBB3, a popular forum software. The vulnerability allows authenticated attackers to execute arbitrary PHP code on the server. We would like to thank the phpBB security team for their very fast responses, as well as the competent and professional handling of the security issue.
Related Posts
- Pydio 8.2.1 Unauthenticated Remote Code Execution
- Shopware 5.3.3: PHP Object Instantiation to Blind XXE
- A Salesmans Code Execution: PrestaShop 1.7.2.4
- CTF Writeup: Complex Drupal POP Chain
- Breaking Into Your Company's Internal Network - SuiteCRM 7.11.4
- What is Phar Deserialization
- What is PHP Object Injection