
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-03-15



more phpBB 2.0.12 fun; Identity theft; alternative browser java exploit

Published: 2005-03-15
Last Updated: 2005-03-16 03:16:02 UTC
by Dan Goldberg (Version: 1)

More about phpBB <= 2.0.12


phpBB 2.0.13 is still safe.
An exploit has been released for phpBB bulletin boards. This exploit tries to drop netcat into the web root. There is another binary in tmp, which I have not directly identified, that appears to exploit a race condition in the Linux kernel. The file is named pwned and it uses a data file called TTdummyfile.
Previous diary entries regarding phpBB:

http://isc.sans.org/diary.php?date=2005-03-12

http://isc.sans.org/diary.php?date=2005-02-27

http://isc.sans.org/diary.php?date=2005-02-22



We have had one report of a system compromised with this tool. Since it creates at least one backdoor on the system, my recommendation is to take the machine offline and rebuild it, with the caveat that the same exploit path may still exist: from the report I have seen, the exploit works on all the current versions of phpBB, Apache, and PHP. I will update this information as I learn more. The exploit is listed as affecting phpBB versions <= 2.0.12. The system in the report we got today was running version 2.0.12; it had not been fully patched to 2.0.13.
I was informed this evening that the netcat file was downloaded by the owner, not by the exploit, in order to compare it with pwned and the other files in the tmp directory.
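As an added defender-side triage example (not from the diary, phpBB, or the reported incident), a small Python helper that scans a web root and a tmp directory for the indicators described above: the named files, plus any native ELF binary sitting in the web root, where only PHP and static content belong. The indicator names come from the diary; the sample tree it builds is constructed placeholder data, not real incident files.

```python
import os
import tempfile
from pathlib import Path

# Indicator names taken from the diary: netcat dropped into the web root, and
# the "pwned" binary with its "TTdummyfile" data file in tmp.
SUSPICIOUS_NAMES = {"pwned", "TTdummyfile", "nc", "netcat"}
ELF_MAGIC = b"\x7fELF"


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic, i.e. it is a native binary."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def scan_for_indicators(webroot: str, tmpdir: str) -> list:
    """Return sorted (reason, path) findings for a web root and a tmp directory.

    A phpBB web root holds PHP, HTML, templates and images, never native
    executables, so every ELF file there is flagged whatever its name; in tmp,
    where binaries can be legitimate, only the indicator names are flagged."""
    findings = []
    for base, flag_any_elf in ((webroot, True), (tmpdir, False)):
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                path = Path(dirpath, name)
                if name in SUSPICIOUS_NAMES:
                    findings.append(("indicator filename", str(path)))
                elif flag_any_elf and is_elf(path):
                    findings.append(("native binary in web root", str(path)))
    return sorted(findings)

def build_sample_tree() -> tuple:
    """Constructed sample layout (not real incident data) for a dry run."""
    base = Path(tempfile.mkdtemp())
    files = {
        "webroot/index.php": b"<?php echo 'phpBB'; ?>",
        "webroot/nc": ELF_MAGIC + b"\x01\x01\x01",           # dropped netcat
        "webroot/images/logo.bin": ELF_MAGIC + b"\x02\x01",  # binary, innocent name
        "tmp/pwned": ELF_MAGIC + b"\x01\x01\x01",
        "tmp/TTdummyfile": b"dummy data",
        "tmp/sess_abc123": b"a:0:{}",                        # normal PHP session file
    }
    for rel, data in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    return str(base / "webroot"), str(base / "tmp")
```

Run it against a real web root and tmp as `scan_for_indicators("/var/www/html", "/tmp")`; the sample tree is only there so the check can be exercised offline.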

Identity theft


We got a note from a reader regarding a series of phone calls he received about credit applications he had not filled out. After questioning the callers (there were several; one was a Honda dealer) he found that they had his name correct but none of his other data.
The pertinent thing here is that he immediately had a fraud alert placed on his account for the next three months. This alert has been set with all three credit bureaus.
There is excellent information on how to protect yourself at this web site:

http://www.fightidentitytheft.com/flag.html
We wish this reader good luck. It is getting harder to protect yourself.

Alternative browser java exploit


Lastly for now, there is now a cross-browser exploit for Mozilla browsers. It is written up in The Register. The affected page calls a Java applet which looks like it is signed with a bogus code-signing cert that expired in February. If you click Yes, the applet launches IE and installs a bunch of spyware nasties.


As far as I can tell it does not penetrate the sandbox directly, since user intervention is required, though I could be wrong. The article is here: http://www.theregister.co.uk/2005/03/11/alternative_slimeware/
This is yet another thing for users to look out for. My opinion is that we will see more of this type of cross-browser exploit in the future, and that we will start to see it used for malware instead of spyware.


Opinion


It is beginning to look grimmer on the net. I think I am going to pick up my copy of Handler Ed Skoudis' book "Malware: Fighting Malicious Code" and re-read the optimistic conclusion to brighten things up a bit.


Speaking of books, Handler Lenny Zeltser's (and others') new book "Inside Network Perimeter Security" (second edition) is out now. I got my copy yesterday as one of the technical editors. The authors have taken this book from really good to great! Check it out.


Dan Goldberg GCFW
MADJiC Consulting, Inc.
dan at madjic dot net