Blog post

phpBB 3.2.3: Phar Deserialization to RCE

Simon Scannell photo

Simon Scannell

Vulnerability Researcher

Date

  • Security
A new PHP exploit technique affects the most famous forum software phpBB3. The vulnerability allows attackers who gain access to an administrator account to execute arbitrary PHP code and...

Impact

phpBB is one of the oldest and most popular board software. If an attacker aims to take over a board running phpBB3, he will usually attempt to gain access to the admin control panel by means of bruteforcing, phishing or XSS vulnerabilities in plugins that the target site has installed. But plugins cannot be installed directly in the admin panel and there is no other feature that can be abused by administrators to execute arbitrary PHP code. However, the vulnerability described here allows the attacker to break out of the admin panel, execute arbitrary PHP code on the underlying server and then to perform a full site takeover. The issue in the phpBB3 code base (300 KLOC) is a Phar deserialization vulnerability (CVE-2018-19274). It was fixed in version 3.2.4.

A video walkthrough of phpBB 3.2.3: Phar Deserialization to RCE

Technical Details

Phar deserialization vulnerabilities occur if user input is passed unsanitized to any file system function in PHP, such as file_exists(). We have detailed how the new exploitation technique discovered by Sam Thomas works in our previous blogpost.


The vulnerability in phpBB3 lies in a feature that allows administrators to edit images that were uploaded to the forum. The feature utilizes an image editor binary called Imagick. Administrators are able to set the absolute path to the image editor binary on the server running phpBB3. Before updating this setting, phpBB3 tries to validate the new path with the function validate_config_vars(). The function performs this validation by checking if the file actually exists.


/includes/functions_acp.php

568    function validate_config_vars($config_vars, &$cfg_array, &$error)
569    {
570        ⋮
571        case 'absolute_path':
572        case 'absolute_path_writable':	
573        case 'path':
574        case 'wpath':
575        ⋮
576        if (!file_exists($path)) {
577            $error[] = sprintf($user->lang['DIRECTORY_DOES_NOT_EXIST'], $cfg_array[$config_name]);
578        }
579        ⋮

Exploitation

For exploitation, the following steps are necessary. Please note that we left out some details on purpose.

Uploading a malicious Phar file

In order to trigger the Phar deserialization, the local path to the Phar file on the target server must be supplied.


Example of triggering a phar deserialization

file_exists('phar:///var/www/phpBB3/files/evil.phar');

This means an attacker must upload the malicious Phar file to the target board. Since phpBB3 allows users to upload attachments and add them to threads and posts, uploading the malicious Phar file is trivial. Although only a whitelisted set of extensions, such as .jpg or .pdf is allowed, an attacker can still upload a valid Phar file to the server. This is because Phar files are extension independend. If the evil.phar file was renamed to evil.jpg, the above example of triggering the Phar deserialization would still work. There are also Polyglot files that are valid JPG and Phar files at the same time.


Phar files are extension independend

file_exists('phar:///var/www/phpBB3/files/evil.jpg');

Defeating filename randomization

When files are uploaded to the phpBB3 forum (e.g. post attachments or images), their filename is randomized. When evil.jpg is uploaded, it will be stored in the /phpBB3/files/ directory as a randomly generated md5 hash, for example 2_08cc076da659b5b30de5fbfe10c05270. In order to exploit the Phar deserialization, an attacker must know the exact file path of the file on the server. The filename randomization of phpBB3 is cryptographically secure, so bruteforcing the filename is not a liable option. This means that the first step of uploading the malicious file can be done easily, but the second step of triggering the Phar deserialization fails because the attacker does not know the path to the Phar file.


However, a weakness in the file uploading process of attachments allows attackers to predict the filename on the server. phpBB3 offers users to upload files in chunks, which means that a large file can be uploaded in multiple requests. All upload chunks are written to a temporary file. Once all chunks have been appended to the file, its filename is randomized and moved to the /phpBB3/files directory. The temporary filename is generated by the temporary_filepath() function. The function takes one argument, which is the filename of the malicious Phar file the attacker wants to upload, in this case evil.jpg.


/includes/functions_acp.php

568    protected function temporary_filepath($file_name)
569    {
570        // Must preserve the extension for plupload to work.
571        return sprintf(
572            'files/plupload/%s_%s%s',
573            $this->config['plupload_salt'],
574            md5($file_name),
575            \phpbb\files\filespec::get_extension($file_name)
576        );
577    }

The function then returns the filename, which consists of an upload salt, the md5 hash of the $filename, which is evil.jpg and the extension of the $file_name, which is .jpg. Since $file_name is under control of the attacker, the only part of the filename that is unknown is the plupload_salt. This salt is a cryptographically secure, random hash that is unique to each phpBB3 board and is generated when the target board was installed. However, the hash is stored in the database in the phpbb_config table. Administrators with founder privileges can download MySQL database backups from within the admin control panel. This means an attacker can simply download a backup and extract the plupload_salt from it. This allows the attacker to predict the full path of the Phar file on the server.


The temporary file will be stored on the server until all chunks are sent. An attacker can initiate a file upload and tell phpBB3 that two chunks will be sent. By uploading the Phar file with the first chunk but never sending the second, he can trick phpBB3 into waiting until the second chunk arrives and not deleting the temporary file. This way he can upload a file and know the local filename.

Triggering the exploit and executing code

The last step of exploiting the Phar deserialization is finding POP gadgets that can be abused to perform malicious actions. We managed to find a POP chain that allows attackers to create arbitrary files on the server and inject PHP code into the file. This means an attacker can easily create a shell.php and then execute arbitrary code on the target server, leading to a full site takeover.

Timeline


DateWhat
2018/10/08Vulnerability reported to the phpBB3 security team on their public tracker.
2018/10/08The vulnerability was triaged and verified by the security team.
2018/10/09We provided more details about exploitation.
2018/11/11phpBB3 proposes a patch.
2018/11/16phpBB3 releases patch with version 3.2.4.

Summary

Phar deserialization is a new exploitation technique in PHP and occurs in many popular CMS systems. In our analysis we detected this type of vulnerability in phpBB3, a popular forum software. The vulnerability allows authenticated attackers to execute arbitrary PHP code on the server. We would like to thank the phpBB security team for their very fast responses, as well as the competent and professional handling of the security issue.

Related Posts