Allele Security Alert
ASA-2019-00376
Identifier(s)
ASA-2019-00376, CVE-2019-12831
Title
Remote Code Execution (RCE) in Admin panel via File Write
Vendor(s)
MyBB Group
Product(s)
MyBB
Affected version(s)
MyBB versions prior to 1.8.21
Fixed version(s)
MyBB version 1.8.21 or later
Proof of concept
Unknown
Description
There is an authenticated Remote Code Execution (RCE) vulnerability that can be exploited by administrators of a forum.
Technical details
Administrators of a MyBB forum can manage stylesheets of the active theme of their installation within the Admin Panel. They can also create new stylesheet files on the server and choose the filename.
An obvious File Write vulnerability would occur if an attacker in the role of an administrator account could simply create a new stylesheet file and call it, for example, shell.php.
However, a quick investigation of the source code behind this functionality revealed that only the .css file extension was allowed:
admin/inc/functions_themes.php:

    foreach($theme['stylesheets']['stylesheet'] as $stylesheet)
    {
        // Only the last four characters of the submitted name are inspected
        if(substr($stylesheet['attributes']['name'], -4) != ".css")
        {
            continue;
        }
        // [...] the name and contents are then stored in the database
    }
What captured our attention was what happened after the extension had been checked. Instead of simply creating the stylesheet file in the file system, MyBB first stores the name of the stylesheet file, as well as the contents, in the MySQL database powering the board. When we looked at the mybb_themestylesheets table and how it was structured, we noticed something interesting: the name column, which stores the filename of a newly imported stylesheet, is defined as a varchar column with a maximum of 30 characters.
Table definition of mybb_themestylesheets:

    MariaDB [mybb]> DESC mybb_themestylesheets;
    +--------------+----------------------+------+-----+---------+----------------+
    | Field        | Type                 | Null | Key | Default | Extra          |
    +--------------+----------------------+------+-----+---------+----------------+
    | sid          | int(10) unsigned     | NO   | PRI | NULL    | auto_increment |
    | name         | varchar(30)          | NO   |     |         |                |
    [...]
    | stylesheet   | longtext             | NO   |     | NULL    |                |
    [...]
    +--------------+----------------------+------+-----+---------+----------------+
We then noticed that the length of a stylesheet filename is not checked when imported through an XML file, resulting in attackers being able to trick MyBB into inserting a filename with more than the allowed 30 characters. MySQL’s default behavior on many systems is to then truncate the filename to 30 characters.
An attacker could abuse this behavior by setting a filename to, for example, aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css. This filename is 34 characters long. Since it ends with the .css extension, it passes the security checks of MyBB. However, when that string is then inserted into the database, it is truncated to 30 characters and only aaaaaaaaaaaaaaaaaaaaaaaaaa.php remains stored in the database.
An attacker can then use the admin panel to generate the newly imported stylesheet files and write them to the file system. This would create a PHP shell within the cache directory.
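The following PHP is an added example written for this alert; it is not MyBB's code and not the vendor's fix. It models the extension check described above, simulates the non-strict truncation to the 30-character name column, and shows a hardened check that enforces the storage limit before validation and re-validates the stored name immediately before anything is written to disk. The function names, the character whitelist and the truncation helper are assumptions made here for illustration.

```php
<?php
// Added example (not MyBB's code): models the check described in the advisory
// and a hardened alternative. The column width of 30 matches the varchar(30)
// shown in the table definition above. The truncation helper only simulates
// a MySQL server running without strict mode; it does not touch a database.

const NAME_COLUMN_WIDTH = 30; // width of mybb_themestylesheets.name per the advisory

// Vulnerable check as described in the advisory: only the last four
// characters of the submitted name are inspected.
function vulnerable_name_is_allowed(string $name): bool
{
    return substr($name, -4) === '.css';
}

// Simulates what a non-strict MySQL/MariaDB server does with a value that is
// longer than the column: the value is silently cut to the column width.
function simulate_non_strict_insert(string $name): string
{
    return substr($name, 0, NAME_COLUMN_WIDTH);
}

// Hardened check (assumed design, not MyBB's): reject anything the storage
// layer could alter, restrict the character set, and require a single .css
// extension on exactly the value that will be stored.
function hardened_name_is_allowed(string $name): bool
{
    if (strlen($name) > NAME_COLUMN_WIDTH) {
        return false; // the database would truncate this value
    }
    // Simple basename only: no path separators, no extra dots before .css
    return preg_match('/^[A-Za-z0-9_-]+\.css$/', $name) === 1;
}

// Defence in depth: re-validate the name read back from storage right before
// the file is written, so that a database-side transformation cannot change
// the extension of the file that is actually created.
function safe_to_write(string $stored_name): bool
{
    return hardened_name_is_allowed($stored_name);
}

// Constructed input matching the advisory: 26 'a' characters + ".php.css" = 34 chars
$payload = str_repeat('a', 26) . '.php.css';

printf("vulnerable check accepts submitted name: %s\n",
    var_export(vulnerable_name_is_allowed($payload), true));

$stored = simulate_non_strict_insert($payload);
printf("value after non-strict insert: %s (%d chars)\n", $stored, strlen($stored));

printf("hardened check accepts submitted name: %s\n",
    var_export(hardened_name_is_allowed($payload), true));
printf("stored value passes pre-write check: %s\n",
    var_export(safe_to_write($stored), true));
```

Two operational points follow from this. First, the hardened check treats the database column width as part of the input contract, so a value that would be truncated is rejected rather than stored. Second, the silent truncation itself is a server setting: with STRICT_TRANS_TABLES or STRICT_ALL_TABLES present in sql_mode, an over-length insert into a varchar column fails with a "Data too long for column" error instead of being cut, which turns this class of bypass into a visible failure in the application log.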
Credits
Simon Scannell (RIPS Technologies)
Reference(s)
MyBB 1.8.21 Released — Security & Maintenance Release
https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/
MyBB <= 1.8.20: From Stored XSS to RCE
https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/
MyBB 1.8.21
https://github.com/mybb/mybb/commit/44fc01f723b122be1bc8daaca324e29b690901d6
CVE-2019-12831
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12831
CVE-2019-12831
https://nvd.nist.gov/vuln/detail/CVE-2019-12831
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 23, 2019