Hacking Book | Free Online Hacking Learning


analysis of vbulletin backdoor without file in the leakage tool of equation group

Posted by agaran at 2020-04-14



Background introduction

Although most of the waves of samples leaked from the equation have been used by others for many years, the technical details, attack methods, thinking and angles involved in the analysis of these samples are still amazing, including the loopholes like the external series, which have directly brought about a huge impact. One of the samples that leaked the IP of the equation itself attracted the attention of global security researchers, but at present, all the public conjectures about this sample have no technical analysis. This sample is a function remote control tool specially for the vBulletin forum system. Formsec will make a detailed technical analysis and apt attack interpretation of this sample in this paper.

VBulletin (https://www.vbulletin.com/) is a powerful, flexible and customized forum program suite, which is widely used worldwide. Many large forums choose vBulletin as their own community.



Funelout sample analysis

Sample source:

Original file: https://mega.nz/#!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU

Passphrase: CrDj"(;Va.*[email protected])#>deB7mN (as disclosedby the ShadowBrokers, source)


      The remote control name of this function is funnelout, which involves four versions in total. The functions of each version are basically the same, and the applicable time range is between 08 and 13 years. According to the existing analysis results, the combination of this tool and vBulletin system is very high. The core principle used is the special logic when vBulletin framework loads the template. It can be inferred that if the vBulletin version update is in progress If the framework doesn't make big adjustments, the tool will be applicable all the time, and there may be an updated version now.

Here we select v4.1.0.1 for analysis. The script running environment needs Perl support. Running the script directly will show the usage of the tool, including database connection method, backdoor operation and other customizable parameters.

        Database connection can be divided into two types: one is to access the database directly by defining the relevant parameters of database connection, including the IP address, port, vBulletin database name, user name, password, etc. when MySQL can be accessed remotely, it can be connected to the database through this method for remote control; the other is to read the database configuration file of vBulletin directly by script File config.php to obtain host, port, dbuser, dbpass, dbname, etc. and then connect to the database. Of course, it may be executed on the application server, or the configuration file may be dragged back and then parsed locally and accessed remotely.

The op options for remote control can be roughly divided into three functions: backdoor, proxy and tag. Other functions are around these three points, such as implantation, clearing and viewing statistics, and can be guessed from their names.

Next, we analyze and interpret the three core function operations.

01 backdoor function analysis

The implementation of the door function is relatively simple and crude. First, take a look at the implementation code of the door function. You can see that the back door of a sentence is directly put into the database after Base64 coding, and spliced into the footer template of the template table by default.

The next step is to repeat. Run the script to specify door to insert the back door into the database.

Through show door, we can see that the backdoor code has been spliced into the template through Base64.

Let's go back to vBulletin's code and see why the back door is set like this.

The whole framework implementation of vBulletin puts all kinds of templates that need to be called into the database. When calling, it will take them out of the template table and eval them for execution. The script developer just uses this logic to carry out backdoor implantation. For example, in the implementation of door here, global.php of vBulletin contains calls to header and footer templates. Funnelout embeds the backdoor code of proxy and door into the two template tables by default. As shown in the figure below, the template code is taken out and executed, and the backdoor code contained therein is also executed together.

Therefore, if the maintenance personnel of the vBulletin forum check and kill malicious code on the application server, it is certainly invalid. Only the database security audit can trigger the alarm. After all, it depends on whether there are relevant rules, which is the strength of the back door.

Of course, all pages containing global.php can trigger subsequent execution, just put the code to be executed in the referrer custom attribute of the request header.

02 proxy function analysis

The proxy implementation principle of funnelout is the same as that of door, but the code of proxy is relatively complex. Proxy has a set of template code. Script users can define the host and path to be accessed by proxy according to the actual environment, and finally generate specific proxy code.

Next, repeat the proxy function. When using proxy, you need to specify the tag. We construct a simple tag according to the code and insert it

After inserting the proxy, you can use the corresponding showproxy to view the content of the header template. Like the door, it has been Base64 encoded and spliced into the database

Let's take a look at the proxy code embedded in Base64 decoding, as shown in the figure below. I have made some annotations in the code to facilitate your understanding of the code. The logic is to obtain the intranet web service host that the proxy needs to request, and encapsulate a request package to send the matching URL request to the intranet web server, which can be a get request or a post request, postData A is the data submitted to vBulletin.

It can be seen that is added to the blacklist. The specific meaning here is uncertain, but it can be determined that this is a server operated by the attacker. There are many equation samples related to this IP in Threat Intelligence.

Finally, the proxy is reproduced as follows, but the proxy mentioned here can not be said to be a complete proxy, more like the meaning of SSRF

03 tag function analysis

Tag code is generally divided into two types. The first one is that when creating an agent, the script will automatically add a proxytag. We can use findall to view it. By default, it is embedded in the navbar template.

The generated tag code is roughly as follows, which is relatively complex. It can be found that the tag code and the vBulletin code are highly integrated. Similarly, I added some comments in the code to facilitate your understanding. Interested students can debug it by themselves. The main purpose of tag code is to trigger page view after some condition judgment. Interestingly, tag code needs to trigger show Page must be invalid for more than one day after the user is marked for the first time. It can only reset, which is a bit of a self destruct program. After the user is marked for the first time, a random number with a default value of 0-6 will be generated. The random number will decrease with the number of visits. Until it is 0, pageview will be triggered through iframe tag. After triggering, the number will be reduced to - 1 again, and returned for use The user has been marked for reset, but the intent of this function here is not clear.

Take a look at the reproduction process of proxytag

A VB forum user visited a similar link after logging in to view the content of the private message:

The hacker can view the currently tagged user through showtagged, and generate a random number of 4 when the user first accesses

That is to say, after the user visits the page four times, the page view will be triggered to send the request with the hex code of the current user name. Speculation may be used to mark specific users and then launch targeted attacks.

Use showtagged again to see that the user has been tagged and is waiting for reset

The second is the tag code directly inserted by using the tag command. If you want to subdivide it here, you can also divide it into two categories according to whether you use nohttp or not. You can see the difference between them from the code

A summary of tag is given

Here, we do not use - nohttp for function replication. It is also encrypted through Base64 and put in navbar template

Trigger page view when forum users visit

Here, the tag function is basically analyzed. We found an open attack trace on the Internet. According to the above analysis, this is the third case of tag

The domain name involved is technology-reviewed.com, and there are many countries with history resolution records.

In addition, it should be noted that two special MD5 are found in the tag code. The script will verify whether the user name of the marked user is the same as the two MD5

84b8026b3f5e6dcfb29e82e0b0b0f386      Unregistered (EN)

e6d290a03b70cfa5d4451da444bdea39  dbedd120e3d3cce1 (AR)

In addition, the code excludes the IP address marked from the special region

In addition to the only identified IP mentioned earlier -, the rest of the IP segments involve countries and regions such as Jordan, Turkey and Egypt.

Finally, based on the above information, we guess that technology-revealed.com is the server controlled by the equation. It can be used to receive some tag information from users in special areas of sensitive topic discussion forums, from which specific targets can be screened out and targeted attacks can be carried out, including vBulletin The access log collects the user IP address, the database collects the user password information, etc., and then cooperates with other ways to carry out water pit attacks, such as using vBulletin template to hang horses again, and there are other loopholes in the equation enough to complete the subsequent attacks and expand the results. Of course, the above is just my conjecture about the use of tag in the attack link of apt, and the specific may only be known by the equation itself.

Vulnerability analysis of Microsoft formula editor series (I): cve-2017-11882


Analysis of RPO attack technology

Dedecms arbitrary user password reset vulnerability

Viewing side channel attack from CPU vulnerability meltdown & spectrum

Penetration skills | n gestures for windows to upload and execute malicious code

Magic safety

Scan QR code and follow us

Formsec is an information security technology research team operated by non-governmental enterprises. The team has been recruiting members in the ancient city of Xi'an. Please pay attention!