MyBB 0day Authenticated Remote code execution

Introduction

Up to the latest version of MyBB is vulnerable to remote code execution due to the allowing admin to set custom mail parameters used in mail function without proper sanitization.

Also, it should be noted that there is no default way that you can get code execution in MyBB such as installing plugins or etc (even by admin users).

The sendmail binary should exist and the www-data user should have permission to send mail through it that is the default configuration of most installations since it’s the easiest way that makes MyBB able to send reset password links and etc.

Why did not report it to the vendor?

I just was reading some ZDI advisories I saw someone reported a MyBB authenticated RCE to them.

So I decided to work on MyBB to find another RCE as admin.

However, they did not accept it due to the high level of admin access required.

I asked them why the previous report that require the same privilege was accepted and their response:

So I decided to write this article instead of reporting it directly to the vendor.

PHP mail function for RCE

the PHP mail function is an interface for sending emails it will actually invoke the sendmail interface installed on the system.

based on the official PHP documentation for the mail function it will take 5 parameters:

mail(
    string $to,
    string $subject,
    string $message,
    array|string $additional_headers = [],
    string $additional_params = ""
): bool

for us, the interesting one is the additional_params.

PHP says:

The additional_params parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmail option.
This parameter is escaped by escapeshellcmd() internally to prevent command execution. escapeshellcmd() prevents command execution, but allows to add additional parameters. For security reasons, it is recommended for the user to sanitize this parameter to avoid adding unwanted parameters to the shell command.

it allows us to control the parameters of executing sendmail command and also uses escapeshellcmd to prevent command injection.

But escapeshellcmd does not prevent argument injection and as excepted behavior of controlling parameters, it should not prevent this.

As an attacker, we could abuse it for example by passing -X parameters to define a file to write logs and control the file path and extension by this way if we find a way to inject our custom code into the log file we could write a web shell in the server.

Root cause analysis

MyBB allows the admin to set Mail handlers and also additional parameters and when we set them it will update the config file and will write our config without sanitization to settings.

When MyBB is going to send an email if the admin sets the usage mail it will call send function of PhpMail class defined in inc/mailhandlers/php.php and if PHP safe mode sets to off (default installation of PHP) it will use the additional parameters defined by us:

MyBB exploitation

So in order to write a web shell first, we need to know the document root path and find a way to inject our own PHP code into the log file.

MyBB allows us to call a phpinfo and see its result so we can easily send a simple request to admin/index.php?module=tools-php_info&action=phpinfo and from its result, we can find the document root path to write our web shell.

Also, we can add a new stylesheet and write custom CSS files in cache/themes/theme2 so we can trigger the file write by :

  1. Find the webroot path from phpinfo result
  2. Write our PHP code to a CSS file
  3. set mail parameters to -C <web_root>/cache/themes/theme2/rce.css -X <web_root>/rce.php
  4. trigger call of mail function by a password reset.
  5. since rce.css is not a valid config file it will result in an error and write its content to the log file that is our webshell.
https://github.com/416e6e61/MyBB-0day-RCE/blob/main/exploit.py

3 thoughts on “MyBB 0day Authenticated Remote code execution

  1. You say why you didn’t report it to ZDI, but not why you didn’t to the vendor (MyBB). These are separate things.

Leave a Reply

Your email address will not be published.