Vulnerability: new users create themselves as admins

Submitted by Anonymous on Fri, 04/26/2013 - 21:56
Written by
FiMa

Hello,

I need some help regarding the UseBB forum engine. I used UseBB 1.0.15 until recently, but I have now updated to UseBB ver. 1.0.17 (development version) because of problems with security.

My forum has the setting "user activation by email" enabled, but no mail service is installed on the server at all yet (the web service was launched only recently). So obviously it should be impossible to complete registration now.

By the way, I already see several new users who somehow created themselves with administrator privileges! All of these users are listed in Internet spam catalogs:
BoriegeodaBop zollaerewsels@hotmail.com
AReattrofe skypeillelf@hotmail.com

How is it possible? Any ideas? I cannot see any useful info in the server access logs. The problem reproduces with UseBB ver. 1.0.15 and 1.0.17.

I have enabled logging for user registrations. I also found some requests in the web server access logs related to the spammers' visits:

/var/log/apache2/access.log:91.207.8.245 - - [23/Apr/2013:21:35:31 +0000] "GET /forum/panel.php?act=register&mydomain_sid=rrmdn2dt83fevbul07s7f81t65&coppa_pass=1 HTTP/1.0" 200 6229 "http://www.mydomain.com/panel.php?act=register&mydomain_sid=rrmdn2dt83fevbul07s7f81t65&coppa_pass=1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"

The IP 91.207.8.245 is on all the Internet spam lists, e.g. http://www.stopforumspam.com/ipcheck/91.207.8.245.

The parameter coppa_pass is also used by spammers in most cases (e.g. http://goo.gl/CTbon).

It is still not clear how they bypass the registration...

One more thing: after the first spammer created himself I changed my admin password immediately. But then two more spammers registered themselves again.
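A small detection pass over access log lines like the one quoted above, as an added example that is not part of the original post: it parses Apache combined-format lines, keeps only requests to panel.php?act=register, and flags sources that send coppa_pass or that appear on a blocklist. The first sample line is the one from the post (without the "/var/log/apache2/access.log:" grep prefix); the other three lines, the second IP address and the blocklist are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" LogFormat, which the quoted line was written in.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = [
    # the line quoted in the post, minus the grep filename prefix
    '91.207.8.245 - - [23/Apr/2013:21:35:31 +0000] "GET /forum/panel.php?act=register&mydomain_sid=rrmdn2dt83fevbul07s7f81t65&coppa_pass=1 HTTP/1.0" 200 6229 "http://www.mydomain.com/panel.php?act=register&mydomain_sid=rrmdn2dt83fevbul07s7f81t65&coppa_pass=1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"',
    # constructed: the same client submitting the registration form a few seconds later
    '91.207.8.245 - - [23/Apr/2013:21:35:40 +0000] "POST /forum/panel.php?act=register&mydomain_sid=rrmdn2dt83fevbul07s7f81t65&coppa_pass=1 HTTP/1.0" 302 - "http://www.mydomain.com/forum/panel.php?act=register" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"',
    # constructed: an ordinary visitor browsing and then opening the registration form
    '198.51.100.7 - - [23/Apr/2013:22:01:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Apr/2013:22:01:30 +0000] "GET /forum/panel.php?act=register HTTP/1.1" 200 6229 "http://www.mydomain.com/forum/index.php" "Mozilla/5.0"',
]


def registration_hits(lines, blocklist=frozenset()):
    """Return one record per request to panel.php?act=register."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            continue  # not a combined-format line (e.g. a grep prefix left in)
        query = parse_qs(urlparse(m["path"]).query)
        if query.get("act") != ["register"]:
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],          # POST is the actual form submission
            "status": int(m["status"]),
            "coppa_pass": query.get("coppa_pass", [None])[0],
            "listed": m["ip"] in blocklist,
        })
    return hits


def suspicious_sources(hits):
    """IPs that sent coppa_pass on the registration URL or are on the blocklist."""
    return sorted({h["ip"] for h in hits if h["coppa_pass"] is not None or h["listed"]})


if __name__ == "__main__":
    for hit in registration_hits(SAMPLE_LOG, blocklist=frozenset({"91.207.8.245"})):
        print(hit)
    print("suspicious:", suspicious_sources(registration_hits(SAMPLE_LOG)))
```

Correlating the timestamps of the POST hits with the registration times in usebb_members is the quickest way to tell which request created which account; an empty registration.log, as in this thread, leaves the access log as the only record.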

There should be a database table usebb_stats with a row for "members". This is the counter for the number of members. When this is 0, a user is registered as an admin. The counter is incremented after every registration, so new users are always set as regular members.

So check whether the table and especially that row are there (however, I assume there would be an error if it were missing).

Well, I have members=4 in the table usebb_stats, and in the table usebb_members I have the following:

mysql> select name,email,level from usebb_members;
+---------------+---------------------------+-------+
| name          | email                     | level |
+---------------+---------------------------+-------+
| admin         | admin@somemail.com        |     3 |
| AReattrofe    | skypeillelf@hotmail.com   |     3 |
| BoriegeodaBop | zollaerewsels@hotmail.com |     1 |
| SopImpock     | usencyencaddy@hotmail.com |     1 |
+---------------+---------------------------+-------+

And the new user SopImpock registered on Sat, 27 Apr 2013 01:08:29 GMT. But only I and AReattrofe are administrators (level=3).

Several more things: after I deactivated the user AReattrofe, all new users (BoriegeodaBop and SopImpock) are now only created in the database, but I don't see them on the forum (i.e. in the Statistics section of the forum UI). And although user registration logging is enabled with the registration log file registration.log, the file was not created on the server for the last user, SopImpock.

If I understand correctly the problem really seems to be that UseBB decides to register using an admin level, which only occurs when the member counter is 0. There is no email activation used for the first admin user.

If the database is correct, something must be wrong with how your MySQL or PHP version treats it. I tested it myself but didn't come across this issue with 1.0.17. What PHP/MySQL versions are you using?

Also, nothing is logged when the log file is not writable. If it worked before, the permissions must have been changed (or the UseBB config changed).

Dietrich

If I understand correctly the problem really seems to be that UseBB decides to register using an admin level, which only occurs when the member counter is 0. There is no email activation used for the first admin user.

Yes, it looks something like this.

Dietrich

What PHP/MySQL versions are you using?

mysql> select version();
+-------------------------+
| version()               |
+-------------------------+
| 5.5.29-0ubuntu0.12.04.1 |
+-------------------------+
ubuntu:~$ php -version
PHP 5.3.10-1ubuntu3.5 with Suhosin-Patch (cli)
(built: Jan 18 2013 23:40:19)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

Dietrich

Also, nothing is logged when the log file is not writable. If it worked before, the permissions must have been changed (or the UseBB config changed).

Well, Apache runs as user www-data. Since in the forum admin panel I specified for 'Registration log file' the value 'registration.log' (relative to the forum's directory, or an absolute path), and /var/www/forum/ on the server has read-write permissions for user www-data, I expect that the file should be writable. I'll double-check the permissions and try to set an absolute path as well.

---
I have enabled extended logging for Apache as well:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\" \"%{Origin}i\" %I %O" custom

Dietrich

If I understand correctly the problem really seems to be that UseBB decides to register using an admin level, which only occurs when the member counter is 0. There is no email activation used for the first admin user.

I'm still thinking about these words of yours. I think this can be the real reason why I got new users as administrators.

The scenario and root cause:
1. The forum engine was installed on the server not using the wizard but from scratch (copying the PHP source code and installing the database schema manually):

DROP TABLE IF EXISTS `usebb_stats`;
CREATE TABLE IF NOT EXISTS `usebb_stats` (
`name` varchar(255) NOT NULL DEFAULT '',
`content` text NOT NULL,
PRIMARY KEY (`name`)
) ENGINE = INNODB DEFAULT CHARSET=utf8;

--
-- Dumping data for table `usebb_stats`
--

INSERT INTO usebb_stats VALUES ('topics', '1');
INSERT INTO usebb_stats VALUES ('posts', '1');
INSERT INTO usebb_stats VALUES ('members', '0');
INSERT INTO usebb_stats VALUES ('started', UNIX_TIMESTAMP());

As you can see there is an error:

INSERT INTO usebb_stats VALUES ('members', '0');

2. Of course the first spammer was able to register as an administrator (which corresponds to the behavior you described).

3. I deleted this spammer through the forum admin panel; then the next spammer was again able to register as an administrator (usebb_stats.members was again 0). So I decided there was a pattern and a possible vulnerability.

I'm really amazed how quickly you were able to find the root cause! Thanks a lot!
But what do you think, could this be a problem in the future for other forum administrators? Possibly there should be an additional check before setting a new user as admin...

The log file needs to exist already (a shortcoming in the old code).

Yes, the stats table was probably the culprit. You can fix errors in the stats using the resync stats ACP module, which should be in the default package.
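The sequence worked out in this thread (a hand-installed database whose usebb_stats.members counter is 0 while an admin row already exists, the first registrant getting level 3, the counter falling back to 0 when that account is deleted, and a stats resync as the fix), reproduced as an added example in Python against an in-memory SQLite database. This is not UseBB's code: the schema is reduced from the dump posted above and the usebb_members columns are assumed, the delete routine's decrement of the cached counter is an assumption consistent with the counter reading 0 again after the deletion, and the spammer names and addresses are constructed. The hardened variant shows the additional check asked for above: open the bootstrap-admin path only when the members table is genuinely empty.

```python
import sqlite3
import time

# Reduced from the schema posted in the thread; usebb_members columns are assumed.
SCHEMA = """
CREATE TABLE usebb_stats (
    name    TEXT PRIMARY KEY,
    content TEXT NOT NULL
);
CREATE TABLE usebb_members (
    id    INTEGER PRIMARY KEY,
    name  TEXT NOT NULL UNIQUE,
    email TEXT NOT NULL,
    level INTEGER NOT NULL   -- 3 = administrator, 1 = regular member, as in the dump above
);
"""


def cached_members(db):
    """The counter the registration code consults, as described in the thread."""
    row = db.execute("SELECT content FROM usebb_stats WHERE name = 'members'").fetchone()
    return int(row[0])


def real_members(db):
    """What that counter should be equal to."""
    return db.execute("SELECT COUNT(*) FROM usebb_members").fetchone()[0]


def install_manually(db):
    """The manual install from the thread: the admin row already exists,
    but usebb_stats.members is seeded with '0' instead of '1'."""
    db.executescript(SCHEMA)
    db.execute("INSERT INTO usebb_members (name, email, level) "
               "VALUES ('admin', 'admin@somemail.com', 3)")
    db.executemany("INSERT INTO usebb_stats VALUES (?, ?)", [
        ("topics", "1"), ("posts", "1"), ("members", "0"),
        ("started", str(int(time.time()))),
    ])


def register_counter_based(db, name, email):
    """Vulnerable variant: trust the cached counter. Returns the level granted."""
    level = 3 if cached_members(db) == 0 else 1
    db.execute("INSERT INTO usebb_members (name, email, level) VALUES (?, ?, ?)",
               (name, email, level))
    db.execute("UPDATE usebb_stats SET content = ? WHERE name = 'members'",
               (str(cached_members(db) + 1),))
    return level


def register_hardened(db, name, email):
    """Hardened variant: grant admin only when the members table is genuinely
    empty, and rewrite the counter from the real count instead of incrementing it."""
    level = 3 if real_members(db) == 0 else 1
    db.execute("INSERT INTO usebb_members (name, email, level) VALUES (?, ?, ?)",
               (name, email, level))
    db.execute("UPDATE usebb_stats SET content = ? WHERE name = 'members'",
               (str(real_members(db)),))
    return level


def delete_member(db, name):
    """Assumed ACP delete behaviour: drop the row and decrement the cached counter
    (consistent with the counter reading 0 again after the first spammer was deleted)."""
    db.execute("DELETE FROM usebb_members WHERE name = ?", (name,))
    db.execute("UPDATE usebb_stats SET content = ? WHERE name = 'members'",
               (str(max(cached_members(db) - 1, 0)),))


def resync_stats(db):
    """What a stats resync has to do: overwrite the cached counter with the real count."""
    db.execute("UPDATE usebb_stats SET content = (SELECT COUNT(*) FROM usebb_members) "
               "WHERE name = 'members'")


def reproduce_bug():
    """Two spammers in a row get level 3 from a freshly hand-installed database."""
    db = sqlite3.connect(":memory:")
    install_manually(db)
    first = register_counter_based(db, "spammer1", "spammer1@example.com")   # constructed
    delete_member(db, "spammer1")                                           # counter back to 0
    second = register_counter_based(db, "spammer2", "spammer2@example.com")  # constructed
    return first, second


def hardened_run():
    """Same sequence with a resync up front and the real-count check in registration."""
    db = sqlite3.connect(":memory:")
    install_manually(db)
    drift_before = (cached_members(db), real_members(db))
    resync_stats(db)
    drift_after = (cached_members(db), real_members(db))
    first = register_hardened(db, "spammer1", "spammer1@example.com")
    delete_member(db, "spammer1")
    second = register_hardened(db, "spammer2", "spammer2@example.com")
    return drift_before, drift_after, first, second


if __name__ == "__main__":
    print("counter-based levels granted:", reproduce_bug())
    print("hardened run (drift before, drift after, levels):", hardened_run())
```

The check worth keeping from this is the comparison in hardened_run: whenever the cached counter and COUNT(*) disagree, the bootstrap-admin path may be reachable, so a resync (or the ACP module Dietrich mentions) should be run before the forum goes public.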