Full Report
MyBB is a bulletin board application. It has a template system that ends up passing template code through PHP's eval(). To keep that safe, it runs a regex check that is supposed to strip out anything other than plain variable access. A good description of what is going on can be found on the DayZeroSec blog.

Regex is amazing for finding patterns. However, it comes at a cost: ReDoS. If a pattern can be made to backtrack explosively, matching it burns CPU time (and, in a recursive matcher, stack) until the engine gives up, which is why regex engines commonly put a limit on how much backtracking or recursion they will do. To find such patterns, the authors used a ReDoS checker tool.

In PHP, the Perl-compatible regex functions (preg_match, preg_replace, etc.) do not throw an exception when they reach their backtrack limit. Instead they return an error value: preg_replace returns null and preg_match returns false. The calls to preg_match are wrapped in an if statement. If anything malicious is found, then return. Otherwise, continue on. Since an error value is being returned instead of a real result, the verification of the malicious input can be bypassed. How do we trigger this? A deeply nested payload that requires a lot of backtracking. They went with an eval injection with a lot of [0] inside of it.

Overall, love the post! A seemingly good check on the verification was bypassed by a ReDoS attack. Super slick stuff!
Analysis Summary
# Vulnerability: MyBB Admin Panel Remote Code Execution via Regex ReDoS Bypass
## CVE Details
- CVE ID: CVE-2023-41362
- CVSS Score: 7.2 (HIGH). The vector string is not reproduced on this page; a 7.2 base score with High confidentiality, integrity and availability impact corresponds to network access, low complexity, no user interaction and Privileges Required: High, which matches the admin-only precondition below.
- CWE: CWE-94 (Improper Control of Generation of Code, i.e. code injection into `eval()`). The enabling weakness is CWE-1333 (Inefficient Regular Expression Complexity) combined with an unchecked error return from the PCRE call. CWE-78 (OS command injection) does not fit: the injected payload is PHP, not a shell command.
## Affected Systems
- Products: MyBB (Bulletin Board Application)
- Versions: MyBB releases prior to 1.8.36, the release that carries the `check_template()` fix.
- Configurations: Requires authenticated access to the administrative panel with template modification privileges.
## Vulnerability Description
The vulnerability exists in MyBB's `check_template()` function, which the admin panel's template editor uses to vet template code before it is stored and later executed via `eval()`. The check relies on PCRE regular expressions: one step uses `preg_replace()` to strip the permitted variable-access syntax and then `preg_match()` on the result to look for anything that still resembles PHP. The pattern used in the stripping step is susceptible to **Regex Denial of Service (ReDoS)** through catastrophic backtracking when given specifically crafted, deeply nested input (a variable reference followed by a long run of `[0]` indices that never reaches a closing brace).
The crucial flaw is that when PHP's PCRE functions exhaust `pcre.backtrack_limit` they do not throw an exception: `preg_replace()` **returns null** and `preg_match()` returns `false`, with the cause available only through `preg_last_error()`. The code does not test for these error values. The null from `preg_replace()` is handed straight to `preg_match()`, which coerces it to an empty string and finds nothing, so the check passes as though the template were clean even though it would have flagged the malicious content had the stripping step completed. By sending enough nested `[0]` elements to trip the limit, an attacker can bypass the filter and inject PHP that is subsequently executed when the template is evaluated.
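The mechanism described above (and in the Full Report) as an added example; this is not MyBB's own `check_template()` code. It builds a simplified template check whose allowed-variable regex is ambiguous in the same way, so a long run of `[0]` indices that never reaches a closing brace trips PHP's backtrack limit, and sets it beside a hardened version that uses an unambiguous pattern and checks `preg_last_error()`. The function names, regexes, the lowered `pcre.backtrack_limit`, the disabled JIT and the constructed templates are all this example's own assumptions.

```php
<?php
// Added example of the bug class behind CVE-2023-41362. The regexes,
// function names and inputs are this example's own simplification and are
// NOT MyBB's check_template() code.

// Assumptions for a fast, deterministic demo: a low backtrack limit stands
// in for PHP's default of 1,000,000, and the interpreter is used instead of
// the PCRE JIT so that the limit is what trips. Both are PHP_INI_ALL settings.
ini_set('pcre.jit', '0');
ini_set('pcre.backtrack_limit', '10000');

// Toy allowed syntax: {$name} optionally followed by [index] parts.
// Ambiguous: the lazy .*? may swallow ']' and '[', so "[0][0]" can be read as
// one index or two. A run of n "[0]" that never reaches '}' is tried 2^(n-1) ways.
const ALLOWED_VAR_AMBIGUOUS = '/\{\$\w+(\[.*?\])*\}/';

// Unambiguous: an index can never contain ']', so each "[...]" matches in
// exactly one way and the scan is linear.
const ALLOWED_VAR_LINEAR = '/\{\$\w+(\[[^\]]*\])*\}/';

// Whatever survives stripping must not look like PHP any more.
const PHP_MARKERS = '/\$|\(|->|`/';

/**
 * Vulnerable shape: trusts the preg_* return values.
 * Returns true when the template must be rejected.
 */
function check_template_vulnerable(string $template): bool
{
    $stripped = preg_replace(ALLOWED_VAR_AMBIGUOUS, '', $template);
    // If the engine hit pcre.backtrack_limit, $stripped is null here.
    // preg_match() coerces null to "" (PHP 8.1+ only emits a deprecation
    // notice), finds no marker, and the unchecked template is accepted.
    if (preg_match(PHP_MARKERS, $stripped)) {
        return true;
    }
    return false;
}

/**
 * Hardened shape: unambiguous regex plus explicit error checks, failing
 * closed whenever PCRE reports a problem.
 */
function check_template_hardened(string $template): bool
{
    $stripped = preg_replace(ALLOWED_VAR_LINEAR, '', $template);
    if ($stripped === null || preg_last_error() !== PREG_NO_ERROR) {
        return true; // engine gave up: treat as unsafe rather than as clean
    }
    $found = preg_match(PHP_MARKERS, $stripped);
    if ($found === false || preg_last_error() !== PREG_NO_ERROR) {
        return true;
    }
    return $found === 1;
}

// Constructed templates (not real MyBB templates).
$benign    = 'Welcome back, {$username}! You have {$counts[0]} new messages.';
$injection = 'Welcome back, {${time()}}';   // plainly contains PHP
$redos     = '{$a' . str_repeat('[0]', 40) . '!}' . $injection;
// The '!' before '}' makes every one of the 2^39 ways of pairing the
// brackets fail, which is what forces the backtracking.

// Show the raw failure mode first: preg_replace() reports the limit through
// preg_last_error() (preg_last_error_msg() needs PHP 8.0+), not an exception.
$raw = preg_replace(ALLOWED_VAR_AMBIGUOUS, '', $redos);
printf("preg_replace returned null: %s, preg_last_error: %s\n",
    var_export($raw === null, true), preg_last_error_msg());

$cases = ['benign' => $benign, 'injection' => $injection, 'redos+injection' => $redos];
foreach ($cases as $label => $tpl) {
    printf("%-16s rejected by vulnerable check: %-5s by hardened check: %s\n",
        $label,
        var_export(check_template_vulnerable($tpl), true),
        var_export(check_template_hardened($tpl), true));
}
```

Run it with `php redos_check.php`. The benign template passes both checks and the bare injection is rejected by both; the ReDoS-prefixed injection is rejected only by the hardened check, because the vulnerable one receives `null` from `preg_replace()` and treats it as an empty, clean template. Two independent fixes are shown on purpose: the unambiguous pattern removes the backtracking itself, and the `preg_last_error()` checks make the function fail closed if any other pattern in the chain ever hits a limit.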
## Exploitation
- Status: **PoC available** (Exploitation demonstrated using an injected template modification).
- Complexity: **Medium** (Requires administrative access and constructing a precise backtracking payload).
- Attack Vector: **Network** (the admin panel is reached over the web; the authentication requirement is expressed in CVSS as Privileges Required: High, not as an Adjacent vector).
## Impact
- Confidentiality: **High** (Data exposure possible via arbitrary code execution).
- Integrity: **High** (Arbitrary code execution allows full system compromise).
- Availability: **High** (Code execution or successful ReDoS attempt can lead to service disruption).
## Remediation
### Patches
- A security patch was released by MyBB on 2023-08-28; the fix ships in MyBB 1.8.36. Users should update to 1.8.36 or later.
- Reference patch commit: `https://github.com/mybb/mybb/commit/a43a6f22944e769a6eabc58c39e7bc18c1cab4ca.patch`
### Workarounds
- **Restrict Admin Access:** Ensure that only trusted administrators have access to template modification functions within the administration panel.
- **Input Validation Review:** Audit code that relies on PCRE functions so that it never treats an error return as a clean result: `preg_replace()` returns `null` and `preg_match()` returns `false` when `pcre.backtrack_limit` or `pcre.recursion_limit` is exhausted, so test for those values and for `preg_last_error() !== PREG_NO_ERROR` (`preg_last_error_msg()` gives the text on PHP 8.0+) and fail closed. Prefer unambiguous patterns, without nested or overlapping quantifiers, in any filter that sits in front of `eval()`.
## Detection
- **Indicators of Compromise:** Look for unusual template modifications containing very long strings designed to trigger backtracking (e.g., extensive repeated bracket structures such as `[0][0][0]...`) alongside PHP constructs that `check_template()` should have rejected.
- **Detection Methods and Tools:** Monitor administrative access logs for template editing actions and review recently saved templates for such payloads. Security scanners should look for input structures capable of triggering ReDoS in known vulnerable regex expressions; the ReDoS checker used in the original analysis (not linked on this page) can help enumerate problematic strings when analyzing historical logs. On the server side, logging non-zero `preg_last_error()` results around template checks would surface backtrack-limit hits as they happen.
## References
- Vendor Advisory: `https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5`
- Exploit Source: `https://github.com/SorceryIE/CVE-2023-41362_MyBB_ACP_RCE`
- Vulnerability Analysis: `https://blog.sorcery.ie/posts/mybb_acp_rce/`